From: Patrick McHardy <kaber@trash.net>
To: Gregor Maier <gregor@net.in.tum.de>
Cc: netfilter-devel@lists.netfilter.org, davem@davemloft.net
Subject: Re: [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility
Date: Sat, 25 Feb 2006 19:48:09 +0100 [thread overview]
Message-ID: <4400A669.2020000@trash.net> (raw)
In-Reply-To: <440065FD.5020206@net.in.tum.de>
Gregor Maier wrote:
> Patrick McHardy wrote:
>
>>>Restore compatiblity by using the old log functions by default and only use
>>>the nf_log backend if the user explicitly said so.
>>>
>
>
> ipt_LOG still registers itfself as nf_log logger in init(). Good, so
> since conntrack can now log.
>
> Problem: no anthoer loggers can register for PF_INET right away. They
> must unregister the ipt_LOG logger first. Then they can register
> themselves. I don't like the idea of modules and esp. userspace apps
> unregistering handlers from other modules. First Come First Serve.
Exactly, this is how it works now, if we forget about the UNBIND
operation of nf_log (which I'm not a fan of either). Ideally the
log backends should be stackable.
> When ipt_LOG doesn't register a nf_log logger, then the problem would
> not arise, although the conntrack code could not log anything until some
> other logger has been registered (since conntrack uses nf_log_packet).
>
>
>
> Maybe nf_log should have two handlers for each PF:
> - One handler for loginfo.type == NF_LOG_TYPE_LOG. Which can be provided
> by ipt_LOG.
> - One handler for loginfo.type == NF_LOG_TYPE_ULOG, for which
> nfnetlink_log strongly qualifies.
>
>
> So, as long as ipt_LOG is loaded, conntrack et.al. can log to syslog as is.
>
> If netlink_log is used additionally, (as handler for TYPE_ULOG),
> conntrack et.al. won't notice it.
>
> If _everything_ should be logged to userspace, then netlink_log could
> also unregister the TYPE_LOG handler and register itself as handler for it.
I think stackable log backends are the cleanest solution for this.
next prev parent reply other threads:[~2006-02-25 18:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
2006-02-25 13:17 ` [NETFILTER 01/6]: nf_queue: don't copy registered rerouter data Patrick McHardy
2006-02-25 13:17 ` [NETFILTER 02/6]: nf_queue: check if rerouter is present before using it Patrick McHardy
2006-02-25 13:18 ` [NETFILTER 03/6]: nf_queue: fix rerouting after packet mangling Patrick McHardy
2006-02-25 13:18 ` [NETFILTER 04/6]: nf_queue: remove unnecessary check for outfn Patrick McHardy
2006-02-25 13:18 ` [NETFILTER 05/6]: nf_queue: fix end-of-list check Patrick McHardy
2006-02-25 13:18 ` [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility Patrick McHardy
2006-02-25 14:13 ` Gregor Maier
2006-02-25 18:48 ` Patrick McHardy [this message]
2006-02-27 21:04 ` [00/06]: Netfilter fixes for 2.6.16 David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4400A669.2020000@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=gregor@net.in.tum.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.