[PATCH 0/2] adds ebt_nflog watcher

[PATCH 0/2] adds ebt_nflog watcher

[Peter Warasin]

Hi guys

The following patches add ebt_nflog to the kernel tree and
the ebtables userland tool in order to make it possible to
use ebtables with ulogd2 through nfnetlink_log.

ebtables patches are against svn, kernel patches are against
2.6.22.16. I will rebase if necessary.

For now the ulog2 log lines look like this:

Feb  5 18:52:36 efw-1201175446 ulogd[13898]: EBTABLES IN=br0 \
OUT= MAC=00:e0:4c:77:11:bb:ff:ff:08:00:0c:00 

Not much information, I know. It's necessary to 
teach ulogd_raw2packet_BASE.c to understand the PF_BRIDGE
protocol. I will start with that work now, just wanted to 
post these patches to request comments, in order to make sure
I'm going the right direction.

BTW: As far as I can say, the ebt_ulog watcher is completely
broken. I think it's outdated and could be removed, since it
does log only bogus with recent ulogdX, due to wrong (not
updated) structs.
I tried to fix it also, but i think the effort is not worth.

kind regards,
peter

--

[PATCH 1/2] Adds ebt_nflog watcher to kernel.

[Peter Warasin]

[-- Attachment #1: bridge_netfilter_ebt_nflog.patch --]
[-- Type: text/plain, Size: 4722 bytes --]

This patch adds the ebtables nflog watcher to the
kernel in order to allow ebtables log through the
nfnetlink_log backend.

Signed-off-by: Peter Warasin <peter@endian.com>
---
 include/linux/netfilter_bridge/ebt_nflog.h |   21 ++++++++
 net/bridge/netfilter/Kconfig               |   14 +++++
 net/bridge/netfilter/Makefile              |    1 
 net/bridge/netfilter/ebt_nflog.c           |   73 +++++++++++++++++++++++++++++
 4 files changed, 109 insertions(+)

