2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following iptables rule:
>>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>>     --log-ip-options --log-uid --log-macdecode
>> is equal to the following nft rule:
>>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode
>
> Sorry, I wanted to have a closer look at this but time has been
> running up and I didn't manage to get back to this.
>
> So basically, I would like to explore different syntax for this, eg.
>
>     log flags tcp sequence,options
>     log flags ip options
>     log flags skuid
>     log flags ether

Yes, this syntax looks better, I will send V2 later based on your
suggestions. Thanks Pablo.

>
> I think syntax would be larger, but it would look more consistent to
> what we have. Worst case is to get them all set. We can provide a
> compact version for this:
>
>     log flags all
>
> Please, see sketch patch attached for brainstorming.
>
> Would you have a look into this? Thanks and again sorry for not
> getting any sooner on this.