authorPablo Neira Ayuso <pablo@netfilter.org>2014-06-23 02:49:38 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-07-25 18:18:40 +0200
commite0d85a97cc755d5df14cd50af33f6ea8ab017b84 (patch)
tree30cd96afc4d1c8097d0a8e7c714880a03751602b /src/evaluate.c
parent371fdadfafd64b3e364f91a21dac231a16622736 (diff)
src: add level option to the log statement
This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index e05473a9..f66a8ea3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1180,6 +1180,18 @@ static int stmt_evaluate_ct(struct eval_ctx *ctx, struct stmt *stmt)
return 0;
}
+static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ if (stmt->log.flags & STMT_LOG_LEVEL &&
+ (stmt->log.flags & STMT_LOG_GROUP ||
+ stmt->log.flags & STMT_LOG_SNAPLEN ||
+ stmt->log.flags & STMT_LOG_QTHRESHOLD)) {
+ return stmt_error(ctx, stmt,
+ "level and group are mutually exclusive");
+ }
+ return 0;
+}
+
static int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
{
#ifdef DEBUG
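Review bot: The error text on the `stmt_error` call does not match the condition above it: the check also rejects `level` combined with only `snaplen` or only `qthreshold`, so a rule like `log level notice snaplen 100` is reported as a level/group conflict, which will send the user looking for a `group` option that is not there. Either narrow the condition to the group flag or widen the message, e.g. `"level and group, snaplen or qthreshold are mutually exclusive"`. The three separate `stmt->log.flags & STMT_LOG_*` tests can be folded into one mask test, `stmt->log.flags & (STMT_LOG_GROUP | STMT_LOG_SNAPLEN | STMT_LOG_QTHRESHOLD)`, which states the intent directly and is easier to extend when further nfnetlink_log-only options are added. Whether the level value itself is range-checked is not visible from this hunk; if the parser accepts it unchecked, that validation would belong in this function as well.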
@@ -1193,7 +1205,6 @@ static int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
switch (stmt->ops->type) {
case STMT_COUNTER:
case STMT_LIMIT:
- case STMT_LOG:
return 0;
case STMT_EXPRESSION:
return stmt_evaluate_expr(ctx, stmt);
@@ -1201,6 +1212,8 @@ static int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
return stmt_evaluate_verdict(ctx, stmt);
case STMT_META:
return stmt_evaluate_meta(ctx, stmt);
+ case STMT_LOG:
+ return stmt_evaluate_log(ctx, stmt);
case STMT_REJECT:
return stmt_evaluate_reject(ctx, stmt);
case STMT_NAT: