From: Patrick McHardy
Subject: Re: --log-uid target?
Date: Thu, 04 Nov 2004 04:30:57 +0100
Message-ID: <4189A271.5060702@trash.net>
In-Reply-To: <1099535517.26577.586.camel@ws102.darkcore.net>
To: John Lange
Cc: netfilter-develop
List-Id: netfilter-devel.vger.kernel.org

John Lange wrote:

>Actually, Martin supplied me with the old patch from 2002 which I
>modified to work with 2.6.9 and I sent them back to him for review.
>
>I have been using it on 2 production systems since the weekend and so
>far everything seems good.
>
>There is one problem though, though I have this line in my firewall
>script:
>
>/usr/local/sbin/iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix
>"SMTP " --log-uid
>
>A great deal of packets are being logged with NO UID as follows:
>
>Nov 3 20:16:50 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx
>DST=203.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8368 DF
>PROTO=TCP SPT=39737 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
>The target does in fact work at least some of the time because there are
>also plenty of packets logged like this:
>
>Nov 3 20:25:45 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx
>DST=64..xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7784 DF
>PROTO=TCP SPT=39780 DPT=25 WINDOW=1460 RES=0x00 ACK URGP=0 UID=500
>
>UID=500 is what I expect since that's my SMTP server uid.
>
>Under what situations could an outgoing packet be logged without a UID?
>Something must own this packet?
>
>

When the kernel replies to packets itself there is no UID.
RSTs sent in response to a packet addressed to a non-existent
socket have no (user) socket, that's why the RST is sent :)
Same for ICMP messages generated by the kernel. You should
see the UID for all packets sent from userspace.

Regards
Patrick
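
Added example, not part of the original message or of the netfilter code: a Python triage of --log-uid output that separates the kernel-generated cases named in the reply (RST, ICMP) from lines carrying a UID and from lines with no UID that fit neither case. The function names, the expected-UID set (500, the SMTP server uid from the quoted message) and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in the LOG format quoted in the message; the
# addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Nov  3 20:16:50 venus kernel: SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8368 DF PROTO=TCP SPT=39737 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Nov  3 20:25:45 venus kernel: SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7784 DF PROTO=TCP SPT=39780 DPT=25 WINDOW=1460 RES=0x00 ACK URGP=0 UID=500
Nov  3 20:26:02 venus kernel: SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7790 DF PROTO=TCP SPT=39781 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33
Nov  3 20:27:10 venus kernel: SMTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7801 DF PROTO=TCP SPT=39790 DPT=25 WINDOW=1460 RES=0x00 ACK FIN URGP=0
"""

def parse(line):
    """Split one LOG line into (KEY=VALUE fields, set of TCP flag names)."""
    _, _, body = line.partition("kernel: ")
    fields, flags, after_res = {}, set(), False
    for tok in body.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
            after_res = (key == "RES")   # TCP flags are the bare words after RES=
        elif after_res:
            flags.add(tok)
    return fields, flags

def classify(line, expected_uids=frozenset({500})):
    """Label a line by where its UID (or lack of one) comes from."""
    fields, flags = parse(line)
    if "UID" in fields:                  # packet sent from a userspace socket
        uid = int(fields["UID"])
        return "expected-uid" if uid in expected_uids else "unexpected-uid"
    if fields.get("PROTO") == "TCP" and "RST" in flags:
        return "kernel-rst"              # kernel reply for a non-existent socket
    if fields.get("PROTO") == "ICMP":
        return "kernel-icmp"             # ICMP message generated by the kernel
    # The reply names only the two cases above; anything else is left for review.
    return "no-uid-review"

def summarize(log_text, expected_uids=frozenset({500})):
    lines = [l for l in log_text.splitlines() if "kernel: " in l]
    return Counter(classify(l, expected_uids) for l in lines)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```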