Re: [PATCH] add new nfnetlink_log subsystem

[Thomas Graf]

* Harald Welte <[EMAIL PROTECTED]> 2005-08-07 17:03
> On Sun, Aug 07, 2005 at 01:20:39PM +0200, Thomas Graf wrote:
> > Same very minor issues as nfnetlink regarding some of the
> > new netlink message construction policies. I'll "fix" them
> > during the conversion to the generic netlink attributes.
> 
> is this supposed to happen soon?  I also need to update the userspace
> side in case you make any changes, so I'd appreciate any changes going
> in ASAP.  Alternatively just tell me what needs to change and I'll
> change it even before the generalization.

Within the next days. It is compatible to the old macros so
as long as we don't delete the old ones userspace can stay
as-is for the moment.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

On Sun, Aug 07, 2005 at 01:20:39PM +0200, Thomas Graf wrote:
> * Harald Welte <[EMAIL PROTECTED]> 2005-07-30 12:30
> > This (long-awaited) patch adds the generic nfnetlink-based userspace
> > logging.  nfnetlink_log can be used for any protocol family, and
> > supports upt to 65535 logging groups (that could go to separate logging
> > daemons, e.g.).
> 
> Same very minor issues as nfnetlink regarding some of the
> new netlink message construction policies. I'll "fix" them
> during the conversion to the generic netlink attributes.

is this supposed to happen soon?  I also need to update the userspace
side in case you make any changes, so I'd appreciate any changes going
in ASAP.  Alternatively just tell me what needs to change and I'll
change it even before the generalization.

thanks

-- 
- Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/

  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."-- Paul Vixie


pgp1ev23kZFgq.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[Thomas Graf]

* Harald Welte <[EMAIL PROTECTED]> 2005-07-30 12:30
> This (long-awaited) patch adds the generic nfnetlink-based userspace
> logging.  nfnetlink_log can be used for any protocol family, and
> supports upt to 65535 logging groups (that could go to separate logging
> daemons, e.g.).

Same very minor issues as nfnetlink regarding some of the
new netlink message construction policies. I'll "fix" them
during the conversion to the generic netlink attributes.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

On Thu, Aug 04, 2005 at 06:49:46AM -0700, David S. Miller wrote:
> From: Harald Welte <[EMAIL PROTECTED]>
> Date: Thu, 4 Aug 2005 00:03:53 +0200
> 
> > However, all nfnetlink-based protocols are supposed to be both endian
> > and 32/64 as well as alignment (*) safe.   the protocol definitions
> > always use u_intXX_t types, all network byte order, and no kernel pointers
> > passed to userspace or similar crap ;)
> 
> You cannot use "u64" objects, even though that is supposed to
> be a portable type.  i386 does not align u64's on an 8-byte
> boundary, whereas every sane platform in the world (including
> x86_64) does.
> 
> This is where the compatability problems come from.

We only have one case where 64byte types are used: timestamps.  the
structure consists of two u_int64_t members - nothing before that and
nothing behind (so no padding required).  This structure
(nfqnl_msg_packet_timestamp and nfulnl_msg_packet_timestamp) is put into
one nfattr (like rtattr).

Also, this data structure is only passed from kernel->userspace, and
kernel will always be 64bit (who has more stringend alignment rules). 

Even if we chose to send it from userspace to kernel at some point in
the future, it would be something that i386 userspace would have to take
care of, not the kernel.

Unless I'm overlooking something, to the best of my knowledge I don't
think we could still run into any trouble here.

-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


pgpFkxSoOM0qe.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[Andi Kleen]

> Unless I'm overlooking something, to the best of my knowledge I don't
> think we could still run into any trouble here.

Still risky.

Here's a different idea. Define a new aligned u64 type and use that
on i386 too.

