Commit message | Author | Age | Files | Lines
...
* improve netlink overrun handling of NFCT | Pablo Neira Ayuso | 2008-06-02 | 2 | -28/+212
  This patch improves the overrun handling. The logic behind this patch consists of two steps:
  1) duplicate the netlink buffer size if the size does not go after the upper boundary.
  2) scheduling a resynchronization (in two seconds) with the kernel conntrack table if we hit ENOBUFS.
  During the resynchronization, the NFCT plugin dumps the current table and purges the objects that do not exist anymore. This patch also introduces two new clauses, the netlink_socket_buffer_size and netlink_socket_buffer_maxsize that set the size of the netlink socket buffer.
* rework NFCT to use a generic hashtable | Pablo Neira Ayuso | 2008-06-02 | 6 | -145/+548
  This patch introduces a generic hashtable to store the nf_conntrack objects. The objects are identified by the original and reply tuples instead of the conntrack ID which is not dumped in the event message of linux kernel < 2.6.25. This patch also fixes the NFCT_MSG_* by NFCT_T_* which is the appropriate message type tag.
* This patchset adds support for the "numeric_label" option. For instance, it | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-29 | 5 | -14/+58
  can be used to determine if the packet has been dropped, rejected or accepted. The meaning of label is completely user-defined.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds oob.hook to the list of output keys of ULOG input plugin. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-27 | 1 | -0/+13
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Update PostgreSQL schema to add the insert procedure for conntrack | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-27 | 1 | -4/+44
  connections.
  Signed-off-by: Pierre Chifflier <chifflier@inl.fr>
* Introduce function to convert binary data to printable strings. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-27 | 1 | -2/+37
  Update view_tcp_quad and view_udp_quad.
  Signed-off-by: Pierre Chifflier <chifflier@inl.fr>
* Add function INSERT_CT for conntrack | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-27 | 1 | -27/+29
* Fix a bug in definition of seq_global_ce macro. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-27 | 1 | -2/+2
  Signed-off-by: Eric Leblond <eric@inl.fr>
* [ULOGD PATCH, RFC] Modify NFLOG to be able to use it with older libnetfilter_log | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-22 | 2 | -1/+6
  NFLOG has been modified to support GID display. There is a problem as this feature is only available in latest subversion of libnetfilter_log. This patch made this feature optional:
  * It detects if the system supports the nflog_get_gid() function
  * Compilation of nflog_get_gid() related code is conditional
* Fix missing chunk for GID logging | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 1 | -1/+5
* Print GID/MARK in printpkt.c | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 3 | -2/+19
* Fix "PROTO=KEY_TCP"/"PROTO=KEY_UDP" | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 1 | -2/+2
  I have no idea what the intention behind this change was, but it seems bogus, the output format should (mostly) match ipt_LOG.
* [ULOGD PATCH] Fix multiple usage of DB output plugin. | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 1 | -7/+11
  Due to the modifications done to be able to use the SOURCE plugin multiple times, a single instance of database output plugin could not be used anymore in separate stacks. This patch fixes this by limiting the effect of the previous modification on SOURCE plugin.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* example for logging IPv6 packet to PGsql after a collect via NFLOG | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-13 | 1 | -1/+2
  Signed-off-by: Anton Vazir <anton.vazir@gmail.com>
* fix PGSql types | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-12 | 1 | -8/+8
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds some examples to the default configuration file. It modifies | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-09 | 1 | -2/+9
  some stacks to take my latest patches into account.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Fix an inconsistency of field naming among the different tables and | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-09 | 1 | -2/+2
  across the stack NFCT IP2BIN MYSQL. In fact IP2BIN out .bin suffixed fields.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* NACCT was IPv4 only and was heavily dependent on the order of NFCT keys. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-09 | 1 | -41/+96
  This patch introduces an explicit list of input keys and obtains IPv6 compliance by using IP2STR output as input for IP address.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* add missing ulogd_filter_MAC2STR | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-09 | 1 | -0/+111
* This patch suppresses a now unused option. Each database module | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-07 | 2 | -19/+3
  has now to be used with a defined IP storage type.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* DESTROY events were not correctly displayed due to a problem in event type | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  detection.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch is a port to the new libnetfilter_conntrack API of the NFCT | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -64/+82
  plugin. To be able to send IP addresses to the IP2STR and IP2BIN module oob.family and oob.protocol keys have been added.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* The PRINTFLOW module had its own code for string conversion of IPv6 address. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -12/+16
  This patch changes the input key of the module to use conversion made by the IP2STR module.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch fixes a typo in an error message. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  Signed-off-by: Eric Leblond <eric@inl.fr>
* An error in the type of an argument in the call to inet_ntop was causing IPv6 | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  address to be transformed into a string not really related to the real IPv6 address.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* ARP related keys have to be optional to be able to use the IP2STR module | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -2/+2
