| Turn on kernel logging of matching packets. When this option is set |
| for a rule, the Linux kernel will print some information on all |
| matching packets (like most IP header fields) via the kernel log |
| (where it can be read with |
| .I dmesg |
| or |
| .IR syslogd (8)). |
| This is a "non-terminating target", i.e. rule traversal continues at |
| the next rule. So if you want to LOG the packets you refuse, use two |
| separate rules with the same matching criteria, first using target LOG |
| then DROP (or REJECT). |
| .TP |
| .BI "--log-level " "level" |
| Level of logging (numeric or see \fIsyslog.conf\fP(5)). |
| .TP |
| .BI "--log-prefix " "prefix" |
| Prefix log messages with the specified prefix; up to 29 letters long, |
| and useful for distinguishing messages in the logs. |
| .TP |
| .B --log-tcp-sequence |
| Log TCP sequence numbers. This is a security risk if the log is |
| readable by users. |
| .TP |
| .B --log-tcp-options |
| Log options from the TCP packet header. |
| .TP |
| .B --log-ip-options |
| Log options from the IP packet header. |
| .TP |
| .B --log-uid |
| Log the userid of the process which generated the packet. |
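
The LOG-then-DROP pairing described above, as an added example that is not part of the original manual page: a shell helper that emits both rules from one set of match criteria and rejects a prefix over the 29-character limit. The function name `log_then_drop` is hypothetical, and the chain, match and prefix in the sample call are constructed.

```shell
#!/bin/sh
# Added example, not from the iptables manual page.
# log_then_drop CHAIN PREFIX LEVEL MATCH...
# Prints a LOG rule and a DROP rule that share the same match criteria.
# Nothing is applied to the running firewall; the output is for review.
log_then_drop() {
    if [ "$#" -lt 4 ]; then
        echo "usage: log_then_drop CHAIN PREFIX LEVEL MATCH..." >&2
        return 2
    fi
    chain=$1
    prefix=$2
    level=$3
    shift 3

    # --log-prefix accepts a prefix of up to 29 characters.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log prefix exceeds 29 characters: $prefix" >&2
        return 1
    fi
    # The prefix is emitted inside double quotes, so refuse characters
    # that would break out of the quoting in the generated command.
    case $prefix in
        *\"* | *\\* | *\$* | *\`*)
            echo "log prefix contains a shell metacharacter" >&2
            return 1
            ;;
    esac

    # LOG is non-terminating: traversal continues at the next rule, so
    # the DROP rule must follow it with identical match criteria.
    # --log-tcp-sequence is deliberately not emitted (risk if the log
    # is readable by users).
    printf 'iptables -A %s %s -j LOG --log-level %s --log-prefix "%s"\n' \
        "$chain" "$*" "$level" "$prefix"
    printf 'iptables -A %s %s -j DROP\n' "$chain" "$*"
}

# Constructed sample: log, then drop, inbound telnet.
log_then_drop INPUT "DROP-TELNET: " 4 -p tcp --dport 23
```

Swapping the emitted DROP for REJECT keeps the same ordering requirement, since only the second rule terminates traversal.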