* NFLOG --nflog-group bug?
@ 2007-03-16 23:00 Dan Purcell
  2007-03-17 10:54 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Purcell @ 2007-03-16 23:00 UTC (permalink / raw)
  To: netfilter-devel

I may have found a bug with the NFLOG target.  I am trying to use NFLOG
to log packets to a ulogd program using ip6tables.  I am using iptables
version 1.3.7, and linux kernel version 2.6.20.

I want to use the nflog-group number 32 for the system I have set up.
This is how I am using ip6tables:

      ip6tables -A FORWARD -j NFLOG --nflog-group 32

However, when I do an ip6tables -nvL FORWARD, I see this (note the
nflog-group number):

Chain FORWARD (policy ACCEPT 414 packets, 44089 bytes)
 pkts bytes target  prot opt in  out  source    destination
  112 11744 NFLOG   0        *   *    ::/0      ::/0     nflog-group 0

I was scratching my head why the nflog-group was 0, when I explicitly
told it to use group number 32.  I tried other numbers, such as 31, 30,
and 17, and they all displayed an nflog-group number of 0 after I printed
my ip6tables.  However, ip6tables was printing the correct value when I
set the group number to 1, 4, 6, and 16.

Looking at the source code for libip6t_NFLOG.c, I see this in the parse
function:

      int n;
      ...
      n = atoi(optarg);
      if (n < 1 || n > 32)
         exit_error(PARAMETER_PROBLEM,
               "--nflog-group has to be between 1 and 32");
      info->group = 1 << (n - 1);
      printf("n is %d, Group is: %u\n", n, info->group);
      break;

The code tells me that any group between 1 and 32 (inclusive) is a
legitimate group number.  I know that the old ULOG target had the same
rules for its group number.  However, in the data structure that defines
'info' (in the kernel's include/linux/netfilter/xt_NFLOG.h
file), I see this definition for info->group:

      struct xt_nflog_info {
         u_int32_t   len;
         u_int16_t   group;
         u_int16_t   threshold;
         u_int16_t   flags;
         u_int16_t   pad;
         char     prefix[64];
      };

'group' here is a 16-bit integer.  In effect, the highest nflog-group
that I can potentially achieve is 16, not 32.  Should the 'group' in
'struct xt_nflog_info' be a u_int32_t, and take out the 'u_int16_t pad'?

-Dan
--

--------------------------------------------------------------
Dan Purcell, Software Engineer     dpurcell@nitrosecurity.com
NitroSecurity, Inc.                            (208) 552-5332

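The truncation Dan describes, reproduced as an added example (this is not code from the thread, from iptables or from the kernel): the struct mirrors the one quoted in the mail, group_as_stored_137() mimics the 1.3.7 parser's bitmask assignment, and group_as_stored_fixed() is an assumed corrected variant that stores the plain group number, which the thread itself does not show.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the kernel's struct xt_nflog_info as quoted in the mail:
 * the group field is only 16 bits wide. */
struct xt_nflog_info {
    uint32_t len;
    uint16_t group;
    uint16_t threshold;
    uint16_t flags;
    uint16_t pad;
    char     prefix[64];
};

/* What the iptables 1.3.7 parser quoted above leaves in info->group:
 * the ULOG-style bitmask 1 << (n - 1) is computed as a 32-bit value and
 * silently truncated on assignment to the 16-bit field. Returns the stored
 * value, or -1 when the range check rejects n. (1u is used here to avoid
 * the signed-shift overflow that 1 << 31 would also cause at n == 32.) */
int group_as_stored_137(int n)
{
    struct xt_nflog_info info = {0};
    if (n < 1 || n > 32)
        return -1;              /* "--nflog-group has to be between 1 and 32" */
    info.group = 1u << (n - 1); /* implicit conversion drops the high 16 bits */
    return info.group;
}

/* Assumed corrected variant (not shown in the thread): NFLOG groups are
 * plain numbers, so store n directly and every value 0..65535 survives. */
int group_as_stored_fixed(int n)
{
    struct xt_nflog_info info = {0};
    if (n < 0 || n > 0xFFFF)
        return -1;
    info.group = (uint16_t)n;
    return info.group;
}

int main(void)
{
    /* constructed sample: the group numbers Dan tried */
    int samples[] = {1, 4, 6, 16, 17, 30, 31, 32};
    for (int i = 0; i < 8; i++)
        printf("--nflog-group %2d: 1.3.7 stores %5d, fixed stores %5d\n",
               samples[i], group_as_stored_137(samples[i]),
               group_as_stored_fixed(samples[i]));
    return 0;
}
```

Every group from 17 upward collapses to 0 in the 16-bit field, which is exactly the "nflog-group 0" that ip6tables -nvL showed; the upper-bound check on n does nothing to prevent it.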

* Re: NFLOG --nflog-group bug?
  2007-03-16 23:00 NFLOG --nflog-group bug? Dan Purcell
@ 2007-03-17 10:54 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2007-03-17 10:54 UTC (permalink / raw)
  To: Dan Purcell; +Cc: netfilter-devel

Dan Purcell wrote:
> I may have found a bug with the NFLOG target.  I am trying to use NFLOG
> to log packets to a ulogd program using ip6tables.  I am using iptables
> version 1.3.7, and linux kernel version 2.6.20.

Try the latest SVN version, there was a bug in 1.3.7. We'll release
1.3.8 soon.

