| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Keys of type `ULOGD_RET_IPADDR` may be ipv4 or ipv6. ARP protocol
addresses are 32-bits (i.e., ipv4). By using `okey_set_u32` we keep
track of the size and allow downstream plug-ins to handle them
correctly.
Reported-by: Robert O'Brien <robrien@foxtrot-research.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Everywhere else ipv4 addresses are left in NBO until output. The only
exception is the IP2HBIN filter, which is explicitly intended to convert
from NBO to HBO.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Timon Ulrich <t.ulrich@anapur.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If ipv4 packet is truncated, we should not try to dereference the
iph pointer. Otherwise, if the user add such iptables rules
"-j NFLOG --nflog-size 0", we will dereference the NULL pointer
and crash may happen.
Reported-by: Chris Caputo <ccaputo@alt.net>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
|
| |
|
|
|
|
|
|
| |
The source uses linux names for members of tcphdr. For example
"source" instead of "th_sport", ... musl libc's headers need
_GNU_SOURCE defined in order to expose these.
Signed-off-by: Felix Janda <felix.janda@posteo.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds storage for CIM field name in ulogd key. This
will be used by JSON output to interoperate with logging
collector such as logstash or splunk.
Common Information Model is an open standard that defines how managed
elements in an IT environment are represented as a common set of objects
and relationships between them:
http://www.dmtf.org/standards/cim
This seems to be mainly XML based but there is a JSON version of some
aspects of the model. One of the main documentation on CIM in JSON
format seems to be:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
Using the correct CIM field name allow events coming from ulogd to be
correlated with events coming from other sources.
|
| | |
|
| |
|
|
| |
This patch also update some copyright and licence declaration.
|
| |
|
|
|
| |
Rename internal keyname ip6.payload_len to remove "_"
to facilitate this.
|
| |
|
|
| |
Mask should be applied after ntohl conversion.
|
| |
|
|
|
|
|
| |
It was wrong, use VERSION constant which uses the version
information available in configure.ac.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Thomas Jacob <jacob@internet24.de>
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
| |
THis patch adds basic support for SCTP in the BASE plugin.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
|
|
| |
This patch cleans up the current key assignation by introducing a
set of functions ukey_* to set the key value as Eric Leblond and
we discussed during the latest Netfilter Workshop. This patch is
based on an idea from Holger Eitzenberger.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
| |
This patch fixes the warning related to signed and unsigned comparaison.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes some gcc warnings:
* Unused variables
* Functions with wrong return (or without return)
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch modifies plugins to use the already defined but not used
define. This also fixes some weird behaviours in error treatment (like
not stopping after OOM).
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
| |
instead of being put in the new type ui128. The result was an improper value
of the IPv6 source add destination addresses.
|
| |
|
|
|
|
| |
This patch adds an AF_BRIDGE interpreter to ulogd_raw2packet_BASE plugin, which allows to log packets coming from ebtables. It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This patch adds an AF_BRIDGE interpreter to
ulogd_raw2packet_BASE plugin, which allows to log
packets coming from ebtables.
It also adds an ARP header decoder.
Signed-off-by: Peter Warasin <peter@endian.com>
|
| |
|
|
|
|
|
| |
with symbols instead of numbers.
Shortens the lines by the use of GET_VALUE()
Signed-off-by: Peter Warasin <peter@endian.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When using NFLOG or ULOG, obb.family (protocol IPv4 or IPv6) has
to be setup manually in ulogd.conf configuration file. This is
used by the BASE filter to properly parse the packet. This
patch suppress oob.family as output keys of NFLOG and ULOG and let
the BASE filter determine the family of the packet by itself (by
parsing the raw header).
A good side effect is to be able to log in IPv6 and IPv4 in the
same group. Before that, two loggers have to be setup separatly.
|
| |
|
|
|
| |
With this patch, BASE filter module is able fill oob_family when parsing IPv6
address.
|
| |
|
|
|
| |
- This patch suppress key relative to IPv6 address because IPv4 and IPv6 can be stored in the same key.
- Add missing IP2STR line to ulogd.conf.in
|
| |
|
|
|
| |
repeat by using symbolic names to make sure the assignment matches the array
index.
|
| | |
|
| |
|
|
| |
version
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
generic packet interpreter but is rather specific to the ULOG input plugin.
|
| | |
|
| |
|
|
| |
- add new "raw.pktcount" field
|
| |
|
