| Message ID | 20220124053455.55858-1-zhangkaiheb@126.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: fix duplicate logs of iptables TRACE target | expand |
kai zhang <zhangkaiheb@126.com> wrote: > Below configuration, mangle,filter and security tables have no rule: > > There are 5 logs for incoming ssh packet: > > kernel: [ 7018.727278] TRACE: raw:PREROUTING:policy:2 IN=enp9s0 ... > kernel: [ 7018.727304] TRACE: mangle:PREROUTING:policy:1 IN=enp9s0 ... > kernel: [ 7018.727327] TRACE: mangle:INPUT:policy:1 IN=enp9s0 ... > kernel: [ 7018.727343] TRACE: filter:INPUT:policy:1 IN=enp9s0 ... > kernel: [ 7018.727359] TRACE: security:INPUT:policy:1 IN=enp9s0 ... Thats correct and exactly whats supposed to happen. > #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) > /* The packet is traced: log it */ > - if (unlikely(skb->nf_trace)) > + if (unlikely(skb->nf_trace)) { > trace_packet(state->net, skb, hook, state->in, > state->out, table->name, private, e); > + nf_reset_trace(skb); > + } This breaks the long established behavior of TRACE, we don't want users to have to TRACE tables individually which may also be hard when nat is involved.
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2ed7c58b4..5f0e6096e 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -304,9 +304,11 @@ ipt_do_table(void *priv, #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) /* The packet is traced: log it */ - if (unlikely(skb->nf_trace)) + if (unlikely(skb->nf_trace)) { trace_packet(state->net, skb, hook, state->in, state->out, table->name, private, e); + nf_reset_trace(skb); + } #endif /* Standard target? */ if (!t->u.kernel.target->target) { diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 2d816277f..ae842a835 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -327,9 +327,11 @@ ip6t_do_table(void *priv, struct sk_buff *skb, #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) /* The packet is traced: log it */ - if (unlikely(skb->nf_trace)) + if (unlikely(skb->nf_trace)) { trace_packet(state->net, skb, hook, state->in, state->out, table->name, private, e); + nf_reset_trace(skb); + } #endif /* Standard target? */ if (!t->u.kernel.target->target) {
Below configuration, mangle,filter and security tables have no rule: There are 5 logs for incoming ssh packet: kernel: [ 7018.727278] TRACE: raw:PREROUTING:policy:2 IN=enp9s0 ... kernel: [ 7018.727304] TRACE: mangle:PREROUTING:policy:1 IN=enp9s0 ... kernel: [ 7018.727327] TRACE: mangle:INPUT:policy:1 IN=enp9s0 ... kernel: [ 7018.727343] TRACE: filter:INPUT:policy:1 IN=enp9s0 ... kernel: [ 7018.727359] TRACE: security:INPUT:policy:1 IN=enp9s0 ... Signed-off-by: kai zhang <zhangkaiheb@126.com> --- net/ipv4/netfilter/ip_tables.c | 4 +++- net/ipv6/netfilter/ip6_tables.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-)