Re: Did firewall logging got broken with netfilter?

George N. White III writes:


https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail

My attention span was not sufficient for that one.

The author says he used logs to work out the details, but doesn't say how the logs were
obtained. There is lots of old stuff on netfilter logging:


https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic (Logging traffic - nftables wiki, from 2017) uses ulogd.

So, there is a logging facility, of some sorts, in nft.

But I already had logging working when firewalld was using iptables. The rich rule that specifies logging is still there. Nothing happened to it.

firewall-config even shows this rule. firewall-config has a checkbox to, allegedly, enable logging. When showing this rule firewall-config even shows this checkbox as selected. So far so good, but the forward march of progress ends abruptly, at this point:

No logging.

Also, curiously, I don't seem to be able to edit this rule in firewall-config. It shows it but won't let me edit it. The rich rule was added directly via firewall-cmd, so at some level firewalld knows about it. Except that it is not fully implemented in the UI, and fully unimplemented in the netfilter backend. At least the rule itself is there, and its core functionality is there. But the logging is sorely missed.

Perusing the nftables wiki it does seem that firewalld /should/ be able to grok this, and it's simply not implemented. I'll just cross my fingers, and patiently wait for it to catch up with iptables.

A shot in the dark: the old iptables-based rule specified a rate limit on the logging. The nft wiki page makes no mention of rate limit. I wonder if that's the firewalld limitation, it just ignores the log specification because of that?
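One way to settle whether the backend dropped the log statement, rather than guessing from the UI, is to inspect what nftables actually loaded. The following is an added example, not code from the thread or from firewalld: it parses the JSON that `nft -j list ruleset` emits and reports every rule carrying a `log` statement together with any `limit` in front of it. The embedded ruleset is a constructed sample, and the table and chain names (`firewalld`, `filter_IN_public`) are assumptions, not firewalld's guaranteed naming.

```python
import json

# Constructed sample in the JSON shape emitted by `nft -j list ruleset`.
# Table/chain names are assumed; the real firewalld backend may differ.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.0", "release_name": "x", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "firewalld", "handle": 1}},
    {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public", "handle": 2}},
    # Match-and-accept only: nothing in this rule will ever produce a log line.
    {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public",
              "handle": 10, "expr": [
                  {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                             "right": 22}},
                  {"accept": None}]}},
    # What a rich rule with `log ... limit value="3/m"` should translate to.
    {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public",
              "handle": 11, "expr": [
                  {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                             "right": "192.0.2.0/24"}},
                  {"limit": {"rate": 3, "per": "minute", "burst": 5}},
                  {"log": {"prefix": "RICH-LOG ", "level": "info"}},
                  {"accept": None}]}},
]})


def find_log_rules(ruleset_json):
    """Return one summary dict per rule that contains a `log` statement.

    An empty result for the chain you expect means the backend never
    emitted the log statement, whatever the GUI checkbox claims.
    """
    found = []
    for obj in json.loads(ruleset_json)["nftables"]:
        rule = obj.get("rule")
        if rule is None:          # tables, chains, metainfo: skip
            continue
        exprs = rule.get("expr", [])
        logs = [e["log"] for e in exprs if "log" in e]
        if not logs:
            continue
        limits = [e["limit"] for e in exprs if "limit" in e]
        log = logs[0] or {}       # a bare `log` statement serialises as null
        found.append({
            "chain": rule["chain"],
            "handle": rule["handle"],
            "prefix": log.get("prefix"),
            "level": log.get("level"),
            "limit": "%s/%s" % (limits[0]["rate"], limits[0]["per"]) if limits else None,
        })
    return found
```

On a live host, feed it the output of `nft -j list ruleset` (run as root) instead of the sample and compare the reported chains and prefixes against the rich rules `firewall-cmd --list-rich-rules` shows.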