Index: linux-2.6.22.i586/include/linux/netfilter_bridge/ebt_nflog.h
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.22.i586/include/linux/netfilter_bridge/ebt_nflog.h	2008-02-04 20:53:51.000000000 +0100
@@ -0,0 +1,21 @@
+#ifndef __LINUX_BRIDGE_EBT_NFLOG_H
+#define __LINUX_BRIDGE_EBT_NFLOG_H
+
+#define EBT_NFLOG_MASK 0x0
+
+#define EBT_NFLOG_PREFIX_SIZE 30
+#define EBT_NFLOG_WATCHER "nflog"
+
+#define EBT_NFLOG_DEFAULT_GROUP		0x1
+#define EBT_NFLOG_DEFAULT_THRESHOLD	1
+
+struct ebt_nflog_info {
+	u_int32_t len;
+	u_int16_t group;
+	u_int16_t threshold;
+	u_int16_t flags;
+	u_int16_t pad;
+	char prefix[EBT_NFLOG_PREFIX_SIZE];
+};
+
+#endif				/* __LINUX_BRIDGE_EBT_NFLOG_H */
Index: linux-2.6.22.i586/net/bridge/netfilter/ebt_nflog.c
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.22.i586/net/bridge/netfilter/ebt_nflog.c	2008-02-05 17:17:37.000000000 +0100
@@ -0,0 +1,73 @@
+/*
+ * ebt_nflog
+ *
+ *	Author:
+ *	Peter Warasin <peter@endian.com>
+ *
+ *  February, 2008
+ *
+ * Based on:
+ *  xt_NFLOG.c, (C) 2006 by Patrick McHardy <kaber@trash.net>
+ *  ebt_ulog.c, (C) 2004 by Bart De Schuymer <bdschuym@pandora.be>
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_nflog.h>
+
+static void ebt_nflog(const struct sk_buff *skb,
+		      unsigned int hooknr,
+		      const struct net_device *in,
+		      const struct net_device *out,
+		      const void *data, unsigned int datalen)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)data;
+	struct nf_loginfo li;
+
+	li.type = NF_LOG_TYPE_ULOG;
+	li.u.ulog.copy_len = info->len;
+	li.u.ulog.group = info->group;
+	li.u.ulog.qthreshold = info->threshold;
+
+	nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li, "%s", info->prefix);
+}
+
+static int ebt_nflog_check(const char *tablename,
+			   unsigned int hookmask,
+			   const struct ebt_entry *e,
+			   void *data, unsigned int datalen)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)data;
+
+	if (datalen != EBT_ALIGN(sizeof(struct ebt_nflog_info)))
+		return -EINVAL;
+	if (info->flags & ~EBT_NFLOG_MASK)
+		return -EINVAL;
+	info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
+	return 0;
+}
+
+static struct ebt_watcher nflog = {
+	.name = EBT_NFLOG_WATCHER,
+	.watcher = ebt_nflog,
+	.check = ebt_nflog_check,
+	.me = THIS_MODULE,
+};
+
+static int __init ebt_nflog_init(void)
+{
+	return ebt_register_watcher(&nflog);
+}
+
+static void __exit ebt_nflog_fini(void)
+{
+	ebt_unregister_watcher(&nflog);
+}
+
+module_init(ebt_nflog_init);
+module_exit(ebt_nflog_fini);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Peter Warasin <peter@endian.com>");
+MODULE_DESCRIPTION("ebtables NFLOG netfilter logging module");
Index: linux-2.6.22.i586/net/bridge/netfilter/Kconfig
===================================================================
--- linux-2.6.22.i586.orig/net/bridge/netfilter/Kconfig	2008-02-04 19:59:07.000000000 +0100
+++ linux-2.6.22.i586/net/bridge/netfilter/Kconfig	2008-02-04 20:04:46.000000000 +0100
@@ -212,4 +212,18 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config BRIDGE_EBT_NFLOG
+	tristate "ebt: nflog support"
+	depends on BRIDGE_NF_EBTABLES
+	help
+	  This option enables the nflog watcher, which allows to LOG
+	  messages through the netfilter logging API, which can use
+	  either the old LOG target, the old ULOG target or nfnetlink_log
+	  as backend.
+
+	  This option adds the ulog watcher, that you can use in any rule
+	  in any ebtables table.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 endmenu
Index: linux-2.6.22.i586/net/bridge/netfilter/Makefile
===================================================================
--- linux-2.6.22.i586.orig/net/bridge/netfilter/Makefile	2008-02-04 19:59:09.000000000 +0100
+++ linux-2.6.22.i586/net/bridge/netfilter/Makefile	2008-02-04 19:59:26.000000000 +0100
@@ -30,3 +30,4 @@
 # watchers
 obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o
 obj-$(CONFIG_BRIDGE_EBT_ULOG) += ebt_ulog.o
+obj-$(CONFIG_BRIDGE_EBT_NFLOG) += ebt_nflog.o

--

[PATCH 2/2] Adds nflog watcher to ebtables

[Peter Warasin]

[-- Attachment #1: ebtables-nflog.patch --]
[-- Type: text/plain, Size: 7946 bytes --]

This patch adds ebt_nflog watcher extension to the ebtables
userland tool.
It's based on xt_NFLOG, so options are basically the same.

Signed-off-by: Peter Warasin <peter@endian.com>
---
 ebtables2/ebtables.8             |   35 +++++++
 ebtables2/extensions/Makefile    |    2 
 ebtables2/extensions/ebt_nflog.c |  179 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 215 insertions(+), 1 deletion(-)

Index: ebtables2/extensions/Makefile
===================================================================
--- ebtables2/extensions/Makefile.orig	2008-02-05 17:43:28.000000000 +0100
+++ ebtables2/extensions/Makefile	2008-02-05 18:27:26.000000000 +0100
@@ -1,7 +1,7 @@
 #! /usr/bin/make
 
