Description of problem: I installed the ulogd package and the ulogd-mysql. I noticed that the raw_mac field was not correctly filled : mysql> select raw_mac from ulog where id='92'; +---------+ | raw_mac | +---------+ | 00 | +---------+ 1 row in set (0.00 sec) (all the raw_mac contained "00 ") I'v configured ulogd to log to a different device (syslogemu) Jul 7 13:26:55 loki IN=lo OUT= MAC=00 SRC=10.0.0.1 DST=10.0.0.1 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=45158 CE DF PROTO=TCP SPT=54108 DPT=80 SEQ=164683982 ACK=0 WINDOW=32792 SYN URGP=0 MAC is also truncated. i downloaded the following package: wget ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/ulogd-1.24-3.fc7.src.rpm installed it, and compiled it, then i did: service ulogd stop mv /usr/lib64/ulogd/ulogd_BASE.so /usr/lib64/ulogd/ulogd_BASE.so-save cp "new generated ulogd_BASE.so" /usr/lib64/ulogd/ulogd_BASE.so service ulogd start and after that the syslog like logging worked : Jul 7 13:55:08 loki IN=eth1 OUT= MAC=00:04:75:b0:ff:2f:00:07:cb:34:90:28:08:00 SRC=91.121.20.190 DST=82.230.172.5 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=15425 DF PROTO=TCP SPT=43040 DPT=81 SEQ=2218109664 ACK=0 WINDOW=5840 SYN URGP=0 then back to the mysql logging it works also : mysql> select raw_mac from ulog where id='93'; +--------------------------------------------+ | raw_mac | +--------------------------------------------+ | 00:04:75:b0:ff:2f:00:07:cb:34:90:28:08:00 | +--------------------------------------------+ 1 row in set (0.00 sec) i did not see any patches in the source rpm that affects the ulogd_BASE.so so i guess that the package for x86_64 had been badly compiled ? gcc used to compile : gcc version 4.1.2 20070502 (Red Hat 4.1.2-12) kernel : 2.6.21-1.3228.fc7 arch : x86_64 Jean-Baptiste
example of trucated MAC address : ===>PACKET BOUNDARY tcp.res2=0 tcp.res1=0 tcp.fin=0 tcp.syn=1 tcp.rst=0 tcp.psh=0 tcp.ack=0 tcp.urg=0 tcp.window=5840 tcp.reserved=0 tcp.offset=0 tcp.ackseq=0 tcp.seq=3722962661 tcp.dport=80 tcp.sport=57996 ip.fragoff=16384 ip.id=24835 ip.csum=29078 ip.ihl=5 ip.totlen=60 ip.ttl=57 ip.tos=0 ip.protocol=6 ip.daddr=82.230.172.5 ip.saddr=91.121.20.190 oob.out= oob.in=eth1 oob.mark=0 oob.time.usec=274107 oob.time.sec=1183806672 oob.prefix= raw.pktlen=60 raw.pkt=raw.mac=00 and a working one (with recompiled BASE) ===>PACKET BOUNDARY tcp.res2=0 tcp.res1=0 tcp.fin=0 tcp.syn=1 tcp.rst=0 tcp.psh=0 tcp.ack=0 tcp.urg=0 tcp.window=5840 tcp.reserved=0 tcp.offset=0 tcp.ackseq=0 tcp.seq=3494998416 tcp.dport=81 tcp.sport=40171 ip.fragoff=16384 ip.id=17554 ip.csum=36359 ip.ihl=5 ip.totlen=60 ip.ttl=57 ip.tos=0 ip.protocol=6 ip.daddr=82.230.172.5 ip.saddr=91.121.20.190 oob.out= oob.in=eth1 oob.mark=0 oob.time.usec=292586 oob.time.sec=1183810519 oob.prefix= raw.pktlen=60 raw.pkt=raw.mac=00:04:75:b0:ff:2f:00:07:cb:34:90:28:08:00
I can reproduce this bug here on i386, but I can't get it working again simply by rebuilding it. Any details on how you built it ?
Sure; i wanted to debug that, but i was unable to reproduce the problem after rebuild. This is roughly what i did : wget ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/ulogd-1.24-3.fc7.src.rpm mkdir -p /usr/src/redhat/SOURCES rpm -i ulogd-1.24-3.fc7.src.rpm cd /usr/src/redhat/SOURCES tar -xjvf ulogd-1.24.tar.bz2 cd ulogd-1.24 ./configure make cd extensions service ulogd stop locate ulogd_BASE.so mv /usr/lib64/ulogd/ulogd_BASE.so /usr/lib64/ulogd/ulogd_BASE.so-save cp ulogd_BASE.so /usr/lib64/ulogd/ulogd_BASE.so service ulogd start After that i also stripped the /usr/lib64/ulogd/ulogd_BASE.so service ulogd stop strip -a /usr/lib64/ulogd/ulogd_BASE.so service ulogd start But it was still working... Maybe a valgrind/purify can find something ? Did you used the same gcc version that me (gcc version 4.1.2 20070502 (Red Hat 4.1.2-12) ?
OK, after some time debugging, I found that the mac adress is correctly stored if the CFLAGS do *not* contain "-Wp,-D_FORTIFY_SOURCE=2" By default, Fedora's RPM does set this in the CFLAGS. That's about where my knowledge of C compilation stops. Any idea why this happens, before I submit a bug upstream ?
Created attachment 160740 [details] mac address contruction -D_FORTIFY_SOURCE=2 compatible
Certainly related to -D_FORTIFY_SOURCE=2. This is a kind of buffer checking enabled at compile time, that will trigger some extra check in the libc. http://www.redhat.com/magazine/009jul05/features/execshield/#checks I have changed the way the mac address is constructed (see patch). It works for me with -Wp,-D_FORTIFY_SOURCE=2.
Created attachment 160741 [details] mac address contruction -D_FORTIFY_SOURCE=2 compatible Corrected diff format
Is there any news ? I have a solution for the problem (see patch), is it possible for someone to double check it, and eventually create a new official ulogd package ? Or do i need to submit my patch to ulogd author ?
Sorry for not responding, I'm just back from vacation. I've tried your patch, it seems to work fine. I've applied it and sent it upstream for inclusion. Update pending, thanks a lot.
ulogd-1.24-4.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
ulogd-1.24-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.