[NETFILTER]: Kill ebt_ulog

[NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: x --]
[-- Type: text/plain, Size: 9035 bytes --]

[NETFILTER]: Kill ebt_ulog

It uses NETLINK_NFLOG, which is also used by ipt_ULOG, so it causes
conflicts in netlink_kernel_create. As no userspace daemon exists,
and a generic replacement by Harald will follow in the next couple
of days, kill it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a980554c9fbb31e7fe5bf3b4639b4d0d24a422fb
tree c9eb95bbc8f410232ed9de56946db902c0bdb916
parent 3aa13776ac25163f546d52cc990d194bbbb9120c
author Patrick McHardy <kaber@trash.net> Sat, 23 Jul 2005 04:37:20 +0200
committer Patrick McHardy <kaber@trash.net> Sat, 23 Jul 2005 04:37:20 +0200

 net/bridge/netfilter/ebt_ulog.c |  295 ---------------------------------------
 1 files changed, 0 insertions(+), 295 deletions(-)

diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
deleted file mode 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * netfilter module for userspace bridged Ethernet frames logging daemons
- *
- *	Authors:
- *	Bart De Schuymer <bdschuym@pandora.be>
- *
- *  November, 2004
- *
- * Based on ipt_ULOG.c, which is
- * (C) 2000-2002 by Harald Welte <laforge@netfilter.org>
- *
- * This module accepts two parameters: 
- * 
- * nlbufsiz:
- *   The parameter specifies how big the buffer for each netlink multicast
- * group is. e.g. If you say nlbufsiz=8192, up to eight kb of packets will
- * get accumulated in the kernel until they are sent to userspace. It is
- * NOT possible to allocate more than 128kB, and it is strongly discouraged,
- * because atomically allocating 128kB inside the network rx softirq is not
- * reliable. Please also keep in mind that this buffer size is allocated for
- * each nlgroup you are using, so the total kernel memory usage increases
- * by that factor.
- *
- * flushtimeout:
- *   Specify, after how many hundredths of a second the queue should be
- *   flushed even if it is not full yet.
- *
- */
-
-#include <linux/module.h>
-#include <linux/config.h>
-#include <linux/spinlock.h>
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/kernel.h>
-#include <linux/timer.h>
-#include <linux/netlink.h>
-#include <linux/netdevice.h>
-#include <linux/module.h>
-#include <linux/netfilter_bridge/ebtables.h>
-#include <linux/netfilter_bridge/ebt_ulog.h>
-#include <net/sock.h>
-#include "../br_private.h"
-
-#define PRINTR(format, args...) do { if (net_ratelimit()) \
-                                printk(format , ## args); } while (0)
-
-static unsigned int nlbufsiz = 4096;
-module_param(nlbufsiz, uint, 0600);
-MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
-                           "(defaults to 4096)");
-
-static unsigned int flushtimeout = 10;
-module_param(flushtimeout, uint, 0600);
-MODULE_PARM_DESC(flushtimeout, "buffer flush timeout (hundredths ofa second) "
-                               "(defaults to 10)");
-
-typedef struct {
-	unsigned int qlen;		/* number of nlmsgs' in the skb */
-	struct nlmsghdr *lastnlh;	/* netlink header of last msg in skb */
-	struct sk_buff *skb;		/* the pre-allocated skb */
-	struct timer_list timer;	/* the timer function */
-	spinlock_t lock;		/* the per-queue lock */
-} ebt_ulog_buff_t;
-
-static ebt_ulog_buff_t ulog_buffers[EBT_ULOG_MAXNLGROUPS];
-static struct sock *ebtulognl;
-
-/* send one ulog_buff_t to userspace */
-static void ulog_send(unsigned int nlgroup)
-{
-	ebt_ulog_buff_t *ub = &ulog_buffers[nlgroup];
-
-	if (timer_pending(&ub->timer))
-		del_timer(&ub->timer);
-
-	/* last nlmsg needs NLMSG_DONE */
-	if (ub->qlen > 1)
-		ub->lastnlh->nlmsg_type = NLMSG_DONE;
-
-	NETLINK_CB(ub->skb).dst_groups = 1 << nlgroup;
-	netlink_broadcast(ebtulognl, ub->skb, 0, 1 << nlgroup, GFP_ATOMIC);
-
-	ub->qlen = 0;
-	ub->skb = NULL;
-}
-
-/* timer function to flush queue in flushtimeout time */
-static void ulog_timer(unsigned long data)
-{
-	spin_lock_bh(&ulog_buffers[data].lock);
-	if (ulog_buffers[data].skb)
-		ulog_send(data);
-	spin_unlock_bh(&ulog_buffers[data].lock);
-}
-
-static struct sk_buff *ulog_alloc_skb(unsigned int size)
-{
-	struct sk_buff *skb;
-
-	skb = alloc_skb(nlbufsiz, GFP_ATOMIC);
-	if (!skb) {
-		PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "
-		       "of size %ub!\n", nlbufsiz);
-		if (size < nlbufsiz) {
-			/* try to allocate only as much as we need for
-			 * current packet */
-			skb = alloc_skb(size, GFP_ATOMIC);
-			if (!skb)
-				PRINTR(KERN_ERR "ebt_ulog: can't even allocate "
-				       "buffer of size %ub\n", size);
-		}
-	}
-