 EXT_FUNC+=802_3 nat arp arpreply ip standard log redirect vlan mark_m mark \
-          pkttype stp among limit ulog
+          pkttype stp among limit ulog nflog
 EXT_TABLES+=filter nat broute
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
 EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
Index: ebtables2/extensions/ebt_nflog.c
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ ebtables2/extensions/ebt_nflog.c	2008-02-05 18:27:26.000000000 +0100
@@ -0,0 +1,179 @@
+/* ebt_nflog
+ *
+ * Authors:
+ * Peter Warasin <peter@endian.com>
+ *
+ *  February, 2008
+ *
+ * Based on:
+ *  ebt_ulog.c, (C) 2004, Bart De Schuymer <bdschuym@pandora.be>
+ *  libxt_NFLOG.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter_bridge/ebt_nflog.h>
+
+enum {
+	NFLOG_GROUP = 0x1,
+	NFLOG_PREFIX = 0x2,
+	NFLOG_RANGE = 0x4,
+	NFLOG_THRESHOLD = 0x8,
+	NFLOG_NFLOG = 0x16,
+};
+
+static struct option nflog_opts[] = {
+	{"nflog-group", required_argument, NULL, NFLOG_GROUP},
+	{"nflog-prefix", required_argument, NULL, NFLOG_PREFIX},
+	{"nflog-range", required_argument, NULL, NFLOG_RANGE},
+	{"nflog-threshold", required_argument, NULL, NFLOG_THRESHOLD},
+	{"nflog", no_argument, NULL, NFLOG_NFLOG},
+	{.name = NULL}
+};
+
+static void nflog_help()
+{
+	printf("nflog options:\n"
+	       "--nflog               : use the default nflog parameters\n"
+	       "--nflog-prefix prefix : Prefix string for log message\n"
+	       "--nflog-group group   : NETLINK group used for logging\n"
+	       "--nflog-range range   : Number of byte to copy\n"
+	       "--nflog-threshold     : Message threshold of"
+	       "in-kernel queue\n");
+}
+
+static void nflog_init(struct ebt_entry_watcher *watcher)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)watcher->data;
+
+	info->prefix[0] = '\0';
+	info->group = EBT_NFLOG_DEFAULT_GROUP;
+	info->threshold = EBT_NFLOG_DEFAULT_THRESHOLD;
+}
+
+static int nflog_parse(int c, char **argv, int argc,
+		       const struct ebt_u_entry *entry, unsigned int *flags,
+		       struct ebt_entry_watcher **watcher)
+{
+	struct ebt_nflog_info *info;
+	unsigned int i;
+	char *end;
+
+	info = (struct ebt_nflog_info *)(*watcher)->data;
+	switch (c) {
+	case NFLOG_PREFIX:
+		if (ebt_check_inverse2(optarg))
+			goto inverse_invalid;
+		ebt_check_option2(flags, NFLOG_PREFIX);
+		if (strlen(optarg) > EBT_NFLOG_PREFIX_SIZE - 1)
+			ebt_print_error("Prefix too long for nflog-prefix");
+		strcpy(info->prefix, optarg);
+		break;
+
+	case NFLOG_GROUP:
+		if (ebt_check_inverse2(optarg))
+			goto inverse_invalid;
+		ebt_check_option2(flags, NFLOG_GROUP);
+		i = strtoul(optarg, &end, 10);
+		if (*end != '\0')
+			ebt_print_error2("--nflog-group must be a number!");
+		if (i < 0)
+			ebt_print_error2("--nflog-group can not be negative");
+		info->group = i;
+		break;
+
+	case NFLOG_RANGE:
+		if (ebt_check_inverse2(optarg))
+			goto inverse_invalid;
+		ebt_check_option2(flags, NFLOG_RANGE);
+		i = strtoul(optarg, &end, 10);
+		if (*end != '\0')
+			ebt_print_error2("--nflog-range must be a number!");
+		if (i < 0)
+			ebt_print_error2("--nflog-range can not be negative");
+		info->len = i;
+		break;
+
+	case NFLOG_THRESHOLD:
+		if (ebt_check_inverse2(optarg))
+			goto inverse_invalid;
+		ebt_check_option2(flags, NFLOG_THRESHOLD);
+		i = strtoul(optarg, &end, 10);
+		if (*end != '\0')
+			ebt_print_error2("--nflog-threshold must be a number!");
+		if (i < 0)
+			ebt_print_error2
+			    ("--nflog-threshold can not be negative");
+		info->threshold = i;
+		break;
+	case NFLOG_NFLOG:
