How to log frames that have been processed as part of a vmap?
map foo {
    type icmpv6_type . icmpv6_code : verdict
    elements = {
        1 . 0 : accept,
        1 . 1 : accept,
        1 . 2 : accept,
        1 . 3 : accept,
        1 . 4 : accept,
        1 . 5 : accept,
        1 . 6 : accept,
        1 . 7 : accept,
        1 . 8 : accept,
        2 . 0 : accept,
        3 . 0 : accept,
        3 . 1 : accept,
        4 . 0 : accept,
        4 . 1 : accept,
        4 . 2 : accept,
        128 . 0 : accept,
    }
}
Putting the log statement after the vmap, e.g.:
icmpv6 type . icmpv6 code vmap @foo log flags all prefix "bar: ";
does not produce any logging, supposedly since the verdict is
terminal and processed prior to the log statement. Putting it before the
rule however:
log flags all prefix "bar: " icmpv6 type . icmpv6 code vmap @foo;
logs frames out of context of this rule; it logs every frame that
is processed in the chain prior to the vmap statement being processed, e.g.:
FW bar: IN=br-lan OUT=pppoe-wan MACSRC=b0:10:41:ba:be:5f
MACDST=d8:58:d7:00:79:7a MACPROTO=0800 SRC=192.168.84.205
DST=xxx.xxx.59.84 LEN=28 TOS=0x00 PREC=0x00 TTL=4 ID=25008 DF PROTO=UDP
SPT=61905 DPT=36653 LEN=8
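
One way to log only the frames that hit a map element is to let the map's verdict jump to a small chain that logs and then accepts. This is an added example, not part of the original post; the table name ip6 demo, the chain names icmp6_log_accept and forward, and the hook and priority are assumptions.

```nft
# Added example (not from the original post); all table/chain names are assumed.
table ip6 demo {
    # Reached only through a map verdict, so the log statement sees
    # only frames whose type . code pair is an element of @foo.
    chain icmp6_log_accept {
        log flags all prefix "bar: " accept
    }

    map foo {
        type icmpv6_type . icmpv6_code : verdict
        elements = {
            1 . 0 : jump icmp6_log_accept,
            1 . 1 : jump icmp6_log_accept,
            1 . 2 : jump icmp6_log_accept,
            1 . 3 : jump icmp6_log_accept,
            1 . 4 : jump icmp6_log_accept,
            1 . 5 : jump icmp6_log_accept,
            1 . 6 : jump icmp6_log_accept,
            1 . 7 : jump icmp6_log_accept,
            1 . 8 : jump icmp6_log_accept,
            2 . 0 : jump icmp6_log_accept,
            3 . 0 : jump icmp6_log_accept,
            3 . 1 : jump icmp6_log_accept,
            4 . 0 : jump icmp6_log_accept,
            4 . 1 : jump icmp6_log_accept,
            4 . 2 : jump icmp6_log_accept,
            128 . 0 : jump icmp6_log_accept
        }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # No log statement here: a leading log would fire for every frame
        # traversing the chain, and a trailing one is never reached once
        # the map returns a terminal verdict.
        meta l4proto ipv6-icmp icmpv6 type . icmpv6 code vmap @foo
    }
}
```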