-	return skb;
-}
-
-static void ebt_ulog(const struct sk_buff *skb, unsigned int hooknr,
-   const struct net_device *in, const struct net_device *out,
-   const void *data, unsigned int datalen)
-{
-	ebt_ulog_packet_msg_t *pm;
-	size_t size, copy_len;
-	struct nlmsghdr *nlh;
-	struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
-	unsigned int group = uloginfo->nlgroup;
-	ebt_ulog_buff_t *ub = &ulog_buffers[group];
-	spinlock_t *lock = &ub->lock;
-
-	if ((uloginfo->cprange == 0) ||
-	    (uloginfo->cprange > skb->len + ETH_HLEN))
-		copy_len = skb->len + ETH_HLEN;
-	else
-		copy_len = uloginfo->cprange;
-
-	size = NLMSG_SPACE(sizeof(*pm) + copy_len);
-	if (size > nlbufsiz) {
-		PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n",
-		       size, nlbufsiz);
-		return;
-	}
-
-	spin_lock_bh(lock);
-
-	if (!ub->skb) {
-		if (!(ub->skb = ulog_alloc_skb(size)))
-			goto alloc_failure;
-	} else if (size > skb_tailroom(ub->skb)) {
-		ulog_send(group);
-
-		if (!(ub->skb = ulog_alloc_skb(size)))
-			goto alloc_failure;
-	}
-
-	nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, 0,
-	                size - NLMSG_ALIGN(sizeof(*nlh)));
-	ub->qlen++;
-
-	pm = NLMSG_DATA(nlh);
-
-	/* Fill in the ulog data */
-	pm->version = EBT_ULOG_VERSION;
-	do_gettimeofday(&pm->stamp);
-	if (ub->qlen == 1)
-		ub->skb->stamp = pm->stamp;
-	pm->data_len = copy_len;
-	pm->mark = skb->nfmark;
-	pm->hook = hooknr;
-	if (uloginfo->prefix != NULL)
-		strcpy(pm->prefix, uloginfo->prefix);
-	else
-		*(pm->prefix) = '\0';
-
-	if (in) {
-		strcpy(pm->physindev, in->name);
-		/* If in isn't a bridge, then physindev==indev */
-		if (in->br_port)
-			strcpy(pm->indev, in->br_port->br->dev->name);
-		else
-			strcpy(pm->indev, in->name);
-	} else
-		pm->indev[0] = pm->physindev[0] = '\0';
-
-	if (out) {
-		/* If out exists, then out is a bridge port */
-		strcpy(pm->physoutdev, out->name);
-		strcpy(pm->outdev, out->br_port->br->dev->name);
-	} else
-		pm->outdev[0] = pm->physoutdev[0] = '\0';
-
-	if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)
-		BUG();
-
-	if (ub->qlen > 1)
-		ub->lastnlh->nlmsg_flags |= NLM_F_MULTI;
-
-	ub->lastnlh = nlh;
-
-	if (ub->qlen >= uloginfo->qthreshold)
-		ulog_send(group);
-	else if (!timer_pending(&ub->timer)) {
-		ub->timer.expires = jiffies + flushtimeout * HZ / 100;
-		add_timer(&ub->timer);
-	}
-
-unlock:
-	spin_unlock_bh(lock);
-
-	return;
-
-nlmsg_failure:
-	printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should "
-	       "not happen, please report to author.\n");
-	goto unlock;
-alloc_failure:
-	goto unlock;
-}
-
-static int ebt_ulog_check(const char *tablename, unsigned int hookmask,
-   const struct ebt_entry *e, void *data, unsigned int datalen)
-{
-	struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
-
-	if (datalen != EBT_ALIGN(sizeof(struct ebt_ulog_info)) ||
-	    uloginfo->nlgroup > 31)
-		return -EINVAL;
-
-	uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
-
-	if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
-		uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
-
-	return 0;
-}
-
-static struct ebt_watcher ulog = {
-	.name		= EBT_ULOG_WATCHER,
-	.watcher	= ebt_ulog,
-	.check		= ebt_ulog_check,
-	.me		= THIS_MODULE,
-};
-
-static int __init init(void)
-{
-	int i, ret = 0;
-
-	if (nlbufsiz >= 128*1024) {
-		printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB,"
-		       " please try a smaller nlbufsiz parameter.\n");
-		return -EINVAL;
-	}
-
-	/* initialize ulog_buffers */
-	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
-		init_timer(&ulog_buffers[i].timer);
-		ulog_buffers[i].timer.function = ulog_timer;
-		ulog_buffers[i].timer.data = i;
-		spin_lock_init(&ulog_buffers[i].lock);
-	}
-
-	ebtulognl = netlink_kernel_create(NETLINK_NFLOG, NULL);
-	if (!ebtulognl)
-		ret = -ENOMEM;
-	else if ((ret = ebt_register_watcher(&ulog)))
-		sock_release(ebtulognl->sk_socket);
-
-	return ret;
-}
-
-static void __exit fini(void)
-{
-	ebt_ulog_buff_t *ub;
-	int i;
-
-	ebt_unregister_watcher(&ulog);
-	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
-		ub = &ulog_buffers[i];
-		if (timer_pending(&ub->timer))
-			del_timer(&ub->timer);
-		spin_lock_bh(&ub->lock);
-		if (ub->skb) {
-			kfree_skb(ub->skb);
-			ub->skb = NULL;
-		}
-		spin_unlock_bh(&ub->lock);
-	}
-	sock_release(ebtulognl->sk_socket);
-}
-
-module_init(init);
-module_exit(fini);
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-MODULE_DESCRIPTION("ebtables userspace logging module for bridged Ethernet"
-                   " frames");

