log patch

From kadlec@blackhole.kfki.hu Mon Sep 17 10:35:32 2001
Date: Wed, 28 Feb 2001 13:00:13 +0100 (CET)
From: Jozsef Kadlecsik 
To: netfilter-devel@lists.samba.org
Subject: trace patch [was Re: Request for Log Message Enhancements]

Hello,

I have finished a patch, which adds a new '--trace' option to 
iptables and ip6tables with the following effect: if a rule flagged 
with '--trace' matches a packet, then the packet is logged (via the 
LOG target internally) with the prefixes:

NF_TRACE: chainname/rulenum:
NF6TRACE: chainname/rulenum:

Due to the size limit of the prefix in the ipt_LOG module, there 
are two restrictions: chains with longer than 12 characters 
in the name and rules above 9999 in a chain cannot be traced.
If the traced rule is above 9999 in the chain, then the prefixes

NF_TRACE: chainname/9999+
NF6TRACE: chainname/9999+

The used syslog level is debug.

It's a fairly simple patch without a main redesign of the internals,
but there are "problematic" parts of course :-):

1. Now the core (ip_tables.c) is aware of one extension, which is
   not quite nice. However, I think it's a good deal for the
   functionality.
2. It is *not* optimized at all. In other words, because there
   are no back-pointers (it would require much more effort),
   the search for a matched and traced rule always starts at the *base*
   of the table. (But hey, it's tracing and not performance-tuning :-).

trace.tgz
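The mail describes the log prefixes the patch emits ("NF_TRACE: chainname/rulenum:", "NF6TRACE: ..." and the "9999+" form for rules the prefix cannot number). The parser below is an added example for pulling those trace records out of a kernel log, not code from the patch or from the netfilter project; the sample lines are constructed, the exact whitespace after the prefix and the trailing colon are assumptions, and the IN=/OUT=/SRC=/DST=/PROTO= fields are the usual LOG target output that follows the prefix.

```python
import re

# Constructed sample kernel log lines in the shape the mail describes:
# "<trace prefix> <LOG target fields>". Line 3 uses the "9999+" overflow prefix,
# which the mail shows without a trailing colon; line 4 is unrelated noise.
SAMPLE_LOG = """\
kernel: NF_TRACE: INPUT/3: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22
kernel: NF6TRACE: forward_v6/12: IN=eth1 OUT=eth0 SRC=fe80::1 DST=fe80::2 LEN=80 PROTO=UDP SPT=5353 DPT=5353
kernel: NF_TRACE: bigchain/9999+ IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.1 LEN=40 PROTO=ICMP
kernel: unrelated message
"""

# Chain names longer than 12 characters cannot be traced (prefix size limit),
# rule numbers have at most 4 digits, and "9999+" marks a rule past that limit.
# The trailing colon is optional because the overflow form is shown without it.
TRACE_RE = re.compile(
    r"(?P<family>NF_TRACE|NF6TRACE): (?P<chain>[^/]{1,12})/(?P<rule>\d{1,4}\+?):?\s*(?P<rest>.*)"
)


def parse_trace_line(line):
    """Return a dict for one trace record, or None if the line is not a trace."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    rule = m.group("rule")
    overflow = rule.endswith("+")
    # LOG target fields are KEY=VALUE tokens; an empty value (e.g. "OUT=") is kept as "".
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {
        "family": "ipv6" if m.group("family") == "NF6TRACE" else "ipv4",
        "chain": m.group("chain"),
        "rule": None if overflow else int(rule),   # None: rule number not recoverable
        "rule_overflow": overflow,
        "fields": fields,
    }


def parse_trace_log(text):
    """Parse every trace record in a block of log text, in order of appearance."""
    return [rec for rec in (parse_trace_line(l) for l in text.splitlines()) if rec]


if __name__ == "__main__":
    for rec in parse_trace_log(SAMPLE_LOG):
        print(rec["family"], rec["chain"], rec["rule"] if not rec["rule_overflow"] else "9999+",
              rec["fields"].get("SRC"), "->", rec["fields"].get("DST"), rec["fields"].get("PROTO"))
```

Records with `rule_overflow` set tell you only the chain, so when correlating a trace with the ruleset, treat such entries as "somewhere past rule 9999" rather than a specific rule.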