Re: NFULNL_CFG_F_CONNTRACK and IPv6

On Tue, Jan 12, 2021, at 3:01 PM, Rafael David Tinoco wrote:
> > > Ha, that's weird. 
> > > 
> > > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > > 
> > > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > > 
> > > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> > 
> > ?  You need a -j NFLOG rule.  -j TRACE might not even use netlink events
> > but raw printk() when used with classic iptables (rather than
> > iptables-nft, where this maps to 'meta nftrace set 1').
> 
> -j TRACE uses netlink communication for IPv4, so why would it not use it for 
> IPv6 if my nf_log:
> 
> $ sudo cat /proc/net/netfilter/nf_log 
>  0 NONE (nfnetlink_log)
>  1 NONE (nfnetlink_log)
>  2 nfnetlink_log (nfnetlink_log)
>  3 NONE (nfnetlink_log)
>  4 NONE (nfnetlink_log)
>  5 NONE (nfnetlink_log)
>  6 NONE (nfnetlink_log)
>  7 NONE (nfnetlink_log)
>  8 NONE (nfnetlink_log)
>  9 NONE (nfnetlink_log)
> 10 nfnetlink_log (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
> 
> has protos 2 and 10 set to use nfnetlink_log... and, from the kernel:
> 
> static struct nf_logger nfulnl_logger __read_mostly = {
> 	.name	= "nfnetlink_log",
> 	.type	= NF_LOG_TYPE_ULOG,
> 	.logfn	= nfulnl_log_packet,
> 	.me	= THIS_MODULE,
> };
> 
> nfnetlink_log shows me that the function nfulnl_log_packet() is the one 
> that builds the netlink packet to userland. So, if it works for IPv4, 
> why would it not work for IPv6?
> 
> Note: My intent is to have a single rule that gives me one netlink msg 
> to each of the traced events (instead of adding a bunch of NFLOG rules 
> working each one as triggers for the events, which I also could).

As a quick side note, with the same IPv4 rules:

  tcp      6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]
log received (prefix="TRACE: raw:PREROUTING:policy:3 " hw=0x0800 hook=0 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:PREROUTING:policy:3 </prefix><hook>0</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=378)
log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x0800 hook=1 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: filter:INPUT:policy:1 </prefix><hook>1</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=376)
  ip_conntrack_info: ORIGINAL / ESTABLISHED
  tcp      6 432000 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]

the conntrack feature is added to the netlink log msg.
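To check by hand whether a traced packet belongs to the conntrack entry printed next to it, here is an added example (not code from this thread or from libnetfilter_log) that decodes the hex `<payload>` from the log lines above and compares its addresses and ports with the ORIGINAL and REPLY tuples of a conntrack line. The sample inputs are copied from the messages quoted above.

```python
import ipaddress
import re
import struct

# Constructed sample inputs, copied from the log lines quoted in this thread:
# the IPv4 PREROUTING trace payload, the IPv6 OUTPUT trace payload, and the
# conntrack entry printed next to the IPv4 trace.
IPV4_PAYLOAD = ("450000340efc40004006534c0afa61870afa61018e5c1770fd1122e1"
                "86613618801001bdd8a200000101080a4f4ed56aa18dbb50")
IPV6_PAYLOAD = ("600041d600200640fe8000000000000014535dfffe1aca68fe800000"
                "0000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb"
                "267100000101080a011250252a763edf")
CT_LINE = ("tcp      6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 "
           "sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 "
           "sport=6000 dport=36444 [ASSURED]")

PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_payload(hexdata):
    """Decode the IP and TCP/UDP headers of an NFLOG <payload> hex string."""
    pkt = bytes.fromhex(hexdata)
    version = pkt[0] >> 4
    if version == 4:
        l4_off = (pkt[0] & 0x0F) * 4      # IHL is in 32-bit words
        proto = pkt[9]
        src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    elif version == 6:
        l4_off = 40                       # fixed header; extension headers not handled
        proto = pkt[6]                    # next header
        src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    else:
        raise ValueError("payload is not an IPv4/IPv6 packet")
    sport = dport = None
    if proto in PROTO_NAMES and len(pkt) >= l4_off + 4:
        sport, dport = struct.unpack("!HH", pkt[l4_off:l4_off + 4])
    return {"proto": PROTO_NAMES.get(proto, str(proto)), "src": str(src),
            "dst": str(dst), "sport": sport, "dport": dport}

def parse_conntrack(line):
    """Return the ORIGINAL-direction tuple (the first src/dst/sport/dport group)."""
    m = re.search(r"(\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?src=(\S+) dst=(\S+) "
                  r"sport=(\d+) dport=(\d+)", line)
    if not m:
        raise ValueError("unrecognised conntrack line")
    return {"proto": m.group(1), "src": m.group(2), "dst": m.group(3),
            "sport": int(m.group(4)), "dport": int(m.group(5))}

def matches_conntrack(hexdata, ct_line):
    """True if the packet is the ORIGINAL or REPLY direction of the conntrack entry."""
    p, ct = parse_payload(hexdata), parse_conntrack(ct_line)
    if p["proto"] != ct["proto"]:
        return False
    orig = (ct["src"], ct["dst"], ct["sport"], ct["dport"])
    reply = (ct["dst"], ct["src"], ct["dport"], ct["sport"])
    return (p["src"], p["dst"], p["sport"], p["dport"]) in (orig, reply)
```

The IPv6 payload decodes to a TCP segment from fe80::1453:5dff:fe1a:ca68 port 39696 to fe80::216:3eff:fe7f:aedd port 22, so it is not the same flow as the IPv4 conntrack entry.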
