Find the answer to your Linux question:
Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    netfilter/iptables TRACE filling up syslog


    I recently ran out of diskspace on my file server and in the investigation found that /var/log/firewall was the culprit, it is full of entries such as this:

    Jan 4 16:46:55 myserver kernel: TRACE: filter:OUTPUT:rule:1 IN= OUT=eth0 SRC= DST= LEN=1300 TOS=0x00 PREC=0x00 TTL=64 ID=18942 DF PROTO=TCP SPT=139 DPT=1303 SEQ=4008826297 ACK=2671083022 WINDOW=12864 RES=0x00 ACK URGP=0 UID=0

    These entries appear several times per second, so it doesn't take long for the log file to fill up the disk.


    It appears to be some sort of debugging info of netfilter, or at least it looks like it, but I have not enabled anything of the sort.

    I have tried to find information on netfilter and TRACE, but the results were not so informative. At least I found out that in recent kernels there is a TRACE target for netfilter that can be enabled. However, in my system, this is a loadable module called xt_TRACE, and it is not even loaded!
    And even if I completely shut down the firewall:

    # Generated by iptables-save v1.3.6 on Fri Jan 4 17:59:22 2008
    :INPUT ACCEPT [1046:56056]
    :OUTPUT ACCEPT [1831:2199470]
    # Completed on Fri Jan 4 17:59:22 2008

    the syslog still clogs up like crazy.

    Can anyone tell me what is going on here? And how I can get rid of it?

    My kernel is 2.6.23, iptables is used as a local firewall, no complicated setup.


    Last edited by arnoschaefer; 01-04-2008 at 04:02 PM. Reason: additional info

  2. #2
    Well, I made some progress. It appears that whenever the TRACE target is enabled in the kernel config, even as a module, these TRACEs appear in the syslog. After disabling it entirely, the log entries are gone.

    So far so good. However, I can not for the life of me understand why this is set up like this in the kernel? This fills up the firewall log file so fast that you need to run for cover once it starts. It should be labeled in the kernel config with a big red warning sign. Maybe syslog can be configured to ignore these traces, but why then generate them in the first place? Why isn't this set up as a kernel runtime configuration that you need to explicitly enable if you want to debug? This is so weird...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts