diff options
| author |   Liping Zhang <liping.zhang@spreadtrum.com> | 2016-10-11 21:03:45 +0800 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2016-10-17 17:38:19 +0200 |
| commit | 6d19375b58763fefc2f215fb45117d3353ced888 (patch) | |
| tree | d95306abba2a48574b5db719455f92f79d18b2f1 /net/netfilter/xt_NFLOG.c | |
| parent | netfilter: conntrack: remove obsolete sysctl (nf_conntrack_events_retry_timeout) (diff) | |
| download | linux-dev-6d19375b58763fefc2f215fb45117d3353ced888.tar.xz linux-dev-6d19375b58763fefc2f215fb45117d3353ced888.zip | |
netfilter: xt_NFLOG: fix unexpected truncated packet
Justin and Chris spotted that iptables NFLOG target was broken when they
upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or
"results in segfaults in ulogd-2.0.5".
Because "struct nf_loginfo li;" is a local variable, and flags will be
filled with garbage value, not inited to zero. So if it contains 0x1,
packets will not be logged to the userspace anymore.
Fixes: 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets")
Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
Reported-by: Chris Caputo <ccaputo@alt.net>
Tested-by: Chris Caputo <ccaputo@alt.net>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_NFLOG.c')
| -rw-r--r-- | net/netfilter/xt_NFLOG.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index 018eed7e1ff1..8668a5c18dc3 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c @@ -32,6 +32,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) li.u.ulog.copy_len = info->len; li.u.ulog.group = info->group; li.u.ulog.qthreshold = info->threshold; + li.u.ulog.flags = 0; if (info->flags & XT_NFLOG_F_COPY_LEN) li.u.ulog.flags |= NF_LOG_F_COPY_LEN; |