authorPablo Neira Ayuso <pablo@netfilter.org>2014-06-23 02:49:38 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-07-25 18:18:40 +0200
commite0d85a97cc755d5df14cd50af33f6ea8ab017b84 (patch)
tree30cd96afc4d1c8097d0a8e7c714880a03751602b /src/statement.c
parent371fdadfafd64b3e364f91a21dac231a16622736 (diff)
src: add level option to the log statement
This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
-rw-r--r--src/statement.c31
1 files changed, 27 insertions, 4 deletions
diff --git a/src/statement.c b/src/statement.c
index 2dd3f187..4be66251 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -14,6 +14,7 @@
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
+#include <syslog.h>
#include <statement.h>
#include <utils.h>
@@ -112,17 +113,39 @@ struct stmt *counter_stmt_alloc(const struct location *loc)
return stmt_alloc(loc, &counter_stmt_ops);
}
+static const char *syslog_level[LOG_DEBUG + 1] = {
+ [LOG_EMERG] = "emerg",
+ [LOG_ALERT] = "alert",
+ [LOG_CRIT] = "crit",
+ [LOG_ERR] = "err",
+ [LOG_WARNING] = "warn",
+ [LOG_NOTICE] = "notice",
+ [LOG_INFO] = "info",
+ [LOG_DEBUG] = "debug",
+};
+
+static const char *log_level(uint32_t level)
+{
+ if (level > LOG_DEBUG)
+ return "unknown";
+
+ return syslog_level[level];
+}
+
static void log_stmt_print(const struct stmt *stmt)
{
printf("log");
- if (stmt->log.prefix != NULL)
+ if (stmt->log.flags & STMT_LOG_PREFIX)
printf(" prefix \"%s\"", stmt->log.prefix);
- if (stmt->log.group)
+ if (stmt->log.flags & STMT_LOG_GROUP)
printf(" group %u", stmt->log.group);
- if (stmt->log.snaplen)
+ if (stmt->log.flags & STMT_LOG_SNAPLEN)
printf(" snaplen %u", stmt->log.snaplen);
- if (stmt->log.qthreshold)
+ if (stmt->log.flags & STMT_LOG_QTHRESHOLD)
printf(" queue-threshold %u", stmt->log.qthreshold);
+ if ((stmt->log.flags & STMT_LOG_LEVEL) &&
+ stmt->log.level != LOG_WARNING)
+ printf(" level %s", log_level(stmt->log.level));
}
static void log_stmt_destroy(struct stmt *stmt)
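Review bot: The `%s` in the prefix branch of `log_stmt_print()` is now guarded only by `STMT_LOG_PREFIX`, so a statement that carries the flag with a NULL `stmt->log.prefix` would pass a null pointer to `printf`, which the removed `prefix != NULL` test ruled out. The code that sets the flags is outside this hunk, so unless every setter is known to assign the prefix together with the flag, keep both conditions: `if ((stmt->log.flags & STMT_LOG_PREFIX) && stmt->log.prefix != NULL)`. Separately, `log_level()` maps every value above `LOG_DEBUG` to "unknown", so the listing would show `level unknown` and drop the numeric value, and that text is presumably not accepted back by the parser. A comment on the fallback such as `/* level outside the syslog range: printed as "unknown" */` would tell anyone auditing a ruleset dump what they are looking at.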