Re: [NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 107 bytes --]

Patrick McHardy wrote:

> [NETFILTER]: Kill ebt_ulog

Oops, sorry, I forgot to remove the Makefile entry.


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 10238 bytes --]

[NETFILTER]: Kill ebt_ulog

It uses NETLINK_NFLOG, which is also used by ipt_ULOG, so it causes
conflicts in netlink_kernel_create. As no userspace daemon exists,
and a generic replacement by Harald will follow in the next couple
of days, kill it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit e2200c9015e33a7619f856349dc883dbadae2ea6
tree 1e91d9b3453addf227b9daf7f4f6496f8a5dd764
parent 3aa13776ac25163f546d52cc990d194bbbb9120c
author Patrick McHardy <kaber@trash.net> Sat, 23 Jul 2005 04:39:57 +0200
committer Patrick McHardy <kaber@trash.net> Sat, 23 Jul 2005 04:39:57 +0200

 net/bridge/netfilter/Kconfig    |   13 --
 net/bridge/netfilter/Makefile   |    1 
 net/bridge/netfilter/ebt_ulog.c |  295 ---------------------------------------
 3 files changed, 0 insertions(+), 309 deletions(-)

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -195,17 +195,4 @@ config BRIDGE_EBT_LOG
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config BRIDGE_EBT_ULOG
-	tristate "ebt: ulog support"
-	depends on BRIDGE_NF_EBTABLES
-	help
-	  This option adds the ulog watcher, that you can use in any rule
-	  in any ebtables table. The packet is passed to a userspace
-	  logging daemon using netlink multicast sockets. This differs
-	  from the log watcher in the sense that the complete packet is
-	  sent to userspace instead of a descriptive text and that
-	  netlink multicast sockets are used instead of the syslog.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 endmenu
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -29,4 +29,3 @@ obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_sna
 
