From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: lvxiafei <xiafei_xupt@163.com>,
coreteam@netfilter.org, davem@davemloft.net, edumazet@google.com,
horms@kernel.org, kadlec@netfilter.org, kuba@kernel.org,
linux-kernel@vger.kernel.org, lvxiafei@sensetime.com,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
pabeni@redhat.com
Subject: Re: [PATCH V2] netfilter: nf_conntrack: table full detailed log
Date: Fri, 25 Jul 2025 01:55:33 +0200 [thread overview]
Message-ID: <aILH9Z_C3V7BH6of@strlen.de> (raw)
In-Reply-To: <aILC8COcZTQsj6sG@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> I was thinking, does the packet logging exposes already the
> net->ns.inum? IIUC the goal is to find what netns is dropping what
> packet and the reason for the packet drop, not only in this case but
> in every case, to ease finding the needle in the stack. If so, then it
> probably makes sense to consolidate this around nf_log()
> infrastructure.
No, it doesn't. It also depends on the backend:
for syslog, nothing will be logged unless nf_log_all_netns sysctl is
enabled.
For nflog, it is logged, to the relevant namespaces ulogd, or not in
case that netns doesn't have ulogd running.
For syslog one could extend nf_log_dump_packet_common() but I'm not sure
how forgiving existing log parsers are when this gets additional
field.
Also, would (in case we use this for the "table full" condition), should
this log unconditionally or does it need a new sysctl?
Does it need auto-ratelimit (probably yes, its called during packet
flood so we dont want to flood syslog/ulog)?
> Anyway, maybe I'm overdoing, I'll be fine with this approach if you
> consider it good enough to improve the situation.
I think its better than current state of affairs since it at least
allows to figure out which netns is experiencing this.
next prev parent reply other threads:[~2025-07-24 23:55 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-08 8:13 [PATCH] netfilter: nf_conntrack: table full detailed log lvxiafei
2025-05-21 10:28 ` Pablo Neira Ayuso
2025-05-22 9:13 ` lvxiafei
2025-05-22 9:19 ` [PATCH V2] " lvxiafei
2025-07-23 1:02 ` Pablo Neira Ayuso
2025-07-24 15:26 ` Florian Westphal
2025-07-24 23:34 ` Pablo Neira Ayuso
2025-07-24 23:55 ` Florian Westphal [this message]
2025-07-25 9:55 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aILH9Z_C3V7BH6of@strlen.de \
--to=fw@strlen.de \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvxiafei@sensetime.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=xiafei_xupt@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).