Michael's Blog
Prevent iptables from spamming your console

2015-08-14 13:41:00 by Michael 2 Comments
Tags: linux kernel iptables sysadmin netfilter

How to disable firewall "spam" on your console.

I worked on a ticket recently for a customer concerned about firewall messages being sent to every user's console by the kernel. After doing a bit of research I discovered that the nf_ct_ftp module logs messages to syslog as *emergency* level by default which results in every console being spammed by firewall messages. To prevent this you can make a few simple changes as follows.

First, set up a custom rsyslog conf file to send iptables messages to a different file.

cat << EOF > /etc/rsyslog.d/iptables.conf
:msg, contains, "nf_ct_ftp:" -/var/log/iptables.log
& ~
EOF

The first line sends every message that contains the string "nf_ct_ftp:" to /var/log/iptables.log. The second line tells rsyslog to discard any message matched by the previous line, so it is not processed by later rules. Adjust this rule according to your needs.

Second, add the following line to /etc/sysctl.conf and then run "sysctl -p".

kernel.printk = 4 4 1 7

sysctl -p

See https://www.kernel.org/doc/Documentation/sysctl/kernel.txt for a description of these values.

Now restart rsyslog and test your changes using the "logger" command.

service rsyslog restart
logger -p kern.emerg -t kernel "nf_ct_ftp: dropping packet test"

You should not see anything on the console. Run "cat /var/log/iptables.log" to confirm that the entry was logged properly. Once you have confirmed that the messages are being logged properly you can set up logrotate to manage the logs. Create a config file similar to the one below.

cat << EOF > /etc/logrotate.d/iptables
/var/log/iptables.log
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}
EOF

There is nothing else to do at this point.
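As an added example (not part of the original post), the script below checks the three changes described above. The pure functions take their input as arguments so they can be exercised on constructed values; live_check, the file path /etc/rsyslog.d/iptables.conf and the one-second wait for rsyslog are assumptions about the host configured as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the setup above.

# Field N of a kernel.printk value such as "4 4 1 7":
# 1=console_loglevel 2=default_message_loglevel 3=minimum 4=boot-time default
printk_field() {
    printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

# Succeed if a kernel message at syslog level $2 (0=emerg .. 7=debug) is
# written to the console under kernel.printk value $1: the kernel prints a
# message only when its level is strictly lower than console_loglevel.
reaches_console() {
    [ "$2" -lt "$(printk_field "$1" 1)" ]
}

# Succeed if rsyslog snippet $1 routes "nf_ct_ftp:" messages to a log file
# and then discards them ("& ~" is the legacy form; newer rsyslog spells it
# "& stop"), so later rules such as *.emerg never see them.
rule_routes_and_discards() {
    printf '%s\n' "$1" | grep -q '^:msg, *contains, *"nf_ct_ftp:" .*/var/log/' &&
    printf '%s\n' "$1" | grep -Eq '^& *(~|stop) *$'
}

# Live check (assumed host layout), run as root after "sysctl -p" and the
# rsyslog restart: verifies the rule file, verifies that a printk() without an
# explicit level (it receives default_message_loglevel) no longer reaches the
# console, then repeats the post's logger test and looks for the log entry.
live_check() {
    cur=$(sysctl -n kernel.printk)
    rule_routes_and_discards "$(cat /etc/rsyslog.d/iptables.conf)" ||
        { echo "rsyslog rule for nf_ct_ftp: is missing or does not discard"; return 1; }
    if reaches_console "$cur" "$(printk_field "$cur" 2)"; then
        echo "console_loglevel still lets default-level printk() through: $cur"
        return 1
    fi
    logger -p kern.emerg -t kernel "nf_ct_ftp: dropping packet test"
    sleep 1
    grep -q 'nf_ct_ftp: dropping packet test' /var/log/iptables.log ||
        { echo "test message did not land in /var/log/iptables.log"; return 1; }
    echo "ok: kernel.printk = $cur"
}

# Only the live check touches the system; pass --live to run it.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Note that level 0 (emergency) messages are never silenced by console_loglevel, so this setting only helps for messages the kernel logs at warning level or below.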

Building the wl module on linux 3.2

2012-04-02 21:57:00 by Michael 0 Comments
Tags: linux kernel hardware hacking

After upgrading my netbook kernel to the latest stable version available on backports.org I soon discovered that my wireless interface no longer worked. Trying to rebuild the module resulted in the following error:

/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c: In function ‘_wl_set_multicast_list’:
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1435: error: ‘struct net_device’ has no member named ‘mc_list’
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1435: error: ‘struct net_device’ has no member named ‘mc_count’
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1436: error: dereferencing pointer to incomplete type
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1442: error: dereferencing pointer to incomplete type
make[4]: *** [/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.o] Error 1
make[3]: *** [_module_/usr/src/modules/broadcom-sta/amd64] Error 2
make[2]: *** [sub-make] Error 2
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-0.bpo.2-amd64'
make: *** [all] Error 2
root@netbook:/usr/src/modules/broadcom-sta/amd64#  run "make API=WEXT"
bash: run: command not found
root@netbook:/usr/src/modules/broadcom-sta/amd64# "make API=WEXT"
bash: make API=WEXT: command not found
root@netbook:/usr/src/modules/broadcom-sta/amd64# make API=WEXT
KBUILD_NOPEDANTIC=1 make -C /lib/modules/`uname -r`/build M=`pwd`
make[1]: Entering directory `/usr/src/linux-headers-3.2.0-0.bpo.2-amd64'
  CC [M]  /usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.o
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c: In function ‘_wl_set_multicast_list’:
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1435: error: ‘struct net_device’ has no member named ‘mc_list’
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1435: error: ‘struct net_device’ has no member named ‘mc_count’
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1436: error: dereferencing pointer to incomplete type
/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.c:1442: error: dereferencing pointer to incomplete type
make[4]: *** [/usr/src/modules/broadcom-sta/amd64/src/wl/sys/wl_linux.o] Error 1
make[3]: *** [_module_/usr/src/modules/broadcom-sta/amd64] Error 2
make[2]: *** [sub-make] Error 2
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-0.bpo.2-amd64'
make: *** [all] Error 2

A bit of googling led me to a few patches that helped solve the issue. Here is a unified diff of my changes which should allow you to cleanly build and install the wl module using module-assistant.

http://www.watters.ws/broadcom_bcm4313_linux3.2.patch

One thing to note is that the source code needs to be patched BEFORE you run m-a, i.e. cd to /usr/src/modules/broadcom-sta/amd64/src/wl/sys and run patch from there.

I hope that somebody will find this useful.