| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jan 2022 08:21:11 +0100
From: Florian Westphal <fw@...len.de>
To: kai zhang <zhangkaiheb@....com>
Cc: pablo@...filter.org, kadlec@...filter.org, fw@...len.de,
davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
kuba@...nel.org, netfilter-devel@...r.kernel.org,
coreteam@...filter.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: fix duplicate logs of iptables TRACE target
kai zhang <zhangkaiheb@....com> wrote:
> Below configuration, mangle,filter and security tables have no rule:
>
> There are 5 logs for incoming ssh packet:
>
> kernel: [ 7018.727278] TRACE: raw:PREROUTING:policy:2 IN=enp9s0 ...
> kernel: [ 7018.727304] TRACE: mangle:PREROUTING:policy:1 IN=enp9s0 ...
> kernel: [ 7018.727327] TRACE: mangle:INPUT:policy:1 IN=enp9s0 ...
> kernel: [ 7018.727343] TRACE: filter:INPUT:policy:1 IN=enp9s0 ...
> kernel: [ 7018.727359] TRACE: security:INPUT:policy:1 IN=enp9s0 ...
Thats correct and exactly whats supposed to happen.
> #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
> /* The packet is traced: log it */
> - if (unlikely(skb->nf_trace))
> + if (unlikely(skb->nf_trace)) {
> trace_packet(state->net, skb, hook, state->in,
> state->out, table->name, private, e);
> + nf_reset_trace(skb);
> + }
This breaks the long established behavior of TRACE,
we don't want users to have to TRACE tables individually which may also
be hard when nat is involved.
Powered by blists - more mailing lists