[PATCH nft 0/3] src: add nft log flags support

[PATCH nft 0/3] src: add nft log flags support

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

After NF_LOG_XXX is exposed to the userspace, we can set log flags to
log more things. The following iptables rule:
  # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
  --log-ip-options --log-uid --log-macdecode
is equal to the following nft rule:
  # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode

The syntax supported was done by patch #1, user manual was updated by
patch #2, test case was added by patch #3.

After this patch set is accepted, I will send another patch to do
iptables xlat.

Liping Zhang (3):
  src: add log flags syntax support
  doc: add description about log flags
  tests: py: add some testcases for log flags

 doc/nft.xml                       | 36 ++++++++++++++++++++++++++++++++++++
 include/linux/netfilter/nf_log.h  | 12 ++++++++++++
 include/statement.h               |  1 +
 src/evaluate.c                    | 12 +++++++++---
 src/netlink_delinearize.c         |  4 ++++
 src/netlink_linearize.c           |  3 +++
 src/parser_bison.y                | 26 +++++++++++++++++++++++++-
 src/scanner.l                     |  5 +++++
 src/statement.c                   | 24 ++++++++++++++++++++++++
 tests/py/any/log.t                |  4 ++++
 tests/py/any/log.t.payload        | 33 ++++++++++++++++++++-------------
 tests/py/ip/icmp.t.payload.ip     |  2 +-
 tests/py/ip6/icmpv6.t.payload.ip6 |  6 +++---
 13 files changed, 147 insertions(+), 21 deletions(-)
 create mode 100644 include/linux/netfilter/nf_log.h

-- 
2.5.5

[PATCH nft 1/3] src: add log flags syntax support

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.

Some examples are listed below:
  # nft add rule filter output log uid
  # nft add rule filter output log tcpopt,ipopt,uid
  # nft add rule filter output log level debug tcpseq,uid,macdecode
  # nft add rule filter output log group 0 uid
  <cmdline>:1:24-26: Error: flags and group are mutually exclusive
  add rule filter OUTPUT log group 0 uid
                         ^^^

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 include/linux/netfilter/nf_log.h | 12 ++++++++++++
 include/statement.h              |  1 +
 src/evaluate.c                   | 12 +++++++++---
 src/netlink_delinearize.c        |  4 ++++
 src/netlink_linearize.c          |  3 +++
 src/parser_bison.y               | 26 +++++++++++++++++++++++++-
 src/scanner.l                    |  5 +++++
 src/statement.c                  | 24 ++++++++++++++++++++++++
 8 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 include/linux/netfilter/nf_log.h

diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644
index 0000000..8be21e0
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,12 @@
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT		0x02	/* Log TCP options */
+#define NF_LOG_IPOPT		0x04	/* Log IP options */
+#define NF_LOG_UID		0x08	/* Log UID owning local socket */
+#define NF_LOG_NFLOG		0x10	/* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE	0x20	/* Decode MAC header */
+#define NF_LOG_MASK		0x2f
+
+#endif /* _NETFILTER_NF_LOG_H */
diff --git a/include/statement.h b/include/statement.h
index e278b70..ffbe9e2 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -50,6 +50,7 @@ struct log_stmt {
 	uint16_t		group;
 	uint16_t		qthreshold;
 	uint32_t		level;
+	uint32_t		logflags;
 	uint32_t		flags;
 };
 
diff --git a/src/evaluate.c b/src/evaluate.c
index 45af329..429628b 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2395,12 +2395,18 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
 static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
 {
 	if (stmt->log.flags & STMT_LOG_LEVEL &&
-	    (stmt->log.flags & STMT_LOG_GROUP	||
-	     stmt->log.flags & STMT_LOG_SNAPLEN	||
-	     stmt->log.flags & STMT_LOG_QTHRESHOLD)) {
+	    stmt->log.flags & (STMT_LOG_GROUP | STMT_LOG_SNAPLEN |
+			       STMT_LOG_QTHRESHOLD)) {
 		return stmt_error(ctx, stmt,
 				  "level and group are mutually exclusive");
 	}
+
+	if (stmt->log.logflags &&
+	    stmt->log.flags & (STMT_LOG_GROUP | STMT_LOG_SNAPLEN |
+			       STMT_LOG_QTHRESHOLD)) {
+		return stmt_error(ctx, stmt,
+				  "flags and group are mutually exclusive");
+	}
 	return 0;
 }
 
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 6bb27b6..f47ccfb 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -657,6 +657,10 @@ static void netlink_parse_log(struct netlink_parse_ctx *ctx,
 			nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_LEVEL);
 		stmt->log.flags |= STMT_LOG_LEVEL;
 	}
+	if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_FLAGS)) {
+		stmt->log.logflags =
+			nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_FLAGS);
+	}
 
 	ctx->stmt = stmt;
 }
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 558deb2..f14ecfe 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -805,6 +805,9 @@ static void netlink_gen_log_stmt(struct netlink_linearize_ctx *ctx,
 		if (stmt->log.flags & STMT_LOG_LEVEL)
 			nftnl_expr_set_u32(nle, NFTNL_EXPR_LOG_LEVEL,
 					   stmt->log.level);
+		if (stmt->log.logflags)
+			nftnl_expr_set_u32(nle, NFTNL_EXPR_LOG_FLAGS,
+					   stmt->log.logflags);
 	}
 	nftnl_rule_add_expr(ctx->nlr, nle);
 }
diff --git a/src/parser_bison.y b/src/parser_bison.y
index aac10dc..515349f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -20,6 +20,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_log.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
 #include <libnftnl/common.h>
@@ -369,6 +370,11 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token LEVEL_NOTICE		"notice"
 %token LEVEL_INFO		"info"
 %token LEVEL_DEBUG		"debug"
+%token TCPSEQ			"tcpseq"
+%token TCPOPT			"tcpopt"
+%token IPOPT			"ipopt"
+%token UID			"uid"
+%token MACDECODE		"macdecode"
 
 %token LIMIT			"limit"
 %token RATE			"rate"
@@ -474,7 +480,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %destructor { stmt_free($$); }	meta_stmt
 %type <stmt>			log_stmt log_stmt_alloc
 %destructor { stmt_free($$); }	log_stmt log_stmt_alloc
-%type <val>			level_type
+%type <val>			level_type log_stmt_flags log_stmt_flag
 %type <stmt>			limit_stmt quota_stmt
 %destructor { stmt_free($$); }	limit_stmt quota_stmt
 %type <val>			limit_burst limit_mode time_unit quota_mode
@@ -1515,6 +1521,10 @@ log_arg			:	PREFIX			string
 				$<stmt>0->log.level	= $2;
 				$<stmt>0->log.flags 	|= STMT_LOG_LEVEL;
 			}
+			|	log_stmt_flags
+			{
+				$<stmt>0->log.logflags	|= $1;
+			}
 			;
 
 level_type		:	LEVEL_EMERG	{ $$ = LOG_EMERG; }
@@ -1527,6 +1537,20 @@ level_type		:	LEVEL_EMERG	{ $$ = LOG_EMERG; }
 			|	LEVEL_DEBUG	{ $$ = LOG_DEBUG; }
 			;
 
+log_stmt_flags		:	log_stmt_flag
+			|	log_stmt_flags	COMMA	log_stmt_flag
+			{
+				$$ = $1 | $3;
+			}
+			;
+
+log_stmt_flag		:	TCPSEQ		{ $$ = NF_LOG_TCPSEQ; }
+			|	TCPOPT		{ $$ = NF_LOG_TCPOPT; }
+			|	IPOPT		{ $$ = NF_LOG_IPOPT; }
+			|	UID		{ $$ = NF_LOG_UID; }
+			|	MACDECODE	{ $$ = NF_LOG_MACDECODE; }
+			;
+
 limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst
 	    		{
 				$$ = limit_stmt_alloc(&@$);
diff --git a/src/scanner.l b/src/scanner.l
index 8b5a383..17b987a 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -307,6 +307,11 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "notice"		{ return LEVEL_NOTICE; }
 "info"			{ return LEVEL_INFO; }
 "debug"			{ return LEVEL_DEBUG; }
+"tcpseq"		{ return TCPSEQ; }
+"tcpopt"		{ return TCPOPT; }
+"ipopt"			{ return IPOPT; }
+"uid"			{ return UID; }
+"macdecode"		{ return MACDECODE; }
 
