From 7070b1f3c88a0c3d4e315c00cca61f05b0fbc882 Mon Sep 17 00:00:00 2001 From: Vishwanath Pai Date: Fri, 24 Jun 2016 16:42:31 -0400 Subject: extensions: libxt_NFLOG: nflog-range does not truncate packets The option --nflog-range has never worked, but we cannot just fix this because users might be using this feature option and their behavior would change. Instead add a new option --nflog-size. This option works the same way nflog-range should have, and both of them are mutually exclusive. When someone uses --nflog-range we print a warning message informing them that this feature has no effect. To indicate the kernel that the user has set --nflog-size we have to pass a new flag XT_NFLOG_F_COPY_LEN. Also updated the man page to reflect the new option and added tests to extensions/libxt_NFLOG.t Reported-by: Joe Dollard Reviewed-by: Josh Hunt Signed-off-by: Vishwanath Pai Signed-off-by: Pablo Neira Ayuso
---
extensions/libxt_NFLOG.t | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'extensions/libxt_NFLOG.t')
diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t
index f9768aae..78076b56 100644
--- a/extensions/libxt_NFLOG.t
+++ b/extensions/libxt_NFLOG.t
@@ -7,6 +7,10 @@
 -j NFLOG --nflog-range 4294967295;=;OK
 -j NFLOG --nflog-range 4294967296;;FAIL
 -j NFLOG --nflog-range -1;;FAIL
+-j NFLOG --nflog-size 1;=;OK
+-j NFLOG --nflog-size 4294967295;=;OK
+-j NFLOG --nflog-size 4294967296;;FAIL
+-j NFLOG --nflog-size -1;;FAIL
 # ERROR: cannot find: iptables -I INPUT -j NFLOG --nflog-prefix xxxxxx [...]
 # -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
 # ERROR: should fail: iptables -A INPUT -j NFLOG --nflog-prefix xxxxxxx [...]
-- cgit v1.2.3
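Review bot: The four added `--nflog-size` cases cover only the numeric bounds; nothing in this hunk exercises the mutual exclusion with `--nflog-range` that the commit message describes. A case such as `-j NFLOG --nflog-range 1 --nflog-size 1;;FAIL` after the last `--nflog-size` line would pin that behaviour, assuming the parser rejects the combination as stated (the parser change is not shown on this page, which is limited to the test file). A `--nflog-size 0` case would also document the lower bound, whichever result is intended. Since the new option is what actually limits how much of each packet is copied to the userspace logger, both edges are worth locking down in the test file.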