 # watchers
 obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o
-obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_ulog.o
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
deleted file mode 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * netfilter module for userspace bridged Ethernet frames logging daemons
- *
- *	Authors:
- *	Bart De Schuymer <bdschuym@pandora.be>
- *
- *  November, 2004
- *
- * Based on ipt_ULOG.c, which is
- * (C) 2000-2002 by Harald Welte <laforge@netfilter.org>
- *
- * This module accepts two parameters: 
- * 
- * nlbufsiz:
- *   The parameter specifies how big the buffer for each netlink multicast
- * group is. e.g. If you say nlbufsiz=8192, up to eight kb of packets will
- * get accumulated in the kernel until they are sent to userspace. It is
- * NOT possible to allocate more than 128kB, and it is strongly discouraged,
- * because atomically allocating 128kB inside the network rx softirq is not
- * reliable. Please also keep in mind that this buffer size is allocated for
- * each nlgroup you are using, so the total kernel memory usage increases
- * by that factor.
- *
- * flushtimeout:
- *   Specify, after how many hundredths of a second the queue should be
- *   flushed even if it is not full yet.
- *
- */
-
-#include <linux/module.h>
-#include <linux/config.h>
-#include <linux/spinlock.h>
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/kernel.h>
-#include <linux/timer.h>
-#include <linux/netlink.h>
-#include <linux/netdevice.h>
-#include <linux/module.h>
-#include <linux/netfilter_bridge/ebtables.h>
-#include <linux/netfilter_bridge/ebt_ulog.h>
-#include <net/sock.h>
-#include "../br_private.h"
-
-#define PRINTR(format, args...) do { if (net_ratelimit()) \
-                                printk(format , ## args); } while (0)
-
-static unsigned int nlbufsiz = 4096;
-module_param(nlbufsiz, uint, 0600);
-MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
-                           "(defaults to 4096)");
-
-static unsigned int flushtimeout = 10;
-module_param(flushtimeout, uint, 0600);
-MODULE_PARM_DESC(flushtimeout, "buffer flush timeout (hundredths ofa second) "
-                               "(defaults to 10)");
-
-typedef struct {
-	unsigned int qlen;		/* number of nlmsgs' in the skb */
-	struct nlmsghdr *lastnlh;	/* netlink header of last msg in skb */
-	struct sk_buff *skb;		/* the pre-allocated skb */
-	struct timer_list timer;	/* the timer function */
-	spinlock_t lock;		/* the per-queue lock */
-} ebt_ulog_buff_t;
-
-static ebt_ulog_buff_t ulog_buffers[EBT_ULOG_MAXNLGROUPS];
-static struct sock *ebtulognl;
-
-/* send one ulog_buff_t to userspace */
-static void ulog_send(unsigned int nlgroup)
-{
-	ebt_ulog_buff_t *ub = &ulog_buffers[nlgroup];
-
-	if (timer_pending(&ub->timer))
-		del_timer(&ub->timer);
-
-	/* last nlmsg needs NLMSG_DONE */
-	if (ub->qlen > 1)
-		ub->lastnlh->nlmsg_type = NLMSG_DONE;
-
-	NETLINK_CB(ub->skb).dst_groups = 1 << nlgroup;
-	netlink_broadcast(ebtulognl, ub->skb, 0, 1 << nlgroup, GFP_ATOMIC);
-
-	ub->qlen = 0;
-	ub->skb = NULL;
-}
-
-/* timer function to flush queue in flushtimeout time */
-static void ulog_timer(unsigned long data)
-{
-	spin_lock_bh(&ulog_buffers[data].lock);
-	if (ulog_buffers[data].skb)
-		ulog_send(data);
-	spin_unlock_bh(&ulog_buffers[data].lock);
-}
-
-static struct sk_buff *ulog_alloc_skb(unsigned int size)
-{
-	struct sk_buff *skb;
-
-	skb = alloc_skb(nlbufsiz, GFP_ATOMIC);
-	if (!skb) {
-		PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "
-		       "of size %ub!\n", nlbufsiz);
-		if (size < nlbufsiz) {
-			/* try to allocate only as much as we need for
-			 * current packet */
-			skb = alloc_skb(size, GFP_ATOMIC);
-			if (!skb)
-				PRINTR(KERN_ERR "ebt_ulog: can't even allocate "
-				       "buffer of size %ub\n", size);
-		}
-	}
-
-	return skb;
-}
-
-static void ebt_ulog(const struct sk_buff *skb, unsigned int hooknr,
-   const struct net_device *in, const struct net_device *out,
-   const void *data, unsigned int datalen)
-{
-	ebt_ulog_packet_msg_t *pm;
-	size_t size, copy_len;
-	struct nlmsghdr *nlh;
-	struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
-	unsigned int group = uloginfo->nlgroup;
-	ebt_ulog_buff_t *ub = &ulog_buffers[group];
-	spinlock_t *lock = &ub->lock;
-
-	if ((uloginfo->cprange == 0) ||
-	    (uloginfo->cprange > skb->len + ETH_HLEN))
-		copy_len = skb->len + ETH_HLEN;
-	else
-		copy_len = uloginfo->cprange;
-
-	size = NLMSG_SPACE(sizeof(*pm) + copy_len);
-	if (size > nlbufsiz) {
-		PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n",
-		       size, nlbufsiz);
-		return;
-	}
-
-	spin_lock_bh(lock);
-
-	if (!ub->skb) {
-		if (!(ub->skb = ulog_alloc_skb(size)))
-			goto alloc_failure;
-	} else if (size > skb_tailroom(ub->skb)) {
-		ulog_send(group);
-
-		if (!(ub->skb = ulog_alloc_skb(size)))
-			goto alloc_failure;
-	}
-
-	nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, 0,
-	                size - NLMSG_ALIGN(sizeof(*nlh)));
-	ub->qlen++;
-
-	pm = NLMSG_DATA(nlh);
-
-	/* Fill in the ulog data */
-	pm->version = EBT_ULOG_VERSION;
-	do_gettimeofday(&pm->stamp);
-	if (ub->qlen == 1)
-		ub->skb->stamp = pm->stamp;
-	pm->data_len = copy_len;
-	pm->mark = skb->nfmark;
-	pm->hook = hooknr;
-	if (uloginfo->prefix != NULL)
-		strcpy(pm->prefix, uloginfo->prefix);
-	else
-		*(pm->prefix) = '\0';
-
-	if (in) {
-		strcpy(pm->physindev, in->name);
-		/* If in isn't a bridge, then physindev==indev */
-		if (in->br_port)
-			strcpy(pm->indev, in->br_port->br->dev->name);
-		else
-			strcpy(pm->indev, in->name);
-	} else
-		pm->indev[0] = pm->physindev[0] = '\0';
-
-	if (out) {
-		/* If out exists, then out is a bridge port */
-		strcpy(pm->physoutdev, out->name);
-		strcpy(pm->outdev, out->br_port->br->dev->name);
-	} else
-		pm->outdev[0] = pm->physoutdev[0] = '\0';
-
-	if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)
-		BUG();
-
-	if (ub->qlen > 1)
-		ub->lastnlh->nlmsg_flags |= NLM_F_MULTI;
-
-	ub->lastnlh = nlh;
-
-	if (ub->qlen >= uloginfo->qthreshold)
-		ulog_send(group);
-	else if (!timer_pending(&ub->timer)) {
-		ub->timer.expires = jiffies + flushtimeout * HZ / 100;
-		add_timer(&ub->timer);
-	}
-
-unlock:
-	spin_unlock_bh(lock);
-
-	return;
-
-nlmsg_failure:
-	printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should "
-	       "not happen, please report to author.\n");
-	goto unlock;
-alloc_failure:
-	goto unlock;
-}
-
-static int ebt_ulog_check(const char *tablename, unsigned int hookmask,
-   const struct ebt_entry *e, void *data, unsigned int datalen)
-{
-	struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
-
-	if (datalen != EBT_ALIGN(sizeof(struct ebt_ulog_info)) ||
-	    uloginfo->nlgroup > 31)
-		return -EINVAL;
-
-	uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
-
-	if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
-		uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
-
-	return 0;
-}
-
-static struct ebt_watcher ulog = {
-	.name		= EBT_ULOG_WATCHER,
-	.watcher	= ebt_ulog,
-	.check		= ebt_ulog_check,
-	.me		= THIS_MODULE,
-};
-
-static int __init init(void)
-{
-	int i, ret = 0;
-
-	if (nlbufsiz >= 128*1024) {
-		printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB,"
-		       " please try a smaller nlbufsiz parameter.\n");
-		return -EINVAL;
-	}
-
-	/* initialize ulog_buffers */
-	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
-		init_timer(&ulog_buffers[i].timer);
-		ulog_buffers[i].timer.function = ulog_timer;
-		ulog_buffers[i].timer.data = i;
-		spin_lock_init(&ulog_buffers[i].lock);
-	}
-
-	ebtulognl = netlink_kernel_create(NETLINK_NFLOG, NULL);
-	if (!ebtulognl)
-		ret = -ENOMEM;
-	else if ((ret = ebt_register_watcher(&ulog)))
-		sock_release(ebtulognl->sk_socket);
-
-	return ret;
-}
-
-static void __exit fini(void)
-{
-	ebt_ulog_buff_t *ub;
-	int i;
-
-	ebt_unregister_watcher(&ulog);
-	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
-		ub = &ulog_buffers[i];
-		if (timer_pending(&ub->timer))
-			del_timer(&ub->timer);
-		spin_lock_bh(&ub->lock);
-		if (ub->skb) {
-			kfree_skb(ub->skb);
-			ub->skb = NULL;
-		}
-		spin_unlock_bh(&ub->lock);
-	}
-	sock_release(ebtulognl->sk_socket);
-}
-
-module_init(init);
-module_exit(fini);
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-MODULE_DESCRIPTION("ebtables userspace logging module for bridged Ethernet"
-                   " frames");

