enum nft_meta_keys key,
struct expr *expr);
+enum {
+ STMT_LOG_PREFIX = (1 << 0),
+ STMT_LOG_SNAPLEN = (1 << 1),
+ STMT_LOG_GROUP = (1 << 2),
+ STMT_LOG_QTHRESHOLD = (1 << 3),
+ STMT_LOG_LEVEL = (1 << 4),
+};
+
struct log_stmt {
const char *prefix;
unsigned int snaplen;
uint16_t group;
uint16_t qthreshold;
+ uint32_t level;
+ uint32_t flags;
};
extern struct stmt *log_stmt_alloc(const struct location *loc);
return 0;
}
+static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ if (stmt->log.flags & STMT_LOG_LEVEL &&
+ (stmt->log.flags & STMT_LOG_GROUP ||
+ stmt->log.flags & STMT_LOG_SNAPLEN ||
+ stmt->log.flags & STMT_LOG_QTHRESHOLD)) {
+ return stmt_error(ctx, stmt,
+ "level and group are mutually exclusive");
+ }
+ return 0;
+}
+
static int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
{
#ifdef DEBUG
switch (stmt->ops->type) {
case STMT_COUNTER:
case STMT_LIMIT:
- case STMT_LOG:
return 0;
case STMT_EXPRESSION:
return stmt_evaluate_expr(ctx, stmt);
return stmt_evaluate_verdict(ctx, stmt);
case STMT_META:
return stmt_evaluate_meta(ctx, stmt);
+ case STMT_LOG:
+ return stmt_evaluate_log(ctx, stmt);
case STMT_REJECT:
return stmt_evaluate_reject(ctx, stmt);
case STMT_NAT:
stmt = log_stmt_alloc(loc);
prefix = nft_rule_expr_get_str(nle, NFT_EXPR_LOG_PREFIX);
- if (prefix != NULL)
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_PREFIX)) {
stmt->log.prefix = xstrdup(prefix);
- stmt->log.group = nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_GROUP);
- stmt->log.snaplen = nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_SNAPLEN);
- stmt->log.qthreshold =
- nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_QTHRESHOLD);
+ stmt->log.flags |= STMT_LOG_PREFIX;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_GROUP)) {
+ stmt->log.group =
+ nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_GROUP);
+ stmt->log.flags |= STMT_LOG_GROUP;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_SNAPLEN)) {
+ stmt->log.snaplen =
+ nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_SNAPLEN);
+ stmt->log.flags |= STMT_LOG_SNAPLEN;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_QTHRESHOLD)) {
+ stmt->log.qthreshold =
+ nft_rule_expr_get_u16(nle, NFT_EXPR_LOG_QTHRESHOLD);
+ stmt->log.flags |= STMT_LOG_QTHRESHOLD;
+ }
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_LOG_LEVEL)) {
+ stmt->log.level =
+ nft_rule_expr_get_u32(nle, NFT_EXPR_LOG_LEVEL);
+ stmt->log.flags |= STMT_LOG_LEVEL;
+ }
list_add_tail(&stmt->list, &ctx->rule->stmts);
}
nft_rule_expr_set_str(nle, NFT_EXPR_LOG_PREFIX,
stmt->log.prefix);
}
- if (stmt->log.group) {
+ if (stmt->log.flags & STMT_LOG_GROUP) {
nft_rule_expr_set_u16(nle, NFT_EXPR_LOG_GROUP,
stmt->log.group);
- }
- if (stmt->log.snaplen) {
- nft_rule_expr_set_u32(nle, NFT_EXPR_LOG_SNAPLEN,
- stmt->log.snaplen);
- }
- if (stmt->log.qthreshold) {
- nft_rule_expr_set_u16(nle, NFT_EXPR_LOG_QTHRESHOLD,
- stmt->log.qthreshold);
+ if (stmt->log.flags & STMT_LOG_SNAPLEN)
+ nft_rule_expr_set_u32(nle, NFT_EXPR_LOG_SNAPLEN,
+ stmt->log.snaplen);
+ if (stmt->log.flags & STMT_LOG_QTHRESHOLD)
+ nft_rule_expr_set_u16(nle, NFT_EXPR_LOG_QTHRESHOLD,
+ stmt->log.qthreshold);
+ } else {
+ nft_rule_expr_set_u32(nle, NFT_EXPR_LOG_LEVEL, stmt->log.level);
}
nft_rule_add_expr(ctx->nlr, nle);
}
