Capture FINAL_REJECT and STATE_INVALID_DROP packages

Hi, do you know a method to capture the packages before they are discarded? I do see a couple of "interesting" packages, that I would like to examine a bit further (e.g. with wireshark) The usual way would be using ulogd, but according to gh#268 https:// github.com/firewalld/firewalld/issues/268, this is out of scope ATM. When looking into the source, a general implementation seems pretty straight forward, with the most work being configuration/interfaces, but of course, this will raise questions of scatter logging into the ruleset everywhere <shrug>, proper testing, etc. # LogTarget # Define alternate logging target, eg. ULOG, NFLOG # Default: LOG LogTarget=LOG # LogPrefixOption # Log prefix option, eg. --nflog-prefix, --ulog-prefix # Default: "--log-prefix" LogPrefixOption="--log-prefix" # LogTargetOptions # Options for alternate logging target, eg. --nflog-group 32 # Default: "" LogTargetOptions= When making firewalld ulogd aware (ULOG, NFLOG), we could hardcode the LogPrefixOption, and simply call LogTargetOptions LogTargetGroup. Opinions? Cheers, Pete