Re: ULOG and vlans

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 27.07.2011 20:59, Stig wrote:
> I'm using ULOG iptables target to capture packets for pmacct (a
> netflow exporter).  I noticed when ulog gets a packet from a vlan
> interface that the ulog header shows a mac_len of 18 bytes, but it
> appears that the vlan tag has already been stripped from the packet
> header:
> 
> (gdb) p/x *ulog_pkt
> $7 = {
>   mark = 0x0,
>   timestamp_sec = 0x4e2f6077,
>   timestamp_usec = 0x222f3,
>   hook = 0x0,
>   indev_name = {0x65, 0x74, 0x68, 0x31, 0x2e, 0x31, 0x30, 0x30, 0x0, 0x0, 0x0,
>     0x0, 0x0, 0x0, 0x0, 0x0},
>   outdev_name = {0x0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5, 0xf, 0x0,
>     0x0, 0x5, 0xf, 0x0, 0x0},
>   data_len = 0x40,
>   prefix = {0x0, 0x0, 0x2, 0x0, 0x72, 0x60, 0x2f, 0x4e, 0xed, 0x6, 0x0, 0x0,
>     0xa, 0x40, 0x80, 0xfd, 0x2, 0x0, 0x0, 0x0, 0x14, 0x0, 0x1, 0x0, 0xfe,
>     0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
>   mac_len = 0x12,
>   mac = {0x0, 0xd, 0xb9, 0x15, 0x6d, 0x1, 0x0, 0xf, 0x30, 0x4, 0x35, 0x4f,
>     0x8, 0x0, 0x45, 0x0, 0x0, 0x54, 0xff, 0x21, 0x12, 0x0, 0x0, 0x21, 0x12,
>     0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x14, 0x0, 0x2, 0x0, 0x72, 0x60, 0x2f,
>     0x4e, 0xed, 0x6, 0x0, 0x0, 0xa, 0x40, 0x80, 0xfd, 0x3, 0x0, 0x0, 0x0,
>     0x14, 0x0, 0x1, 0x0, 0xfe, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0xd,
>     0xb9, 0xff, 0xfe, 0x15, 0x6d, 0x1, 0x14, 0x0, 0x6, 0x0, 0xff, 0xff, 0xff,
>     0xff, 0xff},
>   payload = 0x941cc35
> }
> 
> 
> If the vlan has been remove, shouldn't the mac_len be reduced to 14?

Yes. How is your vlan device configured (ip -s link show vlanX)?

> 
> This causes parsing problems of the ip header for pmacct because it
> does the following:
> 
>   if (ulog_pkt->mac_len) {
>      	memcpy(jumbo_container, ulog_pkt->mac, ulog_pkt->mac_len);
> 	memcpy(jumbo_container+ulog_pkt->mac_len, ulog_pkt->payload, hdr.caplen);
> 	hdr.caplen += ulog_pkt->mac_len;
> 	hdr.len += ulog_pkt->mac_len;
> 
> 
> Obviously I can work around it, but I'm wondering if this is the
> expected behavior for ulog with vlans?

No, if the tag is stripped, the length should reflect that.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux