* [00/06]: Netfilter fixes for 2.6.16
@ 2006-02-25 13:17 Patrick McHardy
  2006-02-25 13:17 ` [NETFILTER 01/6]: nf_queue: don't copy registered rerouter data Patrick McHardy
                   ` (6 more replies)
  0 siblings, 7 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

following are a couple of fixes for 2.6.16, mostly concerning nf_queue.
Please apply.


 include/linux/netfilter_bridge/ebt_log.h |    1 
 include/linux/netfilter_ipv4/ipt_LOG.h   |    3 +
 include/linux/netfilter_ipv6/ip6t_LOG.h  |    3 +
 net/bridge/netfilter/ebt_log.c           |    7 +++
 net/ipv4/netfilter/ipt_LOG.c             |    7 +++
 net/ipv6/netfilter/ip6t_LOG.c            |    7 +++
 net/netfilter/nf_queue.c                 |   58 ++++++++++++++-----------------
 7 files changed, 51 insertions(+), 35 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_queue: don't copy registered rerouter data
      [NETFILTER]: nf_queue: check if rerouter is present before using it
      [NETFILTER]: nf_queue: fix rerouting after packet mangling
      [NETFILTER]: nf_queue: remove unnecessary check for outfn
      [NETFILTER]: nf_queue: fix end-of-list check
      [NETFILTER]: Restore {ipt,ip6t,ebt}_LOG compatibility

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [NETFILTER 01/6]: nf_queue: don't copy registered rerouter data
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
@ 2006-02-25 13:17 ` Patrick McHardy
  2006-02-25 13:17 ` [NETFILTER 02/6]: nf_queue: check if rerouter is present before using it Patrick McHardy
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: nf_queue: don't copy registered rerouter data

Use the registered data structure instead of copying it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 139a39bf3a1cc347d77582bea8cdabe7d3a25021
tree fa64e102124cf15c9df8672ac15342464882cea2
parent 5c1ca65c93503b2c94359ba39640f9687bd192a3
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:04 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:04 +0100

 net/netfilter/nf_queue.c |   28 +++++++++-------------------
 1 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index d3a4f30..24ad41e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -16,7 +16,7 @@
  * for queueing and must reinject all packets it receives, no matter what.
  */
 static struct nf_queue_handler *queue_handler[NPROTO];
-static struct nf_queue_rerouter *queue_rerouter;
+static struct nf_queue_rerouter *queue_rerouter[NPROTO];
 
 static DEFINE_RWLOCK(queue_handler_lock);
 
@@ -64,7 +64,7 @@ int nf_register_queue_rerouter(int pf, s
 		return -EINVAL;
 
 	write_lock_bh(&queue_handler_lock);
-	memcpy(&queue_rerouter[pf], rer, sizeof(queue_rerouter[pf]));
+	queue_rerouter[pf] = rer;
 	write_unlock_bh(&queue_handler_lock);
 
 	return 0;
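
Review bot: `queue_rerouter[pf] = rer;` in nf_register_queue_rerouter() now keeps the caller's pointer instead of a private copy, so the registered struct has to stay valid until nf_unregister_queue_rerouter() runs, and the store replaces whatever was registered for that pf without any indication. Document the lifetime requirement in a comment on the function, and consider returning an error when the slot is already taken.
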
@@ -77,7 +77,7 @@ int nf_unregister_queue_rerouter(int pf)
 		return -EINVAL;
 
 	write_lock_bh(&queue_handler_lock);
-	memset(&queue_rerouter[pf], 0, sizeof(queue_rerouter[pf]));
+	queue_rerouter[pf] = NULL;
 	write_unlock_bh(&queue_handler_lock);
 	return 0;
 }
@@ -123,7 +123,7 @@ int nf_queue(struct sk_buff **skb, 
 		return 1;
 	}
 
-	info = kmalloc(sizeof(*info)+queue_rerouter[pf].rer_size, GFP_ATOMIC);
+	info = kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC);
 	if (!info) {
 		if (net_ratelimit())
 			printk(KERN_ERR "OOM queueing packet %p\n",
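
Review bot: `queue_rerouter[pf]->rer_size` in the kmalloc() size is dereferenced with no NULL test, and with this patch the slot of a family without a rerouter is a NULL pointer (nf_unregister_queue_rerouter() stores NULL) rather than a zeroed struct whose rer_size is 0. Read the pointer once into a local and use 0 as the extra size when it is NULL.
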
@@ -155,14 +155,14 @@ int nf_queue(struct sk_buff **skb, 
 		if (physoutdev) dev_hold(physoutdev);
 	}
 #endif
-	if (queue_rerouter[pf].save)
-		queue_rerouter[pf].save(*skb, info);
+	if (queue_rerouter[pf]->save)
+		queue_rerouter[pf]->save(*skb, info);
 
 	status = queue_handler[pf]->outfn(*skb, info, queuenum,
 					  queue_handler[pf]->data);
 
-	if (status >= 0 && queue_rerouter[pf].reroute)
-		status = queue_rerouter[pf].reroute(skb, info);
+	if (status >= 0 && queue_rerouter[pf]->reroute)
+		status = queue_rerouter[pf]->reroute(skb, info);
 
 	read_unlock(&queue_handler_lock);
 
@@ -322,22 +322,12 @@ int __init netfilter_queue_init(void)
 {
 #ifdef CONFIG_PROC_FS
 	struct proc_dir_entry *pde;
-#endif
-	queue_rerouter = kmalloc(NPROTO * sizeof(struct nf_queue_rerouter),
-				 GFP_KERNEL);
-	if (!queue_rerouter)
-		return -ENOMEM;
 
-#ifdef CONFIG_PROC_FS
 	pde = create_proc_entry("nf_queue", S_IRUGO, proc_net_netfilter);
-	if (!pde) {
-		kfree(queue_rerouter);
+	if (!pde)
 		return -1;
-	}
 	pde->proc_fops = &nfqueue_file_ops;
 #endif
-	memset(queue_rerouter, 0, NPROTO * sizeof(struct nf_queue_rerouter));
-
 	return 0;
 }
 

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [NETFILTER 02/6]: nf_queue: check if rerouter is present before using it
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
  2006-02-25 13:17 ` [NETFILTER 01/6]: nf_queue: don't copy registered rerouter data Patrick McHardy
@ 2006-02-25 13:17 ` Patrick McHardy
  2006-02-25 13:18 ` [NETFILTER 03/6]: nf_queue: fix rerouting after packet mangling Patrick McHardy
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: nf_queue: check if rerouter is present before using it

Every rerouter needs to provide a save and a reroute function; we don't
need to check for them. But we do need to check if a rerouter is registered
at all for the current family; with bridging, for example, packets of
unregistered families can hit nf_queue.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7ef7e9ed0e79dcb31560fc7d669a23ca2f230e09
tree 1b9fbb5833e5bac3d2bcd4a37cb7440b460988f2
parent 139a39bf3a1cc347d77582bea8cdabe7d3a25021
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:44 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:44 +0100

 net/netfilter/nf_queue.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 24ad41e..1fc7152 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -155,13 +155,13 @@ int nf_queue(struct sk_buff **skb, 
 		if (physoutdev) dev_hold(physoutdev);
 	}
 #endif
-	if (queue_rerouter[pf]->save)
+	if (queue_rerouter[pf])
 		queue_rerouter[pf]->save(*skb, info);
 
 	status = queue_handler[pf]->outfn(*skb, info, queuenum,
 					  queue_handler[pf]->data);
 
-	if (status >= 0 && queue_rerouter[pf]->reroute)
+	if (status >= 0 && queue_rerouter[pf])
 		status = queue_rerouter[pf]->reroute(skb, info);
 
 	read_unlock(&queue_handler_lock);
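
Review bot: dropping the `->save` and `->reroute` tests in nf_queue() turns "every rerouter provides both" into a hard requirement, but nothing in the diff enforces it. Have nf_register_queue_rerouter() return -EINVAL for a `rer` with either function pointer NULL, so a bad registration fails when the module loads instead of on the first queued packet.
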

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [NETFILTER 03/6]: nf_queue: fix rerouting after packet mangling
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
  2006-02-25 13:17 ` [NETFILTER 01/6]: nf_queue: don't copy registered rerouter data Patrick McHardy
  2006-02-25 13:17 ` [NETFILTER 02/6]: nf_queue: check if rerouter is present before using it Patrick McHardy
@ 2006-02-25 13:18 ` Patrick McHardy
  2006-02-25 13:18 ` [NETFILTER 04/6]: nf_queue: remove unnecessary check for outfn Patrick McHardy
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:18 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: nf_queue: fix rerouting after packet mangling

Packets should be rerouted when they come back from userspace, not before.
Also move the queue_rerouters to RCU to avoid taking the queue_handler_lock
for each reinjected packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5409613c1733e5162fb884865637d1607afcfbc9
tree 81e984ae53bd364b368ed77278ffda87202d20fc
parent 7ef7e9ed0e79dcb31560fc7d669a23ca2f230e09
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:45 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:45 +0100

 net/netfilter/nf_queue.c |   22 +++++++++++++++-------
 1 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 1fc7152..c61f723 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -6,6 +6,7 @@
 #include <linux/skbuff.h>
 #include <linux/netfilter.h>
 #include <linux/seq_file.h>
+#include <linux/rcupdate.h>
 #include <net/protocol.h>
 
 #include "nf_internals.h"
@@ -64,7 +65,7 @@ int nf_register_queue_rerouter(int pf, s
 		return -EINVAL;
 
 	write_lock_bh(&queue_handler_lock);
-	queue_rerouter[pf] = rer;
+	rcu_assign_pointer(queue_rerouter[pf], rer);
 	write_unlock_bh(&queue_handler_lock);
 
 	return 0;
@@ -77,8 +78,9 @@ int nf_unregister_queue_rerouter(int pf)
 		return -EINVAL;
 
 	write_lock_bh(&queue_handler_lock);
-	queue_rerouter[pf] = NULL;
+	rcu_assign_pointer(queue_rerouter[pf], NULL);
 	write_unlock_bh(&queue_handler_lock);
+	synchronize_rcu();
 	return 0;
 }
 EXPORT_SYMBOL_GPL(nf_unregister_queue_rerouter);
@@ -114,6 +116,7 @@ int nf_queue(struct sk_buff **skb, 
 	struct net_device *physindev = NULL;
 	struct net_device *physoutdev = NULL;
 #endif
+	struct nf_queue_rerouter *rerouter;
 
 	/* QUEUE == DROP if noone is waiting, to be safe. */
 	read_lock(&queue_handler_lock);
@@ -155,15 +158,13 @@ int nf_queue(struct sk_buff **skb, 
 		if (physoutdev) dev_hold(physoutdev);
 	}
 #endif
-	if (queue_rerouter[pf])
-		queue_rerouter[pf]->save(*skb, info);
+	rerouter = rcu_dereference(queue_rerouter[pf]);
+	if (rerouter)
+		rerouter->save(*skb, info);
 
 	status = queue_handler[pf]->outfn(*skb, info, queuenum,
 					  queue_handler[pf]->data);
 
-	if (status >= 0 && queue_rerouter[pf])
-		status = queue_rerouter[pf]->reroute(skb, info);
-
 	read_unlock(&queue_handler_lock);
 
 	if (status < 0) {
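
Review bot: `rcu_dereference(queue_rerouter[pf])` in nf_queue() runs under `read_lock(&queue_handler_lock)` rather than inside an rcu_read_lock() section as the lookup in nf_reinject() does. Writers still take write_lock_bh() around the pointer update, so the reader is covered, but a one-line comment saying which protection this call relies on (or an explicit rcu_read_lock()/rcu_read_unlock() pair around the save call) would stop the next reader of the code from having to work it out.
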
@@ -189,6 +190,7 @@ void nf_reinject(struct sk_buff *skb, st
 {
 	struct list_head *elem = &info->elem->list;
 	struct list_head *i;
+	struct nf_queue_rerouter *rerouter;
 
 	rcu_read_lock();
 
@@ -226,6 +228,12 @@ void nf_reinject(struct sk_buff *skb, st
 	}
 
 	if (verdict == NF_ACCEPT) {
+		rerouter = rcu_dereference(queue_rerouter[info->pf]);
+		if (rerouter && rerouter->reroute(&skb, info) < 0)
+			verdict = NF_DROP;
+	}
+
+	if (verdict == NF_ACCEPT) {
 	next_hook:
 		verdict = nf_iterate(&nf_hooks[info->pf][info->hook],
 				     &skb, info->hook, 
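
Review bot: the rerouter is looked up again here at reinject time, while `info` was allocated and filled by whichever rerouter was registered when nf_queue() ran. If the registration for `info->pf` changes while the packet is in userspace, `reroute()` is handed saved data it did not write. State that assumption in a comment, or record in `info` which rerouter did the save and compare before calling `reroute()`. The two back-to-back `if (verdict == NF_ACCEPT)` blocks also deserve a short comment that the second test is needed because a failed reroute turns the verdict into NF_DROP.
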

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [NETFILTER 04/6]: nf_queue: remove unnecessary check for outfn
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
                   ` (2 preceding siblings ...)
  2006-02-25 13:18 ` [NETFILTER 03/6]: nf_queue: fix rerouting after packet mangling Patrick McHardy
@ 2006-02-25 13:18 ` Patrick McHardy
  2006-02-25 13:18 ` [NETFILTER 05/6]: nf_queue: fix end-of-list check Patrick McHardy
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:18 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: nf_queue: remove unnecessary check for outfn

The only point of registering a queue handler is to provide an outfn,
so there is no need to check for it.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 021fe2cbea0df98012b8c96e55855622f885817d
tree 52085a0216748ef3f915c8869b4ea8e0933a8cf2
parent 5409613c1733e5162fb884865637d1607afcfbc9
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:46 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:46 +0100

 net/netfilter/nf_queue.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index c61f723..913df7d 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -120,7 +120,7 @@ int nf_queue(struct sk_buff **skb, 
 
 	/* QUEUE == DROP if noone is waiting, to be safe. */
 	read_lock(&queue_handler_lock);
-	if (!queue_handler[pf] || !queue_handler[pf]->outfn) {
+	if (!queue_handler[pf]) {
 		read_unlock(&queue_handler_lock);
 		kfree_skb(*skb);
 		return 1;
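
Review bot: with `!queue_handler[pf]->outfn` removed from this test, nf_queue() calls `queue_handler[pf]->outfn(...)` on any registered handler, so the guarantee has to come from registration. If nf_register_queue_handler() does not already refuse a handler whose outfn is NULL, add that check there; it is not part of this diff.
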

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [NETFILTER 05/6]: nf_queue: fix end-of-list check
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
                   ` (3 preceding siblings ...)
  2006-02-25 13:18 ` [NETFILTER 04/6]: nf_queue: remove unnecessary check for outfn Patrick McHardy
@ 2006-02-25 13:18 ` Patrick McHardy
  2006-02-25 13:18 ` [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility Patrick McHardy
  2006-02-27 21:04 ` [00/06]: Netfilter fixes for 2.6.16 David S. Miller
  6 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:18 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: nf_queue: fix end-of-list check

The comparison wants to find out if the last list iteration reached the
end of the list. It needs to compare the iterator with the list head to
do this, not the element it is looking for.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 37fcebcd2adf3cd2124437ff1fb7836be0a9c207
tree a0a6c39916362c4b1f7125282d66d97c67a397fa
parent 021fe2cbea0df98012b8c96e55855622f885817d
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:47 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:43:47 +0100

 net/netfilter/nf_queue.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 913df7d..d9f0d7e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -214,7 +214,7 @@ void nf_reinject(struct sk_buff *skb, st
   			break;
   	}
   
-	if (elem == &nf_hooks[info->pf][info->hook]) {
+	if (i == &nf_hooks[info->pf][info->hook]) {
 		/* The module which sent it to userspace is gone. */
 		NFDEBUG("%s: module disappeared, dropping packet.\n",
 			__FUNCTION__);

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
                   ` (4 preceding siblings ...)
  2006-02-25 13:18 ` [NETFILTER 05/6]: nf_queue: fix end-of-list check Patrick McHardy
@ 2006-02-25 13:18 ` Patrick McHardy
  2006-02-25 14:13   ` Gregor Maier
  2006-02-27 21:04 ` [00/06]: Netfilter fixes for 2.6.16 David S. Miller
  6 siblings, 1 reply; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 13:18 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

[NETFILTER]: Restore {ipt,ip6t,ebt}_LOG compatibility

The nfnetlink_log infrastructure changes broke compatibility of the LOG
targets. They currently use whatever log backend was registered first,
which means that if ipt_ULOG was loaded first, no messages will be printed
to the ring buffer anymore.

Restore compatibility by using the old log functions by default and only use
the nf_log backend if the user explicitly said so.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit c3fbb1dc63d9433a59fcbcbc446564e6619da165
tree c45a4915e64289b3fc656c834456e2d956328605
parent 37fcebcd2adf3cd2124437ff1fb7836be0a9c207
author Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:56:37 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 25 Feb 2006 13:56:37 +0100

 include/linux/netfilter_bridge/ebt_log.h |    1 +
 include/linux/netfilter_ipv4/ipt_LOG.h   |    3 ++-
 include/linux/netfilter_ipv6/ip6t_LOG.h  |    3 ++-
 net/bridge/netfilter/ebt_log.c           |    7 ++++++-
 net/ipv4/netfilter/ipt_LOG.c             |    7 ++++++-
 net/ipv6/netfilter/ip6t_LOG.c            |    7 ++++++-
 6 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/linux/netfilter_bridge/ebt_log.h
index 358fbc8..96e231a 100644
--- a/include/linux/netfilter_bridge/ebt_log.h
+++ b/include/linux/netfilter_bridge/ebt_log.h
@@ -3,6 +3,7 @@
 
 #define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
 #define EBT_LOG_ARP 0x02
+#define EBT_LOG_NFLOG 0x04
 #define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
 #define EBT_LOG_PREFIX_SIZE 30
 #define EBT_LOG_WATCHER "log"
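
Review bot: `EBT_LOG_NFLOG` is added but `EBT_LOG_MASK` stays `(EBT_LOG_IP | EBT_LOG_ARP)`, whereas the ipt and ip6t headers in this patch widen their masks from 0x0f to 0x1f to cover the new bit. If ebt_log validates `bitmask` against `EBT_LOG_MASK`, a rule that sets the new flag is rejected and the nf_log_packet() branch added to ebt_log() can never be taken. Either add the bit to the mask or say in the commit message why the bridge header differs.
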
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 22d1617..892f9a3 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -6,7 +6,8 @@
 #define IPT_LOG_TCPOPT		0x02	/* Log TCP options */
 #define IPT_LOG_IPOPT		0x04	/* Log IP options */
 #define IPT_LOG_UID		0x08	/* Log UID owning local socket */
-#define IPT_LOG_MASK		0x0f
+#define IPT_LOG_NFLOG		0x10	/* Log using nf_log backend */
+#define IPT_LOG_MASK		0x1f
 
 struct ipt_log_info {
 	unsigned char level;
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 9008ff5..060c1a1 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -6,7 +6,8 @@
 #define IP6T_LOG_TCPOPT		0x02	/* Log TCP options */
 #define IP6T_LOG_IPOPT		0x04	/* Log IP options */
 #define IP6T_LOG_UID		0x08	/* Log UID owning local socket */
-#define IP6T_LOG_MASK		0x0f
+#define IP6T_LOG_NFLOG		0x10	/* Log using nf_log backend */
+#define IP6T_LOG_MASK		0x1f
 
 struct ip6t_log_info {
 	unsigned char level;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 0128fbb..288ff1d 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -166,7 +166,12 @@ static void ebt_log(const struct sk_buff
 	li.u.log.level = info->loglevel;
 	li.u.log.logflags = info->bitmask;
 
-	nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li, info->prefix);
+	if (info->bitmask & EBT_LOG_NFLOG)
+		nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
+		              info->prefix);
+	else
+		ebt_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
+		               info->prefix);
 }
 
 static struct ebt_watcher log =
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 6606ddb..cc27545 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -425,7 +425,12 @@ ipt_log_target(struct sk_buff **pskb,
 	li.u.log.level = loginfo->level;
 	li.u.log.logflags = loginfo->logflags;
 
-	nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li, loginfo->prefix);
+	if (loginfo->logflags & IPT_LOG_NFLOG)
+		nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+		              loginfo->prefix);
+	else
+		ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+		               loginfo->prefix);
 
 	return IPT_CONTINUE;
 }
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 77c7258..6b930ef 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -436,7 +436,12 @@ ip6t_log_target(struct sk_buff **pskb,
 	li.u.log.level = loginfo->level;
 	li.u.log.logflags = loginfo->logflags;
 
-	nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li, loginfo->prefix);
+	if (loginfo->logflags & IP6T_LOG_NFLOG)
+		nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+		              loginfo->prefix);
+	else
+		ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+		                loginfo->prefix);
 
 	return IP6T_CONTINUE;
 }

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility
  2006-02-25 13:18 ` [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility Patrick McHardy
@ 2006-02-25 14:13   ` Gregor Maier
  2006-02-25 18:48     ` Patrick McHardy
  0 siblings, 1 reply; 10+ messages in thread
From: Gregor Maier @ 2006-02-25 14:13 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, davem


Patrick McHardy wrote:
> [NETFILTER]: Restore {ipt,ip6t,ebt}_LOG compatibility

> Restore compatibility by using the old log functions by default and only use
> the nf_log backend if the user explicitly said so.
> 

ipt_LOG still registers itself as nf_log logger in init(). Good, so
since conntrack can now log.

Problem: no other loggers can register for PF_INET right away. They
must unregister the ipt_LOG logger first. Then they can register
themselves. I don't like the idea of modules and esp. userspace apps
unregistering handlers from other modules. First Come First Serve.


When ipt_LOG doesn't register a nf_log logger, then the problem would
not arise, although the conntrack code could not log anything until some
other logger has been registered (since conntrack uses nf_log_packet).



Maybe nf_log should have two handlers for each PF:
- One handler for loginfo.type == NF_LOG_TYPE_LOG. Which can be provided
by ipt_LOG.
- One handler for loginfo.type == NF_LOG_TYPE_ULOG, for which
nfnetlink_log strongly qualifies.


So, as long as ipt_LOG is loaded, conntrack et al. can log to syslog as is.

If netlink_log is used additionally, (as handler for TYPE_ULOG),
conntrack et al. won't notice it.

If _everything_ should be logged to userspace, then netlink_log could
also unregister the TYPE_LOG handler and register itself as handler for it.


cu
Gregor

PS: Hope you don't mind that I make so much noise here on the list.
--
Gregor Maier                                      Lehrstuhl Informatik 8
gregor@net.in.tum.de                              Tel: +49 89  289-18010
http://www.net.in.tum.de                                     TU Muenchen

^ permalink raw reply	[flat|nested] 10+ messages in thread
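
A user-space model of the dispatch behaviour discussed in the 06/6 commit message and in the reply above, added here as an example and not code from the thread or from the kernel. It contrasts the single first-come-first-served slot per family, the flag-gated LOG target from the patch, and the proposed per-type slots; every `model_`/`MODEL_` name and the `syslog`/`ulog` backend names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model only: every name here is hypothetical, not a kernel symbol. */
#define MODEL_NPROTO    4
#define MODEL_PF_INET   2
#define MODEL_LOG_NFLOG 0x10	/* same bit value as IPT_LOG_NFLOG in the patch */

enum model_type { MODEL_TYPE_LOG, MODEL_TYPE_ULOG, MODEL_NTYPES };

struct model_logger { const char *name; };

static const struct model_logger syslog_backend = { "syslog" };
static const struct model_logger ulog_backend = { "ulog" };

/* Current scheme: one slot per family, whoever registers first owns it. */
static const struct model_logger *single_slot[MODEL_NPROTO];
/* Proposed scheme: one slot per family and per log type. */
static const struct model_logger *typed_slot[MODEL_NPROTO][MODEL_NTYPES];

static int slot_claim(const struct model_logger **slot,
		      const struct model_logger *l)
{
	if (!l)
		return -EINVAL;
	if (*slot)
		return -EEXIST;	/* first come, first served */
	*slot = l;
	return 0;
}

int single_register(int pf, const struct model_logger *l)
{
	if ((unsigned)pf >= MODEL_NPROTO)
		return -EINVAL;
	return slot_claim(&single_slot[pf], l);
}

int typed_register(int pf, enum model_type t, const struct model_logger *l)
{
	if ((unsigned)pf >= MODEL_NPROTO || (unsigned)t >= MODEL_NTYPES)
		return -EINVAL;
	return slot_claim(&typed_slot[pf][t], l);
}

/* Name of the backend that receives the packet, or NULL if nobody does. */
const char *single_dispatch(int pf)
{
	if ((unsigned)pf >= MODEL_NPROTO || !single_slot[pf])
		return NULL;
	return single_slot[pf]->name;
}

const char *typed_dispatch(int pf, enum model_type t)
{
	if ((unsigned)pf >= MODEL_NPROTO || (unsigned)t >= MODEL_NTYPES ||
	    !typed_slot[pf][t])
		return NULL;
	return typed_slot[pf][t]->name;
}

/* LOG target as patched: its own function unless the rule sets the flag. */
const char *patched_log_target(int pf, unsigned logflags)
{
	if (logflags & MODEL_LOG_NFLOG)
		return single_dispatch(pf);
	return syslog_backend.name;
}

int main(void)
{
	single_register(MODEL_PF_INET, &ulog_backend);	/* ULOG loaded first */
	printf("single slot, LOG rule -> %s\n", single_dispatch(MODEL_PF_INET));
	printf("patched, no flag      -> %s\n", patched_log_target(MODEL_PF_INET, 0));
	typed_register(MODEL_PF_INET, MODEL_TYPE_ULOG, &ulog_backend);
	typed_register(MODEL_PF_INET, MODEL_TYPE_LOG, &syslog_backend);
	printf("typed slots, LOG      -> %s\n",
	       typed_dispatch(MODEL_PF_INET, MODEL_TYPE_LOG));
	return 0;
}
```
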

* Re: [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility
  2006-02-25 14:13   ` Gregor Maier
@ 2006-02-25 18:48     ` Patrick McHardy
  0 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2006-02-25 18:48 UTC (permalink / raw)
  To: Gregor Maier; +Cc: netfilter-devel, davem

Gregor Maier wrote:
> Patrick McHardy wrote:
> 
>>>Restore compatibility by using the old log functions by default and only use
>>>the nf_log backend if the user explicitly said so.
>>>
> 
> 
> ipt_LOG still registers itself as nf_log logger in init(). Good, so
> since conntrack can now log.
> 
> Problem: no other loggers can register for PF_INET right away. They
> must unregister the ipt_LOG logger first. Then they can register
> themselves. I don't like the idea of modules and esp. userspace apps
> unregistering handlers from other modules. First Come First Serve.

Exactly, this is how it works now, if we forget about the UNBIND
operation of nf_log (which I'm not a fan of either). Ideally the
log backends should be stackable.

> When ipt_LOG doesn't register a nf_log logger, then the problem would
> not arise, although the conntrack code could not log anything until some
> other logger has been registered (since conntrack uses nf_log_packet).
> 
> 
> 
> Maybe nf_log should have two handlers for each PF:
> - One handler for loginfo.type == NF_LOG_TYPE_LOG. Which can be provided
> by ipt_LOG.
> - One handler for loginfo.type == NF_LOG_TYPE_ULOG, for which
> nfnetlink_log strongly qualifies.
> 
> 
> So, as long as ipt_LOG is loaded, conntrack et al. can log to syslog as is.
> 
> If netlink_log is used additionally, (as handler for TYPE_ULOG),
> conntrack et al. won't notice it.
> 
> If _everything_ should be logged to userspace, then netlink_log could
> also unregister the TYPE_LOG handler and register itself as handler for it.

I think stackable log backends are the cleanest solution for this.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [00/06]: Netfilter fixes for 2.6.16
  2006-02-25 13:17 [00/06]: Netfilter fixes for 2.6.16 Patrick McHardy
                   ` (5 preceding siblings ...)
  2006-02-25 13:18 ` [NETFILTER 06/6]: Restore {ipt,ip6t,ebt}_LOG compatibility Patrick McHardy
@ 2006-02-27 21:04 ` David S. Miller
  6 siblings, 0 replies; 10+ messages in thread
From: David S. Miller @ 2006-02-27 21:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Sat, 25 Feb 2006 14:17:30 +0100 (MET)

> following are a couple of fixes for 2.6.16, mostly concerning nf_queue.
> Please apply.

All applied, thanks a lot Patrick.

^ permalink raw reply	[flat|nested] 10+ messages in thread