Re: [NETFILTER]: Kill ebt_ulog

[Bart De Schuymer]

Op za, 23-07-2005 te 04:38 +0200, schreef Patrick McHardy:
> plain text document bijlage (x)
> [NETFILTER]: Kill ebt_ulog
> 
> It uses NETLINK_NFLOG, which is also used by ipt_ULOG, so it causes
> conflicts in netlink_kernel_create. As no userspace daemon exists,
> and a generic replacement by Harald will follow in the next couple
> of days, kill it.

Killing ebt_ulog is not the right thing, it is an ebtables module that
is used by people (which is why I made it). The right thing would be to
make ebt_ulog use Harald's upcoming generic code, which is hopefully not
restricted to iptables.

cheers,
Bart

Re: [NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

Bart De Schuymer wrote:
> Op za, 23-07-2005 te 04:38 +0200, schreef Patrick McHardy:
> 
>>plain text document bijlage (x)
>>[NETFILTER]: Kill ebt_ulog
>>
>>It uses NETLINK_NFLOG, which is also used by ipt_ULOG, so it causes
>>conflicts in netlink_kernel_create. As no userspace daemon exists,
>>and a generic replacement by Harald will follow in the next couple
>>of days, kill it.
> 
> Killing ebt_ulog is not the right thing, it is an ebtables module that
> is used by people (which is why I made it). The right thing would be to
> make ebt_ulog use Harald's upcoming generic code, which is hopefully not
> restricted to iptables.

The upcoming code will be a generic replacement, so there's no need to
have ipt_ULOG/ebt_ulog except for backwards compatiblity reasons.
Is there actually a userspace daemon for ebt_ulog? In any case it makes
little sense to allocate a new netlink number for ebt_ulog since it
will break userspace compatiblity anyway.

