summaryrefslogtreecommitdiffstats
path: root/README
blob: a2b8b99f557072507517ef5facffc1210c4eabf4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
Userspace logging facility for netfilter / linux 2.4
$Id$

===> IDEA

This packages is intended for passing packets from the kernel to userspace 
to do some logging there. It should work like that:

- Register a target called ULOG with netfilter
- if the target is hit: 
	- send the packet out using netlink multicast facility
	- return NF_ACCEPT immediately

We don't have to enqueue packets, just send them out as datagrams. If the
user process isn't fast enough this isn't our problem. 

More than one logging daemon may listen to the netlink multicast address.

===> CONTENTS

The package is consisting out of three parts:

1. Netfilter target ipt_ULOG
This is the kernel module which does the kernel part of packet passing to 
the userspace. This module is inserted on demand through the netfilter 
subsystem as soon as You add a rule with the target ULOG to any chain.

2. iptables plugin (libipt_ULOG.so)
This is a plugin for the netfilter configuration tool iptables. Just put 
it to /usr/local/lib/iptables and it is loaded on demand from iptables.

3. Ulog library (libipulog.a)
Just a little library like libipq.a which provides a convenient way to 
write userspace logging daemons. The functions provided are described 
in the source code, a small demo program (ulog_test) is also included.

4. ulogd daemon (ulogd) 
A sophisticated logging daemon which uses libipulog. The daemon provides 
an easy to use plugin interface to write additional packet interpreters and
output targets. Example plugins (interpreter: ip, tcp, icmp output: simple
logging to a file) are included.

===> USAGE

Just apply the kernel patch and enable the kernel config option 
CONFIG_IP_NF_TARGET_ULOG in the netfilter subsection of the network options. 
Then recompile the kernel or just recompile the netfilter modules using 
'make modules SUBDIRS=net/ipv4/netfilter'. 
Next step is installing the module using 'make modules_install'

To use the iptables plugin, copy libipt_ULOG.so to /usr/local/lib/iptables

Now You are ready to go. You may now insert logging rules to every chain.
To see the full syntax, type 'iptables -j ULOG -h'

===> EXAMPLES

At first a simple example, which passes every outgoing packet to the 
userspace logging, using netlink multicast group 3.

iptables -A OUTPUT -j ULOG --ulog-nlgroup 3

A more advanced one, passing all incoming tcp packets with destination 
port 80 to the userspace logging daemon listening on netlink multicast 
group 32. All packets get tagged with the ulog prefix "inp"

iptables -A INPUT -j ULOG -p tcp --dport 80 --ulog-nlgroup 32 --ulog-prefix inp

In the latest Version (0.2) I added another parameter (--ulog-cprange). 
Using this parameter You are able to specify how much octets of the 
packet should be copied from the kernel to userspace. 
Setting --ulog-cprange to 0 does always copy the whole packet. Default is 0

===> COPYRIGHT + CREDITS

The code is (C) 2000 by Harald Welte <laforge@sunbeam.franken.de>

Credits to Rusty Russel, James Morris, Marc Boucher and all the other 
netfilter hackers.