author | Kevin Krakauer <krakauer@google.com> | 2020-04-29 13:36:29 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-04-29 13:38:14 -0700 |
commit | a105d185ff9fc24f5bf0c1ca28cbc0f7ec7c4ea5 (patch) | |
tree | 0fcdf3d85925fbd09d4b766b7cd82ce94763e379 /pkg | |
parent | d5c34ba2ffef0b0aee38d4f96f06bc00b04b0a53 (diff) |
iptables: don't pollute logs
The netfilter package uses logs to make debugging the (de)serialization of
structs easier. This generates a lot of (usually irrelevant) logs. Logging is
now hidden behind a debug flag.
PiperOrigin-RevId: 309087115
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/sentry/socket/netfilter/netfilter.go | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 878f81fd5..72d093aa8 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -53,9 +53,14 @@ type metadata struct {
 Size uint32
 }
 
+// enableLogging controls whether to log the (de)serialization of netfilter
+// structs between userspace and netstack. These logs are useful when
+// developing iptables, but can pollute sentry logs otherwise.
+const enableLogging = false
+
 // nflog logs messages related to the writing and reading of iptables.
 func nflog(format string, args ...interface{}) {
- if log.IsLogging(log.Debug) {
+ if enableLogging && log.IsLogging(log.Debug) {
 log.Debugf("netfilter: "+format, args...)
 }
 }
 |
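Review bot: The doc comment on `enableLogging` does not say that this is a compile-time constant, while the commit message calls it a "debug flag", which reads like something that can be set at runtime. Because `enableLogging && log.IsLogging(log.Debug)` short-circuits on a `const false`, raising the sentry log level to debug no longer produces any netfilter output. Anyone diagnosing how a rule table copied in from the sandboxed application was parsed has to edit this file and rebuild. I would add a line to the comment such as `// This is a compile-time switch: set it to true and rebuild to get these logs; the runtime log level alone does not enable them.` If these traces are expected to be needed outside development, a runtime option may be the better fit, but whether one is available to this package is not visible from the hunk.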