Like

/* Must be #define because __attribute__ doesn't work on typedefs */
#define __aligned_u64 unsigned long long __attribute__((aligned(8)))


Then use __aligned_u64 instead of plain __u64 in all user visible parts. 
Should DTRT in all cases.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

On Thu, Aug 04, 2005 at 06:50:42AM -0700, David S. Miller wrote:
> From: Andi Kleen <[EMAIL PROTECTED]>
> Subject: Re: [PATCH] add new nfnetlink_log subsystem
> Date: Thu, 4 Aug 2005 00:19:41 +0200
> 
> > > no, it hasn't.  I am travelling and don't have the space for a
> > > debian/i386 installation in addition to the debian/x86_64 on this box,
> > > sorry :(
> > 
> > That sounds risky. I would ask for this stuff not being merged before
> > it isn't tested.
> 
> Andi, stop this, you yourself, can test and verify this and suggest
> changes to the protocol structure layout if you want to.

I understand Andi's reasons and they're perfectly valid.  

When I started to get involved with netfilter/iptables, I didn't know
about the 32/64bit and alignment issues that exist in kernel/userspace
interfaces at all.  During the years however, I've suffered enough of
this for the rest of my life.

At this time I can assure him that greatest care was taken to not run
into any endian, 32/64, alignment or other issues - at least to the
degree of my (maybe limited) knowledge of this matter.

I have scheduled testing over the next week, although it's a bit
exhausting (and I'm too lazy) to test all the possible
arch/endian/... combinations.

> [...] more than ample time to do this, as this feature is
> scheduled to go into 2.6.14 and we haven't even gotten 2.6.13 out
> the door yet :-)

ACK.  

-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


pgpwjezAPI6l1.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[Andi Kleen]

On Thu, Aug 04, 2005 at 06:49:46AM -0700, David S. Miller wrote:
> From: Harald Welte <[EMAIL PROTECTED]>
> Date: Thu, 4 Aug 2005 00:03:53 +0200
> 
> > However, all nfnetlink-based protocols are supposed to be both endian
> > and 32/64 as well as alignment (*) safe.   the protocol definitions
> > always use u_intXX_t types, all network byte order, and no kernel pointers
> > passed to userspace or similar crap ;)
> 
> You cannot use "u64" objects, even though that is supposed to
> be a portable type.  i386 does not align u64's on an 8-byte
> boundary, whereas every sane platform in the world (including
> x86_64) does.

Well you can, just you need to make sure they are properly aligned
by hand. And a more subtle issue is that structures are padded
to a multiple of the largest alignment of any member. So when a structure 
has an u64 member it must be padded at the end to 8 bytes too.

But this is all relatively subtle, so some review and some testing
before fixing the interface would be good.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[David S. Miller]

From: Andi Kleen <[EMAIL PROTECTED]>
Subject: Re: [PATCH] add new nfnetlink_log subsystem
Date: Thu, 4 Aug 2005 00:19:41 +0200

> > no, it hasn't.  I am travelling and don't have the space for a
> > debian/i386 installation in addition to the debian/x86_64 on this box,
> > sorry :(
> 
> That sounds risky. I would ask for this stuff not being merged before
> it isn't tested.

Andi, stop this, you yourself, can test and verify this and suggest
changes to the protocol structure layout if you want to.

You will have more than ample time to do this, as this feature is
scheduled to go into 2.6.14 and we haven't even gotten 2.6.13 out
the door yet :-)
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[David S. Miller]

From: Harald Welte <[EMAIL PROTECTED]>
Date: Thu, 4 Aug 2005 00:03:53 +0200

> However, all nfnetlink-based protocols are supposed to be both endian
> and 32/64 as well as alignment (*) safe.   the protocol definitions
> always use u_intXX_t types, all network byte order, and no kernel pointers
> passed to userspace or similar crap ;)

You cannot use "u64" objects, even though that is supposed to
be a portable type.  i386 does not align u64's on an 8-byte
boundary, whereas every sane platform in the world (including
x86_64) does.

This is where the compatability problems come from.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Andi Kleen]

> no, it hasn't.  I am travelling and don't have the space for a
> debian/i386 installation in addition to the debian/x86_64 on this box,
> sorry :(

That sounds risky. I would ask for this stuff not being merged before
it isn't tested.

