On 05/02/2020 14:48, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
>> On 05/02/2020 14:29, Florian Westphal wrote:
>>> ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
>>>> Having perused the WIKI [1] I tried to get protocol specific logging going,
>>>> but ended up with
>>>> * tcp log -> Error: syntax error, unexpected log
>>>> * icmpv6 log -> Error: syntax error, unexpected log
>>>> Only with an explicit protocol statement logging works
>>>> * ip protocol tcp log
>>>> * ip6 nexthdr icmpv6 log
>>> You mean "log" doesn't work? (no "tcp" prefix).
>> Yes, logging does not work with
>> icmpv6 log
>> and throws the error, whilst
>> ip6 nexthdr icmpv6 log
>> works and does not exhibit the error, similar with tcp | udp.
>> For packet filtering it is however not necessary to make such explicit ip
>> protocol | ip6 nexthdr statements. And since there is no mention of such
>> (explicit) requirement in the WIKI I raised the question here because I find
>> it inexplicable that filtering does work one way and logging another way.
> Not following. "log" is a single statement, it has no prefix keyword.
> Why would it be special?
> It works just like everything else.
> If you want to log just tcp (regardless of ipv4 or ipv6), then use
> "meta l4proto tcp log"
> in the inet family. "meta l4proto" gives next header protocol after
> the ip or ipv6 header. In case of ipv6, it will skip extension headers,
> if any.
Citing an example from the WIKI
nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH
connection: \" accept
there is no "ip protocol" stipulated. And neither does it throw an error
and it works as expected (described in the WIKI)
Trying something similar in the inet table
nft add rule inet filter input tcp log
throws
Error: syntax error, unexpected log
However,
* nft add rule inet filter input ip protocol tcp log
* nft add rule inet filter input ip6 nexthdr icmpv6 log
neither throws an error. Hope that makes it clear.
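Florian's "meta l4proto" form next to the working and failing forms from the thread, as a complete ruleset for `nft -f`; this is an added example, not from the thread or the nftables wiki, and the chain layout, log prefixes and the `ct state new` / `counter` additions are my own assumptions.

```nft
# Constructed example ruleset; not taken from the thread or the wiki.
# Shows protocol-specific logging in the inet family without ip/ip6 matches.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Works: "log" follows a complete match expression.
        # "meta l4proto" reads the transport protocol for both IPv4 and IPv6
        # and skips IPv6 extension headers.
        meta l4proto tcp ct state new log prefix "new tcp: " counter

        # ICMPv6 logging without the "ip6 nexthdr" match used in the thread.
        meta l4proto icmpv6 log prefix "icmpv6: " counter

        # The wiki rule quoted in the thread also parses: "tcp dport 22" is a
        # full header expression, so "log" has something to attach to.
        tcp dport 22 ct state new log prefix "New SSH connection: " accept

        # Family-specific forms from the thread, kept for comparison.
        ip protocol tcp log prefix "ip tcp: "
        ip6 nexthdr icmpv6 log prefix "ip6 icmpv6: "

        # Fails with "Error: syntax error, unexpected log": "tcp" on its own
        # is an incomplete header expression, not a match, so "log" cannot
        # follow it. Left commented out so the file loads.
        # tcp log
    }
}
```

`nft -c -f ruleset.nft` parses the file without loading it; uncommenting the last rule reproduces the error from the original post.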