Regards
Patrick

Re: [NETFILTER]: Kill ebt_ulog

[Bart De Schuymer]

Op za, 23-07-2005 te 17:52 +0200, schreef Patrick McHardy:
> Bart De Schuymer wrote:
> > Op za, 23-07-2005 te 04:38 +0200, schreef Patrick McHardy:
> > 
> >>plain text document bijlage (x)
> >>[NETFILTER]: Kill ebt_ulog
> >>
> >>It uses NETLINK_NFLOG, which is also used by ipt_ULOG, so it causes
> >>conflicts in netlink_kernel_create. As no userspace daemon exists,
> >>and a generic replacement by Harald will follow in the next couple
> >>of days, kill it.
> > 
> > Killing ebt_ulog is not the right thing, it is an ebtables module that
> > is used by people (which is why I made it). The right thing would be to
> > make ebt_ulog use Harald's upcoming generic code, which is hopefully not
> > restricted to iptables.
> 
> The upcoming code will be a generic replacement, so there's no need to
> have ipt_ULOG/ebt_ulog except for backwards compatiblity reasons.
> Is there actually a userspace daemon for ebt_ulog? In any case it makes
> little sense to allocate a new netlink number for ebt_ulog since it
> will break userspace compatiblity anyway.

I wrote an example (see the ebtables CVS) that receives the netlink
messages and prints out data for ping requests and replies.
Gustavo Carneiro released some Perl code that handles the netlink
messages (see http://ebtables.sourceforge.net/examples.html#easy). There
is no full-blown full-featured daemon, I don't think that's always what
people want anyway.
What mechanism will let the user decide which packets should be sent to
userspace? I think it would be a bad thing if {ip,eb}tables could no
longer be used for that (it's not just backwards compatibility).

I think changing the netlink number is a lot less drastic w.r.t.
userspace compatibility than bluntly removing ebt_ulog. Perhaps it's my
awful memory, but I seem to remember that ipt_ULOG and ebt_ulog could be
used together. Anyway, it's sad that they can't share NETLINK_NFLOG,
differentiation between both message flows is easily accomplished by the
user with using a different netlink group number (but this issue should
be fixed by the generic implementation).

cheers,
Bart

Re: [NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

Bart De Schuymer wrote:
> Op za, 23-07-2005 te 17:52 +0200, schreef Patrick McHardy:
> 
>>The upcoming code will be a generic replacement, so there's no need to
>>have ipt_ULOG/ebt_ulog except for backwards compatiblity reasons.
>>Is there actually a userspace daemon for ebt_ulog? In any case it makes
>>little sense to allocate a new netlink number for ebt_ulog since it
>>will break userspace compatiblity anyway.
> 
> I wrote an example (see the ebtables CVS) that receives the netlink
> messages and prints out data for ping requests and replies.
> Gustavo Carneiro released some Perl code that handles the netlink
> messages (see http://ebtables.sourceforge.net/examples.html#easy). There
> is no full-blown full-featured daemon, I don't think that's always what
> people want anyway.
> What mechanism will let the user decide which packets should be sent to
> userspace? I think it would be a bad thing if {ip,eb}tables could no
> longer be used for that (it's not just backwards compatibility).

The QUEUE target will get a queue-number argument. Userspace can
register for different queues using netlink messages. All this
will be handled by the core to we don't need ipt_ULOG/ebt_ulog
anymore.

> I think changing the netlink number is a lot less drastic w.r.t.
> userspace compatibility than bluntly removing ebt_ulog. Perhaps it's my
> awful memory, but I seem to remember that ipt_ULOG and ebt_ulog could be
> used together. Anyway, it's sad that they can't share NETLINK_NFLOG,
> differentiation between both message flows is easily accomplished by the
> user with using a different netlink group number (but this issue should
> be fixed by the generic implementation).

The problem is that we can't create two kernel sockets for the same
netlink family. Netlink families are a scarce resource, so I don't think
it makes much sense to waste another one for a soon (couple of days)
deprecated mechanism. I propose to continue this discussion once the
new code is there, so we can see if it fits your needs.

Regards
Patrick

Re: [NETFILTER]: Kill ebt_ulog

[Bart De Schuymer]

Op za, 23-07-2005 te 22:04 +0200, schreef Patrick McHardy:
> The QUEUE target will get a queue-number argument. Userspace can
> register for different queues using netlink messages. All this
> will be handled by the core to we don't need ipt_ULOG/ebt_ulog
> anymore.

What if someone wants to just get a copy sent to userspace while the
kernel continues routing the copied packet? AFAIK this behaviour can't
be obtained using the queue target.

> The problem is that we can't create two kernel sockets for the same
> netlink family. Netlink families are a scarce resource, so I don't think
> it makes much sense to waste another one for a soon (couple of days)
> deprecated mechanism. I propose to continue this discussion once the
> new code is there, so we can see if it fits your needs.

If the generic code is such that other modules can make it send messages
through the NETLINK_NFLOG socket, then those problems are over. I think
there is no problem in keeping ULOG and QUEUE as long as they use the
generic framework, those targets do different things.

