ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> On 05/02/2020 14:29, Florian Westphal wrote:
> > ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> > > Having perused the WIKI [1] I tried to get protocol specific logging going,
> > > but ended up with
> > >
> > > * tcp log -> Error: syntax error, unexpected log
> > > * icmpv6 log -> Error: syntax error, unexpected log
> > >
> > > Only with an explicit protocol statement logging works
> > >
> > > * ip protocol tcp log
> > > * ip6 nexthdr icmpv6 log
> >
> > You mean "log" doesn't work? (no "tcp" prefix).
>
> Yes, logging does not work with
>
> icmpv6 log
>
> and throws the error, whilst
>
> ip6 nexthdr icmpv6 log
>
> works and does not exhibit the error, similar with tcp | udp.
>
> For package filtering it is however not necessary to make such explicit ip
> protocol | ip6 nexthdr statements. And since there is no mention of such
> (explicit) requirement in the WIKI I raised the question here because I find
> it inexplicable that filtering does work one way and logging another way.

Not following.

"log" is a single statement, it has no prefix keyword.
Why would it be special? It works just like everything else.

If you want to log just tcp (regardless of ipv4 or ipv6), then use
"meta l4proto tcp log" in the inet family.

"meta l4proto" gives next header protocol after the ip or ipv6 header.
In case of ipv6, it will skip extension headers, if any.
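The distinction Florian describes, as an added nftables ruleset example that is not part of the thread; the table, chain and log prefix names are constructed for illustration:

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). The inet family sees both IPv4 and
# IPv6 traffic, so one table covers both. Names below are constructed.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Filtering needs no explicit protocol statement: a header field
        # match such as "tcp dport" implies the layer-4 protocol check.
        tcp dport 22 accept

        # "tcp log" is a syntax error because "tcp" must be followed by a
        # header field, and "log" is a statement, not a field. Match the
        # layer-4 protocol explicitly instead. "meta l4proto" works for
        # IPv4 and IPv6 alike and, for IPv6, skips any extension headers.
        # "log" is non-terminating, so the packet continues to later rules.
        ct state new meta l4proto tcp counter log prefix "nft-tcp-new: "

        # Family-specific forms from the thread. "ip6 nexthdr" reads the
        # Next Header field of the fixed IPv6 header, so with extension
        # headers present it sees the first extension header, not icmpv6.
        ip protocol udp counter log prefix "nft-udp4: "
        ip6 nexthdr icmpv6 counter log prefix "nft-icmpv6: "

        ct state established,related accept

        # Rate-limit the catch-all log so a flood cannot fill the journal.
        limit rate 5/minute log prefix "nft-drop: "
    }
}
```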