sqlite3: add configuration examples and new tables layout

This patch adds two configuration examples for sqlite3 to log
flows and packets.

We use two tables, one for packet logging information, and
another for flow-based information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 28 insertions, 21 deletions

diff --git a/doc/sqlite3.table b/doc/sqlite3.table
index 7b5e99a..393b386 100644
--- a/doc/sqlite3.table
+++ b/doc/sqlite3.table
@@ -1,22 +1,29 @@
-CREATE TABLE ulog (
-			raw_mac		VARCHAR(80),
-			oob_time_sec	INT UNSIGNED,
-			oob_time_usec	INT UNSIGNED,
-			ip_saddr	INT UNSIGNED,
-			ip_daddr	INT UNSIGNED,
-			ip_protocol	TINYINT UNSIGNED,
-			ip_totlen       SMALLINT UNSIGNED,
-			tcp_sport	SMALLINT UNSIGNED,
-			tcp_dport	SMALLINT UNSIGNED,
-			udp_sport	SMALLINT UNSIGNED,
-			udp_dport	SMALLINT UNSIGNED,
-			udp_len		SMALLINT UNSIGNED,
-			icmp_type	TINYINT UNSIGNED,
-			icmp_code	TINYINT UNSIGNED,
-			icmp_echoid	SMALLINT UNSIGNED,
-			icmp_echoseq	SMALLINT UNSIGNED,
-			icmp_gateway	INT UNSIGNED,
-			icmp_fragmtu	SMALLINT UNSIGNED
+CREATE TABLE ulog_ct (
+			flow_start_sec		INT UNSIGNED,
+			flow_start_usec		INT UNSIGNED,
+			flow_end_sec		INT UNSIGNED,
+			flow_end_usec		INT UNSIGNED,
+			orig_ip_saddr		INT UNSIGNED,
+			orig_ip_daddr		INT UNSIGNED,
+			orig_l4_sport		SMALLINT UNSIGNED,
+			orig_l4_dport		SMALLINT UNSIGNED,
+			orig_ip_protocol	TINYINT UNSIGNED,
+			icmp_type		TINYINT UNSIGNED,
+			icmp_code		TINYINT UNSIGNED,
+			orig_raw_pktlen		INT UNSIGNED,
+			orig_raw_pktcount	INT UNSIGNED,
+			reply_raw_pktlen	INT UNSIGNED,
+			reply_raw_pktcount	INT UNSIGNED,
+			ct_mark			INT UNSIGNED
+		);
+CREATE TABLE ulog_pkt (
+			raw_pktlen		INT UNSIGNED,
+			raw_pktcount		INT UNSIGNED,
+			oob_prefix		VARCHAR(64),
+			oob_time_sec		INT UNSIGNED,
+			oob_time_usec		INT UNSIGNED,
+			oob_mark		INT UNSIGNED,
+			oob_hook		TINYINT UNSIGNED,
+			oob_uid			INT UNSIGNED,
+			oob_gid			INT UNSIGNED
 		);
-
-