* NFLOG --nflog-group bug?
@ 2007-03-16 23:00 Dan Purcell
From: Dan Purcell @ 2007-03-16 23:00 UTC (permalink / raw)
To: netfilter-devel
I may have found a bug with the NFLOG target. I am trying to use NFLOG
to log packets to a ulogd program using ip6tables. I am using iptables
version 1.3.7, and linux kernel version 2.6.20.
I want to use the nflog-group number 32 for the system I have set up.
This is how I am using ip6tables:
ip6tables -A FORWARD -j NFLOG --nflog-group 32
However, when I do an ip6tables -nvL FORWARD, I see this (note the
nflog-group number):
Chain FORWARD (policy ACCEPT 414 packets, 44089 bytes)
 pkts bytes target  prot opt in  out  source  destination
  112 11744 NFLOG   0        *   *    ::/0    ::/0         nflog-group 0
I was scratching my head why the nflog-group was 0, when I explicitly
told it to use group number 32. I tried other numbers, such as 31, 30,
and 17, and they all displayed an nflog-group number of 0 after I printed
my ip6tables. However, ip6tables was printing the correct value when I
set the group number to 1, 4, 6, and 16.
Looking at the source code for libip6t_NFLOG.c, I see this in the parse
function:
        int n;
        ...
        n = atoi(optarg);
        if (n < 1 || n > 32)
                exit_error(PARAMETER_PROBLEM,
                           "--nflog-group has to be between 1 and 32");
        info->group = 1 << (n - 1);
        printf("n is %d, Group is: %u\n", n, info->group);
        break;
The code tells me that any group between 1 and 32 (inclusive) is a
legitimate group number. I know that the old ULOG target had the same
rules for its group number. However, in the data structure that defines
'info' (in the kernel's include/linux/netfilter/xt_NFLOG.h
file), I see this definition for info->group:
struct xt_nflog_info {
        u_int32_t len;
        u_int16_t group;
        u_int16_t threshold;
        u_int16_t flags;
        u_int16_t pad;
        char      prefix[64];
};
'group' here is a 16-bit integer. In effect, the highest nflog-group
that I can potentially achieve is 16, not 32. Should the 'group' in
'struct xt_nflog_info' be a u_int32_t, and take out the 'u_int16_t pad'?
-Dan
--
--------------------------------------------------------------
Dan Purcell, Software Engineer dpurcell@nitrosecurity.com
NitroSecurity, Inc. (208) 552-5332
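The arithmetic behind the report above, as an added example that is not part of the thread and not code from iptables or the kernel. It mirrors the struct layout quoted in the mail and the `1 << (n - 1)` computation from the quoted parser, and shows what survives the implicit narrowing to the 16-bit `group` field: bits 0..15 (groups 1..16) are kept, bits 16..31 (groups 17..32) are dropped, which is exactly the "nflog-group 0" the listing shows. The `nflog_group_fits` check is an added defensive idea, not something the parser had: compare the value before and after narrowing before storing it. The thread does not show the SVN fix Patrick refers to; `nflog_group_direct` shows the representation later iptables releases use (the plain nfnetlink_log group id, not the ULOG-style bitmask), stated here as background rather than as the content of that commit.

```c
/* Added example: reproduces the 16-bit truncation of the ULOG-style
 * bitmask that the quoted libip6t_NFLOG.c parser stores into the
 * u_int16_t 'group' field of struct xt_nflog_info. Not iptables code. */
#include <stdint.h>
#include <stdio.h>

/* Mirror of the kernel struct quoted in the mail (fixed-width types). */
struct xt_nflog_info {
    uint32_t len;
    uint16_t group;
    uint16_t threshold;
    uint16_t flags;
    uint16_t pad;
    char     prefix[64];
};

/* What the quoted parser stores for --nflog-group n: 1 << (n - 1),
 * silently narrowed from 32 to 16 bits on assignment. */
uint16_t nflog_group_as_bitmask(int n)
{
    struct xt_nflog_info info = {0};

    if (n < 1 || n > 32)          /* the parser's accepted range */
        return 0;
    info.group = 1u << (n - 1);   /* implicit uint32 -> uint16 truncation */
    return info.group;
}

/* Defensive check the parser lacked: 1 if the bitmask survives the
 * narrowing conversion unchanged, 0 if bits would be lost. */
int nflog_group_fits(int n)
{
    uint32_t wide = 1u << (n - 1);

    return (uint32_t)(uint16_t)wide == wide;
}

/* Plain group id, as later iptables stores it (assumption for this
 * example): NFLOG groups are 0..65535 ids, not a bitmask. Returns -1
 * when the number does not fit the 16-bit field. */
int nflog_group_direct(int n)
{
    if (n < 0 || n > 65535)
        return -1;
    return (uint16_t)n;
}

/* How many of the 32 accepted group numbers silently become group 0. */
int count_groups_lost(void)
{
    int lost = 0;

    for (int n = 1; n <= 32; n++)
        if (nflog_group_as_bitmask(n) == 0)
            lost++;
    return lost;
}

int main(void)
{
    for (int n = 1; n <= 32; n++)
        printf("--nflog-group %2d -> stored group %5u%s\n", n,
               nflog_group_as_bitmask(n),
               nflog_group_fits(n) ? "" : "  (bit lost in u_int16_t)");
    printf("%d of 32 accepted group numbers end up as group 0\n",
           count_groups_lost());
    return 0;
}
```

Compile with `cc -Wall nflog_group.c`; with `-Wconversion` a modern compiler warns on the narrowing assignment, which is the cheapest way to catch this class of bug in match/target option parsers before a rule silently lands in the wrong log group.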
* Re: NFLOG --nflog-group bug?
From: Patrick McHardy @ 2007-03-17 10:54 UTC (permalink / raw)
To: Dan Purcell; +Cc: netfilter-devel
Dan Purcell wrote:
> I may have found a bug with the NFLOG target. I am trying to use NFLOG
> to log packets to a ulogd program using ip6tables. I am using iptables
> version 1.3.7, and linux kernel version 2.6.20.
Try the latest SVN version, there was a bug in 1.3.7. We'll release
1.3.8 soon.