 "queue"			{ return QUEUE;}
 "num"			{ return QUEUENUM;}
diff --git a/src/statement.c b/src/statement.c
index 8ccd489..f5a659f 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -27,6 +27,7 @@
 
 #include <netinet/in.h>
 #include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_log.h>
 
 struct stmt *stmt_alloc(const struct location *loc,
 			const struct stmt_ops *ops)
@@ -181,6 +182,8 @@ static const char *log_level(uint32_t level)
 
 static void log_stmt_print(const struct stmt *stmt)
 {
+	const char *delim = " ";
+
 	printf("log");
 	if (stmt->log.flags & STMT_LOG_PREFIX)
 		printf(" prefix \"%s\"", stmt->log.prefix);
@@ -193,6 +196,27 @@ static void log_stmt_print(const struct stmt *stmt)
 	if ((stmt->log.flags & STMT_LOG_LEVEL) &&
 	    stmt->log.level != LOG_WARNING)
 		printf(" level %s", log_level(stmt->log.level));
+
+	if (stmt->log.logflags) {
+		if (stmt->log.logflags & NF_LOG_TCPSEQ) {
+			printf("%stcpseq", delim);
+			delim = ",";
+		}
+		if (stmt->log.logflags & NF_LOG_TCPOPT) {
+			printf("%stcpopt", delim);
+			delim = ",";
+		}
+		if (stmt->log.logflags & NF_LOG_IPOPT) {
+			printf("%sipopt", delim);
+			delim = ",";
+		}
+		if (stmt->log.logflags & NF_LOG_UID) {
+			printf("%suid", delim);
+			delim = ",";
+		}
+		if (stmt->log.logflags & NF_LOG_MACDECODE)
+			printf("%smacdecode", delim);
+	}
 }
 
 static void log_stmt_destroy(struct stmt *stmt)
-- 
2.5.5

[PATCH nft 2/3] doc: add description about log flags

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

Update usage description about tcpseq, tcpopt, ipopt, uid and macdecode
flags in log statement.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 doc/nft.xml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index 3b215f8..f4b21de 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2238,6 +2238,7 @@ ip forward ip dscp set 42
 					<replaceable>quoted_string</replaceable></arg>
 					<arg choice="opt">level
 					<replaceable>syslog-level</replaceable></arg>
+					<arg choice="opt">tcpseq,tcpopt,ipopt,uid,macdecode</arg>
 				</cmdsynopsis>
 				<cmdsynopsis>
 					<command>log</command>
@@ -2297,6 +2298,41 @@ ip forward ip dscp set 42
 						</tbody>
 					</tgroup>
 				</table>
+				<table frame="all">
+					<title>log statement flags</title>
+					<tgroup cols='2' align='left' colsep='1' rowsep='1'>
+						<colspec colname='c1'/>
+						<colspec colname='c2'/>
+						<thead>
+							<row>
+								<entry>Flag</entry>
+								<entry>Description</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>tcpseq</entry>
+								<entry>Log TCP sequence numbers.</entry>
+							</row>
+							<row>
+								<entry>tcpopt</entry>
+								<entry>Log options from the TCP packet header.</entry>
+							</row>
+							<row>
+								<entry>ipopt</entry>
+								<entry>Log options from the IP/IPv6 packet header.</entry>
+							</row>
+							<row>
+								<entry>uid</entry>
+								<entry>Log the userid of the process which generated the packet.</entry>
+							</row>
+							<row>
+								<entry>macdecode</entry>
+								<entry>Decode MAC addresses and protocol.</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</table>
 			</para>
                 </refsect2>
 		<refsect2>
-- 
2.5.5

[PATCH nft 3/3] tests: py: add some testcases for log flags

[Liping Zhang]

