On Tue, Jan 31, 2006 at 12:32:21AM +0100, Patrick McHardy wrote:
> Harald Welte wrote:
> > Hi Dave,
> >
> > please apply, thanks!
> >
> > [NETFILTER] nfnetlink_log: add sequence numbers for log events
> >
> > By using a sequence number for every logged netfilter event, we can
> > determine from userspace whether logging information was lost somewhere
> > downstream.
>
> BTW, I have a patch I wanted to submit on top of this, which changes the
> *LOG targets to do "reliable" logging, which means if we encounter any
> errors during logging (for example from netlink), the packet will be
> dropped. This makes as sure as possible that no connections will be
> silently accepted. It's a slight change of user-visible behaviour, but
> since it only affects corner-cases I think it should be OK. I could add
> some flags to retain the current behaviour, but I think it's not worth
> it.

I think it is very much required to have such a flag. (we can actually
add it to the nfnetlink_log flags).

It really depends on your setup. Some people really really want to have
logging reliable, others fear that they might easily be DoS'ed, if
logging has higher priority than packet forwarding.

> Any objections?

If it's optional (and the default is unreliable), then I think it's a
great idea.

-- 
- Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
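The userspace side of the sequence-number idea in the patch description, as an added example that is not code from the patch or from netfilter. It assumes a 32-bit counter that increases by one per logged event; `seq_tracker`, `seq_track` and the sample values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* State a log reader keeps for one stream of sequence numbers. */
struct seq_tracker {
    bool     primed;    /* false until the first event has been seen */
    uint32_t expected;  /* sequence number the next event should carry */
    uint64_t lost;      /* events known to be missing so far */
    uint64_t stale;     /* duplicates or late arrivals that were ignored */
};

/* Feed one sequence number; returns how many events were lost before it. */
uint32_t seq_track(struct seq_tracker *t, uint32_t seq)
{
    if (!t->primed) {               /* first event only sets the baseline */
        t->primed = true;
        t->expected = seq + 1;
        return 0;
    }
    /* Unsigned subtraction is modulo 2^32, so a counter wrap is not a gap. */
    uint32_t gap = seq - t->expected;
    if (gap >= 0x80000000u) {       /* seq is behind expected: not a loss */
        t->stale++;
        return 0;
    }
    t->lost += gap;
    t->expected = seq + 1;
    return gap;
}

int main(void)
{
    /* Constructed sample: wraps at 2^32, skips 2..4, then repeats 5. */
    const uint32_t sample[] = { 4294967294u, 4294967295u, 0, 1, 5, 5, 6 };
    struct seq_tracker t = { 0 };

    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        uint32_t gap = seq_track(&t, sample[i]);
        if (gap)
            printf("seq %u: %u event(s) lost before this one\n",
                   (unsigned)sample[i], (unsigned)gap);
    }
    printf("total lost=%llu stale=%llu\n",
           (unsigned long long)t.lost, (unsigned long long)t.stale);
    return 0;
}
```

A reader that sees a non-zero gap knows the log is incomplete for that interval, which is the condition the "reliable" mode discussed in the reply would turn into a packet drop instead.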