Open auxesis opened 11 years ago
If we're accepting the traffic in question, then that's very much a debugging or auditing type option that you wouldn't want enabled by default... It'd be problematic to implement globally unless we apply some very strict rate-limiting to it (like max one per second? Even then it'd probably be a significant I/O increase).
For arbitrarily dropped traffic, sure - it makes sense to log that stuff.
@laminat0r this would only be enabled if you did `:log => true` on a rule or a partition, so it wouldn't instantly burn us in production.
Agree it should only be used for debugging, and there should be suitable disclaimers in the documentation explaining the performance impact.
I think enabling `--log-prefix` by default is a good idea, but we could also provide an option to disable it (`:debug => false`?) if you want fast production logging.
Right now we mandate users specify a comment when defining a rule, but we just throw away the comment.
We could use this comment in the log messages, so the following:
Would emit a rule that looks like this:
This would make analysing packet filtering behaviour via logging much easier.
One small caveat: per the iptables documentation there is a character limit on `--log-prefix`.
So the argument would need to be trimmed like this:
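As an added illustration of the proposal above (this is example code written for this page, not code from the project or from the issue author), here is how a rule's mandatory comment can be reused as the LOG `--log-prefix` and trimmed to the limit documented in iptables-extensions(8) ("up to 29 letters long"), with the LOG rule placed in front of the terminating rule and only emitted when logging is requested. The option names `log:` and `limit:` are assumptions for the sake of the example and are not the project's actual DSL.

```ruby
require 'shellwords'

# Added example, not code from the project under discussion: build iptables
# rule lines from a rule's mandatory comment, reusing the comment as the LOG
# --log-prefix and trimming it to the documented limit.

# iptables-extensions(8) documents --log-prefix as "up to 29 letters long".
LOG_PREFIX_MAX = 29

# Reduce a rule comment to something safe to pass as --log-prefix:
# drop double quotes (the argument is quoted by Shellwords below) and
# truncate to the limit so iptables does not reject the rule.
def log_prefix(comment)
  cleaned = comment.to_s.delete('"').strip
  raise ArgumentError, 'rule comment must not be empty' if cleaned.empty?
  cleaned[0, LOG_PREFIX_MAX]
end

# Produce the iptables invocation(s) for one rule. The keyword options
# (log:, limit:) are assumed names for this example, not the project's DSL.
#   chain:   e.g. 'INPUT'
#   match:   array of match arguments, e.g. %w[-p tcp --dport 22]
#   action:  'ACCEPT' or 'DROP'
#   comment: the mandatory rule comment
#   log:     when true, emit a LOG rule in front of the terminating rule
#   limit:   optional rate limit for the LOG rule, e.g. '1/second'
def rule_lines(chain:, match:, action:, comment:, log: false, limit: nil)
  lines = []
  if log
    # LOG is non-terminating, so it must come before the ACCEPT/DROP rule.
    log_args = ['iptables', '-A', chain, *match]
    log_args += ['-m', 'limit', '--limit', limit] if limit
    log_args += ['-j', 'LOG', '--log-prefix', log_prefix(comment)]
    lines << Shellwords.join(log_args)
  end
  # The comment match keeps the full comment on the terminating rule, so
  # `iptables -S` still shows it even when the log prefix was truncated.
  rule_args = ['iptables', '-A', chain, *match,
               '-m', 'comment', '--comment', comment, '-j', action]
  lines << Shellwords.join(rule_args)
  lines
end

if __FILE__ == $0
  puts rule_lines(chain: 'INPUT', match: %w[-p tcp --dport 22],
                  action: 'ACCEPT',
                  comment: 'allow ssh from management network only',
                  log: true, limit: '1/second')
end
```

Run it directly to see the two rules emitted for a logged rule; with `log: false` only the terminating rule is produced, which is the "not enabled unless you ask for it" behaviour discussed above. The `-m limit` match on the LOG rule is one way to cap the I/O cost raised earlier in the thread.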