Turn on kernel logging of matching packets.  When this option is set

for a rule, the Linux kernel will print some information on all

matching packets (like most IP/IPv6 header fields) via the kernel log

(where it can be read with \fIdmesg(1)\fP or read in the syslog).

.PP

This is a "non-terminating target", i.e. rule traversal continues at

the next rule.  So if you want to LOG the packets you refuse, use two

separate rules with the same matching criteria, first using target LOG

then DROP (or REJECT).

.TP

\fB\-\-log\-level\fP \fIlevel\fP

Level of logging, which can be (system-specific) numeric or a mnemonic.

Possible values are (in decreasing order of priority): \fBemerg\fP,

\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP

or \fBdebug\fP.

.TP

\fB\-\-log\-prefix\fP \fIprefix\fP

Prefix log messages with the specified prefix; up to 29 letters long,

and useful for distinguishing messages in the logs.

.TP

\fB\-\-log\-tcp\-sequence\fP

Log TCP sequence numbers. This is a security risk if the log is

readable by users.

.TP

\fB\-\-log\-tcp\-options\fP

Log options from the TCP packet header.

.TP

\fB\-\-log\-ip\-options\fP

Log options from the IP/IPv6 packet header.

.TP

\fB\-\-log\-uid\fP

Log the userid of the process which generated the packet.