Create a conntrack/translations logger daemon.
The daemon should listen to netlink updates directly, parse them, get and log required data.
It should be reusable for CGNAT and other services.
Good to have for CGNAT next info for the NEW packets/flow:
Needs to think about the format of the file with log data.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Needs testing | FEATURE REQUEST | None | T5169 Add CGNAT Carrier-Grade NAT based on nftables | ||
| Needs testing | FEATURE REQUEST | HollyGurza | T6362 Create a conntrack/translations logger daemon |
Hi!
I am not against the Python implementation, but why isn't ulogd2 simply used for this?
Hi!
I have a related question too.
I can configure a firewall rule to log userspace via nflog.
set firewall ipv4 forward filter rule 22 log
set firewall ipv4 forward filter rule 22 log-options group '0'
Which is translated to nft rule:
ip daddr 2.2.3.22 tcp dport 1022 ip saddr 1.2.3.22 log prefix "[ipv4-FWD-filter-22-A]" log group 0 counter packets 0 bytes 0 accept comment "ipv4-FWD-filter-22"
But after commit nothing is listen in userspace for nflog group 0 in vyos.
Wouldn't it be more consistent to use ulogd2 for both packet and conntrack (and flow) level logging?