On Thu, May 12, 2016 at 4:35 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, May 12, 2016 at 04:21:06PM +0530, Shivani Bhardwaj wrote:
>> On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso <pa...@netfilter.org> 
>> wrote:
>> > On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote:
>> >> +                     <para>
>> >> +                             &#13;&#10;The nflog statement provides 
>> >> logging of matching packets. When this statement is set for a rule, the 
>> >> Linux kernel will pass the packet to the loaded logging backend to log 
>> >> the packet. This is used in combination with nfnetlink_log as logging 
>> >> backend, which will multicast the packet through a netlink socket to the 
>> >> specified multicast group. One or more userspace processes may subscribe 
>> >> to the group to receive the packets. Like log statement, this is a 
>> >> non-terminating statement, i.e. rule traversal continues at the next 
>> >> rule. It is necessary to mention the group [default 0] to consider 
>> >> logging with nflog.
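Review bot: the `&#13;&#10;` character references at the start of the added `<para>` are stray CR/LF escapes and should be dropped, since they render as nothing useful inside a DocBook paragraph. The paragraph also documents an "nflog statement" that nft does not have: as the reply notes, nfnetlink_log logging is selected by giving `group` to the `log` statement, so this text belongs under the log statement and should describe the `group` option of `log` (for example `log group 0`, the default group mentioned here) rather than a separate statement.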
>> >
>> > We don't have an nflog statement, actually this is integrated into
>> > 'log' itself. So if you indicate the group, then it is assumed that you
>> > want to use logging through nflog.
>> >
>> Yes, I'm sorry for the mistake.
>
> No problem.
>
> [...]
>> >>                       <title>Meta statement</title>
>> >>                       <para>
>> >> +                             A meta statement sets the value of a meta 
>> >> expression.
>> >> +                             The existing meta fields are: length,
>> >> nfproto, l4proto, protocol, priority, mark, iif, iifname, iiftype,
>> >> oif, oifname, oiftype, skuid, skgid, nftrace, rtclassid, ibriport,
>> >> obriport, pkttype, cpu, iifgroup, oifgroup, cgroup.
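Review bot: the field list in this `<para>` names meta expression keys (the matchable ones), not keys a meta statement can set, so it does not belong under `<title>Meta statement</title>`. Per the `nft_meta_set_eval()` switch quoted later in this thread, only mark, priority, pkttype and nftrace are settable; suggest listing just those here and moving the long list to the meta expression section.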
>> >
>> > We actually support a bunch of this, have a look at:
>> > net/netfilter/nft_meta.c so you know which ones we support ;)
>> >
>> Should I be adding the ones like prandom, secmark too? nft_meta.c
>> shows it but nftables doesn't seem to have an entry in the parser.
>> Please let me know.
>
> void nft_meta_set_eval(const struct nft_expr *expr,
>                        struct nft_regs *regs,
>                        const struct nft_pktinfo *pkt)
> {
>         const struct nft_meta *meta = nft_expr_priv(expr);
>         struct sk_buff *skb = pkt->skb;
>         u32 value = regs->data[meta->sreg];
>
>         switch (meta->key) {
>         case NFT_META_MARK:
>                 [...]
>                 break;
>         case NFT_META_PRIORITY:
>                 [...]
>                 break;
>         case NFT_META_PKTTYPE:
>                 [...]
>                 break;
>         case NFT_META_NFTRACE:
>                 [...]
>         default:
>                 WARN_ON(1);
>         }
> }
>
> We support mark, priority, pkttype and nftrace for meta statements at
> this stage.
>
> Note that you indicated what we support for meta expressions (what we
> used to call 'matches' in iptables) that is the long list of things
> you placed above.

OK. I confused expressions with statements again. I'm sorry. Fixing
this and sending the patch. Thanks!
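The distinction the thread settles on (meta expressions match, meta statements set; nflog logging is `log` with a `group`) is easiest to see in an actual ruleset. The following is an added example, not part of the thread or the nftables documentation patch; the table and chain names, the address range, the mark value and the log group number are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): minimal ruleset showing meta
# expressions versus meta statements, and log with a group.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # meta EXPRESSION (a match): reads a meta key and compares it.
        # Keys such as l4proto, iifname, mark are read here, not set.
        meta l4proto tcp tcp dport 22 counter

        # log STATEMENT with a group: there is no separate "nflog"
        # statement. Giving a group selects the nfnetlink_log backend,
        # which multicasts the packet to netlink group 2 (constructed
        # value; default is 0). The statement is non-terminating, so
        # rule traversal continues with the next rule.
        ip saddr 10.0.0.0/8 log group 2 prefix "input-private: "

        # meta STATEMENTS (setters): per nft_meta_set_eval() only mark,
        # priority, pkttype and nftrace can be set. pkttype is omitted
        # here because its setter is hook-restricted.
        iifname "eth0" meta mark set 0x1
        meta mark 0x1 meta nftrace set 1
        meta priority set 1:1
    }
}
```

The second meta-statement rule combines both forms on one line: `meta mark 0x1` is the expression that matches packets marked by the previous rule, and `meta nftrace set 1` is the statement that acts on them. Load the file with `nft -f` and inspect the result with `nft list ruleset`; packets hitting the `log group 2` rule are delivered to any userspace process subscribed to that nfnetlink_log group (for example `ulogd` with its NFLOG input), not to the kernel log.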
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
