Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all
matching packets (like most IP/IPv6 header fields) via the kernel log
(where it can be read with \fIdmesg(1)\fP or read in the syslog).
.PP
This is a "non-terminating target", i.e. rule traversal continues at
the next rule. So if you want to LOG the packets you refuse, use two
separate rules with the same matching criteria, first using target LOG
then DROP (or REJECT).
.TP
\fB\-\-log\-level\fP \fIlevel\fP
Level of logging, which can be (system-specific) numeric or a mnemonic.
Possible values are (in decreasing order of priority): \fBemerg\fP,
\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
or \fBdebug\fP.
.TP
\fB\-\-log\-prefix\fP \fIprefix\fP
Prefix log messages with the specified prefix; up to 29 letters long,
and useful for distinguishing messages in the logs.
.TP
\fB\-\-log\-tcp\-sequence\fP
Log TCP sequence numbers. This is a security risk if the log is
readable by users.
.TP
\fB\-\-log\-tcp\-options\fP
Log options from the TCP packet header.
.TP
\fB\-\-log\-ip\-options\fP
Log options from the IP/IPv6 packet header.
.TP
\fB\-\-log\-uid\fP
Log the userid of the process which generated the packet.
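.PP
An added example, not part of iptables or of the original page: a Python audit of kernel log lines that reports, per \fB\-\-log\-prefix\fP, which optional LOG flags are evident, so a rule still using \fB\-\-log\-tcp\-sequence\fP can be found from a log that users can read.
The sample lines are constructed, and the field names (SEQ, OPT, UID) reflect the kernel's LOG output format, which this page does not spell out and is assumed here.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    "Jan 10 12:00:01 fw kernel: [  101.512345] SSH-DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "[  102.250000] WEB-AUDIT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5151 DF PROTO=TCP SPT=51514 DPT=443 SEQ=305419896 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A) UID=1000 GID=1000",
    "Jan 10 12:00:03 fw kernel: [  103.000100] PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1",
    "Jan 10 12:00:04 fw kernel: [  104.000000] eth0: link up",
]

def parse_log_line(line):
    """Split one LOG-target line into (prefix, fields, flags); None if not one."""
    head, sep, rest = line.partition("IN=")
    if not sep or " OUT=" not in rest:
        return None
    head = re.sub(r"^.*?kernel:\s*", "", head)        # drop syslog header, if any
    head = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", head)   # drop dmesg timestamp, if any
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields.setdefault(key, val)  # first occurrence wins (outer IP header)
        else:
            flags.add(tok)               # bare tokens: DF, SYN, OPT, ...
    return head.strip(), fields, flags

def options_seen(lines):
    """Map each log prefix to the optional LOG flags its lines reveal."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        prefix, fields, flags = rec
        seen[prefix]  # register the prefix even when no optional flag shows
        # ICMP echo lines also carry SEQ=, so require PROTO=TCP here.
        if fields.get("PROTO") == "TCP" and "SEQ" in fields:
            seen[prefix].add("--log-tcp-sequence")
        if "OPT" in flags:
            seen[prefix].add("--log-tcp-options or --log-ip-options")
        if "UID" in fields:
            seen[prefix].add("--log-uid")
    return dict(seen)

if __name__ == "__main__":
    for prefix, opts in options_seen(SAMPLE).items():
        print(f"{prefix!r}: {sorted(opts) or 'no optional flags'}")
```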