Dâniel Fraga wrote:
On Tue, 28 Oct 2008 18:40:17 +0100
Patrick McHardy <kaber@xxxxxxxxx> wrote:
Seems likely. Is that an SMP machine? Its possible that the ringbuffer
simply overflows before the logging daemon gets a chance to capture it,
but that should only cause truncated lines.
Yes, SMP (Athlon64 X2 and I noticed it on a Xeon 3040 too).
What do your logging rules that might be responsible for this look like?
My rules are pretty simple:
# Generated by iptables-save v1.4.2 on Tue Oct 28 15:49:09 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [454613:1227743602]
:FLDR - [0:0]
:LDR - [0:0]
...
-A FLDR -j LOG --log-prefix "DROP FORWARD: " --log-level 6
-A FLDR -j DROP
-A LDR -j LOG --log-prefix "DROP INPUT: " --log-level 6
-A LDR -j DROP
COMMIT
# Completed on Tue Oct 28 15:49:09 2008
The interesting is that this behaviour started at 2.6.25 kernel version, but
I couldn't find anything that was changed between .24 and .25 to cause this. Very strange.
I have no idea why the log output is corrupted like this, but
some things you could try:
- use serial console, which should at least avoid any corruption
triggered by ringbuffer overflows. It many packets are logged
it will slow down your system considerably though.
- use ULOG or nfnetlink_log: this allows to capture a full copy
of the packet in userspace, which might be helpful for further
analysis.
Is there a way I can trace the function that generates the log output syslog line?
I use Function Tracer included in 2.6.27 kernel already, but I need a way to stop the tracing
it exactly at the point when this happens, otherwise the tracing buffer will be replaced...
I'm not familiar with ftrace, but you could manually instrument it
(net/ipv4/netfilter/ipt_LOG.c). I'd try nfnetlink_log first though.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