> However, all nfnetlink-based protocols are supposed to be both endian
> and 32/64 as well as alignment (*) safe.   the protocol definitions

Well, there is theory and there is practice.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

On Wed, Aug 03, 2005 at 10:02:28PM +0200, Andi Kleen wrote:
> Harald Welte <[EMAIL PROTECTED]> writes:
> 
> > Hi Dave!
> > 
> > This (long-awaited) patch adds the generic nfnetlink-based userspace
> > logging.  nfnetlink_log can be used for any protocol family, and
> > supports upt to 65535 logging groups (that could go to separate logging
> > daemons, e.g.).
> 
> Hi - I hope it has been tested with 32bit userland on x86-64 already, right?

no, it hasn't.  I am travelling and don't have the space for a
debian/i386 installation in addition to the debian/x86_64 on this box,
sorry :(

However, all nfnetlink-based protocols are supposed to be both endian
and 32/64 as well as alignment (*) safe.   the protocol definitions
always use u_intXX_t types, all network byte order, and no kernel pointers
passed to userspace or similar crap ;)

So the only part in host byte order are the nlmsghdr and the nfattr
(similar rtattr).   We wanted to make it netwokr byte order, too - but
then we would be different then all other netlink users :(  so for now,
we go for host byte order of Tag and Length, but network byte order
value.  This way a simple, generic program can parse the structure and
convert everything to network byte order without having to know the
content of the attributes.

> Just to avoid another similar problem with non compat compatible structures
> like old style iptables or PF_KEY.

We've learned our lesson, thanks :)

(*) I've been told there are 64bit alignment issues with netlink on
x86_64 in general.  Thomas Graf is somehow working on this, IIRC.  I
didn't investigate this.  We do pass 64bit values in attributes between
kernel and userspace.

-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


pgpSgU81VJ4uZ.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[Andi Kleen]

Harald Welte <[EMAIL PROTECTED]> writes:

> Hi Dave!
> 
> This (long-awaited) patch adds the generic nfnetlink-based userspace
> logging.  nfnetlink_log can be used for any protocol family, and
> supports upt to 65535 logging groups (that could go to separate logging
> daemons, e.g.).

Hi - I hope it has been tested with 32bit userland on x86-64 already, right?

Just to avoid another similar problem with non compat compatible structures
like old style iptables or PF_KEY.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

Hi Acme!

On Mon, Aug 01, 2005 at 09:54:47PM -0300, Arnaldo Carvalho de Melo wrote:

> > Are you aware of this one? :-) Perhaps Dave commited some mistake
> > while merging, this is on 2.6.14.git latest.
> 
> Ah, this is with 'make allyesconfig'.

Dave's tree is missing the attached patch.

-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)
[NETFILTER] Extend netfilter logging API

This patch is in preparation to nfnetlink_log:
- loggers now have to register struct nf_logger instead of nf_logfn
- nf_log_unregister() replaced by nf_log_unregister_pf() and
  nf_log_unregister_logger()
- add comment to ip[6]t_LOG.h to assure nobody redefines flags
- add /proc/net/netfilter/nf_log to tell user which logger is currently
  registered for which address family
- if user has configured logging, but no logging backend (logger) is
  available, always spit a message to syslog, not just the first time.
- split ip[6]t_LOG.c into two parts:
  Backend: Always try to register as logger for the respective address family
  Frontend: Always log via nf_log_packet() API
- modify all users of nf_log_packet() to accomodate additional argument

Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

---
commit 3770e25a01055bfa8bee52ed1db1f3a5141f
tree bb6232f07be1a0ec617f99d0e479964ac2d66119
parent 70715270f9cedc76099ed628b5444a11127912ca
author laforge <[EMAIL PROTECTED]> Do, 28 Jul 2005 21:27:14 +0200
committer laforge <[EMAIL PROTECTED]> Do, 28 Jul 2005 21:27:14 +0200

 include/linux/netfilter.h|   48 +-
 include/linux/netfilter_ipv4/ipt_LOG.h   |1 
 include/linux/netfilter_ipv6/ip6t_LOG.h  |1 
 net/core/netfilter.c |  127 +++---
 net/ipv4/netfilter/ip_conntrack_proto_icmp.c |8 +-
 net/ipv4/netfilter/ip_conntrack_proto_tcp.c  |   21 ++--
 net/ipv4/netfilter/ip_conntrack_proto_udp.c  |6 +
 net/ipv4/netfilter/ipt_LOG.c |   84 +
 net/ipv4/netfilter/ipt_ULOG.c|   33 +--
 net/ipv6/netfilter/ip6t_LOG.c|   91 ++-
 10 files changed, 295 insertions(+), 125 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -114,15 +114,51 @@ void nf_unregister_sockopt(struct nf_soc
 
