From: Patrick McHardy <kaber@trash.net>
To: Eric Leblond <eric@inl.fr>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Don't call nf_log_packet in NFLOG module.
Date: Thu, 09 Oct 2008 15:51:59 +0200
Message-ID: <48EE0C7F.5050001@trash.net>
In-Reply-To: <20081008141523.GN7518@khasse.inl.fr>

Eric Leblond wrote:
> Hi,
>
> On Wednesday, 2008 October 8 at 15:02:54 +0200, Patrick McHardy wrote:
>> Eric Leblond wrote:
>>> This patch modifies xt_NFLOG to suppress the call to nf_log_packet()
>>> function. The call of this wrapper in xt_NFLOG was causing NFLOG to
>>> use the first initialized module. Thus, if ipt_ULOG is loaded before
>>> nfnetlink_log all NFLOG rules are treated as plain LOG rules.
>> Oops, this slipped through somehow. It has been an intentional
>> decision to use the registered logging backends though, just changing
>> it to unconditionally use nfnetlink_log only solves the problem
>> partially.
>
> Hmm, looks like my explanation is not correct. This patch fixes the
> following bug:
>
> modprobe ipt_LOG
> modprobe nfnetlink_log
> iptables -A OUTPUT -j NFLOG
> Then: logged packets are treated as packets reaching the LOG target.

Yes, I know. That behaviour was intentional in the original design.
But I agree, it sucks, so I'll apply your patch.

>> The main problem is that the policy which backend to use is defined
>> by module load order, which is obviously a pretty bad idea. This does
>> not only affect xt_NFLOG, but also internal conntrack logging and
>> anything else we might want to use this for in the future.
>>
>> So I think what we should do instead is introduce a proper way to
>> select among the logging backends. We could introduce a global
>> policy, or split by subsystem, which would currently be just
>> "conntrack" and "NFLOG".
>
> Yes, I am currently working on doing that. I plan to send it in another
> patch. I've sent the following patch alone to fix this weird NFLOG
> target working as LOG target problem.

Great, thanks.
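
Added example, not part of the original message and not kernel code: a toy
C model of the behaviour discussed in this thread, where a generic wrapper
picks whichever logging backend loaded first, next to a direct call and an
explicit per-subsystem binding. Every identifier in it is hypothetical; only
the module names ipt_LOG and nfnetlink_log come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code: every identifier here is hypothetical. */
enum subsys { SUBSYS_CONNTRACK, SUBSYS_NFLOG, SUBSYS_MAX };
struct registry {
    const char *loaded[4];         /* backends in module load order */
    size_t count;
    const char *bound[SUBSYS_MAX]; /* explicit choice per subsystem, or NULL */
};

/* Models "modprobe <backend>": append to the load-ordered list. */
static int load_backend(struct registry *r, const char *name) {
    if (r->count == sizeof r->loaded / sizeof r->loaded[0])
        return -1;
    r->loaded[r->count++] = name;
    return 0;
}

/* Returns the loaded backend with this name, or NULL if it is not loaded. */
static const char *find_backend(const struct registry *r, const char *name) {
    for (size_t i = 0; i < r->count; i++)
        if (strcmp(r->loaded[i], name) == 0)
            return r->loaded[i];
    return NULL;
}

/* Reported behaviour: the generic wrapper uses whichever backend loaded first. */
static const char *generic_dispatch(const struct registry *r) {
    return r->count ? r->loaded[0] : NULL;
}

/* The patch, as modelled here: the NFLOG target names its backend directly. */
static const char *nflog_direct(const struct registry *r) {
    return find_backend(r, "nfnetlink_log");
}

/* Follow-up idea: explicit per-subsystem binding; unloaded backends are refused. */
static int bind_backend(struct registry *r, enum subsys s, const char *name) {
    const char *b = find_backend(r, name);
    if (b)
        r->bound[s] = b;
    return b ? 0 : -1;
}

int main(void) {
    struct registry r = {0};
    load_backend(&r, "ipt_LOG");       /* load order from the report above */
    load_backend(&r, "nfnetlink_log");
    printf("wrapper=%s direct=%s\n", generic_dispatch(&r), nflog_direct(&r));
    return 0;
}
```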