Hi,

We manage firewall appliance products. A few of them can log not only packet information but also which rule number or rule ID caused the log entry.

I know nflog can do so by specifying log-prefix, but the user must keep the prefixes unique, which seems troublesome. Based on that, how about passing a systematic ID to nflog?

I think one way is to introduce a holder struct like

    struct nft_rule_key {
            char *chain_name;   /* name of the chain containing the rule */
            u64 rule_handle;    /* handle number of the rule */
    };

and add it as a member of struct nft_pktinfo. A rule identifier --- chain name and rule handle number --- can be passed to the eval() callback by setting those in nft_do_chain()::nf_tables_core.c before calling the eval() callback.

But I don't know whether this approach fits the overall nft design or not. And it seems that a big change will be needed after passing nft_rule_key to nft_log_eval().

So, please let me ask three questions:

* Is there a way to identify which rule output a log entry without log-prefix?
* Is there a plan to identify the rule from the log?
* How should I proceed in nft_log_eval() if this method, passing a rule identifier to nflog_log_eval(), is acceptable?

Thanks,
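As long as the log prefix is the only rule identifier in a log entry, its uniqueness has to be checked in userspace. The following is an added example, not code from the original post or from nftables: it parses a constructed `nft -a list ruleset` listing and maps each log prefix to (family, table, chain, rule handle), reporting prefixes shared by several rules and log rules that have no prefix. The function names and the sample ruleset are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `nft -a list ruleset` output (not from the original post).
SAMPLE = '''\
table inet filter { # handle 1
    chain input { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 22 log prefix "ssh-in " group 1 accept # handle 4
        tcp dport 80 log prefix "web " group 1 accept # handle 5
        tcp dport 443 log prefix "web " group 1 accept # handle 6
        udp dport 53 log group 1 # handle 7
    }
    chain forward { # handle 2
        type filter hook forward priority filter; policy drop;
        ct state invalid log prefix "fwd-invalid " drop # handle 9
    }
}
'''

TABLE_RE = re.compile(r'^table\s+(\S+)\s+(\S+)\s*\{')
CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{')
HANDLE_RE = re.compile(r'#\s*handle\s+(\d+)\s*$')
PREFIX_RE = re.compile(r'\bprefix\s+"([^"]*)"')

def index_log_rules(listing):
    """Return (by_prefix, unprefixed) for every rule that has a log statement."""
    by_prefix, unprefixed = defaultdict(list), []
    family = table = chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            family, table, chain = m.group(1), m.group(2), None
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif line == '}':
            chain = None                      # closes a chain (or set/table) block
        elif chain and (h := HANDLE_RE.search(line)) and re.search(r'\blog\b', line):
            rule = (family, table, chain, int(h.group(1)))
            p = PREFIX_RE.search(line)
            (by_prefix[p.group(1)] if p else unprefixed).append(rule)
    return by_prefix, unprefixed

def duplicate_prefixes(by_prefix):
    """Prefixes that cannot identify a single rule from a log entry."""
    return {p: rules for p, rules in by_prefix.items() if len(rules) > 1}

if __name__ == "__main__":
    prefixes, bare = index_log_rules(SAMPLE)
    for prefix, rules in duplicate_prefixes(prefixes).items():
        print(f"ambiguous prefix {prefix!r}: {rules}")
    for rule in bare:
        print(f"log rule without prefix: {rule}")
```

On a live system the listing would come from `nft -a list ruleset`, which prints each rule's handle as a trailing `# handle N` comment.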