 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
 
-typedef void nf_logfn(unsigned int hooknum,
+/* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will
+ * disappear once iptables is replaced with pkttables.  Please DO NOT use them
+ * for any new code! */
+#define NF_LOG_TCPSEQ  0x01/* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT  0x02/* Log TCP options */
+#define NF_LOG_IPOPT   0x04/* Log IP options */
+#define NF_LOG_UID 0x08/* Log UID owning local socket */
+#define NF_LOG_MASK0x0f
+
+#define NF_LOG_TYPE_LOG0x01
+#define NF_LOG_TYPE_ULOG   0x02
+
+struct nf_loginfo {
+   u_int8_t type;
+   union {
+   struct {
+   u_int32_t copy_len;
+   u_int16_t group;
+   u_int16_t qthreshold;
+   } ulog;
+   struct {
+   u_int8_t level;
+   u_int8_t logflags;
+   } log;
+   } u;
+};
+
+typedef void nf_logfn(unsigned int pf,
+ unsigned int hooknum,
  const struct sk_buff *skb,
  const struct net_device *in,
  const struct net_device *out,
+ const struct nf_loginfo *li,
  const char *prefix);
 
+struct nf_logger {
+   struct module   *me;
+   nf_logfn*logfn;
+   char*name;
+};
+
 /* Function to register/unregister log function. */
-int nf_log_register(int pf, nf_logfn *logfn);
-void nf_log_unregister(int pf, nf_logfn *logfn);
+int nf_log_register(int pf, struct nf_logger *logger);
+void nf_log_unregister_pf(int pf);
+void nf_log_unregister_logger(struct nf_logger *logger);
 
 /* Calls the registered backend logging function */
 void nf_log_packet(int pf,
@@ -130,6 +166,7 @@ void nf_log_packet(int pf,
   const struct sk_buff *skb,
   const struct net_device *in,
   const struct net_device *out,
+  struct nf_loginfo *li,
   const char *fmt, ...);

 /* Activate hook; either okfn or kfree_skb called, unless a hook
@@ -221,6 +258,11 @@ struct nf_queue_rerouter {
 extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
 exte

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

On Mon, Aug 01, 2005 at 09:54:47PM -0300, Arnaldo Carvalho de Melo wrote:
> On 8/1/05, Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> wrote:
> >   CC  net/netfilter/nfnetlink_queue.o
> > net/netfilter/nfnetlink_queue.c: In function `init_or_cleanup':
> > net/netfilter/nfnetlink_queue.c:1030: error: `proc_net_netfilter'
> > undeclared (first use in this function)
> > net/netfilter/nfnetlink_queue.c:1030: error: (Each undeclared
> > identifier is reported only once
> > net/netfilter/nfnetlink_queue.c:1030: error: for each function it appears 
> > in.)
> > make[2]: ** [net/netfilter/nfnetlink_queue.o] Erro 1
> > make[1]: ** [net/netfilter] Erro 2
> > make: ** [net/] Erro 2
> > [EMAIL PROTECTED] net-2.6.14]$
> > 
> > Are you aware of this one? :-) Perhaps Dave commited some mistake
> > while merging, this is on 2.6.14.git latest.

Yes, it's a problem in davem's tree.  my tree (and the patches I sent)
contain that directory.  I'll try to send a cleanup.

