authorPablo Neira Ayuso <>2014-06-23 02:49:38 +0200
committerPablo Neira Ayuso <>2014-07-25 18:18:40 +0200
commite0d85a97cc755d5df14cd50af33f6ea8ab017b84 (patch)
tree30cd96afc4d1c8097d0a8e7c714880a03751602b /include/statement.h
parent371fdadfafd64b3e364f91a21dac231a16622736 (diff)
src: add level option to the log statement
This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables). Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'include/statement.h')
1 files changed, 10 insertions, 0 deletions
diff --git a/include/statement.h b/include/statement.h
index 480b7190..12336bc0 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -28,11 +28,21 @@ extern struct stmt *meta_stmt_alloc(const struct location *loc,
enum nft_meta_keys key,
struct expr *expr);
+enum {
+ STMT_LOG_PREFIX = (1 << 0),
+ STMT_LOG_SNAPLEN = (1 << 1),
+ STMT_LOG_GROUP = (1 << 2),
+ STMT_LOG_LEVEL = (1 << 4),
struct log_stmt {
const char *prefix;
unsigned int snaplen;
uint16_t group;
uint16_t qthreshold;
+ uint32_t level;
+ uint32_t flags;
extern struct stmt *log_stmt_alloc(const struct location *loc);
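Review bot: The new `flags` field and the anonymous `STMT_LOG_*` enum have no comment tying them together, so the header does not say that `flags` presumably records which log options the user gave explicitly, nor that level and group are mutually exclusive as the commit message states. A comment above the enum would cover both, e.g. `/* Bits for log_stmt.flags: options set explicitly in the rule. STMT_LOG_LEVEL and STMT_LOG_GROUP are mutually exclusive. */`. In the lines visible here the values jump from `(1 << 2)` to `(1 << 4)` and no bit matches the existing `qthreshold` field; unless a line was lost in this rendering, the gap deserves a remark. Neither the exclusivity check nor a range check on the 32-bit `level` appears in this hunk, so confirm that both are enforced where the statement is evaluated, before the value is passed to the kernel.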