Re: [PATCH iptables v2 0/8] extensions: libxt_NFLOG: use nft back-end for iptables-nft


On Mon, Jan 17, 2022 at 09:54:52PM +0000, Jeremy Sowden wrote:
> On 2022-01-17, at 11:40:51 +0100, Phil Sutter wrote:
> > On Sun, Jan 16, 2022 at 08:08:15PM +0100, Florian Westphal wrote:
[...]
> > > Pablo, Phil, others -- what is your take?
> >
> > I think the change is OK if existing rulesets will continue to work
> > just as before and remain compatible with legacy. IMHO, new rulesets
> > created using iptables-nft may become incompatible if users explicitly
> > ask for it (e.g. by specifying an exceedingly long log prefix).
> >
> > What about --nflog-range? This series seems to drop support for it, at
> > least in the sense that ruleset dumps won't contain the option. In
> > theory, users could depend on identifying a specific rule via nflog
> > range value.
> 
> Fair enough.  I'll add a check so that nft is not used for targets that
> specify `--nflog-range`.

--nflog-range does work?

--nflog-size is used and can be mapped to 'snaplen' in nft_log.

The manpage has also discouraged the usage of --nflog-range for a long time.

Not sure it is worth adding a different path for this case.


