Thread (4 messages, 3 authors, 2006-01-31)

Re: [PATCH] [NETFILTER] nfnetlink_log: add sequence numbers for log events

From: Harald Welte <hidden>
Date: 2006-01-31 08:54:42
Also in: netfilter-devel

On Tue, Jan 31, 2006 at 12:32:21AM +0100, Patrick McHardy wrote:
> Harald Welte wrote:
> > Hi Dave,
> > 
> > please apply, thanks!
> > 
> > [NETFILTER] nfnetlink_log: add sequence numbers for log events
> > 
> > By using a sequence number for every logged netfilter event, we can
> > determine from userspace whether logging information was lost somewhere
> > downstream.
> 
> BTW, I have a patch I wanted to submit on top of this, which changes the
> *LOG targets to do "reliable" logging, which means if we encounter any
> errors during logging (for example from netlink), the packet will be
> dropped. This makes as sure as possible that no connections will be
> silently accepted. It's a slight change of user-visible behaviour, but
> since it only affects corner-cases I think it should be OK. I could add
> some flags to retain the current behaviour, but I think it's not worth
> it.

I think it is very much required to have such a flag.  (we can actually
add it to the nfnetlink_log flags).  It really depends on your setup.
Some people really really want to have logging reliable, others fear
that they might easily be DoS'ed, if logging has higher priority than
packet forwarding.

> Any objections?

If it's optional (and the default is unreliable), then I think it's a
great idea.

-- 
- Harald Welte [off-list ref]                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

Attachments

  • (unnamed) [application/pgp-signature] 189 bytes
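The loss detection the patch description refers to, a userspace consumer comparing the sequence numbers of consecutive log events, as an added example that is not code from this thread or from the netfilter project. It assumes what the patch description states: a 32-bit counter that the kernel increments by one per logged event, delivered in order over the netlink socket. The code does not speak netlink itself; it takes sequence numbers that have already been extracted from the events, and the two input streams are constructed here to show a gap, a counter rollover, and a counter restart.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-instance state a userspace log consumer keeps to detect loss.
 * Assumption (from the patch description): the kernel increments a
 * 32-bit counter for every event it queues, so consecutive events
 * arrive with consecutive sequence numbers. */
struct seq_tracker {
    bool have_last;       /* false until the first event has been seen */
    uint32_t last_seq;    /* sequence number of the last event seen */
    uint64_t lost_total;  /* events inferred lost, summed over all gaps */
    uint64_t gaps;        /* number of distinct gaps detected */
    uint64_t resyncs;     /* counter went backwards (instance restarted) */
};

static void seq_tracker_init(struct seq_tracker *t)
{
    t->have_last = false;
    t->last_seq = 0;
    t->lost_total = 0;
    t->gaps = 0;
    t->resyncs = 0;
}

/* Feed one observed sequence number; returns how many events went
 * missing between the previous event and this one (0 if contiguous).
 * Unsigned subtraction wraps modulo 2^32, so the counter rolling over
 * from 0xffffffff to 0 is seen as a delta of 1, not as a huge gap. */
static uint32_t seq_tracker_observe(struct seq_tracker *t, uint32_t seq)
{
    if (!t->have_last) {
        t->have_last = true;
        t->last_seq = seq;
        return 0;
    }
    uint32_t delta = seq - t->last_seq;
    t->last_seq = seq;

    if (delta == 0)
        return 0;                       /* duplicate delivery, not a loss */
    if (delta > UINT32_C(0x80000000)) {
        /* The counter moved backwards. Losing more than 2^31 events is
         * not plausible, so treat this as a resync point (for example the
         * logging instance was re-created) rather than as a loss. */
        t->resyncs++;
        return 0;
    }
    uint32_t missing = delta - 1;
    if (missing) {
        t->gaps++;
        t->lost_total += missing;
    }
    return missing;
}

/* Run a whole stream of sequence numbers through a fresh tracker and
 * return the total number of events inferred lost. If out is non-NULL
 * the final tracker state is copied there for inspection. */
static uint64_t count_lost(const uint32_t *seqs, size_t n, struct seq_tracker *out)
{
    struct seq_tracker t;
    seq_tracker_init(&t);
    for (size_t i = 0; i < n; i++) {
        uint32_t missing = seq_tracker_observe(&t, seqs[i]);
        if (missing)
            printf("gap before seq %" PRIu32 ": %" PRIu32 " event(s) lost\n",
                   seqs[i], missing);
    }
    if (out)
        *out = t;
    return t.lost_total;
}

static uint64_t sample_gaps(const uint32_t *seqs, size_t n)
{
    struct seq_tracker t;
    count_lost(seqs, n, &t);
    return t.gaps;
}

static uint64_t sample_resyncs(const uint32_t *seqs, size_t n)
{
    struct seq_tracker t;
    count_lost(seqs, n, &t);
    return t.resyncs;
}

/* Constructed sample: sequence numbers as a consumer might read them
 * from a stream of log events, including a rollover of the counter. */
static const uint32_t SAMPLE_SEQS[] = {
    0xfffffffc, 0xfffffffd, 0xffffffff,  /* 0xfffffffe lost */
    0x00000000, 0x00000001,              /* rollover: contiguous */
    0x00000004,                          /* 2 and 3 lost */
};
#define SAMPLE_N (sizeof(SAMPLE_SEQS) / sizeof(SAMPLE_SEQS[0]))

/* Constructed sample where the counter restarts from a small value. */
static const uint32_t RESTART_SEQS[] = { 5, 6, 2, 3 };
#define RESTART_N (sizeof(RESTART_SEQS) / sizeof(RESTART_SEQS[0]))

int main(void)
{
    struct seq_tracker t;
    uint64_t lost = count_lost(SAMPLE_SEQS, SAMPLE_N, &t);
    printf("lost=%" PRIu64 " gaps=%" PRIu64 " resyncs=%" PRIu64 "\n",
           lost, t.gaps, t.resyncs);
    return 0;
}
```

A consumer that records `lost_total` alongside its own output gives an auditor the number the thread is after: how many events the kernel logged that never reached userspace. The resync rule is the one judgement call, and it is where the "reliable logging" discussion above bites: with unreliable logging, a gap is expected under load and is simply counted; with a reliable mode that drops the packet on logging failure, a gap should not occur at all and is worth alerting on.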