Use rule comments in log messages #3

@auxesis

Description

Right now we mandate users specify a comment when defining a rule, but we just throw away the comment.

We could use this comment in the log messages, so the following:

partition "keepalived" do
  label "primary lvs",   :address => "172.16.0.216"
  label "secondary lvs", :address => "172.16.0.217"
  label "fw multicast",  :address => "224.0.0.0/8"

  accept "keepalive chatter on the fw multicast", :log => true do
    protocols "vrrp"
    from      "primary lvs", "secondary lvs"
    to        "fw multicast"
  end
end

Would emit a rule that looks like this:

iptables --table filter --append keepalive-ac0ff33 --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.216 --jump LOG --log-prefix "keepalive chatter on the fw multicast"

This would make analysing packet filtering behaviour via logging much easier.

One small caveat: per the iptables documentation, there is a character limit on --log-prefix:

--log-prefix prefix
       Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

So the argument would need to be trimmed like this:

--log-prefix "keepalive chatter on the fw m"
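The trimming step and the rule expansion described in the issue, as an added example in Ruby (this is illustration code, not the project's own rule builder; the function names `log_prefix_for` and `expand_log_rules`, the `LABELS` map, and the fixed `--table filter` layout are assumptions taken from the example above). It cuts the comment to the 29-character `--log-prefix` limit, drops a trailing space left by the cut, expands one LOG rule per (protocol, source, destination) combination, and builds each rule as an argv array so a comment containing quotes or shell metacharacters stays a single argument instead of being interpolated into a command string:

```ruby
require 'shellwords'

# Maximum --log-prefix length accepted by iptables (from the man page quoted above).
LOG_PREFIX_MAX = 29

# Label-to-address map, constructed from the partition in the issue (assumed
# to be what the DSL's `label` calls would produce).
LABELS = {
  'primary lvs'   => '172.16.0.216',
  'secondary lvs' => '172.16.0.217',
  'fw multicast'  => '224.0.0.0/8',
}.freeze

# Trim a rule comment so it fits iptables' --log-prefix limit. If the cut lands
# right after a space, the trailing space is dropped so the prefix never ends
# with whitespace (which would be invisible in the logs).
def log_prefix_for(comment)
  comment.to_s.strip[0, LOG_PREFIX_MAX].rstrip
end

# Expand one accept-with-log block into the iptables LOG rules it implies:
# one rule per (protocol, from-label, to-label) combination. Each rule is
# returned as an argv array, ready for Process.spawn/system without a shell.
# Hypothetical helper; the real project's builder is not shown in the issue.
def expand_log_rules(chain:, protocols:, from:, to:, comment:, labels: LABELS)
  prefix = log_prefix_for(comment)
  protocols.product(from, to).map do |proto, src, dst|
    ['iptables', '--table', 'filter', '--append', chain,
     '--protocol', proto,
     '--destination', labels.fetch(dst),
     '--source', labels.fetch(src),
     '--jump', 'LOG',
     '--log-prefix', prefix]
  end
end

# Render an argv array as a shell-safe command line for display or for
# writing a restore script. Shellwords.join escapes every argument, so a
# comment such as `foo"; rm -rf /` cannot break out of the --log-prefix value.
def render_command(argv)
  Shellwords.join(argv)
end

if __FILE__ == $PROGRAM_NAME
  rules = expand_log_rules(
    chain:     'keepalive-ac0ff33',
    protocols: ['vrrp'],
    from:      ['primary lvs', 'secondary lvs'],
    to:        ['fw multicast'],
    comment:   'keepalive chatter on the fw multicast'
  )
  rules.each { |argv| puts render_command(argv) }
end
```

Running the file prints two rules, one per source address, each carrying the prefix `keepalive chatter on the fw m` (29 characters). Returning argv arrays rather than a joined string is the important design choice: the comment is user-supplied text, and handing it to iptables as its own argument means no quoting rule in the DSL output can be defeated by a stray `"` in a comment.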