-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


pgpYKFooIFxK0.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[Arnaldo Carvalho de Melo]

On 8/1/05, Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> wrote:
>   CC  net/netfilter/nfnetlink_queue.o
> net/netfilter/nfnetlink_queue.c: In function `init_or_cleanup':
> net/netfilter/nfnetlink_queue.c:1030: error: `proc_net_netfilter'
> undeclared (first use in this function)
> net/netfilter/nfnetlink_queue.c:1030: error: (Each undeclared
> identifier is reported only once
> net/netfilter/nfnetlink_queue.c:1030: error: for each function it appears in.)
> make[2]: ** [net/netfilter/nfnetlink_queue.o] Erro 1
> make[1]: ** [net/netfilter] Erro 2
> make: ** [net/] Erro 2
> [EMAIL PROTECTED] net-2.6.14]$
> 
> Are you aware of this one? :-) Perhaps Dave commited some mistake while 
> merging,
> this is on 2.6.14.git latest.

Ah, this is with 'make allyesconfig'.

- Arnaldo
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Arnaldo Carvalho de Melo]

  CC  net/netfilter/nfnetlink_queue.o
net/netfilter/nfnetlink_queue.c: In function `init_or_cleanup':
net/netfilter/nfnetlink_queue.c:1030: error: `proc_net_netfilter'
undeclared (first use in this function)
net/netfilter/nfnetlink_queue.c:1030: error: (Each undeclared
identifier is reported only once
net/netfilter/nfnetlink_queue.c:1030: error: for each function it appears in.)
make[2]: ** [net/netfilter/nfnetlink_queue.o] Erro 1
make[1]: ** [net/netfilter] Erro 2
make: ** [net/] Erro 2
[EMAIL PROTECTED] net-2.6.14]$

Are you aware of this one? :-) Perhaps Dave commited some mistake while merging,
this is on 2.6.14.git latest.

- Arnaldo
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[David S. Miller]

From: Harald Welte <[EMAIL PROTECTED]>
Date: Sat, 30 Jul 2005 19:33:15 +0200

> [NETFILTER] add proc_net_remove() to nfnetlink_queue and nfnetlink_log
> 
> Also fixes a typo inside a comment.
> Thanks to Sven Schuster <[EMAIL PROTECTED]>
> 
> Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

Applied, thanks.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Harald Welte]

Thanks for your comments, Sven.

Dave: Please apply the attached patch on top of all other patches I sent
you. It also fixes the same bug in nfnetlink_queue. Thanks!

-- 
- Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/

  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."-- Paul Vixie
[NETFILTER] add proc_net_remove() to nfnetlink_queue and nfnetlink_log

Also fixes a typo inside a comment.
Thanks to Sven Schuster <[EMAIL PROTECTED]>

Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

---
commit a04a82e4fe4be531383909217bcb2d4ad096ecda
tree 1424e9d687c2b5217d82bcf04abb97a2f8aced69
parent bd4123d85f932f9bd60da9d2ed3523dc7b792075
author laforge <[EMAIL PROTECTED]> Sa, 30 Jul 2005 19:30:32 +0200
committer laforge <[EMAIL PROTECTED]> Sa, 30 Jul 2005 19:30:32 +0200

 net/netfilter/nfnetlink_log.c   |3 ++-
 net/netfilter/nfnetlink_queue.c |1 +
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -314,7 +314,7 @@ static struct sk_buff *nfulnl_alloc_skb(
 
UDEBUG("entered (%u, %u)\n", inst_size, pkt_size);
 
-   /* alloc skb whihc should be big enough for a whole multipart
+   /* alloc skb which should be big enough for a whole multipart
 * message.  WARNING: has to be <= 128k due to slab restrictions */
 
skb = alloc_skb(inst_size, GFP_ATOMIC);
@@ -965,6 +965,7 @@ init_or_cleanup(int init)
 cleanup:
nf_log_unregister_logger(&nfulnl_logger);
 #ifdef CONFIG_PROC_FS
+   remove_proc_entry("nfnetlink_log", proc_net_netfilter);
 cleanup_subsys:
 #endif
nfnetlink_subsys_unregister(&nfulnl_subsys);
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1041,6 +1041,7 @@ cleanup:
nf_unregister_queue_handlers(nfqnl_enqueue_packet);
unregister_netdevice_notifier(&nfqnl_dev_notifier);
 #ifdef CONFIG_PROC_FS
+   remove_proc_entry("nfnetlink_queue", proc_net_netfilter);
 cleanup_subsys:
 #endif 
nfnetlink_subsys_unregister(&nfqnl_subsys);


pgp82Pd51eRIV.pgp
Description: PGP signature

Re: [PATCH] add new nfnetlink_log subsystem

[David S. Miller]

