From: Patrick McHardy <kaber@trash.net>
To: "Dâniel Fraga" <fragabr@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Every other char with LOG netfilter output (bug?)
Date: Tue, 28 Oct 2008 19:13:33 +0100
Message-ID: <4907564D.5090103@trash.net>
In-Reply-To: <49075276.2686460a.0b00.ffff9f09@mx.google.com>

Dâniel Fraga wrote:
> On Tue, 28 Oct 2008 18:40:17 +0100
> Patrick McHardy <kaber@trash.net> wrote:
> 
>> Seems likely. Is that an SMP machine? It's possible that the ringbuffer
>> simply overflows before the logging daemon gets a chance to capture it,
>> but that should only cause truncated lines.
> 
> 	Yes, SMP (Athlon64 X2 and I noticed it on a Xeon 3040 too).
> 
>> What do your logging rules that might be responsible for this look like?
> 
> 	My rules are pretty simple:
> 
> # Generated by iptables-save v1.4.2 on Tue Oct 28 15:49:09 2008
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [454613:1227743602]
> :FLDR - [0:0]
> :LDR - [0:0]
> ...
> -A FLDR -j LOG --log-prefix "DROP FORWARD: " --log-level 6 
> -A FLDR -j DROP 
> -A LDR -j LOG --log-prefix "DROP INPUT: " --log-level 6 
> -A LDR -j DROP 
> COMMIT
> # Completed on Tue Oct 28 15:49:09 2008
> 
> 	The interesting thing is that this behaviour started at 2.6.25 kernel version, but
> I couldn't find anything that was changed between .24 and .25 to cause this. Very strange.

I have no idea why the log output is corrupted like this, but
some things you could try:

- use serial console, which should at least avoid any corruption
   triggered by ringbuffer overflows. If many packets are logged
   it will slow down your system considerably though.

- use ULOG or nfnetlink_log: this allows capturing a full copy
   of the packet in userspace, which might be helpful for further
   analysis.

> 	Is there a way I can trace the function that generates the log output syslog line?
> I use Function Tracer included in 2.6.27 kernel already, but I need a way to stop the tracing
> exactly at the point when this happens, otherwise the tracing buffer will be replaced...

I'm not familiar with ftrace, but you could manually instrument it
(net/ipv4/netfilter/ipt_LOG.c). I'd try nfnetlink_log first though.
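
Added example, not part of the original message or of the netfilter code: a checker that sorts syslog lines carrying the two --log-prefix strings from the quoted ruleset into well-formed, truncated (the ringbuffer-overflow case) and garbled, so the damage can be counted. The required field list is an assumption based on the usual IPv4 LOG line layout without the optional --log-* flags, and the sample lines are constructed.

```python
import ipaddress
import re

# Prefixes from the --log-prefix options in the ruleset quoted in the message.
PREFIXES = ("DROP INPUT: ", "DROP FORWARD: ")
# Assumption: every IPv4 LOG line carries these fields, in this order.
REQUIRED = ("IN", "OUT", "SRC", "DST", "LEN", "PROTO")
TOKEN = re.compile(r"^[A-Z]+(=\S*)?$")  # KEY=VALUE, or a bare flag (DF, SYN)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(line):
    """Return 'ok', 'truncated', 'garbled' or 'other' (not from these rules)."""
    for prefix in PREFIXES:
        pos = line.find(prefix)
        if pos != -1:
            break
    else:
        # Damaged prefix: field names elsewhere in the line still give it away.
        return "garbled" if "SRC=" in line or "DST=" in line else "other"
    fields = {}
    for tok in line[pos + len(prefix):].split():
        if not TOKEN.match(tok):
            return "garbled"
        key, _, value = tok.partition("=")
        fields[key] = value
    missing = tuple(k for k in REQUIRED if k not in fields)
    if missing:
        # A cut-off line loses the tail of the field list; a hole means damage.
        return "truncated" if missing == REQUIRED[-len(missing):] else "garbled"
    if not (_is_ip(fields["SRC"]) and _is_ip(fields["DST"]) and fields["LEN"].isdigit()):
        return "garbled"
    return "ok"


# Constructed sample lines (not taken from the thread).
SAMPLES = [
    "Oct 28 15:50:01 gw kernel: DROP INPUT: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 28 15:50:02 gw kernel: DROP FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=198.51.",
    "Oct 28 15:50:03 gw kernel: DROP INPUT: IN=eth0 OU= SC=192.0.2.7 DST=198.51.100.1 LEN=60 PROTO=UDP",
    "Oct 28 15:50:05 gw sshd[312]: Accepted publickey for admin",
]
```

A line cut off after PROTO= still classifies as ok, since everything this check requires is already present by then.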
