Yes, it is compiled into kernel as a module (CONFIG_NFT_LOG=m). And also, you can see that module loaded with lsmod. I'm really out of the clue.

On 19-03-2018 12:09, Duncan Roe wrote:
> On Mon, Mar 19, 2018 at 10:02:06PM +1100, Duncan Roe wrote:
>> On Mon, Mar 19, 2018 at 11:14:58AM +0100, Darius wrote:
>>> I actually have same problem if I use config file and there families are defined:
>>>
>>> #!/usr/sbin/nft -f
>>>
>>> table ip ipv4_filter {
>>>
>>> chain incoming{
>>> type filter hook input priority 0; policy drop;
>>>
>>> tcp dport {ssh} log accept
>>> }
>>> }
>>>
>> I am at a loss to explain this. I tried your command on my system:
>>
>>> nft add rule ip IP FILTER_INPUT tcp dport {ssh} log accept
>> (except with my table and chain names) and the command was accepted.
>>
>> This has been working since January - is your nft older?
>>>> On March 19, 2018 at 12:52 AM Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> wrote:
>>>>
>>>>
>>>> On Sun, Mar 18, 2018 at 11:29:35PM +0100, darius wrote:
>>>>> Hi,
>>>>>
>>>>> Apparently, I can't add log statement in nft firewall. It does not
>>>>> matter if I do it in config file or in command line. In any case I get
>>>>> error:
>>>>>
>>>>> nft add rule filter input log
>>>>> Error: Could not process rule: No such file or directory
>>>>> add rule filter input log
>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>
>>>> [...]
>>>>
>>>> Try inserting the family before the table name. nft always assumes "ip4" if you
>>>> don't. You will then get the above error if table filter is ip6 (or inet).
>>>>
>>>> Cheers ... Duncan.
> Check your kernel .config for including Netfilter LOG over NFNETLINK interface
> (NETFILTER_NETLINK_LOG)
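The two checks discussed in this thread (kernel config options and loaded modules), gathered into one script as an added example; it is not part of any poster's message. The function names, the pairing of each option with its module name (`nft_log`, `nfnetlink_log`), and the usual file locations in the usage comment are assumptions of the example.

```shell
#!/bin/sh
# Added example: report the state of the kernel options named in this thread.

# kconfig_state OPTION FILE
# Prints "y", "m" or "not set" for CONFIG_OPTION in a kernel config file
# (plain text, or gzip-compressed when the name ends in .gz).
kconfig_state() {
    if [ "${2%.gz}" != "$2" ]; then reader="gzip -dc"; else reader="cat"; fi
    val=$($reader "$2" | sed -n "s/^CONFIG_$1=\([ym]\)\$/\1/p" | head -n 1)
    echo "${val:-not set}"
}

# module_loaded NAME FILE
# Succeeds when NAME is the first field of a line in FILE (/proc/modules format).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# check_log_support CONFIG_FILE MODULES_FILE
# Prints one line per option; returns 1 if an option is not set, or is built
# as a module that does not appear in MODULES_FILE.
check_log_support() {
    status=0
    for pair in NFT_LOG:nft_log NETFILTER_NETLINK_LOG:nfnetlink_log; do
        opt=${pair%%:*}
        mod=${pair##*:}
        state=$(kconfig_state "$opt" "$1")
        if [ "$state" = m ] && ! module_loaded "$mod" "$2"; then
            state="m (module not loaded)"
        fi
        printf 'CONFIG_%-22s %s\n' "$opt" "$state"
        [ "$state" = y ] || [ "$state" = m ] || status=1
    done
    return "$status"
}

# Usage (paths are common locations, not guaranteed on every distribution):
#   sh check_nft_log.sh "/boot/config-$(uname -r)" /proc/modules
#   sh check_nft_log.sh /proc/config.gz /proc/modules
if [ "$#" -eq 2 ]; then
    check_log_support "$1" "$2"
fi
```

A non-zero exit status means at least one of the two options is unset or its module is not currently loaded.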