
Log packets matching a rule

Open qdeslandes opened this issue 5 months ago • 0 comments

nftables allows for packets to be logged: if a packet matches the rule's criteria (some of) its content is logged.

The exact implementation is not defined yet, as there are multiple questions that should first be answered:

  • Should this be a new verdict? A rule should be able to log a packet and then apply a verdict (accept, drop, ...). If we define a new LOG verdict, it means we should allow for verdicts to be combined, such as LOG | DROP. Otherwise, it could be a rule directive, like counter is in bfcli.
  • How to actually log the data? bpf_printk() is too slow and not meant for this. BPF perfbuf could be used, but BPF ringbuf could be better.
  • What should be logged? Having the user define specific fields to log would complexify the bytecode: we would have to first check if the field is available in the current packet and then copy only the required data. Another approach could be to copy part of the program's runtime context back to userspace, which contains: L3/4 protocol, L2 header, L3 header, L4 header. The user could also request only specific headers.

qdeslandes, Sep 02 '24 15:09
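As an added example (not bpfilter's code), the third option above, copying the L3/L4 protocol and the L2/L3/L4 headers from the program's context back to userspace, sketched as a record layout plus a filler that only copies a header once its full length is proven to sit inside the packet; a short or malformed frame then yields a partial record rather than an out-of-bounds read. Written in plain C rather than BPF so it runs stand-alone; bf_log_record, bf_log_fill and bf_log_sample_mask are assumed names, and the frame is constructed, not captured.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical log record: L3/L4 protocol numbers plus raw copies of the L2/L3/L4 headers. */
#define BF_LOG_HDR_MAX 60                       /* IPv4 or TCP header with options */
enum { BF_LOG_L2 = 1, BF_LOG_L3 = 2, BF_LOG_L4 = 4 };

struct bf_log_record {
    uint16_t l3_proto;                          /* EtherType, 0x0800 = IPv4 */
    uint8_t  l4_proto;                          /* IP protocol number, 6 = TCP */
    uint8_t  hdr_mask;                          /* which of l2/l3/l4 hold data */
    uint8_t  l2[14], l3[BF_LOG_HDR_MAX], l4[BF_LOG_HDR_MAX];
};

/* Fill rec from a raw frame; each header is copied only once its full length is inside it. */
int bf_log_fill(struct bf_log_record *rec, const uint8_t *pkt, size_t len)
{
    size_t off = 14, ihl = 0, l4len = 0;
    memset(rec, 0, sizeof(*rec));
    if (len < off) return 0;                    /* not even a full Ethernet header */
    memcpy(rec->l2, pkt, off);
    rec->hdr_mask = BF_LOG_L2;
    rec->l3_proto = (uint16_t)(pkt[12] << 8 | pkt[13]);
    if (rec->l3_proto == 0x0800 && len >= off + 20)
        ihl = (size_t)(pkt[off] & 0x0f) * 4;    /* IPv4 header length incl. options */
    if (ihl < 20 || ihl > BF_LOG_HDR_MAX || len < off + ihl)
        return rec->hdr_mask;                   /* non-IPv4, or IP header truncated */
    memcpy(rec->l3, pkt + off, ihl);
    rec->hdr_mask |= BF_LOG_L3;
    rec->l4_proto = pkt[off + 9];
    off += ihl;
    if (rec->l4_proto == 6 && len >= off + 20)  /* TCP: data offset, at least 5 words */
        l4len = (pkt[off + 12] >> 4) >= 5 ? (size_t)(pkt[off + 12] >> 4) * 4 : 0;
    if (l4len && l4len <= BF_LOG_HDR_MAX && len >= off + l4len) {
        memcpy(rec->l4, pkt + off, l4len);
        rec->hdr_mask |= BF_LOG_L4;
    }
    return rec->hdr_mask;
}

/* Constructed sample (not a capture): Ethernet + IPv4 (IHL 5, TCP) + TCP (data offset 5), 54 bytes. */
int bf_log_sample_mask(size_t truncate_to)
{
    struct bf_log_record rec;
    uint8_t frame[54] = {0};
    frame[12] = 0x08; frame[13] = 0x00;         /* EtherType IPv4 */
    frame[14] = 0x45; frame[14 + 9] = 6;        /* version 4, IHL 5, protocol TCP */
    frame[34 + 12] = 0x50;                      /* TCP data offset 5 (20 bytes) */
    return bf_log_fill(&rec, frame, truncate_to < 54 ? truncate_to : 54);
}
```

Truncating the sample frame shows the degradation: 54 bytes yields all three headers, 40 bytes drops the L4 copy, 20 bytes keeps only L2.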