src.l3num is the protocol number in the Ethernet header (IPv4 or IPv6), so what I actually want is ct->tuplehash[IP_CT_ORIGINAL].tuple.dst.protonum, which is the L4 protocol number.

I've built and tested this (by forcing a ret of -NF_ACCEPT) and it logs (or not) appropriately with the sysctl settings.

I'll resubmit the patch with this change.

cheers,
Pete

On Wed, Nov 30, 2011 at 10:55 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> On 11/30/2011 07:35 PM, Pete Holland wrote:
>>
>> Sorry, that should be
>> ct->tuplehash[IP_CT_ORIGINAL].tuple.src.l3num
>
> I'd prefer that to the IPPROTO_RAW usage.
>
>> On Wed, Nov 30, 2011 at 10:33 AM, Pete Holland <pholland27@xxxxxxxxx> wrote:
>>>
>>> It occurred to me that I should be able to extract the protocol number
>>> from the tuplehash in struct nf_conn. The original
>>> direction tuple should always be there, and I could get it from there.
>>>
>>> So instead of using IPPROTO_RAW, I could use
>>> ct->tuplehash[IP_CT_ORIGINAL].src.l3num
>>>
>>> I'm still pretty new in the netfilter code, so any thoughts are
>>> greatly appreciated.
>>>
>>> On Tue, Nov 29, 2011 at 12:08 PM, Pete Holland <pholland27@xxxxxxxxx> wrote:
>>>>
>>>> From: Peter Holland <pholland27@xxxxxxxxx>
>>>>
>>>> Make the logging of dropped packets due to ct helper rejection
>>>> conditional on LOG_INVALID.
>>>> This is consistent with the other uses of nf_log_packet.
>>>> Use the IPPROTO_RAW filter since it is unclear based on the caller
>>>> what protocol it actually is.
>>>> Without this check, there is a possible DoS based on traffic-induced
>>>> log generation.
>>>> (Specifically, this was noted in the wild by an attacker against the SIP
>>>> helper.)
>>>>
>>>> Signed-off-by: Peter Holland <pholland27@xxxxxxxxx>
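The difference between the two gating choices discussed in the thread (IPPROTO_RAW in the first patch versus the original-direction tuple's L4 protonum in the resubmission) is easiest to see in a small user-space model. The following is an added example, not code from the thread or from the kernel: the struct and function names are this example's own stand-ins for struct nf_conn and the LOG_INVALID check, and it assumes the documented nf_conntrack_log_invalid sysctl semantics (0 = off, an L4 protocol number = log only that protocol, 255 = IPPROTO_RAW = log all). The sample connection and the drop burst are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_RAW (255) */

/* Stand-ins for the conntrack fields the thread refers to (this example's
 * own types, not the kernel's struct nf_conn / struct nf_conntrack_tuple). */
enum { IP_CT_ORIGINAL = 0, IP_CT_REPLY = 1, IP_CT_DIR_MAX = 2 };

struct model_tuple {
    struct { unsigned short l3num; } src;   /* L3 family (AF_INET/AF_INET6), not an L4 number */
    struct { unsigned char protonum; } dst; /* L4 protocol number (TCP, UDP, ...) */
};

struct model_tuple_hash {
    struct model_tuple tuple;
};

struct model_conn {
    struct model_tuple_hash tuplehash[IP_CT_DIR_MAX];
};

static struct model_conn make_conn(unsigned short l3num, unsigned char protonum)
{
    struct model_conn ct = {0};
    ct.tuplehash[IP_CT_ORIGINAL].tuple.src.l3num = l3num;
    ct.tuplehash[IP_CT_ORIGINAL].tuple.dst.protonum = protonum;
    return ct;
}

/* Model of the LOG_INVALID(net, proto) test (assumed semantics): the
 * nf_conntrack_log_invalid sysctl is 0 (off), one L4 protocol number,
 * or 255 (IPPROTO_RAW, meaning "log every protocol"). */
static bool log_invalid(unsigned int sysctl_log_invalid, unsigned int proto)
{
    return sysctl_log_invalid == proto || sysctl_log_invalid == IPPROTO_RAW;
}

/* Variant from the first patch: gate the helper-rejection log on IPPROTO_RAW,
 * so it only ever opens when the sysctl is set to "log all". */
static bool should_log_raw(unsigned int sysctl, const struct model_conn *ct)
{
    (void)ct;
    return log_invalid(sysctl, IPPROTO_RAW);
}

/* Variant from the resubmission: gate on the real L4 protocol taken from the
 * original-direction tuple, so a per-protocol sysctl setting also works. */
static bool should_log_protonum(unsigned int sysctl, const struct model_conn *ct)
{
    return log_invalid(sysctl, ct->tuplehash[IP_CT_ORIGINAL].tuple.dst.protonum);
}

/* Log lines a burst of n rejected packets on one connection would produce:
 * none while the gate is closed, one per packet while it is open. This is
 * the traffic-induced log volume the patch description is concerned with. */
static unsigned long log_lines_raw(unsigned int sysctl, const struct model_conn *ct, unsigned long n)
{
    return should_log_raw(sysctl, ct) ? n : 0;
}

static unsigned long log_lines_protonum(unsigned int sysctl, const struct model_conn *ct, unsigned long n)
{
    return should_log_protonum(sysctl, ct) ? n : 0;
}

int main(void)
{
    /* Constructed sample: a UDP/IPv4 flow handled by a helper (e.g. SIP over UDP). */
    struct model_conn sip = make_conn(AF_INET, IPPROTO_UDP);
    unsigned int settings[] = { 0, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_RAW };
    unsigned long burst = 100000;  /* rejected packets in a constructed flood */

    printf("sysctl  raw-gated  protonum-gated  (log lines per %lu drops)\n", burst);
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++)
        printf("%6u  %9lu  %14lu\n", settings[i],
               log_lines_raw(settings[i], &sip, burst),
               log_lines_protonum(settings[i], &sip, burst));
    return 0;
}
```

Run as-is it prints one row per sysctl value. With the default of 0 neither variant emits anything for a flood of rejected packets, which is the DoS fix itself; the rows for 6 and 17 show what the tuple-based gate adds: an administrator who sets the sysctl to a single protocol gets helper-rejection logs for that protocol only, whereas the IPPROTO_RAW gate only ever opens at 255.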