extensions: LOG: add log flags translation to nft

For example:
 # iptables-translate -A OUTPUT -j LOG --log-uid
 nft add rule ip filter OUTPUT counter log flags skuid

 # iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \
 --log-tcp-options
 nft add rule ip filter OUTPUT counter log flags tcp sequence,options

 # iptables-translate -A OUTPUT -j LOG --log-level debug --log-uid
 nft add rule ip filter OUTPUT counter log level debug flags skuid

 # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-macdecode
 nft add rule ip6 filter OUTPUT counter log flags ip options flags ether

 # ip6tables-translate -A OUTPUT -j LOG --log-ip-options --log-uid \
 --log-tcp-sequence --log-tcp-options --log-macdecode
 nft add rule ip6 filter OUTPUT counter log flags all

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index af77b9a5b2190721b2ecb7827df64a16eb55f4fc..40adc69d85ed4a668223ec205eb80734942c73e4 100644 (file)
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
                (const struct ip6t_log_info *)params->target->data;
        unsigned int i = 0;
 
-       xt_xlate_add(xl, "log ");
+       xt_xlate_add(xl, "log");
        if (strcmp(loginfo->prefix, "") != 0) {
                if (params->escape_quotes)
-                       xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+                       xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
                else
-                       xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+                       xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
        }
 
        for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
                if (loginfo->level == ip6t_log_xlate_names[i].level &&
                    loginfo->level != LOG_DEFAULT_LEVEL) {
-                       xt_xlate_add(xl, "level %s",
+                       xt_xlate_add(xl, " level %s",
                                   ip6t_log_xlate_names[i].name);
                        break;
                }
 
+       if ((loginfo->logflags & IP6T_LOG_MASK) == IP6T_LOG_MASK) {
+               xt_xlate_add(xl, " flags all");
+       } else {
+               if (loginfo->logflags & (IP6T_LOG_TCPSEQ | IP6T_LOG_TCPOPT)) {
+                       const char *delim = " ";
+
+                       xt_xlate_add(xl, " flags tcp");
+                       if (loginfo->logflags & IP6T_LOG_TCPSEQ) {
+                               xt_xlate_add(xl, " sequence");
+                               delim = ",";
+                       }
+                       if (loginfo->logflags & IP6T_LOG_TCPOPT)
+                               xt_xlate_add(xl, "%soptions", delim);
+               }
+               if (loginfo->logflags & IP6T_LOG_IPOPT)
+                       xt_xlate_add(xl, " flags ip options");
+               if (loginfo->logflags & IP6T_LOG_UID)
+                       xt_xlate_add(xl, " flags skuid");
+               if (loginfo->logflags & IP6T_LOG_MACDECODE)
+                       xt_xlate_add(xl, " flags ether");
+       }
+
        return 1;
 }
 static struct xtables_target log_tg6_reg = {

diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 2784d9bc527c9cb2dd720ca546e1e591660d1106..36e2e73b7e360785b75ecf3a73a5932a79dd41ad 100644 (file)
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
                (const struct ipt_log_info *)params->target->data;
        unsigned int i = 0;
 
-       xt_xlate_add(xl, "log ");
+       xt_xlate_add(xl, "log");
        if (strcmp(loginfo->prefix, "") != 0) {
                if (params->escape_quotes)
-                       xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+                       xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
                else
-                       xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+                       xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
        }
 
        for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
                if (loginfo->level != LOG_DEFAULT_LEVEL &&
                    loginfo->level == ipt_log_xlate_names[i].level) {
-                       xt_xlate_add(xl, "level %s ",
+                       xt_xlate_add(xl, " level %s",
                                   ipt_log_xlate_names[i].name);
                        break;
                }
 
+       if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) {
+               xt_xlate_add(xl, " flags all");
+       } else {
+               if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) {
+                       const char *delim = " ";
+
+                       xt_xlate_add(xl, " flags tcp");
+                       if (loginfo->logflags & IPT_LOG_TCPSEQ) {
+                               xt_xlate_add(xl, " sequence");
+                               delim = ",";
+                       }
+                       if (loginfo->logflags & IPT_LOG_TCPOPT)
+                               xt_xlate_add(xl, "%soptions", delim);
+               }
+               if (loginfo->logflags & IPT_LOG_IPOPT)
+                       xt_xlate_add(xl, " flags ip options");
+               if (loginfo->logflags & IPT_LOG_UID)
+                       xt_xlate_add(xl, " flags skuid");
+               if (loginfo->logflags & IPT_LOG_MACDECODE)
+                       xt_xlate_add(xl, " flags ether");
+       }
+
        return 1;
 }
 static struct xtables_target log_tg_reg = {