  for flow display.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Length of MAC address was set too big and thus display was wrong. This | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  misbehaviour was also causing data to be read out of the correct range.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds MAC address handling to the postgresql output plugin. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -4/+19
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds MAC address handling to the postgresql output plugin. This | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -18/+13
  patch also removes mac_daddr which does not provide any interesting logging information.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch introduces a new plugin MAC2STR which is in charge | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+5
  of conversion to string of MAC address. It is used by database output plugin to store MAC related information.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Type of the raw.mac_len key was set to string but this is an unsigned | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  integer. This patch fixes this in the ULOG module.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Type of the raw.mac_len key was set to string but this is an unsigned | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  integer. This patch fixes this in the NFLOG module.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch fixes a problem in SQL reconnection algorithm which is managed in | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 2 | -2/+9
  the db.c file for PgSQL and MySQL. In case of problem during request execution a new connection to the database was immediately started without closing the previous one. The consequence was to block the database by having too many simultaneous open connections. This patch fixes the problem by disconnecting from the database after a request failure and trying to reconnect after a delay which is by default of 2 seconds. This delay can be customized via the reconnect configuration variable in the database configuration section.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds support of event type display in printflow filter. This is used | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-26 | 2 | -1/+21
  to display event type in textual output modules. Here's an output example:
  [DESTROY] ORIG: SRC=192.168.1.2 DST=192.168.1.255 PROTO=UDP SPT=631 DPT=631 \\
  PKTS=1 BYTES=197 , REPLY: SRC=192.168.1.255 DST=192.168.1.2 \\
  PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch contains two linked modifications in NFCT input plugin: | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-26 | 1 | -18/+37
  - event mask is now configurable through the event_mask configuration variable
  - event type is now stored in the ct.event output key. This can be used to display the information or to use it to implement some tracking algorithm in userspace.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch updates included configuration file example by adding some plugins | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-26 | 1 | -0/+11
  loading and stack example.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds support for duplication of the message to be | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -0/+10
  able to use the same instance of NFCT multiple times.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* A specific instance of NFLOG can now be used in multiple stacks. This is done | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -0/+6
  by duplicating the interpretation of the message.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* An instance of NFLOG can now be used in multiple stacks. This is done | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -1/+10
  by duplicating the interpretation of the message.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds plist a linked list to the pluginstance | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 2 | -0/+4
  structure. It can be used by input modules to duplicate an entry. This solves the issue of not being able to use the same plugin instance twice.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* When a plugin instance is used in multiple stacks it is not necessary to | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -5/+27
  call the start function for each stack.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* Minor indentation fix in ulogd_inppkt_NFLOG.c. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -1/+1
  Signed-off-by: Eric Leblond <eric@inl.fr>
* IP2BIN filter converts IP address from host storage to a "binary" string which | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 3 | -7/+11
  can be used by MySQL. This is not strictly speaking raw data but it was of type RAW. Following remark from Hugo Mildenberger, I introduce in this patch a dedicated type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter is that the parameter is not human readable.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds oob.hook to the list of fields exported to the databases. This | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 2 | -14/+23
  adds the capability to know where the packet has been logged and will be used to make a link between connection and logged packets.
  Signed-off-by: Eric Leblond <eric@inl.fr>
* add missing timer.h | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-22 | 1 | -0/+26
* Improve fd_sets handling. Based on a previous patch from Holger Eitzenberger. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 1 | -20/+34
* - implement a synchronous timer framework | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 9 | -155/+687
  - fix crash when enabling pollinterval clause in flow-based accounting
* Sends one message for each connection event instead of two | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 1 | -68/+168
  Signed-off-by: Eric Leblond <eric@inl.fr>
* This patch adds a sample configuration for logging with ebtables through | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 1 | -1/+15
  nflog out to LOGEMU and SYSLOG. It also fixes a config bug with ipv6 (log2)
  Signed-off-by: Peter Warasin <peter@endian.com>
* adds AF_BRIDGE support to IP2STR | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 1 | -17/+71
  This patch makes the ip address string converter AF_BRIDGE compatible and adds ip address ARP keys in order to make them also convert.
  Signed-off-by: Peter Warasin <peter@endian.com>