From: Harald Welte <[EMAIL PROTECTED]>
Date: Sat, 30 Jul 2005 12:30:05 +0200

> This (long-awaited) patch adds the generic nfnetlink-based userspace
> logging.  nfnetlink_log can be used for any protocol family, and
> supports upt to 65535 logging groups (that could go to separate logging
> daemons, e.g.).
> 
> The patch is incremental to my nf_log update in
> <[EMAIL PROTECTED]>.

Applied, thanks Harald.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] add new nfnetlink_log subsystem

[Sven Schuster]

Hi Harald,

On Sat, Jul 30, 2005 at 12:30:05PM +0200, Harald Welte told us:
> diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
> new file mode 100644
> --- /dev/null
> +++ b/net/netfilter/nfnetlink_log.c
> @@ -0,0 +1,992 @@
...
> +static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, 
> + unsigned int pkt_size)
> +{
> + struct sk_buff *skb;
> +
> + UDEBUG("entered (%u, %u)\n", inst_size, pkt_size);
> +
> + /* alloc skb whihc should be big enough for a whole multipart

typo, which

> +  * message.  WARNING: has to be <= 128k due to slab restrictions */
> +

...

> +
> +static int
> +init_or_cleanup(int init)
> +{

...

> +#ifdef CONFIG_PROC_FS
> + proc_nful = create_proc_entry("nfnetlink_log", 0440,
> +   proc_net_netfilter);
> + if (!proc_nful)
> + goto cleanup_subsys;
> + proc_nful->proc_fops = &nful_file_ops;
> +#endif
> +
> + return status;
> +
> +cleanup:
> + nf_log_unregister_logger(&nfulnl_logger);
> +#ifdef CONFIG_PROC_FS
> +cleanup_subsys:

no remove_proc_entry??

> +#endif
> + nfnetlink_subsys_unregister(&nfulnl_subsys);
> +cleanup_netlink_notifier:
> + netlink_unregister_notifier(&nfulnl_rtnl_notifier);
> + return status;
> +}
> +

Kind regards,

Sven

-- 
Linux zion 2.6.13-rc3-mm1 #17 PREEMPT Thu Jul 28 02:56:37 CEST 2005 i686 athlon 
i386 GNU/Linux
 18:34:22 up 19:35,  2 users,  load average: 0.28, 0.11, 0.03


pgp9CYkcccjzu.pgp
Description: PGP signature

[PATCH] add new nfnetlink_log subsystem

[Harald Welte]

Hi Dave!

This (long-awaited) patch adds the generic nfnetlink-based userspace
logging.  nfnetlink_log can be used for any protocol family, and
supports upt to 65535 logging groups (that could go to separate logging
daemons, e.g.).

The patch is incremental to my nf_log update in
<[EMAIL PROTECTED]>.

Please apply to net-2.6.14,
thanks.
-- 
- Harald Welte <[EMAIL PROTECTED]>  http://gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)
[NETFILTER] Add new "nfnetlink_log" userspace packet logging facility

This is a generic (layer3 independent) version of what ipt_ULOG is already
doing for IPv4 today.  ipt_ULOG, ebt_ulog and finally also ip[6]t_LOG will
be deprecated by this mechanism in the long term.

Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

---
commit 66ad9b079da5c6a181506fba350aa33d26417431
tree 4b4bda3788bf34d1946ff0239100a4f235cfa120
parent 3770e25a01055bfa8bee52ed1db1f3a5141f
author laforge <[EMAIL PROTECTED]> Sa, 30 Jul 2005 12:11:19 +0200
committer laforge <[EMAIL PROTECTED]> Sa, 30 Jul 2005 12:11:19 +0200

 include/linux/netfilter/nfnetlink_log.h |   85 +++
 net/netfilter/Kconfig   |   11 
 net/netfilter/Makefile  |1 
 net/netfilter/nfnetlink_log.c   |  992 +++
 4 files changed, 1089 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/nfnetlink_log.h 
b/include/linux/netfilter/nfnetlink_log.h
new file mode 100644
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_log.h
@@ -0,0 +1,85 @@
+#ifndef _NFNETLINK_LOG_H
+#define _NFNETLINK_LOG_H
+
+/* This file describes the netlink messages (i.e. 'protocol packets'),
+ * and not any kind of function definitions.  It is shared between kernel and
+ * userspace.  Don't put kernel specific stuff in here */
+
+#include 
+
+enum nfulnl_msg_types {
+   NFULNL_MSG_PACKET,  /* packet from kernel to userspace */
+   NFULNL_MSG_CONFIG,  /* connect to a particular queue */
+
+   NFULNL_MSG_MAX
+};
+
+struct nfulnl_msg_packet_hdr {
+   u_int16_t   hw_protocol;/* hw protocol (network order) */
+   u_int8_thook;   /* netfilter hook */
+   u_int8_t_pad;
+} __attribute__ ((packed));
+
+struct nfulnl_msg_packet_hw {
+   u_int16_t   hw_addrlen;
+   u_int16_t   _pad;
+   u_int8_thw_addr[8];
+} __attribute__ ((packed));
+
+struct nfulnl_msg_packet_timestamp {
+   u_int64_t   sec;
+   u_int64_t   usec;
+} __attribute__ ((packed));
+
+#define NFULNL_PREFIXLEN   30  /* just like old log target */
+
+enum nfulnl_attr_type {
+   NFULA_UNSPEC,
+   NFULA_PACKET_HDR,
+   NFULA_MARK, /* u_int32_t nfmark */
+   NFULA_TIMESTAMP,/* nfulnl_msg_packet_timestamp */
+   NFULA_IFINDEX_INDEV,/* u_int32_t ifindex */
+   NFULA_IFINDEX_OUTDEV,   /* u_int32_t ifindex */
+   NFULA_HWADDR,   /* nfulnl_msg_packet_hw */
+   NFULA_PAYLOAD,  /* opaque data payload */
+   NFULA_PREFIX,   /* string prefix */
+   NFULA_UID,  /* user id of socket */
+
+   __NFULA_MAX
+};
+#define NFULA_MAX (__NFULA_MAX - 1)
+
+enum nfulnl_msg_config_cmds {
+   NFULNL_CFG_CMD_NONE,
+   NFULNL_CFG_CMD_BIND,
+   NFULNL_CFG_CMD_UNBIND,
+   NFULNL_CFG_CMD_PF_BIND,
+   NFULNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfulnl_msg_config_cmd {
+   u_int8_tcommand;/* nfulnl_msg_config_cmds */
+} __attribute__ ((packed));
+
+struct nfulnl_msg_config_mode {
+   u_int32_t   copy_range;
+   u_int8_tcopy_mode;
+   u_int8_t_pad;
+} __attribute__ ((packed));
+
+enum nfulnl_attr_config {
+   NFULA_CFG_UNSPEC,
+   NFULA_CFG_CMD,  /* nfulnl_msg_config_cmd */
+   NFULA_CFG_MODE, /* nfulnl_msg_config_mode */
+   NFULA_CFG_NLBUFSIZ, /* u_int32_t buffer size */
+   NFULA_CFG_TIMEOUT,  /* u_int32_t in 1/100 s */
+   NFULA_CFG_QTHRESH,  /* u_int32_t */
+   __NFULA_CFG_MAX
+};
+#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
+
+#define NFULNL_COPY_NONE   0x00
+#define NFULNL_COPY_META   0x01
+#define NFULNL_COPY_PACKET 0x02
+
+#endif /* _NFNETLINK_LOG_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -11,3 +11,14 @@ config NETFILTER_NETLINK_QUEUE
  If this option isenabled, the kernel will include support
  for queueing packets via NFNETLINK.
  
+config NETFILTER_NETLINK_LOG
+   tristate "Netfilter LOG over NFNETLINK interface"
+   depends on NETFILTER_NETLINK
+   help
+