+		if (ebt_check_inverse(optarg))
+			goto inverse_invalid;
+		ebt_check_option2(flags, NFLOG_NFLOG);
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+
+ inverse_invalid:
+	ebt_print_error("The use of '!' makes no sense for the nflog watcher");
+	return 1;
+}
+
+static void nflog_final_check(const struct ebt_u_entry *entry,
+			      const struct ebt_entry_watcher *watcher,
+			      const char *name, unsigned int hookmask,
+			      unsigned int time)
+{
+}
+
+static void nflog_print(const struct ebt_u_entry *entry,
+			const struct ebt_entry_watcher *watcher)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)watcher->data;
+
+	if (info->prefix[0] != '\0')
+		printf("--nflog-prefix \"%s\"", info->prefix);
+	if (info->group)
+		printf("--nflog-group %d ", info->group);
+	if (info->len)
+		printf("--nflog-range %d", info->len);
+	if (info->threshold != EBT_NFLOG_DEFAULT_THRESHOLD)
+		printf(" --nflog-threshold %d ", info->threshold);
+}
+
+static int nflog_compare(const struct ebt_entry_watcher *w1,
+			 const struct ebt_entry_watcher *w2)
+{
+	struct ebt_nflog_info *info1 = (struct ebt_nflog_info *)w1->data;
+	struct ebt_nflog_info *info2 = (struct ebt_nflog_info *)w2->data;
+
+	if (info1->group != info2->group ||
+	    info1->len != info2->len ||
+	    info1->threshold != info2->threshold ||
+	    strcmp(info1->prefix, info2->prefix))
+		return 0;
+	return 1;
+}
+
+static struct ebt_u_watcher nflog_watcher = {
+	.name = "nflog",
+	.size = sizeof(struct ebt_nflog_info),
+	.help = nflog_help,
+	.init = nflog_init,
+	.parse = nflog_parse,
+	.final_check = nflog_final_check,
+	.print = nflog_print,
+	.compare = nflog_compare,
+	.extra_ops = nflog_opts,
+};
+
+void _init(void)
+{
+	ebt_register_watcher(&nflog_watcher);
+}
Index: ebtables2/ebtables.8
===================================================================
--- ebtables2/ebtables.8.orig	2008-02-05 18:27:08.000000000 +0100
+++ ebtables2/ebtables.8	2008-02-05 18:27:26.000000000 +0100
@@ -804,6 +804,41 @@
 .br
 Will log the (r)arp information when a frame made by the (r)arp protocols
 matches the rule. The default is no (r)arp information logging.
+.SS nflog
+The nflog watcher passes the packet to the loaded logging backend
+in order to log the packet. This is usually used in combination with
+nfnetlink_log as logging backend, which will multicast the packet
+through a
+.IR netlink
+socket to the specified multicast group. One or more userspace processes
+may subscribe to the group to receive the packets.
+.TP
+.B "--nflog"
+.br
+Log with the default logging options
+.TP
+.B --nflog-group "\fInlgroup\fP"
+.br
+The netlink group (1 - 2^32-1) to which packets are (only applicable for
+nfnetlink_log). The default value is 1.
+.TP
+.B --nflog-prefix "\fIprefix\fP"
+.br
+A prefix string to include in the log message, up to 30 characters
+long, useful for distinguishing messages in the logs.
+.TP
+.B --nflog-range "\fIsize\fP"
+.br
+The number of bytes to be copied to userspace (only applicable for
+nfnetlink_log). nfnetlink_log instances may specify their own
+range, this option overrides it.
+.TP
+.B --nflog-threshold "\fIsize\fP"
+.br
+Number of packets to queue inside the kernel before sending them
+to userspace (only applicable for nfnetlink_log). Higher values
+result in less overhead per packet, but increase delay until the
+packets reach userspace. The default value is 1.
 .SS ulog
 The ulog watcher passes the packet to a userspace
 logging daemon using netlink multicast sockets. This differs

