On Mon, 14 May 2012, pablo@xxxxxxxxxxxxx wrote: > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > > Extend log message if packets are ignored to include the TCP state, ie. > replace: > > [ 3968.070196] nf_ct_tcp: invalid packet ignored IN= OUT= SRC=... > > by: > > [ 3968.070196] nf_ct_tcp: invalid packet ignored in state ESTABLISHED IN= OUT= SRC=... > > This information is useful to know in what state we were while ignoring the > packet. > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > --- > net/netfilter/nf_conntrack_proto_tcp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c > index 4dfbfa8..21ff1a9 100644 > --- a/net/netfilter/nf_conntrack_proto_tcp.c > +++ b/net/netfilter/nf_conntrack_proto_tcp.c > @@ -952,7 +952,8 @@ static int tcp_packet(struct nf_conn *ct, > spin_unlock_bh(&ct->lock); > if (LOG_INVALID(net, IPPROTO_TCP)) > nf_log_packet(pf, 0, skb, NULL, NULL, NULL, > - "nf_ct_tcp: invalid packet ignored "); > + "nf_ct_tcp: invalid packet ignored in " > + "state %s ", tcp_conntrack_names[old_state]); > return NF_ACCEPT; > case TCP_CONNTRACK_MAX: > /* Invalid packet */ > -- > 1.7.10 > Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
