| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
A couple of library dependencies are specified in `_LDFLAGS` variables.
They are supposed to be specified in `_LIBADD` variables. Move them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
There are a few of commented-out variable definitions left over from
the introduction of Automake. Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, make enters all sub-directories containing source-code, even
if they only contain optional targets which are not configured to be
built. Instead, change the Makefiles so that the sub-directories are
optional, rather than the targets.
Group sub-directory definitions consistently at the top of the Makefiles
that contain them.
Trim a few leading and trailing blank lines.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Move `${regular_CFLAGS}` from configure.ac to Make_global.am, renaming
it to `AM_CFLAGS`. Add `AM_CPPFGLAGS` to include
`$(top_srcdir)/include`. Include the new file in the Makefiles that
require it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX
traces and sends them to a remote server (collector) via TCP or UDP.
Based on original work by Holger Eitzenberger <holger@eitzenberger.org>.
How to test this
----------------
I am currently testing this with the NFCT input and Wireshark.
Place the following in ulogd.conf:
# this will print all flows on screen
loglevel=1
# load NFCT and IPFIX plugins
plugin="/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/lib/ulogd/ulogd_output_IPFIX.so"
stack=ct1:NFCT,ipfix1:IPFIX
[ct1]
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
accept_proto_filter=tcp,sctp
[ipfix1]
oid=1
host="127.0.0.1"
#port=4739
#send_template="once"
I am currently testing it by launching a plain NetCat listener on port
4739 (the default for IPFIX) and then running Wireshark and see that it
dissects the IPFIX/NetFlow traffic correctly (obviously this relies on
the Wireshark NetFlow dissector being correct).
First:
nc -vvvv -l 127.0.0.1 4739
Then:
sudo ulogd -vc ulogd.conf
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
When hash table is not used, the start timestamp was not used even
if the kernel is sending it. This patch modifies the code to use it
when available. This allows to log connection with start and end
with a single message per connection and without the cost of
maintaining the hash table.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel and libnetfilter_conntrack counters are 64bit,
so use 64bit too in ulogd instead of 32bit.
Worked fine on little endian systems but big endian systems
had zero counter...
Didn't test ipfix output, but RFC allows template with
either 32 or 64 counters, so should be safe.
Signed-off-by: Ulrich Weber <uw@xyne.com>
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
|
|
| |
If conntrack object sent by connection tracking system is containing
a timestamp we use it instead of a gettimeofday() based counter.
Signed-off-by: Eric Leblond <eric@regit.org>
|
|
|
|
|
|
|
| |
This patch adds a new configuration variable which is used to limit
conntrack event to connection of these protocols:
For example:
accept_proto_filter=tcp,sctp
|
|
|
|
|
|
|
| |
This patch implements two filtering options in NFCT input plugin.
If 'accept_src_filter' is set to a network it will only catch the
event where the source is that specific network. 'accept_dst_filter'
does the same for the destination.
|
|
|
|
|
| |
nfctp_callback_register was called on the regular handler instead
of begin called on the newly opened handler dedicated to the dump.
|
|
|
|
|
|
|
|
| |
There is no harm in putting the includes in the global AM_CPPFLAGS;
this can generally save number of compilations of a file when a
source file is used multiple times.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
|
|
|
|
|
| |
It was wrong, use VERSION constant which uses the version
information available in configure.ac.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
CC ulogd_inpflow_NFCT_la-ulogd_inpflow_NFCT.lo
ulogd_inpflow_NFCT.c: In function 'configure_nfct':
ulogd_inpflow_NFCT.c:977:28: warning: unused variable 'cpi' [-Wunused-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The polling timer initialisation code was put in the configurator
code. It was then created for all instances. But only first one has
a valid NFCT handle. This was resulting in a crash.
This patch moves the timer initialisation in the constructor which
is called only once on the main NFCT instance.
Signed-off-by: Eric Leblond <eric@regit.org>
Reported-by: Gomathivinayagam Muthuvinayagam <sankarmail@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following problem while running `autoreconf -fi`
`pkglibexecdir' is not a legitimate directory for `LTLIBRARIES'
variable `ulogd_filter_PRINTPKT_la_SOURCES' is defined but no program or
library has `ulogd_filter_PRINTPKT_la' as canonical name (possible typo)
Signed-off-by: Björn Lässig <laessig@bitformer.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reliability comes at the cost of dropping new flows if the
destroy event that ctnetlink delivers to us is lost. Under
heavy stress this may imply dropping packets, you've been
warned.
