Re: ulogd packet based logging with CT info


 



I'm really confused after searching for a bug.

Getting nf_conntrack via nflog_nlmsg_parse(ph, attrs); is (I think)
bad because the ph parameter must be an nlmsghdr, not an nfulnl_msg_packet_hdr.

So, a different way. I added new getters to libnetfilter_log.c:

struct nf_conntrack *nflog_get_ct(struct nflog_data *nfad)
{
    return nfnl_get_pointer_to_data(nfad->nfa, NFULA_CT, struct nf_conntrack);
}

uint32_t nflog_get_ct_info(struct nflog_data *nfad)
{
    /* NFULA_CT_INFO is a 32-bit big-endian value, so convert with ntohl() */
    return ntohl(nfnl_get_data(nfad->nfa, NFULA_CT_INFO, uint32_t));
}

nflog_get_ct_info works correctly. But from nflog_get_ct I'm unable to
read anything.

struct nf_conntrack *ct = nflog_get_ct(ldata);
printf("test value %" PRIu64 "\n", ct->timestamp.start);

is returning random numbers. What am I missing? How do I properly parse
the output of nflog_get_ct to be able to use, for example, nfct_get_attr_u32?

On Wed, 18 Aug 2021 at 13:52, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi Blažej,
>
> On Wed, Aug 18, 2021 at 12:06:40PM +0200, Blažej Krajňák wrote:
> > On Wed, 18 Aug 2021 at 9:23, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > You need this kernel patch to add this information to nfnetlink_queue,
> > > compile-tested only.
> >
> > Hey Pablo,
> > patch is working like a charm. Thank you! Now I see timestamps and
> > packets/bytes counters in JSON output correctly.
> > At the end I will post customized input plugin for everyone.
> >
> > The last thing I want to ask is what's the correct way to get
> >
> > attrs[NFULA_CT]
> >
> > from
> >
> > struct nfulnl_msg_packet_hdr *ph = nflog_get_msg_packet_hdr(ldata);
> >
> >
> > Now I use the following code, which is working but throwing random
> > errors "something went wrong (Numerical result out of range)". I'm
> > mixing struct nfulnl_msg_packet_hdr with const struct nlmsghdr *nlh.
>
> That might be a bug in nflog_nlmsg_parse(): maybe
> nflog_parse_attr_cb() is finding a mismatch in the datatype of the
> attribute payload.
>
> Could you have a look at what attribute is hitting this error?
>
> > struct nfulnl_msg_packet_hdr *ph = nflog_get_msg_packet_hdr(ldata);
> > struct nlattr *attrs[NFULA_MAX + 1] = { NULL };
> > int retb;
> >
> > retb = nflog_nlmsg_parse(ph, attrs);
> > if (retb != MNL_CB_OK) {
> >     printf("something went wrong");
> >     printf(" (%s)\n", strerror(errno));
> >     return retb;
> > }
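
Added example, not part of the original message or of libnetfilter_log: the NFULA_CT payload is a nested run of conntrack netlink attributes (CTA_*), not a struct nf_conntrack, so it has to be walked as TLVs rather than dereferenced. The function names find_attr, ct_timestamp_start and put_attr are hypothetical, and put_attr exists only to build a constructed sample payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Numeric values as in linux/netlink.h and linux/netfilter/nfnetlink_conntrack.h. */
#define NLA_HDRLEN 4
#define NLA_TYPE_MASK 0x3fff          /* drops NLA_F_NESTED / NLA_F_NET_BYTEORDER */
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
enum { CTA_MARK = 8, CTA_TIMESTAMP = 20, CTA_TIMESTAMP_START = 1 };

/* Bounds-checked TLV walk: payload of the first attribute `type`, or NULL. */
static const uint8_t *find_attr(const uint8_t *p, size_t len, uint16_t type, size_t *plen) {
    while (len >= NLA_HDRLEN) {
        uint16_t alen, atype;
        memcpy(&alen, p, 2);          /* nla_len and nla_type are host-endian */
        memcpy(&atype, p + 2, 2);
        if (alen < NLA_HDRLEN || alen > len)
            return NULL;              /* malformed or truncated attribute */
        if ((atype & NLA_TYPE_MASK) == type) {
            *plen = (size_t)alen - NLA_HDRLEN;
            return p + NLA_HDRLEN;
        }
        size_t step = NLA_ALIGN(alen) < len ? NLA_ALIGN(alen) : len;
        p += step;                    /* skip the attribute and its padding */
        len -= step;
    }
    return NULL;
}

/* NFULA_CT payload -> CTA_TIMESTAMP -> CTA_TIMESTAMP_START (big-endian u64). */
int ct_timestamp_start(const uint8_t *ct, size_t len, uint64_t *out) {
    size_t tslen = 0, slen = 0;
    const uint8_t *ts = find_attr(ct, len, CTA_TIMESTAMP, &tslen);
    const uint8_t *s = ts ? find_attr(ts, tslen, CTA_TIMESTAMP_START, &slen) : NULL;
    if (!s || slen != 8)
        return -1;                    /* attribute absent or wrong size */
    *out = 0;
    for (int i = 0; i < 8; i++)
        *out = (*out << 8) | s[i];
    return 0;
}

/* Helper for building a constructed sample payload; returns the new offset. */
size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen) {
    uint16_t alen = (uint16_t)(NLA_HDRLEN + dlen);
    memcpy(buf + off, &alen, 2);
    memcpy(buf + off + 2, &type, 2);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + NLA_ALIGN(alen);
}
```

In a plugin that links libnetfilter_conntrack, the same payload and its length can instead be handed to nfct_payload_parse() together with an object from nfct_new(), after which the nfct_get_attr_* getters work.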