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>
+#include <syslog.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <linux/netfilter.h>
%token GROUP "group"
%token SNAPLEN "snaplen"
%token QUEUE_THRESHOLD "queue-threshold"
+%token LEVEL "level"
+%token LEVEL_EMERG "emerg"
+%token LEVEL_ALERT "alert"
+%token LEVEL_CRIT "crit"
+%token LEVEL_ERR "err"
+%token LEVEL_WARN "warn"
+%token LEVEL_NOTICE "notice"
+%token LEVEL_INFO "info"
+%token LEVEL_DEBUG "debug"
%token LIMIT "limit"
%token RATE "rate"
%destructor { stmt_free($$); } meta_stmt
%type <stmt> log_stmt log_stmt_alloc
%destructor { stmt_free($$); } log_stmt log_stmt_alloc
+%type <val> level_type
%type <stmt> limit_stmt
%destructor { stmt_free($$); } limit_stmt
%type <val> time_unit
log_arg : PREFIX string
{
$<stmt>0->log.prefix = $2;
+ $<stmt>0->log.flags |= STMT_LOG_PREFIX;
}
| GROUP NUM
{
$<stmt>0->log.group = $2;
+ $<stmt>0->log.flags |= STMT_LOG_GROUP;
}
| SNAPLEN NUM
{
$<stmt>0->log.snaplen = $2;
+ $<stmt>0->log.flags |= STMT_LOG_SNAPLEN;
}
| QUEUE_THRESHOLD NUM
{
$<stmt>0->log.qthreshold = $2;
+ $<stmt>0->log.flags |= STMT_LOG_QTHRESHOLD;
+ }
+ | LEVEL level_type
+ {
+ $<stmt>0->log.level = $2;
+ $<stmt>0->log.flags |= STMT_LOG_LEVEL;
+ }
+ ;
+
+level_type : LEVEL_EMERG
+ {
+ $$ = LOG_EMERG;
+ }
+ | LEVEL_ALERT
+ {
+ $$ = LOG_ALERT;
+ }
+ | LEVEL_CRIT
+ {
+ $$ = LOG_CRIT;
+ }
+ | LEVEL_ERR
+ {
+ $$ = LOG_ERR;
+ }
+ | LEVEL_WARN
+ {
+ $$ = LOG_WARNING;
+ }
+ | LEVEL_NOTICE
+ {
+ $$ = LOG_NOTICE;
+ }
+ | LEVEL_INFO
+ {
+ $$ = LOG_INFO;
+ }
+ | LEVEL_DEBUG
+ {
+ $$ = LOG_DEBUG;
}
;
"group" { return GROUP; }
"snaplen" { return SNAPLEN; }
"queue-threshold" { return QUEUE_THRESHOLD; }
+"level" { return LEVEL; }
+"emerg" { return LEVEL_EMERG; }
+"alert" { return LEVEL_ALERT; }
+"crit" { return LEVEL_CRIT; }
+"err" { return LEVEL_ERR; }
+"warn" { return LEVEL_WARN; }
+"notice" { return LEVEL_NOTICE; }
+"info" { return LEVEL_INFO; }
+"debug" { return LEVEL_DEBUG; }
"queue" { return QUEUE;}
"num" { return QUEUENUM;}
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
+#include <syslog.h>
#include <statement.h>
#include <utils.h>
return stmt_alloc(loc, &counter_stmt_ops);
}
+static const char *syslog_level[LOG_DEBUG + 1] = {
+ [LOG_EMERG] = "emerg",
+ [LOG_ALERT] = "alert",
+ [LOG_CRIT] = "crit",
+ [LOG_ERR] = "err",
+ [LOG_WARNING] = "warn",
+ [LOG_NOTICE] = "notice",
+ [LOG_INFO] = "info",
+ [LOG_DEBUG] = "debug",
+};
+
+static const char *log_level(uint32_t level)
+{
+ if (level > LOG_DEBUG)
+ return "unknown";
+
+ return syslog_level[level];
+}
+
static void log_stmt_print(const struct stmt *stmt)
{
printf("log");
- if (stmt->log.prefix != NULL)
+ if (stmt->log.flags & STMT_LOG_PREFIX)
printf(" prefix \"%s\"", stmt->log.prefix);
- if (stmt->log.group)
+ if (stmt->log.flags & STMT_LOG_GROUP)
printf(" group %u", stmt->log.group);
- if (stmt->log.snaplen)
+ if (stmt->log.flags & STMT_LOG_SNAPLEN)
printf(" snaplen %u", stmt->log.snaplen);
- if (stmt->log.qthreshold)
+ if (stmt->log.flags & STMT_LOG_QTHRESHOLD)
printf(" queue-threshold %u", stmt->log.qthreshold);
+ if ((stmt->log.flags & STMT_LOG_LEVEL) &&
+ stmt->log.level != LOG_WARNING)
+ printf(" level %s", log_level(stmt->log.level));
}
static void log_stmt_destroy(struct stmt *stmt)
projects / thirdparty / nftables.git / commitdiff
