- iptables supports the NFLOG target instead of the LOG target. NFLOG is designed to work with ulogd2. LOG is designed to work with syslog. If you use syslog, all iptables packets have the kernel facility. It's hard-coded and can't be changed. This means we're unable to avoid polluting the kernel ring buffer (dmesg) with iptables messages.
- We have hardware failure detection logic that monitors dmesg. Since iptables logs push everything else out of dmesg, we basically lose hardware failure detection.
- ulogd2 would work around this issue.
- Red Hat Enterprise Linux 7
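As an added example (not from the article), the LOG rule beside its NFLOG replacement, a minimal ulogd2 stack for the chosen netlink group, and a check that dmesg carries no firewall lines. The prefix, netlink group, port match, plugin directory and log paths are assumptions.

```shell
# Added example (not from the Red Hat article): move iptables packet logging
# from the LOG target (kernel facility, lands in dmesg) to NFLOG consumed by
# ulogd2, and verify dmesg stays free of firewall lines. The prefix, netlink
# group, port match and plugin/log paths are assumptions.

NFLOG_GROUP=1
PREFIX="FW-DROP"

# Old rule, which floods the kernel ring buffer via the kernel facility:
#   iptables -A INPUT -p tcp --dport 2323 -j LOG --log-prefix "FW-DROP "
# Equivalent NFLOG rule: packets go to netlink group $NFLOG_GROUP, not syslog/dmesg.
nflog_rule() {
  printf 'iptables -A INPUT -p tcp --dport 2323 -j NFLOG --nflog-group %s --nflog-prefix "%s"\n' \
    "$NFLOG_GROUP" "$PREFIX"
}

# Minimal ulogd2 stack for that group: NFLOG -> BASE -> IFINDEX -> IP2STR
# -> PRINTPKT -> LOGEMU (syslog-style text file, outside the ring buffer).
write_ulogd_conf() {
  cat > "$1" <<EOF
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=$NFLOG_GROUP

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1
EOF
}

# Reads dmesg text on stdin; returns 0 when no firewall lines are present, so a
# hardware-error monitor scraping dmesg is not being drowned out by iptables.
dmesg_clean() {
  ! grep -q "$PREFIX"
}

# Constructed dmesg sample (not real output) showing the failure mode.
SAMPLE_DMESG='[   12.301] FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=2323
[   12.305] mce: [Hardware Error]: Machine check events logged'
```

Run `nflog_rule` to print the replacement rule, `write_ulogd_conf /etc/ulogd.conf` to install the stack, and `dmesg | dmesg_clean` afterwards to confirm the ring buffer no longer carries firewall lines.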