[nft,0/3] src: add nft log flags support

Message ID	20161114222156.GA28139@salvia
State	RFC
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> Date: Mon, 14 Nov 2016 23:21:56 +0100 From: Pablo Neira Ayuso <pablo@netfilter.org> To: Liping Zhang <zlpnobody@163.com> Cc: netfilter-devel@vger.kernel.org, Liping Zhang <liping.zhang@spreadtrum.com> Subject: Re: [PATCH nft 0/3] src: add nft log flags support Message-ID: <20161114222156.GA28139@salvia> References: <1474794421-5365-1-git-send-email-zlpnobody@163.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q" Content-Disposition: inline In-Reply-To: <1474794421-5365-1-git-send-email-zlpnobody@163.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

Message ID

20161114222156.GA28139@salvia

State

RFC

Delegated to:

Pablo Neira

Headers

Date: Mon, 14 Nov 2016 23:21:56 +0100
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Liping Zhang <zlpnobody@163.com>
Cc: netfilter-devel@vger.kernel.org,
	Liping Zhang <liping.zhang@spreadtrum.com>
Subject: Re: [PATCH nft 0/3] src: add nft log flags support
Message-ID: <20161114222156.GA28139@salvia>
References: <1474794421-5365-1-git-send-email-zlpnobody@163.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q"
Content-Disposition: inline
In-Reply-To: <1474794421-5365-1-git-send-email-zlpnobody@163.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Pablo Neira Ayuso Nov. 14, 2016, 10:21 p.m. UTC

On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
> log more things. The following iptables rule:
>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>   --log-ip-options --log-uid --log-macdecode
> is equal to the following nft rule:
>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode

Sorry, I wanted to have a closer look at this but time has been
running up and I didn't manage to get back to this.

So basically, I would like to explore different syntax for this, eg.

        log flags tcp sequence,options
        log flags ip options
        log flags skuid
        log flags ether

I think syntax would be larger, but it would look more consistent to
what we have. Worst case is to get them all set. We can provide a
compact version for this:

        log flags all

Please, see sketch patch attached for brainstorming.

Would you have a look into this? Thanks and again sorry for not
getting any sooner on this.

Comments

Liping Zhang Nov. 15, 2016, 2:25 p.m. UTC | #1

2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <liping.zhang@spreadtrum.com>
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following iptables rule:
>>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>>   --log-ip-options --log-uid --log-macdecode
>> is equal to the following nft rule:
>>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode
>
> Sorry, I wanted to have a closer look at this but time has been
> running up and I didn't manage to get back to this.
>
> So basically, I would like to explore different syntax for this, eg.
>
>         log flags tcp sequence,options
>         log flags ip options
>         log flags skuid
>         log flags ether

Yes, this syntax looks better, I will send V2 later based on your suggestions.

Thanks Pablo.

>
> I think syntax would be larger, but it would look more consistent to
> what we have. Worst case is to get them all set. We can provide a
> compact version for this:
>
>         log flags all
>
> Please, see sketch patch attached for brainstorming.
>
> Would you have a look into this? Thanks and again sorry for not
> getting any sooner on this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 91955c187f3f..286290341ffb 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -201,6 +201,8 @@  static void location_update(struct location *loc, struct location *rhs, int n)
 %token EXPORT			"export"
 %token MONITOR			"monitor"
 
+%token ALL			"all"
+
 %token ACCEPT			"accept"
 %token DROP			"drop"
 %token CONTINUE			"continue"
@@ -268,6 +270,8 @@  static void location_update(struct location *loc, struct location *rhs, int n)
 %token GATEWAY			"gateway"
 %token MTU			"mtu"
 
+%token OPTIONS			"options"
+
 %token IP6			"ip6"
 %token PRIORITY			"priority"
 %token FLOWLABEL		"flowlabel"
@@ -1530,6 +1534,25 @@  log_arg			:	PREFIX			string
 				$<stmt>0->log.level	= $2;
 				$<stmt>0->log.flags 	|= STMT_LOG_LEVEL;
 			}
+			|	FLAGS			log_flags
+			{
+				;
+			}
+			;
+
+log_flags		:	TCP	log_flags_tcp
+			|	IP	OPTIONS
+			|	SKUID
+			|	ETHER
+			|	ALL
+			;
+
+log_flags_tcp		:	log_flags_tcp	COMMA	log_flag_tcp
+			|	log_flag_tcp
+			;
+
+log_flag_tcp		:	SEQUENCE
+			|	OPTIONS
 			;
 
 level_type		:	string
diff --git a/src/scanner.l b/src/scanner.l
index cd7398b4e534..625023f5257c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -469,6 +469,9 @@  addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "notrack"		{ return NOTRACK; }
 
+"options"		{ return OPTIONS; }
+"all"			{ return ALL; }
+
 "xml"			{ return XML; }
 "json"			{ return JSON; }

[nft,0/3] src: add nft log flags support

Commit Message

Comments

Patch