If you do want not to lose one single flow-logging information,
enable this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
nfct_sizeof() allows memcpy() of ct objects, which violates the
library design (that aims to hide binary layout).
We use nfct_copy() with the override flag instead as added by
libnetfilter_conntrack 0.9.1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Modules - since they are dependent on the executable - generally go to
libexec/.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
This closes the following bug:
http://bugzilla.netfilter.org/show_bug.cgi?id=684
This problem was introduced with the XML output plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
We must not override CFLAGS, because that will break when the user
overrides CFLAGS again at make time (which he is entitled to). So,
name our CFLAGS regular_CFLAGS, and also include that across all
Makefiles so that they are actually uesd for all the code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
libtool automatically adds PIC flags as needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
With this patch, we copy the conntrack object that we propagate
to the output plugin instances *only once*.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a problem in configurations that use the NFCT
plugin as input in several stacks. The first plugin loaded contains
the hashtable and other important NFCT private data. Other plugin
instances of NFCT are dummies that are only used to store the
output keys.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds XML that allows to log information in XML for
ulogd2. It supports packet and flow-based accounting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes a feature that allows to force the logging of
the existing entries and reset the counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch fixes the number of options in NFCT that is
actually 8, not 7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch splits event_handler into two functions:
event_handler_hashtable and event_handler_no_hashtable.
Thus, we register the appropriate handler during the
initialization time. This patch is a cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch replaces the existing hashtable implementation with
a newer that provide better performance since it reduces the
number of hash computations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for poll-based logging. Basically,
ulogd polls from the kernel periodically to log entries. You
can use the `pollinterval' option in the configuration file to
set the polling period.
This patch changes the current behaviour of `pollinterval'
that allowed to mix both the event-driven logging with
polling periodically from the kernel. I have tried to look
for anyone in google (and asking Eric Leblond) using this
feature but I found noone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch cleans up the destructor and the destructor functions
in the NFCT plugin. I know, this patch isn't easy to review
because it includes too many changes in one.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch reduces the verbosity of the log messages that report
netlink overruns.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds `netlink_resync_timeout' that allows you to set
the number of seconds that we wait to perform a resynchronization
due to a netlink overrun. This patch changes the default timeout
from 2 to 60 seconds (less agressive).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
With this patch, we schedule one resynchronization against the
kernel conntrack table that will occur in two seconds (still
we need a patch to make this configurable). Before this, we
scheduled a resynchronization for every overrun, that is very
bad in a scenario in which overruns occurs very frequently.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes a NULL dereference to the timestamp structure when
hashtable_add() fails, for example, because the hashtable is full.
Reported-by: Bernhard Schmidt <berni@birkenwald.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
This patch deletes the overrun timer in the destructor function.
|
|
|
|
|
| |
This patch fixes autotools warning about deprecated usage of INCLUDES in
Makefile.am.
|
|
|
|
|
|
|
| |
The modules are pretty much bound to ulogd, and it does not seem
to make sense to specially version these.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
ulogd_inpflow_NFCT.c: In function 'propagate_ct':
ulogd_inpflow_NFCT.c:483: error: 'IPPROTO_UDPLITE' undeclared (first use in this function)
(and more for IPPROTO_SCTP)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
This patch fixes a memory leak in the destructor function which was not
releasing the memory allocated for each connection tracking entry.
|
|
|
|
|
| |
This patch fixes some crashes in NFCT plugin that were triggered
by the call of the destructor_nfct function (during stop).
|
|
|
|
|
|
|
|
|
| |
This patch cleans up the current key assignation by introducing a
set of functions ukey_* to set the key value as Eric Leblond and
we discussed during the latest Netfilter Workshop. This patch is
based on an idea from Holger Eitzenberger.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes compilation of NFLOG and NFCT plugin when libnetfilter libraries
are installed under a non standard prefix. Include path and libs path
for libnetfilter_conntrack and libnetfilter_log were not correctly set even
if pkg-config found them.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
| |
This patch fixes some messages in the NFCT and NFLOG input
plugin (end of line before quote). It also fixes indenting by
suppressing some spaces on empty line and replacing spaces by tab.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
|
|
|
|
|
|
|
|
| |
This patch fixes NFCT when hash_enable is 0. Limitation of treatment to
NFCT_DESTROY message type causes usage of the hashtable function and
hence a crash because it is not initiated.
Signed-off-by: regit <regit@ghlodit.inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
is used (hash_enable=1 which is the default)
|
|
|
|
| |
STOP timestamp for DESTROY packet
|