authorLiping Zhang <zlpnobody@gmail.com>2016-11-27 20:08:29 +0800
committerPablo Neira Ayuso <pablo@netfilter.org>2016-11-29 23:30:10 +0100
commitbb50942a62b2d76810babc0b1150895d9e5ef229 (patch)
treeb1589bcad8673504a5c6228cdc1cf0c50b271b71 /extensions
parent6de5f08a33fc4503b7199cece736979b4be91ef3 (diff)
extensions: LOG: add log flags translation to nft
For example: # iptables-translate -A OUTPUT -j LOG --log-uid nft add rule ip filter OUTPUT counter log flags skuid # iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \ --log-tcp-options nft add rule ip filter OUTPUT counter log flags tcp sequence,options # iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid nft add rule ip filter OUTPUT counter log level debug flags skuid # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode nft add rule ip6 filter OUTPUT counter log flags ip options flags ether # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \ --log-tcp-sequence --log-tcp-options --log-macdecode nft add rule ip6 filter OUTPUT counter log flags all Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libip6t_LOG.c30
-rw-r--r--extensions/libipt_LOG.c30
2 files changed, 52 insertions, 8 deletions
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index af77b9a5..40adc69d 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
(const struct ip6t_log_info *)params->target->data;
unsigned int i = 0;
- xt_xlate_add(xl, "log ");
+ xt_xlate_add(xl, "log");
if (strcmp(loginfo->prefix, "") != 0) {
if (params->escape_quotes)
- xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
else
- xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+ xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
}
for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
if (loginfo->level == ip6t_log_xlate_names[i].level &&
loginfo->level != LOG_DEFAULT_LEVEL) {
- xt_xlate_add(xl, "level %s",
+ xt_xlate_add(xl, " level %s",
ip6t_log_xlate_names[i].name);
break;
}
+ if ((loginfo->logflags & IP6T_LOG_MASK) == IP6T_LOG_MASK) {
+ xt_xlate_add(xl, " flags all");
+ } else {
+ if (loginfo->logflags & (IP6T_LOG_TCPSEQ | IP6T_LOG_TCPOPT)) {
+ const char *delim = " ";
+
+ xt_xlate_add(xl, " flags tcp");
+ if (loginfo->logflags & IP6T_LOG_TCPSEQ) {
+ xt_xlate_add(xl, " sequence");
+ delim = ",";
+ }
+ if (loginfo->logflags & IP6T_LOG_TCPOPT)
+ xt_xlate_add(xl, "%soptions", delim);
+ }
+ if (loginfo->logflags & IP6T_LOG_IPOPT)
+ xt_xlate_add(xl, " flags ip options");
+ if (loginfo->logflags & IP6T_LOG_UID)
+ xt_xlate_add(xl, " flags skuid");
+ if (loginfo->logflags & IP6T_LOG_MACDECODE)
+ xt_xlate_add(xl, " flags ether");
+ }
+
return 1;
}
static struct xtables_target log_tg6_reg = {
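Review bot: The two rewritten prefix lines still place `loginfo->prefix` between double quotes with a bare `%s`, so a prefix that itself contains `"` or `\` is copied verbatim into the generated nft rule. Unless xt_xlate_add escapes its arguments (not visible in this hunk), that rule will either fail to parse or carry a different prefix than the iptables rule, which matters when the output is loaded into nft during a migration. I would escape those two characters before the call or decline to translate such a prefix; at minimum add `/* prefix is emitted verbatim: embedded quotes and backslashes are not escaped */` above the `strcmp` check. The identical lines in the libipt_LOG.c hunk need the same treatment, and LOG_xlate begins above this hunk.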
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 2784d9bc..36e2e73b 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
(const struct ipt_log_info *)params->target->data;
unsigned int i = 0;
- xt_xlate_add(xl, "log ");
+ xt_xlate_add(xl, "log");
if (strcmp(loginfo->prefix, "") != 0) {
if (params->escape_quotes)
- xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
else
- xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+ xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
}
for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
if (loginfo->level != LOG_DEFAULT_LEVEL &&
loginfo->level == ipt_log_xlate_names[i].level) {
- xt_xlate_add(xl, "level %s ",
+ xt_xlate_add(xl, " level %s",
ipt_log_xlate_names[i].name);
break;
}
+ if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) {
+ xt_xlate_add(xl, " flags all");
+ } else {
+ if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) {
+ const char *delim = " ";
+
+ xt_xlate_add(xl, " flags tcp");
+ if (loginfo->logflags & IPT_LOG_TCPSEQ) {
+ xt_xlate_add(xl, " sequence");
+ delim = ",";
+ }
+ if (loginfo->logflags & IPT_LOG_TCPOPT)
+ xt_xlate_add(xl, "%soptions", delim);
+ }
+ if (loginfo->logflags & IPT_LOG_IPOPT)
+ xt_xlate_add(xl, " flags ip options");
+ if (loginfo->logflags & IPT_LOG_UID)
+ xt_xlate_add(xl, " flags skuid");
+ if (loginfo->logflags & IPT_LOG_MACDECODE)
+ xt_xlate_add(xl, " flags ether");
+ }
+
return 1;
}
static struct xtables_target log_tg_reg = {
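Review bot: When `loginfo->level` is not `LOG_DEFAULT_LEVEL` and matches no entry of `ipt_log_xlate_names`, the level loop ends without emitting anything and the function still reaches `return 1`. The caller would then receive a rule that logs at the default level, with no sign that the original level was lost. The table is outside this hunk, so this only matters if it does not cover every value the field can hold. If 0 is the "cannot translate" result, as it appears to be for xlate callbacks, I would add `if (i == ARRAY_SIZE(ipt_log_xlate_names) && loginfo->level != LOG_DEFAULT_LEVEL) return 0;` after the loop. The loop in libip6t_LOG.c has the same shape, and LOG_xlate begins above this hunk.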