I'll be unreachable, most of the time, from July 25 'till August 7, I
hope I can catch up on the discussion then...

cheers,
Bart

Re: [NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

Bart De Schuymer wrote:
> Op za, 23-07-2005 te 22:04 +0200, schreef Patrick McHardy:
> 
> What if someone wants to just get a copy sent to userspace while the
> kernel continues routing the copied packet? AFAIK this behaviour can't
> be obtained using the queue target.

Yes, sorry, I spread misinformation :) There is also a replacement
for ip_queue and I was mixing them up.

Regards
Patrick

Re: [NETFILTER]: Kill ebt_ulog

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2385 bytes --]

On Sat, Jul 23, 2005 at 09:34:39PM +0000, Bart De Schuymer wrote:
> Op za, 23-07-2005 te 22:04 +0200, schreef Patrick McHardy:
> > The QUEUE target will get a queue-number argument. Userspace can
> > register for different queues using netlink messages. All this
> > will be handled by the core to we don't need ipt_ULOG/ebt_ulog
> > anymore.
> 
> What if someone wants to just get a copy sent to userspace while the
> kernel continues routing the copied packet? AFAIK this behaviour can't
> be obtained using the queue target.

> > The problem is that we can't create two kernel sockets for the same
> > netlink family. Netlink families are a scarce resource, so I don't think
> > it makes much sense to waste another one for a soon (couple of days)
> > deprecated mechanism. I propose to continue this discussion once the
> > new code is there, so we can see if it fits your needs.
> 
> If the generic code is such that other modules can make it send messages
> through the NETLINK_NFLOG socket, then those problems are over. I think
> there is no problem in keeping ULOG and QUEUE as long as they use the
> generic framework, those targets do different things.

yes, that is what I'm doing at the moment.  nfnetlink_nflog is
registering with the already-existing nf_log_packet() api.

The architecture is like follows:

The iptables LOG (and ebt_ulog) modules would do nothing else but do a
single call to nf_log_packet() every time the want to log a packet.
nf_log_packet() will be extended to specify the log group.

Everything else is dealt with by the core.  A userspace process can use
nfnetlink to tell the kernel "please register as nf_log_packet() handler
for PF_BRIDGE, PF_INET, ... - and then register to one or multipe
groups. 

> I'll be unreachable, most of the time, from July 25 'till August 7, I
> hope I can catch up on the discussion then...

the new code should be fixed until then.  I'm resolving some oopses at
the moment, it's a matter of days..

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [NETFILTER]: Kill ebt_ulog

[Carl-Daniel Hailfinger]

Patrick McHardy schrieb:
> The problem is that we can't create two kernel sockets for the same
> netlink family. Netlink families are a scarce resource, so I don't think
> it makes much sense to waste another one for a soon (couple of days)
> deprecated mechanism. I propose to continue this discussion once the
> new code is there, so we can see if it fits your needs.

Please add ebt_ulog to Documentation/feature-removal-schedule.txt
and give people the usual 6 month grace period to transition to
the proposed feature-equivalent alternatives.

Regards,
Carl-Daniel

Re: [NETFILTER]: Kill ebt_ulog

[Patrick McHardy]

Carl-Daniel Hailfinger wrote:
> Patrick McHardy schrieb:
> 
>>The problem is that we can't create two kernel sockets for the same
>>netlink family. Netlink families are a scarce resource, so I don't think
>>it makes much sense to waste another one for a soon (couple of days)
>>deprecated mechanism. I propose to continue this discussion once the
>>new code is there, so we can see if it fits your needs.
> 
> 
> Please add ebt_ulog to Documentation/feature-removal-schedule.txt
> and give people the usual 6 month grace period to transition to
> the proposed feature-equivalent alternatives.

It is _broken_ right now and conflicts with ipt_ULOG. There is no
point in keeping it broken for 6 month.

Re: [NETFILTER]: Kill ebt_ulog

[Bart De Schuymer]

Op zo, 24-07-2005 te 01:20 +0200, schreef Patrick McHardy:
> > Please add ebt_ulog to Documentation/feature-removal-schedule.txt
> > and give people the usual 6 month grace period to transition to
> > the proposed feature-equivalent alternatives.
> 
> It is _broken_ right now and conflicts with ipt_ULOG. There is no
> point in keeping it broken for 6 month.

Removing ebt_ulog would be stupid. So what if it conflicts with
ipt_ULOG, there is no kernel panic, they just can't be used together
currently. That problem should be solved by the generic replacement. To
say that ebt_ulog is broken is plain false.
If the "generic" replacement is such that it can only be used by
iptables modules then it is not generic at all.

