Re: [ULOGD PATCH 08/14] Add state option to NFLOG input plugin.

On Saturday, 2008 April  5 at 17:10:59 +0200, Pablo Neira Ayuso wrote:
> Eric Leblond wrote:
> > This patch adds support for "state" option to the NFLOG plugin. For example, it
> > can be used by another module to determine if the packet has been dropped,
> > rejected or accepted.
> 
> What is the exact purpose of the "state" option? The use of the term
> "state" for this seems to me a bit confusing as users may think that it
> is related to "stateful filtering". Please, develop the idea a bit more.

Hmm, you are quite right, 'state' may be a bad choice. In fact, the idea is to
be able to give a context relative to the logging. For example, I
planned to use it with:
 if state = 0 then packet has been dropped (typical -j NFLOG followed by -j DROP)
 if state = 1 then this is -j NFLOG followed by -j ACCEPT
With that usage choice, the word 'decision' would be better than 'state'.

I think other people may think of other usages. For example, it could be
used to indicate the severity of the logged "attack". In this case, the
'decision' keyword is not really a good choice.

The only words that came to my mind and that would be better than
'state' are 'flag' or 'context' but you may have a better idea.

> I have kept back patches 8/14 to 13/14 until we end discussing this.
> 
> > This patch also fixes a bug in definition of seq_global_ce macro.
> 
> Please, split this into two patches next time as they are not related.

Ok.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