From: Liping Zhang <liping.zhang@spreadtrum.com>

Add both good and bad nft rules to cover log flags, also update t.payload
due to changes in libnftnl, i.e. "prefix (null)" and "flags 0" will never
be printed out.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 tests/py/any/log.t                |  4 ++++
 tests/py/any/log.t.payload        | 33 ++++++++++++++++++++-------------
 tests/py/ip/icmp.t.payload.ip     |  2 +-
 tests/py/ip6/icmpv6.t.payload.ip6 |  6 +++---
 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/tests/py/any/log.t b/tests/py/any/log.t
index 99a7f1f..eb7779c 100644
--- a/tests/py/any/log.t
+++ b/tests/py/any/log.t
@@ -25,3 +25,7 @@ log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2
 log group 2 queue-threshold 2;ok
 log group 2 snaplen 33;ok
 log group 2 prefix \"nft-test: \";ok;log prefix "nft-test: " group 2
+
+log uid;ok
+log level debug tcpseq,ipopt,uid;ok
+log tcpopt,macdecoed group 2;fail
diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload
index 689668b..cecdcee 100644
--- a/tests/py/any/log.t.payload
+++ b/tests/py/any/log.t.payload
@@ -1,52 +1,59 @@
 # log
 ip test-ip4 output
-  [ log prefix (null) ]
+  [ log ]
 
 # log level emerg
 ip test-ip4 output
-  [ log prefix (null) level 0 flags 0]
+  [ log level 0 ]
 
 # log level alert
 ip test-ip4 output
-  [ log prefix (null) level 1 flags 0]
+  [ log level 1 ]
 
 # log level crit
 ip test-ip4 output
-  [ log prefix (null) level 2 flags 0]
+  [ log level 2 ]
 
 # log level err
 ip test-ip4 output
-  [ log prefix (null) level 3 flags 0]
+  [ log level 3 ]
 
 # log level warn
 ip test-ip4 output
-  [ log prefix (null) level 4 flags 0]
+  [ log level 4 ]
 
 # log level notice
 ip test-ip4 output
-  [ log prefix (null) level 5 flags 0]
+  [ log level 5 ]
 
 # log level info
 ip test-ip4 output
-  [ log prefix (null) level 6 flags 0]
+  [ log level 6 ]
 
 # log level debug
 ip test-ip4 output
-  [ log prefix (null) level 7 flags 0]
+  [ log level 7 ]
 
 # log prefix aaaaa-aaaaaa group 2 snaplen 33
 ip test-ip4 output
-  [ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0]
+  [ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0 ]
 
 # log group 2 queue-threshold 2
 ip test-ip4 output
-  [ log prefix (null) group 2 snaplen 0 qthreshold 2]
+  [ log group 2 snaplen 0 qthreshold 2 ]
 
 # log group 2 snaplen 33
 ip test-ip4 output
-  [ log prefix (null) group 2 snaplen 33 qthreshold 0]
+  [ log group 2 snaplen 33 qthreshold 0 ]
 
 # log group 2 prefix \"nft-test: \"
 ip test-ip4 output
-  [ log prefix nft-test:  group 2 snaplen 0 qthreshold 0]
+  [ log prefix nft-test:  group 2 snaplen 0 qthreshold 0 ]
 
+# log uid
+ip test-ip4 output
+  [ log uid ]
+
+# log level debug tcpseq,ipopt,uid
+ip test-ip4 output
+  [ log level 7 tcpseq ipopt uid ]
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index 32f2685..ecfb9ce 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -227,7 +227,7 @@ ip test-ip4 input
   [ cmp eq reg 1 0x00000001 ]
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ cmp eq reg 1 0x0000dd04 ]
-  [ log prefix (null) ]
+  [ log ]
 
 # icmp id 22
 ip test-ip4 input
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index 4b6f541..d9fa1ee 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -193,7 +193,7 @@ ip6 test-ip6 input
   [ cmp eq reg 1 0x0000003a ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ cmp eq reg 1 0x0000ae08 ]
-  [ log prefix (null) ]
+  [ log ]
 