Bart

Re: [NETFILTER]: Kill ebt_ulog

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1919 bytes --]

On Sun, Jul 24, 2005 at 09:22:51AM +0000, Bart De Schuymer wrote:
> Op zo, 24-07-2005 te 01:20 +0200, schreef Patrick McHardy:
> > > Please add ebt_ulog to Documentation/feature-removal-schedule.txt
> > > and give people the usual 6 month grace period to transition to
> > > the proposed feature-equivalent alternatives.
> > 
> > It is _broken_ right now and conflicts with ipt_ULOG. There is no
> > point in keeping it broken for 6 month.
> 
> Removing ebt_ulog would be stupid. So what if it conflicts with
> ipt_ULOG, there is no kernel panic, they just can't be used together
> currently. 

Yes, you 'just' don't get logs of your security policy violations
anymore.  I think a lot of people would consider this a _serious_
security issue, one that even rectifies a security advisory.

So the code isn't broken _if_ it was using a different netlink family
number.  I'm not in a position to decide on whether to assign you one, I
can just tell you that reusing the number used by ipt_ULOG is causing
security problems and therefore is a bug.  

If no new number can be assigned, I recommend putting in some KConfig
rule to prevent enabling both ebt_ulog and ipt_ULOG at the same time.

> That problem should be solved by the generic replacement. 

yes, it is solved by it.  Patch will be posted any day.

> If the "generic" replacement is such that it can only be used by
> iptables modules then it is not generic at all.

The 'generic' replacement can be used by anyone in the kernel who wants
to log an skb.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [NETFILTER]: Kill ebt_ulog

[David S. Miller]

From: Bart De Schuymer <bdschuym@pandora.be>
Date: Sun, 24 Jul 2005 09:22:51 +0000

> Removing ebt_ulog would be stupid. So what if it conflicts with
> ipt_ULOG, there is no kernel panic, they just can't be used together
> currently. That problem should be solved by the generic replacement. To
> say that ebt_ulog is broken is plain false.
> If the "generic" replacement is such that it can only be used by
> iptables modules then it is not generic at all.

Bart, please stop it.

Secondly, let it be very clearly be known that the bridging netfilter
layer is the largest source of problems in the netfilter and
networking code.  All of the nf_reset() garbage that we went through
over the last month only exists because of the funky things that
ebtables does.  The ebtables code that made those requiments necessary
should never have gone in to begin with.  If I had understood the
implications, that the netfilter caching in the SKB had to be held
on for such an unreasonably long time in the stack, I would have never
let that code into the tree.  And I know other netfilter developers
feel the same way about this as I do.

Now people use that stuff, and WE ARE STUCK with the crap as a result.
We can't rip it out, even though that is exactly what we should do.

Therefore, I will highly support inclusion of any change that
decreases the number of broken dependencies and things that ebtables
enforces upon the rest of the tree.

I doubt you can document more than a hand full of ebt_log users, and
they can convert easily over to the generic mechanism.

And we're not going to stop development and stop all of our progress
just because you won't be around until the end of the first week of
August :-)

Re: [NETFILTER]: Kill ebt_ulog

[Bart De Schuymer]

Op zo, 24-07-2005 te 17:52 -0700, schreef David S. Miller:
> > Removing ebt_ulog would be stupid. So what if it conflicts with
> > ipt_ULOG, there is no kernel panic, they just can't be used together
> > currently. That problem should be solved by the generic replacement. To
> > say that ebt_ulog is broken is plain false.
> > If the "generic" replacement is such that it can only be used by
> > iptables modules then it is not generic at all.
> 
> Bart, please stop it.

A simple question: is it the intention to make it simple for ip6tables
to get a ULOG target? I hope so. If so, then it should be very simple to
alter ebt_ulog to use the generic code. There is then no need to first
remove it.

> Secondly, let it be very clearly be known that the bridging netfilter
> layer is the largest source of problems in the netfilter and
> networking code.  All of the nf_reset() garbage that we went through
> over the last month only exists because of the funky things that
> ebtables does.  The ebtables code that made those requiments necessary
> should never have gone in to begin with.  If I had understood the
> implications, that the netfilter caching in the SKB had to be held
> on for such an unreasonably long time in the stack, I would have never
> let that code into the tree.  And I know other netfilter developers
> feel the same way about this as I do.

I made it very clear before even submitting the bridge-nf code into the
2.5 kernel that it was very intrusive. I remember very well that it was
you who asked me to get it into 2.5. I never hid the fact that iptables
calls were postponed until in the bridging code.

> Now people use that stuff, and WE ARE STUCK with the crap as a result.
> We can't rip it out, even though that is exactly what we should do.
> 
> Therefore, I will highly support inclusion of any change that
> decreases the number of broken dependencies and things that ebtables
> enforces upon the rest of the tree.
> 
> I doubt you can document more than a hand full of ebt_log users, and
> they can convert easily over to the generic mechanism.

I haven't seen any explanation of how an ebtables user will be able to
use netlink logging without an ebtables module.

> And we're not going to stop development and stop all of our progress
> just because you won't be around until the end of the first week of
> August :-)

I think I made my opinion clear about the removal of ebt_ulog.
Now I'm off on holidays.

Bart