Re: Log statement seems to be not working

On Mon, Mar 19, 2018 at 09:28:15PM +0100, darius wrote:
> The same situation is with NETFILTER_NETLINK_LOG. It is set as a module in
> the kernel.
>
> On 19-03-2018 12:09, Duncan Roe wrote:
> > On Mon, Mar 19, 2018 at 10:02:06PM +1100, Duncan Roe wrote:
> >> On Mon, Mar 19, 2018 at 11:14:58AM +0100, Darius wrote:
> >>> I actually have the same problem if I use a config file, and there the families are defined:
> >>>
> >>> #!/usr/sbin/nft -f
> >>>
> >>> table ip ipv4_filter {
> >>>
> >>>         chain incoming{
> >>>         type filter hook input priority 0; policy drop;
> >>>
> >>>         tcp dport {ssh} log accept
> >>>         }
> >>> }
> >>>
> >> I am at a loss to explain this. I tried your command on my system:
> >>
> >>> nft add rule ip IP FILTER_INPUT tcp dport {ssh} log accept
> >> (except with my table and chain names) and the command was accepted.
> >>
> >> This has been working since January - is your nft older?
> >>>> On March 19, 2018 at 12:52 AM Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> wrote:
> >>>>
> >>>>
> >>>> On Sun, Mar 18, 2018 at 11:29:35PM +0100, darius wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Apparently, I can't add a log statement in the nft firewall. It does not
> >>>>> matter if I do it in a config file or on the command line. In any case I get
> >>>>> an error:
> >>>>>
> >>>>> nft add rule filter input log
> >>>>> Error: Could not process rule: No such file or directory
> >>>>> add rule filter input log
> >>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>>>
> >>>> [...]
> >>>>
> >>>> Try inserting the family before the table name. nft always assumes "ip4" if you
> >>>> don't. You will then get the above error if table filter is ip6 (or inet).
> >>>>
> >>>> Cheers ... Duncan.
> > Check your kernel .config for including Netfilter LOG over NFNETLINK interface
> > (NETFILTER_NETLINK_LOG)
>
Anything in dmesg?

I'm really clutching at straws here - does anyone else have some idea what might
be going wrong?
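
The kernel .config check suggested in the thread, as an added example that is not part of the original messages: it reports how the options behind an nft log rule are set in a config file. Only NETFILTER_NETLINK_LOG is named in the thread; NF_TABLES, NFT_LOG and NF_LOG_IPV4 are assumptions added here (option names from 4.x-era kernels), and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report how the kernel options behind an nft "log" rule are set.
# NETFILTER_NETLINK_LOG comes from the thread; NF_TABLES, NFT_LOG and
# NF_LOG_IPV4 are assumptions added here (names from 4.x-era kernels).

# kconfig_state FILE OPTION -> prints y, m, or unset
kconfig_state() {
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-unset}"
}

# log_support_report FILE -> one "OPTION state" line per option
log_support_report() {
    for opt in NF_TABLES NFT_LOG NF_LOG_IPV4 NETFILTER_NETLINK_LOG; do
        echo "$opt $(kconfig_state "$1" "$opt")"
    done
}

# missing_log_options FILE -> space-separated options that are neither y nor m
missing_log_options() {
    log_support_report "$1" |
        awk '$2 == "unset" { printf "%s%s", sep, $1; sep = " " }'
}

# Constructed sample .config fragment (not taken from the thread).
sample_config() {
    cat <<'EOF'
CONFIG_NF_TABLES=m
# CONFIG_NFT_LOG is not set
CONFIG_NF_LOG_IPV4=m
CONFIG_NETFILTER_NETLINK_LOG=m
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
log_support_report "$tmp"
echo "missing: $(missing_log_options "$tmp")"
rm -f "$tmp"
```

An option reported as `m` only helps if the module can actually be loaded on the running kernel, so a report with nothing missing still leaves the module check and dmesg to look at.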