From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Leblond <eric@inl.fr>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [ULOGD2 PATCH 0/3] cleaning and build feature
Date: Fri, 12 Sep 2008 01:49:40 +0200
Message-ID: <48C9AE94.1000208@netfilter.org>
In-Reply-To: <1221166085-23435-1-git-send-email-eric@inl.fr>
Eric Leblond wrote:
> Hello,
>
> This small patchset contains some cleaning and implements conditional compilation
> of NFLOG and NFCT input plugins. This feature was contained in the TODO list and I
> think it could be useful on systems where one of the NFCT or NFLOG plugins cannot
> be used.
>
> Last patch updates the TODO list. The remaining items in this TODO list are:
> - add support for capabilities to run as non-root: It could be interesting but
> I don't know if we could achieve it with libnetfilter_log or libnetfilter_conntrack.
The binding and the sending require CAP_NET_ADMIN, so we can initially
bind as root and then change to a non-root user to receive messages,
this seems feasible with libnetfilter_log. However, the problem here is
the resynchronize routine that I have introduced in NFCT: we request a
dump when we hit ENOBUFS and that's a sending.
Let me think about it, maybe we can do something with a fork and a pipe.
> - support for static linking: As ulogd2 is plugin based, it may be strange but some
> embedded systems could use it.
> - issues with ulogd_BASE and partially copied packets (--ulog-cprange): Has somebody
> encountered the problem?
> - problem with ulogd_BASE and fragments: same remark
Probably outdated comment? We can ask Harald during workshop days.
> - port SQLITE3 plugin: Holger's work could be reused but the code was not really clean.
We can recover that work. We also have to add a change to db.c since
SQLITE3 has no procedures IIRC.
> - convert db layer and pgsql + mysql plugin to a 'parameter bind' scheme for efficiency:
> I don't understand the point.
Probably Harald can shed some light on it.
> - autoconf detection of SCTP / DCCP support: Well, why not ;)
>
> From my point of view, there is no other thing in the TODO list before a RC release.
>
> Am I missing something ?
I have added BSF support to libnetfilter_conntrack. This could be
interesting to filter ctnetlink event messages from kernel-space. You
can find an example in the configuration file of conntrackd, see the
Filter clause.
The problem is the current configuration file format which is quite
cryptic. Using something flex/bison-based would be more flexible, but we
have to think about the file format before.
I have other concerns, I'm willing to schedule some time for ulogd to
make a new TODO list, we can probably discuss them during the workshop.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
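The bind-as-root-then-switch-user sequence described in the reply above, as an added example that is not part of the original message and is not ulogd2 code. `drop_privileges` is a hypothetical helper, the uid/gid 65534 is a constructed value, and the privileged netlink setup is left as a comment because the plugin code is not on this page.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() under strict -std modes */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently become uid/gid. 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* "dropping" to root is a caller bug */
        errno = EINVAL;
        return -1;
    }
    /* Root still carries root's supplementary groups; clear them first. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is gone, setgid() is no longer allowed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not trust return codes alone: prove root cannot be regained. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* 1. Still root: do the netlink binding that needs CAP_NET_ADMIN here. */

    /* 2. Drop to an unprivileged account (65534 is a constructed value). */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* 3. From here on only receive on the already-bound socket. A later
     *    send that needs CAP_NET_ADMIN (the NFCT dump request on ENOBUFS
     *    mentioned in the message) is the case this layout does not cover. */
    puts("running unprivileged");
    return 0;
}
```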