iptables target for libnetfilter_log

Gregor Maier gregor at net.in.tum.de
Sat Feb 25 14:18:26 CET 2006

Hash: SHA1

Patrick McHardy wrote:

> The LOG target uses is as a backend if it is loaded, but this is IMO
> actually a mistake, the LOG target should keep working the same way
> as it always did. Which reminds me that I wanted to restore the old
> way before 2.6.16 is out ..

The LOG target uses the nf_log mechanism and tries to register a logger
to nf_log. Problem is, that userspace apps can unregister this LOG
logger and register the netlink logger.

>>If not I'd write one.
> Mhh maybe we could add a flag to the LOG target to use whatever nf_log
> backend is registered. I'd prefer that to a full new target.
The problem is, that packets that should be logged to syslog take
log-level, log-prefix, log-tcp-sequence, log-tcp-iptions, ... as
parameters, whereas a target for logging to userspace must provide a
group/queuenum and a prefix.

If there's a only one target, the userland iptables must check if the
packet should be queued to userspace or logged to syslog.
If its syslog, then accept log-prefox, log-level, log-tcp-sequence et.
al parameters. If it should be queued to userspace it should only accept
log-prefix and log-group. I think that's awful semantics from a
userspace point of view.

IMHO having the LOG target log directly to syslog and having e.g. NFLOG
log/queue to userspace (as ULOG) is straighter.

Furthermore a new NFLOG target could use xtables.

- --
Gregor Maier                                      Lehrstuhl Informatik 8
gregor at net.in.tum.de                              Tel: +49 89  289-18010
http://www.net.in.tum.de                                     TU Muenchen
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the netfilter-devel mailing list