authorLiping Zhang <>2016-11-19 19:31:15 +0800
committerPablo Neira Ayuso <>2016-11-24 13:32:52 +0100
commit1419b0003fccca32bf61ed40265a5539e2465497 (patch)
treec35bd0c06398f71f26c8a81d49152920c84e22cd /include
parent9e20fcb72dbf25fd41e4636aa580d05e4791650d (diff)
src: add log flags syntax support
Now that NF_LOG_XXX is exposed to userspace, we can set it explicitly. Like the iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, the UID owning the local socket, and decode the MAC header. Note that the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'include')
2 files changed, 13 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644
index 00000000..8be21e02
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,12 @@
+#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT 0x02 /* Log TCP options */
+#define NF_LOG_IPOPT 0x04 /* Log IP options */
+#define NF_LOG_UID 0x08 /* Log UID owning local socket */
+#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define NF_LOG_MASK 0x2f
+#endif /* _NETFILTER_NF_LOG_H */
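Review bot: `NF_LOG_MASK` is written as the bare literal `0x2f`, which leaves out `NF_LOG_NFLOG` (0x10), and nothing on that line says the omission is deliberate. A comment such as `/* all supported flags; excludes NF_LOG_NFLOG (0x10) */` would make clear that code checking a flags word against the mask is expected to reject that bit; where that check happens is not visible in this include-only diff. Separately, the hunk header announces 12 added lines but only 8 appear here, and the closing `#endif /* _NETFILTER_NF_LOG_H */` has no visible `#ifndef`. The guard opening was presumably dropped by the page rendering, but it is worth confirming in the file itself.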
diff --git a/include/statement.h b/include/statement.h
index fe83717f..277ff2f4 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -50,6 +50,7 @@ struct log_stmt {
uint16_t group;
uint16_t qthreshold;
uint32_t level;
+ uint32_t logflags;
uint32_t flags;