On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
>
> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
> log more things. The following iptables rule:
>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>       --log-ip-options --log-uid --log-macdecode
> is equal to the following nft rule:
>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode

Sorry, I wanted to have a closer look at this but time has been running up and I didn't manage to get back to this.

So basically, I would like to explore different syntax for this, e.g.

        log flags tcp sequence,options
        log flags ip options
        log flags skuid
        log flags ether

I think syntax would be larger, but it would look more consistent to what we have.

Worst case is to get them all set. We can provide a compact version for this:

        log flags all

Please, see sketch patch attached for brainstorming.

Would you have a look into this?

Thanks and again sorry for not getting any sooner on this.

diff --git a/src/parser_bison.y b/src/parser_bison.y index 91955c187f3f..286290341ffb 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -201,6 +201,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token EXPORT "export" %token MONITOR "monitor" +%token ALL "all" + %token ACCEPT "accept" %token DROP "drop" %token CONTINUE "continue" @@ -268,6 +270,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token GATEWAY "gateway" %token MTU "mtu" +%token OPTIONS "options" + %token IP6 "ip6" %token PRIORITY "priority" %token FLOWLABEL "flowlabel" @@ -1530,6 +1534,25 @@ log_arg : PREFIX string $<stmt>0->log.level = $2; $<stmt>0->log.flags |= STMT_LOG_LEVEL; } + | FLAGS log_flags + { + ; + } + ; + +log_flags : TCP log_flags_tcp + | IP OPTIONS + | SKUID + | ETHER + | ALL + ; + +log_flags_tcp : log_flags_tcp COMMA log_flag_tcp + | log_flag_tcp + ; + +log_flag_tcp : SEQUENCE + | OPTIONS ; level_type : string diff --git a/src/scanner.l b/src/scanner.l index cd7398b4e534..625023f5257c 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -469,6 +469,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "notrack" { return NOTRACK; } +"options" { return OPTIONS; } +"all" { return ALL; } + "xml" { return XML; } "json" { return JSON; }
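
Review bot: In the src/parser_bison.y hunk at @@ -1530, the action for "FLAGS log_flags" is only ";" and none of the log_flags, log_flags_tcp or log_flag_tcp alternatives has an action, so the grammar accepts the new syntax but stores nothing in the statement. The level rule directly above it assigns $<stmt>0->log.level and ORs STMT_LOG_LEVEL into $<stmt>0->log.flags; the new rules need the equivalent, with each alternative yielding its flag value and the log_arg action recording it. Also, log_flags takes exactly one group per "flags" keyword, so the proposal should say whether combining, for example, "tcp sequence,options" with "ip options" in one rule means repeating "log flags ..." or is not allowed.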
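
Review bot: In the src/scanner.l hunk at @@ -469, "options" and "all" are added as plain patterns next to "notrack", "xml" and "json", which makes them keywords wherever the scanner runs, not only after "log flags". Any input that previously used either word as an ordinary string will now produce an OPTIONS or ALL token instead, so please check that the places in the grammar that take user-chosen names still accept these two words, or note the newly reserved words in the commit message.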