LOG and DROP some specified packets in the same iptables rule

Patrick Schaaf bof at bof.de
Mon May 2 09:11:53 CEST 2005


> When I want to log and then drop the specified packets, I can write the
> following iptables rule to reduce the number of rules, for a performance
> improvement in the system.
> Do you think so?

If all you want to have is performance optimization in the number
of rules, you can easily use the "traditional" approach of a user
defined LOGDROP chain:

iptables -t mangle -N LOGDROP
iptables -t mangle -A LOGDROP -j LOG --log-prefix "LOGDROP: "
iptables -t mangle -A LOGDROP -j DROP

> iptables -t mangle -A FORWARD -p udp --dport 1024: -j DLOG --log-prefix "Drop this packet "

then becomes

iptables -t mangle -A FORWARD -p udp --dport 1024: -j LOGDROP

as often as you need it.

Drawback: now the --log-prefix is the same for all callers of LOGDROP.
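One way around that drawback, as an added example that is not part of the original mail: a small sh wrapper that creates one LOGDROP-style chain per distinct log prefix, so each caller still needs a single rule line but keeps its own --log-prefix. The chain naming scheme (LOGDROP_ plus the sanitised prefix) and the demo prefixes are assumptions; by default it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not code from the original post): one LOGDROP-style chain
# per log prefix, so each caller still needs a single rule line but keeps
# its own --log-prefix. Chain names derived from prefixes are an assumption.
# Dry run by default: prints the iptables commands it would run.
# Run as root with IPT=iptables to install them for real.
IPT="${IPT:-dryrun}"
TABLE="${TABLE:-mangle}"
CREATED="${CREATED:-}"   # chains created so far, space separated

# Stand-in for iptables in dry runs: echo the command, quoting spaced args.
dryrun() {
    printf 'iptables'
    for a; do
        case $a in
            *' '*) printf " '%s'" "$a" ;;
            *)     printf ' %s' "$a" ;;
        esac
    done
    printf '\n'
}

# chain_name PREFIX: derive a legal chain name (max 28 chars) from a prefix.
chain_name() {
    name="LOGDROP_$(printf '%s\n' "$1" | sed 's/[^A-Za-z0-9]/_/g; s/_*$//' | tr 'a-z' 'A-Z')"
    printf '%.28s\n' "$name"
}

# logdrop_chain PREFIX: create the per-prefix LOG+DROP chain once.
logdrop_chain() {
    name=$(chain_name "$1")
    case " $CREATED " in
        *" $name "*) return 0 ;;   # already created, nothing to do
    esac
    $IPT -t "$TABLE" -N "$name"
    $IPT -t "$TABLE" -A "$name" -j LOG --log-prefix "$1"
    $IPT -t "$TABLE" -A "$name" -j DROP
    CREATED="$CREATED $name"
}

# logdrop PREFIX [match...]: one FORWARD rule that logs with PREFIX, then drops.
logdrop() {
    prefix=$1; shift
    logdrop_chain "$prefix"
    $IPT -t "$TABLE" -A FORWARD "$@" -j "$(chain_name "$prefix")"
}

# Demo: two callers share one chain, a third prefix gets its own chain.
logdrop "Drop this packet " -p udp --dport 1024:
logdrop "Drop this packet " -p tcp --dport 1024:
logdrop "Bad ICMP " -p icmp
```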

I wouldn't go to the effort of locally making a copy of LOG, like the
DLOG you propose. It would make more sense, if people agree that this
is a generally useful approach, to make a (hopefully backwards
compatible) new option to LOG, called --drop.

Of course, the general solution, which has been talked about a lot,
but never really reached the point of being incorporated, is to
be able to have multiple targets in the same rule line.

The last time we had this discussion was about one or two weeks ago. :)

best regards
  Patrick
