* Feature suggestion: internal logdrop table
@ 2003-12-17 15:04 Markus Saarinen
2003-12-17 19:45 ` Henrik Nordstrom
0 siblings, 1 reply; 2+ messages in thread
From: Markus Saarinen @ 2003-12-17 15:04 UTC (permalink / raw)
To: netfilter-devel
Would it be possible to have a 'logdrop' target coded into iptables?
I know that i can manually create a table with a simple log & drop rules,
but it gets very long ruleset if i want to have different log prefixes
for different
kind of matches, e.g.:
iptables -A INPUT -s subnet1 -d somewhere -j LOG --log-prefix "fromsubnet1"
iptables -A INPUT -s subnet1 -d somewhere -j DROP
iptables -A INPUT -s subnet2 -d somewhere -j LOG --log-prefix "fromsubnet2"
iptables -A INPUT -s subnet2 -d somewhere -j DROP
...and so on...
Whereas this would seem much more convenient and logical:
iptables -A INPUT -s subnet1 -d somewhere -j LOGDROP --log-prefix
"fromsubnet1"
iptables -A INPUT -s subnet2 -d somewhere -j LOGDROP --log-prefix
"fromsubnet2"
From a bit of Googling, i've seen that quite many people actually
create these log-drop
chains by hand (myself included), so think it would actually be a quite
useful feature.
Not to mention the few clockticks my firewall would save when it could
just drop the
packet from the same rule without traversing back to the original chain
and parsing
a new rule ;-)
Cheers,
Markus
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Feature suggestion: internal logdrop table
2003-12-17 15:04 Feature suggestion: internal logdrop table Markus Saarinen
@ 2003-12-17 19:45 ` Henrik Nordstrom
0 siblings, 0 replies; 2+ messages in thread
From: Henrik Nordstrom @ 2003-12-17 19:45 UTC (permalink / raw)
To: Markus Saarinen; +Cc: netfilter-devel
On Wed, 17 Dec 2003, Markus Saarinen wrote:
> Would it be possible to have a 'logdrop' target coded into iptables?
Jost copy LOG and make a terminal version of LOG, or extend the LOG target
with options to indicate that the rule is terminal.
But I guess that the reason why this is not done is because "terminal" log
is just as often used with other actions such as ACCEPT/REJECT making the
number of combinations very large.
What have been discussed before is making a log match instead of a target.
This would allow log to be used within any other rule in a clean manner.
But unfortunately this discussion got sidetracked on other issues and
apparently no such match was made.
This would make the example rules look like:
-A INPUT -s subnet1 -d somewhere -m log --log-prefix "fromsubnet1" -J DROP
-A INPUT -s subnet2 -d somewhere -m log --log-prefix "fromsubnet2" -J DROP
> From a bit of Googling, i've seen that quite many people actually
> create these log-drop chains by hand (myself included).
Yes, this is the common solution to the problem. However when using
--log-prefix is creates very many chains (one per --log-prefix).
> so think it would actually be a quite useful feature. Not to mention the few
> clockticks my firewall would save when it could just drop the packet
> from the same rule without traversing back to the original chain and
> parsing a new rule ;-)
For now use custom chains making the target of the packet. This saves you
from duplicating all the matches. So your main chains matches the packet
to your rules, and target chains decides on what should be done with the
packet including log/nolog etc.. The CPU difference is not large between
using custom chains and using a combined rule like discussed above, the
main difference is in how easy the ruleset is to maintain.
Regards
Henrik
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-12-17 19:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-12-17 15:04 Feature suggestion: internal logdrop table Markus Saarinen
2003-12-17 19:45 ` Henrik Nordstrom
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.