--

Re: [PATCH 1/2] Adds ebt_nflog watcher to kernel.

[Patrick McHardy]

Peter Warasin wrote:

 > This patch adds the ebtables nflog watcher to the
 > kernel in order to allow ebtables log through the
 > nfnetlink_log backend.

This seems mostly fine to me. A few minor comments:

 > +#define EBT_NFLOG_PREFIX_SIZE 30

People found the 30 character limit to small for iptables,
which is why I increased it to 64 in NFLOG. For consistency
it would be better to use the same value here in my opinion.

 > +static struct ebt_watcher nflog = {

This could be __read_mostly.

If you'll resend the patch based on net-2.6.26 I'll queue it
if Bart has no objections.

Re: [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Peter Warasin]

[-- Attachment #1: Type: text/plain, Size: 356 bytes --]

Hi

Patrick McHardy wrote:
> Peter Warasin wrote:
>  > This patch adds the ebtables nflog watcher to the
>  > kernel
> This seems mostly fine to me. A few minor comments:

> If you'll resend the patch based on net-2.6.26 I'll queue it
> if Bart has no objections.

I re-based on net-2.6.26 and changed what you mentioned.
Patch is attached

regards,
peter

[-- Attachment #2: 0001-Adds-ebt_nflog-watcher.patch --]
[-- Type: text/x-patch, Size: 4324 bytes --]

>From de032f8a95d42401603c6a69d02016700e71ffea Mon Sep 17 00:00:00 2001
From: Peter Warasin <peter@endian.com>
Date: Thu, 21 Feb 2008 22:28:49 +0100
Subject: [PATCH] Adds ebt_nflog watcher

This patch adds the ebtables nflog watcher to the
kernel in order to allow ebtables log through the
nfnetlink_log backend.

