expr: log: complete log flags support

If NFTNL_EXPR_LOG_FLAGS is not set, it's unnecessary to print out the
flags value. Furthermore, it's better to print out string message
instead of the hex value.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644 (file)
index 0000000..8be21e0
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,12 @@
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT          0x02    /* Log TCP options */
+#define NF_LOG_IPOPT           0x04    /* Log IP options */
+#define NF_LOG_UID             0x08    /* Log UID owning local socket */
+#define NF_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE       0x20    /* Decode MAC header */
+#define NF_LOG_MASK            0x2f
+
+#endif /* _NETFILTER_NF_LOG_H */

diff --git a/src/expr/log.c b/src/expr/log.c
index a231bac9327ec41e532afdaa667d3027aac7e37f..b6422553f5126aa447af98f9c6b40b75176fbcf1 100644 (file)
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -15,6 +15,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter/nf_log.h>
 
 #include "internal.h"
 #include <libmnl/libmnl.h>
@@ -237,13 +238,37 @@ static int nftnl_expr_log_snprintf_default(char *buf, size_t size,
 
        if (e->flags & (1 << NFTNL_EXPR_LOG_GROUP)) {
                ret = snprintf(buf + offset, len,
-                              "group %u snaplen %u qthreshold %u",
+                              "group %u snaplen %u qthreshold %u ",
                               log->group, log->snaplen, log->qthreshold);
                SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-       } else if (e->flags & (1 << NFTNL_EXPR_LOG_LEVEL)) {
-               ret = snprintf(buf + offset, len, "level %u flags %u",
-                              log->level, log->flags);
-               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+       } else {
+               if (e->flags & (1 << NFTNL_EXPR_LOG_LEVEL)) {
+                       ret = snprintf(buf + offset, len, "level %u ",
+                                      log->level);
+                       SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+               }
+               if (e->flags & (1 << NFTNL_EXPR_LOG_FLAGS)) {
+                       if (log->flags & NF_LOG_TCPSEQ) {
+                               ret = snprintf(buf + offset, len, "tcpseq ");
+                               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+                       }
+                       if (log->flags & NF_LOG_TCPOPT) {
+                               ret = snprintf(buf + offset, len, "tcpopt ");
+                               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+                       }
+                       if (log->flags & NF_LOG_IPOPT) {
+                               ret = snprintf(buf + offset, len, "ipopt ");
+                               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+                       }
+                       if (log->flags & NF_LOG_UID) {
+                               ret = snprintf(buf + offset, len, "uid ");
+                               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+                       }
+                       if (log->flags & NF_LOG_MACDECODE) {
+                               ret = snprintf(buf + offset, len, "macdecode ");
+                               SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+                       }
+               }
        }
 
        return offset;