[iptables module] Accept TOS to not provide 0x HEX format #32126
Conversation
It might happen that some appliances send a `TOS` value without the `0x` prefix for HEX values. Some users hit this problem with the NFLOG and ulogd2 extension. As I am not an expert on this domain, I let you review this change.
Pinging @elastic/integrations (Team:Integrations)
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Looks good so far.
It's going to need sample logs added to the test files, ideally if you can find ones with a TOS value that confirms this is still hexadecimal.
Also a changelog entry.
This pull request does not have a backport label.
@lucabelluccini Are you able to find a real example that we can use in tests that does not include the
OK. I have a confirmation on this. The ulogd v2 code clearly emits a two-digit hex value without a
So I think we are good. I'll add the test examples that are included in the PR message.
This pull request is now in conflicts. Could you fix it? 🙏
Hello @efd6 - I opened this following an example provided by a user.
@lucabelluccini No worries, I'm happy with the answer now. I think we are good now.
…non-0x prefixed TOS field (#32126)

The formatting of log lines by ulogd v2 does not prefix the TOS field with a hex 0x syntax[1].

```c
buf_cur += sprintf(buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ",
                   ikey_get_u16(&res[KEY_IP_TOTLEN]),
                   ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_TOS_MASK,
                   ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_PREC_MASK,
                   ikey_get_u8(&res[KEY_IP_TTL]),
                   ikey_get_u16(&res[KEY_IP_ID]));
```

So make sure that we allow log lines without this syntax to be parsed.

[1] https://github.com/bootc/ulogd2/blob/f985da47cbfa24b6ec0b6fcbebe1ada09e31ee35/util/printpkt.c#L213-L218
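As an added example (not code from this PR or from Beats), here is a Go parser for the `LEN ... TOS ... PREC ... TTL ... ID` group that accepts both the kernel's `TOS=0x10` and ulogd2's `TOS=10` spelling while still treating the value as hexadecimal, which is the point the reviewer asked to confirm. The two sample log lines are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// IPHeader holds the fields the kernel LOG target and ulogd2 both print as
// "LEN=... TOS=... PREC=... TTL=... ID=...". TOS is hexadecimal in both, prefixed or not.
type IPHeader struct {
	Len, ID   uint16
	TOS, Prec uint8
	TTL       uint8
}

// ipRe makes the "0x" before TOS optional: ulogd2 prints TOS with %02X (no prefix)
// but PREC with 0x%02X, so PREC keeps a mandatory prefix.
var ipRe = regexp.MustCompile(`\bLEN=(\d+) TOS=(?:0x)?([0-9A-Fa-f]{2}) PREC=0x([0-9A-Fa-f]{2}) TTL=(\d+) ID=(\d+)\b`)

// ParseIPHeader extracts the group from one log line, accepting either TOS form.
// The hex fields are parsed with base 16 explicitly; a base-10 parse of "TOS=10"
// would silently yield 10 instead of 0x10 (16).
func ParseIPHeader(line string) (IPHeader, error) {
	m := ipRe.FindStringSubmatch(line)
	if m == nil {
		return IPHeader{}, fmt.Errorf("no LEN/TOS/PREC/TTL/ID group in line")
	}
	bases, bits := []int{10, 16, 16, 10, 10}, []int{16, 8, 8, 8, 16}
	var v [5]uint64
	for i := range v {
		n, err := strconv.ParseUint(m[i+1], bases[i], bits[i])
		if err != nil {
			return IPHeader{}, fmt.Errorf("field %d (%q): %w", i, m[i+1], err)
		}
		v[i] = n
	}
	return IPHeader{Len: uint16(v[0]), TOS: uint8(v[1]), Prec: uint8(v[2]), TTL: uint8(v[3]), ID: uint16(v[4])}, nil
}
// Constructed sample lines (not from the PR): kernel LOG target style, then ulogd2 style.
const kernelLine = "IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22"
const ulogd2Line = "IN=eth0 OUT= SRC=192.0.2.1 DST=192.0.2.2 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22"

func main() {
	for _, l := range []string{kernelLine, ulogd2Line} {
		h, err := ParseIPHeader(l)
		fmt.Printf("%+v %v\n", h, err) // both lines yield TOS:16, i.e. 0x10
	}
}
```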
What does this PR do?

It might happen that some appliances send a `TOS` value without the `0x` prefix for HEX values. Some users hit this problem with the NFLOG and ulogd2 extension.

As I am not an expert on this domain, I let you review this change.

Why is it important?

It can allow parsing logs for IPTables and be slightly more flexible on the `TOS` format.

Checklist

`CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

How to test this PR locally

TODO, need to add:

Related issues

None

Use cases