Signed-off-by: Peter Warasin <peter@endian.com>

diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/linux/netfilter_bridge/ebt_nflog.h
new file mode 100644
index 0000000..0528178
--- /dev/null
+++ b/include/linux/netfilter_bridge/ebt_nflog.h
@@ -0,0 +1,21 @@
+#ifndef __LINUX_BRIDGE_EBT_NFLOG_H
+#define __LINUX_BRIDGE_EBT_NFLOG_H
+
+#define EBT_NFLOG_MASK 0x0
+
+#define EBT_NFLOG_PREFIX_SIZE 64
+#define EBT_NFLOG_WATCHER "nflog"
+
+#define EBT_NFLOG_DEFAULT_GROUP		0x1
+#define EBT_NFLOG_DEFAULT_THRESHOLD	1
+
+struct ebt_nflog_info {
+	u_int32_t len;
+	u_int16_t group;
+	u_int16_t threshold;
+	u_int16_t flags;
+	u_int16_t pad;
+	char prefix[EBT_NFLOG_PREFIX_SIZE];
+};
+
+#endif				/* __LINUX_BRIDGE_EBT_NFLOG_H */
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 4a3e2bf..7beeefa 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -212,4 +212,18 @@ config BRIDGE_EBT_ULOG
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config BRIDGE_EBT_NFLOG
+	tristate "ebt: nflog support"
+	depends on BRIDGE_NF_EBTABLES
+	help
+	  This option enables the nflog watcher, which allows to LOG
+	  messages through the netfilter logging API, which can use
+	  either the old LOG target, the old ULOG target or nfnetlink_log
+	  as backend.
+
+	  This option adds the ulog watcher, that you can use in any rule
+	  in any ebtables table.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 endmenu
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 905087e..83715d7 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -30,3 +30,4 @@ obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o
 # watchers
 obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o
 obj-$(CONFIG_BRIDGE_EBT_ULOG) += ebt_ulog.o
+obj-$(CONFIG_BRIDGE_EBT_NFLOG) += ebt_nflog.o
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
new file mode 100644
index 0000000..8e799aa
--- /dev/null
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -0,0 +1,74 @@
+/*
+ * ebt_nflog
+ *
+ *	Author:
+ *	Peter Warasin <peter@endian.com>
+ *
+ *  February, 2008
+ *
+ * Based on:
+ *  xt_NFLOG.c, (C) 2006 by Patrick McHardy <kaber@trash.net>
+ *  ebt_ulog.c, (C) 2004 by Bart De Schuymer <bdschuym@pandora.be>
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_nflog.h>
+#include <net/netfilter/nf_log.h>
+
+static void ebt_nflog(const struct sk_buff *skb,
+		      unsigned int hooknr,
+		      const struct net_device *in,
+		      const struct net_device *out,
+		      const void *data, unsigned int datalen)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)data;
+	struct nf_loginfo li;
+
+	li.type = NF_LOG_TYPE_ULOG;
+	li.u.ulog.copy_len = info->len;
+	li.u.ulog.group = info->group;
+	li.u.ulog.qthreshold = info->threshold;
+
+	nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li, "%s", info->prefix);
+}
+
+static int ebt_nflog_check(const char *tablename,
+			   unsigned int hookmask,
+			   const struct ebt_entry *e,
+			   void *data, unsigned int datalen)
+{
+	struct ebt_nflog_info *info = (struct ebt_nflog_info *)data;
+
+	if (datalen != EBT_ALIGN(sizeof(struct ebt_nflog_info)))
+		return -EINVAL;
+	if (info->flags & ~EBT_NFLOG_MASK)
+		return -EINVAL;
+	info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
+	return 0;
+}
+
+static struct ebt_watcher nflog __read_mostly = {
+	.name = EBT_NFLOG_WATCHER,
+	.watcher = ebt_nflog,
+	.check = ebt_nflog_check,
+	.me = THIS_MODULE,
+};
+
+static int __init ebt_nflog_init(void)
+{
+	return ebt_register_watcher(&nflog);
+}
+
+static void __exit ebt_nflog_fini(void)
+{
+	ebt_unregister_watcher(&nflog);
+}
+
+module_init(ebt_nflog_init);
+module_exit(ebt_nflog_fini);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Peter Warasin <peter@endian.com>");
+MODULE_DESCRIPTION("ebtables NFLOG netfilter logging module");
-- 
1.5.2.5

Re: [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Bart De Schuymer]

Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
> Hi
> 
> Patrick McHardy wrote:
> > Peter Warasin wrote:
> >  > This patch adds the ebtables nflog watcher to the
> >  > kernel
> > This seems mostly fine to me. A few minor comments:
> 
> > If you'll resend the patch based on net-2.6.26 I'll queue it
> > if Bart has no objections.
> 
> I re-based on net-2.6.26 and changed what you mentioned.
> Patch is attached

It looks fine, I'm just wondering what the flags and the pad in struct
ebt_nflog_info are for...

cheers,
Bart



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Re: [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Patrick McHardy]

Bart De Schuymer wrote:
> Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
>> Hi
>>
>> Patrick McHardy wrote:
>>> Peter Warasin wrote:
>>>  > This patch adds the ebtables nflog watcher to the
>>>  > kernel
>>> This seems mostly fine to me. A few minor comments:
>>> If you'll resend the patch based on net-2.6.26 I'll queue it
>>> if Bart has no objections.
>> I re-based on net-2.6.26 and changed what you mentioned.
>> Patch is attached
> 
> It looks fine, I'm just wondering what the flags and the pad in struct
> ebt_nflog_info are for...

