lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220124072111.GB14018@breakpoint.cc> Date: Mon, 24 Jan 2022 08:21:11 +0100 From: Florian Westphal <fw@...len.de> To: kai zhang <zhangkaiheb@....com> Cc: pablo@...filter.org, kadlec@...filter.org, fw@...len.de, davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org, kuba@...nel.org, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] net: fix duplicate logs of iptables TRACE target kai zhang <zhangkaiheb@....com> wrote: > Below configuration, mangle,filter and security tables have no rule: > > There are 5 logs for incoming ssh packet: > > kernel: [ 7018.727278] TRACE: raw:PREROUTING:policy:2 IN=enp9s0 ... > kernel: [ 7018.727304] TRACE: mangle:PREROUTING:policy:1 IN=enp9s0 ... > kernel: [ 7018.727327] TRACE: mangle:INPUT:policy:1 IN=enp9s0 ... > kernel: [ 7018.727343] TRACE: filter:INPUT:policy:1 IN=enp9s0 ... > kernel: [ 7018.727359] TRACE: security:INPUT:policy:1 IN=enp9s0 ... Thats correct and exactly whats supposed to happen. > #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) > /* The packet is traced: log it */ > - if (unlikely(skb->nf_trace)) > + if (unlikely(skb->nf_trace)) { > trace_packet(state->net, skb, hook, state->in, > state->out, table->name, private, e); > + nf_reset_trace(skb); > + } This breaks the long established behavior of TRACE, we don't want users to have to TRACE tables individually which may also be hard when nat is involved.
Powered by blists - more mailing lists