author: Liping Zhang <zlpnobody@gmail.com> 2016-11-19 19:31:15 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-11-24 13:32:52 +0100
commit: 1419b0003fccca32bf61ed40265a5539e2465497
tree: c35bd0c06398f71f26c8a81d49152920c84e22cd /doc/nft.xml
parent: 9e20fcb72dbf25fd41e4636aa580d05e4791650d
src: add log flags syntax support

Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.

Some examples are listed below:
 # nft add rule t c log flags tcp sequence,options
 # nft add rule t c log flags ip options
 # nft add rule t c log flags skuid
 # nft add rule t c log flags ether
 # nft add rule t c log flags all
 # nft add rule t c log flags all group 1
 <cmdline>:1:14-16: Error: flags and group are mutually exclusive
 add rule t c log flags all group 1
              ^^^

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'doc/nft.xml')
-rw-r--r-- doc/nft.xml 56
1 files changed, 56 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index d11abca4..8026d85f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2400,6 +2400,8 @@ ip forward ip dscp set 42
<replaceable>quoted_string</replaceable></arg>
<arg choice="opt">level
<replaceable>syslog-level</replaceable></arg>
+ <arg choice="opt">flags
+ <replaceable>log-flags</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>log</command>
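Review bot: The added "flags" argument in the first synopsis reads as taking a single log-flags value, but the example added later in this patch combines several ("flags skuid flags ip options" and "flags tcp sequence,options"). Consider marking the argument as repeatable (DocBook rep="repeat" on the arg element) or describing the list syntax next to the synopsis, so the reader does not have to infer it from the example.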
@@ -2459,6 +2461,60 @@ ip forward ip dscp set 42
</tbody>
</tgroup>
</table>
+ <table frame="all">
+ <title>log-flags</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Flag</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>tcp sequence</entry>
+ <entry>Log TCP sequence numbers.</entry>
+ </row>
+ <row>
+ <entry>tcp options</entry>
+ <entry>Log options from the TCP packet header.</entry>
+ </row>
+ <row>
+ <entry>ip options</entry>
+ <entry>Log options from the IP/IPv6 packet header.</entry>
+ </row>
+ <row>
+ <entry>skuid</entry>
+ <entry>Log the userid of the process which generated the packet.</entry>
+ </row>
+ <row>
+ <entry>ether</entry>
+ <entry>Decode MAC addresses and protocol.</entry>
+ </row>
+ <row>
+ <entry>all</entry>
+ <entry>Enable all log flags listed above.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ <example>
+ <title>Using log statement</title>
+ <programlisting>
+# log the UID which generated the packet and ip options
+ip filter output log flags skuid flags ip options
+
+# log the tcp sequence numbers and tcp options from the TCP packet
+ip filter output log flags tcp sequence,options
+
+# enable all supported log flags
+ip6 filter output log flags all
+ </programlisting>
+ </example>
</para>
</refsect2>
<refsect2>
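Review bot: Nothing in the added log-flags table or in the example says that flags cannot be combined with group, although the commit message states they are mutually exclusive and shows "log flags all group 1" being rejected. Add a sentence after the table stating this. Two smaller points: the first example repeats the keyword ("flags skuid flags ip options") while the second uses a comma list ("tcp sequence,options"), and the text does not say which forms are accepted; and the skuid row could say it applies to locally generated packets, matching "UID owning local socket" in the commit message.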