Hi,

On Wednesday, 2008 October 8 at 15:02:54 +0200, Patrick McHardy wrote:
> Eric Leblond wrote:
>> This patch modifies xt_NFLOG to suppress the call to nf_log_packet()
>> function. The call of this wrapper in xt_NFLOG was causing NFLOG to
>> use the first initialized module. Thus, if ipt_ULOG is loaded before
>> nfnetlink_log all NFLOG rules are treated as plain LOG rules.
>
> Oops, this slipped through somehow. It has been an intentional
> decision to use the registered logging backends though, just changing
> it to unconditionally use nfnetlink_log only solves the problem
> partially.

Hmm, looks like my explanation is not correct. This patch fixes the
following bug:

modprobe ipt_LOG
modprobe nfnetlink_log
iptables -A OUTPUT -j NFLOG

Then: logged packets are treated as packets reaching the LOG target.

> The main problem is that the policy which backend to use is defined
> by module load order, which is obviously a pretty bad idea. This does
> not only affect xt_NFLOG, but also internal conntrack logging and
> anything else we might want to use this for in the future.
>
> So I think what we should do instead is introduce a proper way to
> select among the logging backends. We could introduce a global
> policy, or split by subsystem, which would currently be just
> "conntrack" and "NFLOG".

Yes, I am currently working on doing that. I plan to send it in another
patch. I've sent the following patch alone to fix this weird "NFLOG target
working as LOG target" problem.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
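A simplified model of the backend-selection problem discussed in this thread, added here as an illustration; it is not code from the kernel or from either poster. It replays the modprobe order from the mail (ipt_LOG, then nfnetlink_log) against three dispatch policies: the first-registered default that the unpatched xt_NFLOG inherits through the generic dispatcher, the direct call to nfnetlink_log that Eric's patch makes, and the explicit per-subsystem selection Patrick proposes. The names `modprobe()`, `select_backend()` and `log_for()` are hypothetical, and the per-protocol-family indexing of the real nf_log registry is left out.

```c
/* Model of netfilter logging-backend selection (added illustration, not
 * kernel code; the real registry is also indexed by protocol family). */
#include <stdio.h>
#include <string.h>

#define MAX_LOGGERS 4
enum subsys { SUBSYS_CONNTRACK = 0, SUBSYS_NFLOG = 1, NUM_SUBSYS };

struct logger { const char *name; };

/* The two backends named in the mail (hypothetical descriptors). */
static const struct logger ipt_log       = { "ipt_LOG" };
static const struct logger nfnetlink_log = { "nfnetlink_log" };

struct registry {
    const struct logger *loaded[MAX_LOGGERS];
    int nloaded;
    const struct logger *first;                  /* load-order default */
    const struct logger *per_subsys[NUM_SUBSYS]; /* explicit policy */
};

/* "modprobe <logger>": registration happens in load order, and only the
 * first module to register becomes the dispatcher's default. */
static int modprobe(struct registry *r, const struct logger *l)
{
    if (r->nloaded >= MAX_LOGGERS)
        return -1;
    r->loaded[r->nloaded++] = l;
    if (!r->first)
        r->first = l;
    return 0;
}

static const struct logger *find_loaded(const struct registry *r, const char *name)
{
    for (int i = 0; i < r->nloaded; i++)
        if (strcmp(r->loaded[i]->name, name) == 0)
            return r->loaded[i];
    return NULL;
}

/* Unpatched xt_NFLOG: the generic dispatcher hands the packet to whichever
 * backend registered first, so an NFLOG rule can end up in ipt_LOG. */
static const char *nflog_via_dispatcher(const struct registry *r)
{
    return r->first ? r->first->name : "none";
}

/* Eric's patch: xt_NFLOG targets nfnetlink_log directly, so load order no
 * longer matters for NFLOG rules. Other consumers are not covered. */
static const char *nflog_direct(const struct registry *r)
{
    const struct logger *l = find_loaded(r, "nfnetlink_log");
    return l ? l->name : "none";
}

/* Per-subsystem policy: an explicit choice per consumer. Refuse rather
 * than silently fall back when the requested backend is not loaded. */
static int select_backend(struct registry *r, enum subsys s, const char *name)
{
    const struct logger *l = find_loaded(r, name);
    if (!l)
        return -1;
    r->per_subsys[s] = l;
    return 0;
}

static const char *log_for(const struct registry *r, enum subsys s)
{
    if (r->per_subsys[s])
        return r->per_subsys[s]->name;
    return nflog_via_dispatcher(r);   /* no policy set: old default */
}

/* Load both modules; log_first replays the order given in the mail. */
static void load_both(struct registry *r, int log_first)
{
    memset(r, 0, sizeof *r);
    modprobe(r, log_first ? &ipt_log : &nfnetlink_log);
    modprobe(r, log_first ? &nfnetlink_log : &ipt_log);
}

/* Which backend an "iptables -A OUTPUT -j NFLOG" rule actually hits. */
static const char *scenario_unpatched(int log_first)
{
    struct registry r; load_both(&r, log_first);
    return nflog_via_dispatcher(&r);
}

static const char *scenario_patched(int log_first)
{
    struct registry r; load_both(&r, log_first);
    return nflog_direct(&r);
}

static const char *scenario_policy(int log_first)
{
    struct registry r; load_both(&r, log_first);
    if (select_backend(&r, SUBSYS_NFLOG, "nfnetlink_log") != 0)
        return "error";
    return log_for(&r, SUBSYS_NFLOG);
}

/* Conntrack logging with no policy selected: still decided by load order. */
static const char *scenario_conntrack_unselected(int log_first)
{
    struct registry r; load_both(&r, log_first);
    return log_for(&r, SUBSYS_CONNTRACK);
}

int main(void)
{
    printf("unpatched, ipt_LOG first:    NFLOG -> %s\n", scenario_unpatched(1));
    printf("unpatched, nfnetlink first:  NFLOG -> %s\n", scenario_unpatched(0));
    printf("patched xt_NFLOG:            NFLOG -> %s\n", scenario_patched(1));
    printf("per-subsystem policy:        NFLOG -> %s\n", scenario_policy(1));
    printf("conntrack, no policy:        log   -> %s\n", scenario_conntrack_unselected(1));
    return 0;
}
```

The `scenario_conntrack_unselected()` case is the part of Patrick's objection the direct call does not address: any consumer that still goes through the dispatcher keeps inheriting the first-loaded backend until an explicit selection exists for it.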