From: Liping Zhang
Date: Tue, 11 Oct 2016 08:58:57 +0800
Subject: Re: kernel v4.8: iptables logs are truncated with the 4.8 kernel?
To: Chris Caputo
Cc: Vishwanath Pai, Pablo Neira Ayuso, Justin Piszcz, linux-kernel@vger.kernel.org, Linux Kernel Network Developers
X-Mailing-List: linux-kernel@vger.kernel.org

2016-10-11 2:33 GMT+08:00 Chris Caputo:
>>
>> What numbers did you specify after the --nflog-size option?
>> --nflog-size 0 or ...? If you want to log the whole packet to
>> the ulogd, please do not specify this nflog-size option.
>
> Not specifying nflog-size does not appear to log the whole packet...
>
> If "--nflog-size" is unspecified, and the iptables config is left
> unchanged when the kernel is upgraded to 4.8, ulogd-2.0.5 crashes.
>
> If "--nflog-size 0" is used, ulogd-2.0.5 crashes.
>
> If "--nflog-size" is used with size 1 or greater, ulogd-2.0.5 is fine.
>
>> > I'm surprised to see a kernel change cause unexpected userspace segfaults,
>> > so further investigation into a kernel fix would seem a good idea.
>>
>> According to the original user's manual, nflog-range option was
>> designed to be the number of bytes copied to userspace, but
>> unfortunately there's a bug from the beginning and it never works,
>> i.e. in kernel, it just ignored this option.
>>
>> Trying to change the current nflog-range option's semantics may
>> cause unexpected results (maybe like this ulogd crash) ...
>>
>> In order to keep compatibility, Vishwanath introduced a new
>> nflog-size option and kept nflog-range unchanged. If you just
>> upgrade the kernel, and do not change iptables rules, this
>> problem will not happen.
>
> I am reporting that the problem does happen simply with an upgrade to
> kernel 4.8 and no other changes. When "--nflog-size" is unspecified or
> set to 0, the bug in ulogd-2.0.5 gets triggered.
>
> I agree there is a bug in ulogd-2.0.5 that this kernel change exposed, but
> I am trying to explain that all ulogd users risk this segfault if they
> upgrade to kernel 4.8 and don't either update to a fixed ulogd (possibly
> using your patch below) or an unreleased iptables with iptables config
> changes to implement nflog-size on each NFLOG target.

Yes, thanks for clarifying this. There's a bug in the kernel, can you try
this patch:

diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index 018eed7..8c069b4 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c @@ -32,6 +32,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) li.u.ulog.copy_len = info->len; li.u.ulog.group = info->group; li.u.ulog.qthreshold = info->threshold; + li.u.ulog.flags = 0; if (info->flags & XT_NFLOG_F_COPY_LEN) li.u.ulog.flags |= NF_LOG_F_COPY_LEN;

Thanks
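
Review bot: Clearing only `li.u.ulog.flags` in `nflog_tg()` covers the one member that the following `li.u.ulog.flags |= NF_LOG_F_COPY_LEN;` reads before any visible line writes it, but the declaration of `li` is outside this hunk, so it cannot be seen whether other members are left unset in the same way. Consider zero-initializing the whole structure where it is declared instead of clearing a single field, so that a member added later cannot repeat the problem. Since the flag is the only bit set here, a plain assignment in place of the `|=` would also make the intent explicit. For a formal submission the patch needs a changelog that names the symptom reported in this thread (behaviour changing after the upgrade to 4.8 with no iptables rule changes) and a Signed-off-by line.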