From 109aab644873fcc732c08aea25288b7be1525ed0 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Sat, 27 Oct 2018 12:15:50 +0200 Subject: [PATCH] nft.8: Document log level audit Since this pseudo log level fundamentally changes behaviour of log statement, dedicate this mode a separate paragraph. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Conflicts: doc/statements.txt -> Patch manually applied to doc/nft.xml from asciidoc source. Signed-off-by: Phil Sutter --- doc/nft.xml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index 0df42810c5e68..22d57ac630037 100644 --- a/doc/nft.xml +++ b/doc/nft.xml 
@@ -4700,9 +4700,22 @@ tcp flags syn tcp option maxseg size set rt mtu snaplen size + + log + level audit + + + + The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). + + + In the second form of invocation (if 'nflog_group' is specified), the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. + + + In the third form of invocation (if level audit is specified), the Linux kernel writes a message into the audit buffer suitably formatted for reading with auditd. Therefore no further formatting options (such as prefix or flags) are allowed in this mode. - The log statement enables logging of matching packets. When this statement is used from a rule, the Linux kernel will print some information on all matching packets, such as header fields, via the kernel log (where it can be read with dmesg(1) or read in the syslog). If the group number is specified, the Linux kernel will pass the packet to nfnetlink_log which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets, see libnetfilter_queue documentation for details. This is a non-terminating statement, so the rule evaluation continues after the packet is logged. + This is a non-terminating statement, so the rule evaluation continues after the packet is logged. -- 2.21.0
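Review bot: the reflowed second-form paragraph still sends readers to the libnetfilter_queue documentation for details on subscribing to an nfnetlink_log group, but the userspace library that consumes nfnetlink_log is libnetfilter_log; since this hunk already rewrites that sentence, it would be the right place to change it to "see libnetfilter_log documentation for details" rather than carry the mismatch forward. The new third-form paragraph on "level audit" reads clearly and its statement that no further formatting options are accepted in that mode is the important behavioural point for anyone writing log rules, so keeping it as a separate paragraph, as the commit message intends, is the right call.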