Message ID | 20151221173559.GA8787@gmail.com |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
On 21 December 2015 at 18:35, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> Add translation for NF Logging to nftables.
>
> Examples:
>
> $ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
> nft add rule ip filter OUTPUT counter log group 30
>
> $ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
> nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32
>

Hi Shivani,

I think that rule should translate to:

nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" group 32

so, avoid using multiple 'log' keywords, which will load several nftables log expressions.

>
> +static void nflog_print_xlate(const struct xt_nflog_info *info,
> +			      char *prefix, struct xt_buf *buf)
> +{
> +	if (info->prefix[0] != '\0')
> +		xt_buf_add(buf, "%slog prefix \\\"%s\\\" ",
> +			   prefix, info->prefix);
> +	if (info->group)
> +		xt_buf_add(buf, "%slog group %u ", prefix, info->group);
> +	if (info->len)
> +		xt_buf_add(buf, "%slog snaplen %u ", prefix, info->len);
> +	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
> +		xt_buf_add(buf, "%slog queue-threshold %u ",
> +			   prefix, info->threshold);
> +}
> +

You may revisit this function.
On 21 December 2015 at 18:35, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>
> +static void nflog_print_xlate(const struct xt_nflog_info *info,
> +			      char *prefix, struct xt_buf *buf)
> +{
> +	if (info->prefix[0] != '\0')
> +		xt_buf_add(buf, "%slog prefix \\\"%s\\\" ",
> +			   prefix, info->prefix);
> +	if (info->group)
> +		xt_buf_add(buf, "%slog group %u ", prefix, info->group);

if info->group is not set, you should probably default to 0, since
this group info is mandatory in nftables to consider this logging the
same type of NFLOG (ie, use nfnetlink_log).

For reference, see:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nft_log.c#n67
On Mon, Dec 21, 2015 at 11:05:59PM +0530, Shivani Bhardwaj wrote:
> Add translation for NF Logging to nftables.
>
> Examples:
>
> $ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
> nft add rule ip filter OUTPUT counter log group 30
>
> $ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
> nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32
>
> $ sudo iptables-translate -I INPUT -j NFLOG --nflog-range 256
> nft insert rule ip filter INPUT counter log snaplen 256
>
> $ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
> nft insert rule ip filter INPUT counter log queue-threshold 25

Applied with changes.

> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
>  extensions/libxt_NFLOG.c | 28 +++++++++++++++++++++++++++-
>  1 file changed, 27 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
> index 448576a..3d05ce0 100644
> --- a/extensions/libxt_NFLOG.c
> +++ b/extensions/libxt_NFLOG.c
> @@ -72,7 +72,7 @@ static void nflog_print(const struct xt_nflog_info *info, char *prefix)
>  }
>
>  static void NFLOG_print(const void *ip, const struct xt_entry_target *target,
> -			int numeric)
> +			int numeric)
>  {
>  	const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
>
> @@ -86,6 +86,31 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
>  	nflog_print(info, "--");
>  }
>
> +static void nflog_print_xlate(const struct xt_nflog_info *info,
> +			      char *prefix, struct xt_buf *buf)
> +{
> +	if (info->prefix[0] != '\0')
> +		xt_buf_add(buf, "%slog prefix \\\"%s\\\" ",
> +			   prefix, info->prefix);
> +	if (info->group)
> +		xt_buf_add(buf, "%slog group %u ", prefix, info->group);
> +	if (info->len)
> +		xt_buf_add(buf, "%slog snaplen %u ", prefix, info->len);
> +	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
> +		xt_buf_add(buf, "%slog queue-threshold %u ",
> +			   prefix, info->threshold);
> +}
> +
> +static int NFLOG_xlate(const struct xt_entry_target *target,
> +		       struct xt_buf *buf, int numeric)
> +{
> +	const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data;
> +
> +	nflog_print_xlate(info, "", buf);
                          ^^

This is always "", so we can get rid of this extra parameter.

I have fixed this here, no need to send v2.

Thanks.
On Tue, Dec 22, 2015 at 01:47:57PM +0100, Arturo Borrero Gonzalez wrote:
> On 21 December 2015 at 18:35, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> >
> > +static void nflog_print_xlate(const struct xt_nflog_info *info,
> > +			      char *prefix, struct xt_buf *buf)
> > +{
> > +	if (info->prefix[0] != '\0')
> > +		xt_buf_add(buf, "%slog prefix \\\"%s\\\" ",
> > +			   prefix, info->prefix);
> > +	if (info->group)
> > +		xt_buf_add(buf, "%slog group %u ", prefix, info->group);
>
> if info->group is not set, you should probably default to 0, since
> this group info is mandatory in nftables to consider this logging the
> same type of NFLOG (ie, use nfnetlink_log).
>
> For reference, see:
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nft_log.c#n67

Thanks Arturo.

Please Shivani, address Arturo's feedback and send me an incremental
patch to fix this.
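The translation the two reviewers ask for, written here as an added example in C that is not the patch's or iptables' own code: one `log` keyword per NFLOG target, with `group` always emitted and falling back to 0 so the nft log expression keeps the nfnetlink_log backend. The `struct nflog_info`, the `NFLOG_DEFAULT_THRESHOLD` value and the buffer helpers are assumptions standing in for iptables' `xt_nflog_info` and `xt_buf` APIs.

```c
#include <stdio.h>
#include <string.h>

#define NFLOG_DEFAULT_THRESHOLD 0   /* assumed stand-in for XT_NFLOG_DEFAULT_THRESHOLD */

/* Constructed mirror of the xt_nflog_info fields the patch reads (assumed layout). */
struct nflog_info {
	unsigned int len;         /* --nflog-range     -> snaplen (0 = whole packet) */
	unsigned short group;     /* --nflog-group     -> group */
	unsigned short threshold; /* --nflog-threshold -> queue-threshold */
	char prefix[64];          /* --nflog-prefix    -> prefix */
};

/* Append one printf-style fragment to out, or return -1 if it would not fit. */
#define EMIT(...) do { \
	int n_ = snprintf(out + used, outlen - used, __VA_ARGS__); \
	if (n_ < 0 || (size_t)n_ >= outlen - used) \
		return -1; \
	used += (size_t)n_; \
} while (0)

/* Translate one NFLOG target into a single nft log expression. Unlike the patch
 * as posted, "log" is printed once and "group" is always present: nft attaches
 * nfnetlink_log (NFLOG's backend) only when a group is given, so no group -> 0. */
int nflog_xlate(const struct nflog_info *info, char *out, size_t outlen)
{
	size_t used = 0;
	EMIT("log");
	if (info->prefix[0] != '\0')
		EMIT(" prefix \\\"%s\\\"", info->prefix);
	EMIT(" group %u", (unsigned)info->group);
	if (info->len)
		EMIT(" snaplen %u", info->len);
	if (info->threshold != NFLOG_DEFAULT_THRESHOLD)
		EMIT(" queue-threshold %u", (unsigned)info->threshold);
	return (int)used;
}
#undef EMIT

/* Convenience wrapper: build the struct from option values, translate into a
 * static buffer and return it (NULL if the translation did not fit). */
const char *nflog_xlate_str(const char *prefix, unsigned group, unsigned len, unsigned threshold)
{
	static char out[160];
	struct nflog_info info = { len, (unsigned short)group,
				   (unsigned short)threshold, "" };
	snprintf(info.prefix, sizeof(info.prefix), "%s", prefix);
	return nflog_xlate(&info, out, sizeof(out)) < 0 ? NULL : out;
}
```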
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c index 448576a..3d05ce0 100644 --- a/extensions/libxt_NFLOG.c +++ b/extensions/libxt_NFLOG.c @@ -72,7 +72,7 @@ static void nflog_print(const struct xt_nflog_info *info, char *prefix) } static void NFLOG_print(const void *ip, const struct xt_entry_target *target, - int numeric) + int numeric) { const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data; @@ -86,6 +86,31 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target) nflog_print(info, "--"); } +static void nflog_print_xlate(const struct xt_nflog_info *info, + char *prefix, struct xt_buf *buf) +{ + if (info->prefix[0] != '\0') + xt_buf_add(buf, "%slog prefix \\\"%s\\\" ", + prefix, info->prefix); + if (info->group) + xt_buf_add(buf, "%slog group %u ", prefix, info->group); + if (info->len) + xt_buf_add(buf, "%slog snaplen %u ", prefix, info->len); + if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD) + xt_buf_add(buf, "%slog queue-threshold %u ", + prefix, info->threshold); +} + +static int NFLOG_xlate(const struct xt_entry_target *target, + struct xt_buf *buf, int numeric) +{ + const struct xt_nflog_info *info = (struct xt_nflog_info *)target->data; + + nflog_print_xlate(info, "", buf); + + return 1; +} + static struct xtables_target nflog_target = { .family = NFPROTO_UNSPEC, .name = "NFLOG", @@ -98,6 +123,7 @@ static struct xtables_target nflog_target = { .print = NFLOG_print, .save = NFLOG_save, .x6_options = NFLOG_opts, + .xlate = NFLOG_xlate, }; void _init(void)
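Review bot: the first hunk (@@ -72,7 +72,7 @@) only changes the indentation of the `int numeric)` continuation line in NFLOG_print, a whitespace-only edit unrelated to the translation feature; drop it or move it to a separate cleanup commit so the patch and its commit message stay about one change.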
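Review bot: in the second hunk (@@ -86,6 +86,31 @@), nflog_print_xlate prints a fresh `log` keyword for every option (`"%slog prefix \\\"%s\\\" "`, `"%slog group %u "`, `"%slog snaplen %u "`, `"%slog queue-threshold %u "`), so a target with both a prefix and a group translates to two nft log expressions rather than one, as the FORWARD example in the commit message shows; print `log` once and append the attributes to it. The `group` attribute is also skipped when `info->group` is zero, yet it is the presence of a group that makes an nft log expression use nfnetlink_log instead of syslog (the nft_log.c reference given earlier in the thread), so emit `group` unconditionally with 0 as the fallback. Finally, `prefix` is always passed as `""` from NFLOG_xlate and `numeric` is never read, so the extra parameter can go.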
Add translation for NF Logging to nftables.

Examples:

$ sudo iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
nft add rule ip filter OUTPUT counter log group 30

$ sudo iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" log group 32

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-range 256
nft insert rule ip filter INPUT counter log snaplen 256

$ sudo iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
nft insert rule ip filter INPUT counter log queue-threshold 25

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libxt_NFLOG.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)