author | Liping Zhang <zlpnobody@gmail.com> | 2016-11-19 19:31:15 +0800 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-24 13:32:52 +0100 |
commit | 1419b0003fccca32bf61ed40265a5539e2465497 (patch) | |
tree | c35bd0c06398f71f26c8a81d49152920c84e22cd /tests/py | |
parent | 9e20fcb72dbf25fd41e4636aa580d05e4791650d (diff) |
src: add log flags syntax support

Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.

Some examples are listed below:
  # nft add rule t c log flags tcp sequence,options
  # nft add rule t c log flags ip options
  # nft add rule t c log flags skuid
  # nft add rule t c log flags ether
  # nft add rule t c log flags all
  # nft add rule t c log flags all group 1
  <cmdline>:1:14-16: Error: flags and group are mutually exclusive
  add rule t c log flags all group 1
               ^^^

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tests/py')
-rw-r--r-- | tests/py/any/log.t | 6 | ||||
-rw-r--r-- | tests/py/any/log.t.payload | 15 |
2 files changed, 21 insertions, 0 deletions
diff --git a/tests/py/any/log.t b/tests/py/any/log.t index 99a7f1f1..37982022 100644 --- a/tests/py/any/log.t +++ b/tests/py/any/log.t @@ -25,3 +25,9 @@ log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2 log group 2 queue-threshold 2;ok log group 2 snaplen 33;ok log group 2 prefix \"nft-test: \";ok;log prefix "nft-test: " group 2 + +log flags all;ok +log level debug flags ip options flags skuid;ok +log flags tcp sequence,options;ok +log flags ip options flags ether flags skuid flags tcp sequence,options;ok;log flags all +log flags all group 2;fail diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload index dc885b4b..385b8bba 100644 --- a/tests/py/any/log.t.payload +++ b/tests/py/any/log.t.payload @@ -50,3 +50,18 @@ ip test-ip4 output ip test-ip4 output [ log prefix nft-test: group 2 snaplen 0 qthreshold 0 ] +# log flags all +ip test-ip4 output + [ log tcpseq tcpopt ipopt uid macdecode ] + +# log level debug flags ip options flags skuid +ip test-ip4 output + [ log level 7 ipopt uid ] + +# log flags tcp sequence,options +ip test-ip4 output + [ log tcpseq tcpopt ] + +# log flags ip options flags ether flags skuid flags tcp sequence,options +ip test-ip4 output + [ log tcpseq tcpopt ipopt uid macdecode ] |
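Review bot: In tests/py/any/log.t the only negative case is `log flags all group 2;fail`, so the "flags and group are mutually exclusive" rule from the commit message is checked in one keyword order and only with `all`. Consider adding the reverse order (`log group 2 flags all;fail`) and a single-flag variant such as `log flags skuid group 2;fail`, so the check is known to fire whichever option the parser sees first and for any flag value, not just the full set.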
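Review bot: In tests/py/any/log.t.payload, `macdecode` appears only in the two expected payloads that carry the full set (`[ log tcpseq tcpopt ipopt uid macdecode ]`), so a wrong mapping for the `ether` keyword would not be caught by these cases. A standalone `log flags ether;ok` test with its own payload entry would pin that flag down on its own; the same applies to `skuid`, which is only seen together with `ipopt` in `[ log level 7 ipopt uid ]`. These flags decide whether the socket owner UID and the MAC header end up in the log, so each mapping deserves an isolated check.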