On 05/02/2020 14:29, Florian Westphal wrote:
ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
Having perused the WIKI [1] I tried to get protocol specific logging going,
but ended up with
* tcp log -> Error: syntax error, unexpected log
* icmpv6 log -> Error: syntax error, unexpected log
Only with an explicit protocol statement logging works
* ip protocol tcp log
* ip6 nexthdr icmpv6 log
You mean "log" doesn't work? (no "tcp" prefix).
Yes, logging does not work with
icmpv6 log
and throws the error, whilst
ip6 nexthdr icmpv6 log
works and does not exhibit the error; similarly with tcp | udp.
For packet filtering it is however not necessary to make such explicit
ip protocol | ip6 nexthdr statements. And since there is no mention of
such an (explicit) requirement in the WIKI I raised the question here
because I find it inexplicable that filtering does work one way and
logging another way.
cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
This means that ipv4 is logged by nf_log_ipv4 and ipv6 via
nf_log_ipv6. Everything should be working for ipv4, ipv6 and inet
without any further action (provided you want to use printk-based
logging via dmesg rather than nfnetlink).
Just installed nfnetlink_log module to see whether it would make a
difference but it did not and it is now removed again.
Tried with
echo "nf_log_icmp" > /proc/sys/net/netfilter/nf_log/1
There is no layer 4 logger. nf_log_XXX, where XXX is an l3 protocol
family, i.e. nf_log_{ipv4,ipv6,arp,bridge} or nfnetlink_log.
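As an added illustration of the two points made in this thread (loggers are bound per layer-3 family, not per layer-4 protocol, and an inet table needs both the ipv4 and ipv6 slots covered), here is a small checker that parses the /proc/net/netfilter/nf_log listing and reports which logger a `log` statement in a given nftables table family would actually hit. It is not code from the thread or from the netfilter project; the NFPROTO_* numbers are the kernel's uapi values, the sample listing is constructed in the shape of the one quoted above, and the set of accepted logger names is the one Florian lists.

```python
"""Check which kernel logger an nftables `log` statement ends up using.

Each line of /proc/net/netfilter/nf_log is:  <family index> <active logger|NONE> (<available loggers>)
"""
import re

# Netfilter layer-3 family numbers (NFPROTO_* in the kernel uapi).  The first
# column of /proc/net/netfilter/nf_log is this index, so there is no slot for
# a layer-4 protocol such as tcp or icmp.
NFPROTO = {0: "unspec", 1: "inet", 2: "ipv4", 3: "arp", 5: "netdev",
           7: "bridge", 10: "ipv6", 12: "decnet"}

# Logger names that can be written to /proc/sys/net/netfilter/nf_log/<index>
# (the list given in the thread; "nf_log_icmp" is not one of them).
L3_LOGGERS = {"nf_log_ipv4", "nf_log_ipv6", "nf_log_arp", "nf_log_bridge",
              "nfnetlink_log"}

# Constructed sample listing, same shape as the one pasted in the thread.
SAMPLE_NF_LOG = """\
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
3 NONE (nfnetlink_log)
10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\((.*)\)$")


def parse_nf_log(text):
    """Return {family index: (active logger or None, [available loggers])}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        idx, active, avail = int(m.group(1)), m.group(2), m.group(3)
        loggers = [name for name in avail.split(",") if name]
        table[idx] = (None if active == "NONE" else active, loggers)
    return table


def logger_for(table, nft_family):
    """Map an nftables table family to the kernel logger(s) its `log` rules use.

    inet tables see both IPv4 and IPv6 packets, so both slots must be bound."""
    slots = {"ip": [2], "ip6": [10], "inet": [2, 10], "arp": [3],
             "bridge": [7], "netdev": [5]}[nft_family]
    return {NFPROTO[i]: table.get(i, (None, []))[0] for i in slots}


def is_valid_logger_name(name):
    """True only for layer-3 loggers; rejects made-up layer-4 names."""
    return name in L3_LOGGERS
```

Running `logger_for(parse_nf_log(open("/proc/net/netfilter/nf_log").read()), "inet")` on a live host shows at a glance whether an inet table's log rules are covered for both address families.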