author | Liping Zhang <zlpnobody@gmail.com> | 2016-11-19 19:31:15 +0800 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-24 13:32:52 +0100 |
commit | 1419b0003fccca32bf61ed40265a5539e2465497 (patch) | |
tree | c35bd0c06398f71f26c8a81d49152920c84e22cd /src/evaluate.c | |
parent | 9e20fcb72dbf25fd41e4636aa580d05e4791650d (diff) |
src: add log flags syntax support
Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.
Some examples are listed below:
# nft add rule t c log flags tcp sequence,options
# nft add rule t c log flags ip options
# nft add rule t c log flags skuid
# nft add rule t c log flags ether
# nft add rule t c log flags all
# nft add rule t c log flags all group 1
<cmdline>:1:14-16: Error: flags and group are mutually exclusive
add rule t c log flags all group 1
^^^
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index c60e0f11..8b113c8c 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2429,12 +2429,14 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
 static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
 {
- if (stmt->log.flags & STMT_LOG_LEVEL &&
- (stmt->log.flags & STMT_LOG_GROUP ||
- stmt->log.flags & STMT_LOG_SNAPLEN ||
- stmt->log.flags & STMT_LOG_QTHRESHOLD)) {
- return stmt_error(ctx, stmt,
+ if (stmt->log.flags & (STMT_LOG_GROUP | STMT_LOG_SNAPLEN |
+ STMT_LOG_QTHRESHOLD)) {
+ if (stmt->log.flags & STMT_LOG_LEVEL)
+ return stmt_error(ctx, stmt,
 "level and group are mutually exclusive");
+ if (stmt->log.logflags)
+ return stmt_error(ctx, stmt,
+ "flags and group are mutually exclusive");
 }
 return 0;
 }
|
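Review bot: Both error strings in stmt_evaluate_log name only `group`, but the outer test also fires for STMT_LOG_SNAPLEN and STMT_LOG_QTHRESHOLD, so a rule that combines flags (or level) with snaplen alone is rejected with a message about a group the user never wrote. Consider wording that covers everything the mask matches, e.g. `"flags cannot be combined with group, snaplen or queue-threshold"`, bearing in mind that the commit message documents the current text and tests may pin it. A short comment above the outer `if` would also help the next reader, such as `/* group, snaplen and queue-threshold select the nfnetlink_log backend, where level and flags do not apply */` (assuming that is the intent). Presence of flags is inferred from `stmt->log.logflags` being non-zero rather than from a presence bit like STMT_LOG_LEVEL, which is only sound if the parser never yields an empty flag set; that is not visible in this hunk.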