authorLiping Zhang <zlpnobody@gmail.com>2016-11-19 19:31:15 +0800
committerPablo Neira Ayuso <pablo@netfilter.org>2016-11-24 13:32:52 +0100
commit1419b0003fccca32bf61ed40265a5539e2465497 (patch)
treec35bd0c06398f71f26c8a81d49152920c84e22cd /src/statement.c
parent9e20fcb72dbf25fd41e4636aa580d05e4791650d (diff)
src: add log flags syntax support
Now that NF_LOG_XXX is exposed to userspace, we can set it explicitly. Like the iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, UID owning local socket and decode MAC header. Note the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
-rw-r--r--src/statement.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/statement.c b/src/statement.c
index 8ccd4891..e70eb51e 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -27,6 +27,7 @@
#include <netinet/in.h>
#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_log.h>
struct stmt *stmt_alloc(const struct location *loc,
const struct stmt_ops *ops)
@@ -193,6 +194,28 @@ static void log_stmt_print(const struct stmt *stmt)
if ((stmt->log.flags & STMT_LOG_LEVEL) &&
stmt->log.level != LOG_WARNING)
printf(" level %s", log_level(stmt->log.level));
+
+ if ((stmt->log.logflags & NF_LOG_MASK) == NF_LOG_MASK) {
+ printf(" flags all");
+ } else {
+ if (stmt->log.logflags & (NF_LOG_TCPSEQ | NF_LOG_TCPOPT)) {
+ const char *delim = " ";
+
+ printf(" flags tcp");
+ if (stmt->log.logflags & NF_LOG_TCPSEQ) {
+ printf(" sequence");
+ delim = ",";
+ }
+ if (stmt->log.logflags & NF_LOG_TCPOPT)
+ printf("%soptions", delim);
+ }
+ if (stmt->log.logflags & NF_LOG_IPOPT)
+ printf(" flags ip options");
+ if (stmt->log.logflags & NF_LOG_UID)
+ printf(" flags skuid");
+ if (stmt->log.logflags & NF_LOG_MACDECODE)
+ printf(" flags ether");
+ }
}
static void log_stmt_destroy(struct stmt *stmt)
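Review bot: The print path silently drops any logflags bit outside NF_LOG_MASK: the `flags all` test masks with NF_LOG_MASK and the else branch only tests the five named bits, so a value carrying an unknown bit (presumably possible when the statement is delinearized from the kernel rather than parsed — confirm against the netlink path) is listed as if that bit were absent, and the listed ruleset would not round-trip. A comment on the `flags all` line would make the contract explicit, e.g. `/* "all" means every bit of NF_LOG_MASK; bits outside the mask are not printed */`. The else branch also emits a separate `flags ...` clause per family (`flags tcp ... flags ip options ...`), which relies on the grammar accepting a repeated flags keyword within one log statement; worth confirming against the parser change in this commit. log_stmt_print begins outside the hunk.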