 # icmpv6 checksum != 2222 log
 ip6 test-ip6 input
@@ -201,7 +201,7 @@ ip6 test-ip6 input
   [ cmp eq reg 1 0x0000003a ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ cmp neq reg 1 0x0000ae08 ]
-  [ log prefix (null) ]
+  [ log ]
 
 # icmpv6 checksum 222-226
 ip6 test-ip6 input
@@ -217,7 +217,7 @@ ip6 test-ip6 input
   [ cmp eq reg 1 0x0000003a ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ cmp neq reg 1 0x0000ae08 ]
-  [ log prefix (null) ]
+  [ log ]
 
 # icmpv6 checksum { 222, 226}
 __set%d test-ip6 3
-- 
2.5.5

Re: [PATCH nft 0/3] src: add nft log flags support

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
> log more things. The following iptables rule:
>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>   --log-ip-options --log-uid --log-macdecode
> is equal to the following nft rule:
>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode

Sorry, I wanted to have a closer look at this but time has been
running up and I didn't manage to get back to this.

So basically, I would like to explore different syntax for this, eg.

        log flags tcp sequence,options
        log flags ip options
        log flags skuid
        log flags ether

I think syntax would be larger, but it would look more consistent to
what we have. Worst case is to get them all set. We can provide a
compact version for this:

        log flags all

Please, see sketch patch attached for brainstorming.

Would you have a look into this? Thanks and again sorry for not
getting any sooner on this.

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 1416 bytes --]

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 91955c187f3f..286290341ffb 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -201,6 +201,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token EXPORT			"export"
 %token MONITOR			"monitor"
 
+%token ALL			"all"
+
 %token ACCEPT			"accept"
 %token DROP			"drop"
 %token CONTINUE			"continue"
@@ -268,6 +270,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token GATEWAY			"gateway"
 %token MTU			"mtu"
 
+%token OPTIONS			"options"
+
 %token IP6			"ip6"
 %token PRIORITY			"priority"
 %token FLOWLABEL		"flowlabel"
@@ -1530,6 +1534,25 @@ log_arg			:	PREFIX			string
 				$<stmt>0->log.level	= $2;
 				$<stmt>0->log.flags 	|= STMT_LOG_LEVEL;
 			}
+			|	FLAGS			log_flags
+			{
+				;
+			}
+			;
+
+log_flags		:	TCP	log_flags_tcp
+			|	IP	OPTIONS
+			|	SKUID
+			|	ETHER
+			|	ALL
+			;
+
+log_flags_tcp		:	log_flags_tcp	COMMA	log_flag_tcp
+			|	log_flag_tcp
+			;
+
+log_flag_tcp		:	SEQUENCE
+			|	OPTIONS
 			;
 
 level_type		:	string
diff --git a/src/scanner.l b/src/scanner.l
index cd7398b4e534..625023f5257c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -469,6 +469,9 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "notrack"		{ return NOTRACK; }
 
+"options"		{ return OPTIONS; }
+"all"			{ return ALL; }
+
 "xml"			{ return XML; }
 "json"			{ return JSON; }
 

Re: [PATCH nft 0/3] src: add nft log flags support

[Liping Zhang]

2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <liping.zhang@spreadtrum.com>
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following iptables rule:
>>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>>   --log-ip-options --log-uid --log-macdecode
>> is equal to the following nft rule:
>>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode
>
> Sorry, I wanted to have a closer look at this but time has been
> running up and I didn't manage to get back to this.
>
> So basically, I would like to explore different syntax for this, eg.
>
>         log flags tcp sequence,options
>         log flags ip options
>         log flags skuid
>         log flags ether

Yes, this syntax looks better, I will send V2 later based on your suggestions.

Thanks Pablo.

>
> I think syntax would be larger, but it would look more consistent to
> what we have. Worst case is to get them all set. We can provide a
> compact version for this:
>
>         log flags all
>
> Please, see sketch patch attached for brainstorming.
>
> Would you have a look into this? Thanks and again sorry for not
> getting any sooner on this.