Both have their origin in NFLOG.

The flags were intended for something I still want to add, a reliable
log mode where packets are dropped when netlink transmission or
memory allocation fails. I can't really remember why I added the
padding, but in any case it doesn't hurt since the structure size
is usually padded to a multiple of 4/8 anyways.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Re: [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Pablo Neira Ayuso]

Patrick McHardy wrote:
> Bart De Schuymer wrote:
>> Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
>>> Hi
>>>
>>> Patrick McHardy wrote:
>>>> Peter Warasin wrote:
>>>>  > This patch adds the ebtables nflog watcher to the
>>>>  > kernel
>>>> This seems mostly fine to me. A few minor comments:
>>>> If you'll resend the patch based on net-2.6.26 I'll queue it
>>>> if Bart has no objections.
>>> I re-based on net-2.6.26 and changed what you mentioned.
>>> Patch is attached
>>
>> It looks fine, I'm just wondering what the flags and the pad in struct
>> ebt_nflog_info are for...
> 
> Both have their origin in NFLOG.
> 
> The flags were intended for something I still want to add, a reliable
> log mode where packets are dropped when netlink transmission or
> memory allocation fails.

Not really related with the main thread of the discussion. I thought of
something similar for the conntrack events, however, I'd like to have
some numbers on the maximum throughput reached if we apply such reliable
netlink transmission based on packet dropping under stress situations :).

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [Ebtables-devel] [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Peter Warasin]

Hi

Bart De Schuymer wrote:
> Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
>> I re-based on net-2.6.26 and changed what you mentioned.
>> Patch is attached
> It looks fine, I'm just wondering what the flags and the pad in struct
> ebt_nflog_info are for...

I have not seen the submit on net-2.6.26 and in ebtables cvs. Is the 
patch queued or is there something to do for me?

peter

Re: [Ebtables-devel] [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Patrick McHardy]

Peter Warasin wrote:
> Hi
> 
> Bart De Schuymer wrote:
>> Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
>>> I re-based on net-2.6.26 and changed what you mentioned.
>>> Patch is attached
>> It looks fine, I'm just wondering what the flags and the pad in struct
>> ebt_nflog_info are for...
> 
> I have not seen the submit on net-2.6.26 and in ebtables cvs. Is the 
> patch queued or is there something to do for me?


I'm currently holding off netfilter 2.6.26 patches because
there are some conflicts with the net-2.6.26 tree. I'll
apply it once Dave has rebased to Linus' current tree.

Re: [Ebtables-devel] [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Bart De Schuymer]

Op ma, 17-03-2008 te 17:25 +0100, schreef Peter Warasin:
> Hi
> 
> Bart De Schuymer wrote:
> > Op di, 26-02-2008 te 00:03 +0100, schreef Peter Warasin:
> >> I re-based on net-2.6.26 and changed what you mentioned.
> >> Patch is attached
> > It looks fine, I'm just wondering what the flags and the pad in struct
> > ebt_nflog_info are for...
> 
> I have not seen the submit on net-2.6.26 and in ebtables cvs. Is the 
> patch queued or is there something to do for me?

I've just committed the userspace part in cvs. Thanks for reminding me.

cheers,
Bart

Re: [PATCH resend 1/2] Adds ebt_nflog watcher to kernel.

[Patrick McHardy]

Peter Warasin wrote:
> Hi
> 
> Patrick McHardy wrote:
>> Peter Warasin wrote:
>>  > This patch adds the ebtables nflog watcher to the
>>  > kernel
>> This seems mostly fine to me. A few minor comments:
> 
>> If you'll resend the patch based on net-2.6.26 I'll queue it
>> if Bart has no objections.
> 
> I re-based on net-2.6.26 and changed what you mentioned.
> Patch is attached

Applied, thanks.