From e0d85a97cc755d5df14cd50af33f6ea8ab017b84 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 23 Jun 2014 02:49:38 +0200
Subject: src: add level option to the log statement
This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables).
Signed-off-by: Pablo Neira Ayuso
---
src/netlink_delinearize.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
(limited to 'src/netlink_delinearize.c')
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 5c6ca800..195d4329 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -428,12 +428,30 @@ static void netlink_parse_log(struct netlink_parse_ctx *ctx,
 stmt = log_stmt_alloc(loc);
 prefix = nft_rule_expr_get_str(nle, NFT_EXPR_LOG_PREFIX);
- if (prefix != NULL)
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_PREFIX)) {
 stmt->log.prefix = xstrdup(prefix);
- stmt->log.group = nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_GROUP);
- stmt->log.snaplen = nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_SNAPLEN);
- stmt->log.qthreshold =
- nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_QTHRESHOLD);
+ stmt->log.flags |= STMT_LOG_PREFIX;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_GROUP)) {
+ stmt->log.group =
+ nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_GROUP);
+ stmt->log.flags |= STMT_LOG_GROUP;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_SNAPLEN)) {
+ stmt->log.snaplen =
+ nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_SNAPLEN);
+ stmt->log.flags |= STMT_LOG_SNAPLEN;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_QTHRESHOLD)) {
+ stmt->log.qthreshold =
+ nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_QTHRESHOLD);
+ stmt->log.flags |= STMT_LOG_QTHRESHOLD;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_LEVEL)) {
+ stmt->log.level =
+ nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_LEVEL);
+ stmt->log.flags |= STMT_LOG_LEVEL;
+ }
 list_add_tail(&stmt->list, &ctx->rule->stmts);
 }
-- cgit v1.2.3
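Review bot: The last added branch stores the 32-bit value from `NFT_EXPR_LOG_LEVEL` in `stmt->log.level` as received, with no upper bound, so any later code that maps the level to a name has to range-check it; that code is outside this file's diff, so it may already do so. Separately, the commit message says level and group are mutually exclusive, but this parser sets `STMT_LOG_GROUP` and `STMT_LOG_LEVEL` independently when both attributes are present. I would at least document that above the group branch, e.g. `/* level and group are mutually exclusive; not enforced when parsing a dump */`. The body of netlink_parse_log begins above the hunk.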