Element-Level Logging Support in nftables Sets

Element-Level Logging Support in nftables Sets

[sontu mazumdar]

Hi Everyone,

I am exploring whether it's possible to add logging support at the
element level within an nftables set. Specifically, I'm looking for
functionality where an individual element in a set can trigger a log
when it's matched—something like the following:

table inet mytable {
set s {
typeof ip saddr
counter
elements = { 1.1.1.1 log prefix "element1" level info,
                     1.1.1.3 log prefix "element2" level info }
        }
}

I understand that nftables sets currently do not support logging at
the element level. Is there any plan to introduce this feature in
future releases?

Regards,
Sontu

Re: Element-Level Logging Support in nftables Sets

[Florian Westphal]

sontu mazumdar <sontu21@gmail.com> wrote:
> I am exploring whether it's possible to add logging support at the
> element level within an nftables set. Specifically, I'm looking for
> functionality where an individual element in a set can trigger a log
> when it's matched—something like the following:
> 
> table inet mytable {
> set s {
> typeof ip saddr
> counter
> elements = { 1.1.1.1 log prefix "element1" level info,
>                      1.1.1.3 log prefix "element2" level info }
>         }
> }

Could be done, however, typically "log" is combined with "limit" to
prevent log flooding.

> I understand that nftables sets currently do not support logging at
> the element level. Is there any plan to introduce this feature in
> future releases?

Not that I know of.  Whats your use case?