summaryrefslogtreecommitdiffstats
path: root/input
Commit message (Collapse)AuthorAgeFilesLines
* IPFIX: Add IPFIX output pluginAnder Juaristi2019-04-301-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX traces and sends them to a remote server (collector) via TCP or UDP. Based on original work by Holger Eitzenberger <holger@eitzenberger.org>. How to test this ---------------- I am currently testing this with the NFCT input and Wireshark. Place the following in ulogd.conf: # this will print all flows on screen loglevel=1 # load NFCT and IPFIX plugins plugin="/lib/ulogd/ulogd_inpflow_NFCT.so" plugin="/lib/ulogd/ulogd_output_IPFIX.so" stack=ct1:NFCT,ipfix1:IPFIX [ct1] netlink_socket_buffer_size=217088 netlink_socket_buffer_maxsize=1085440 accept_proto_filter=tcp,sctp [ipfix1] oid=1 host="127.0.0.1" #port=4739 #send_template="once" I am currently testing it by launching a plain NetCat listener on port 4739 (the default for IPFIX) and then running Wireshark and see that it dissects the IPFIX/NetFlow traffic correctly (obviously this relies on the Wireshark NetFlow dissector being correct). First: nc -vvvv -l 127.0.0.1 4739 Then: sudo ulogd -vc ulogd.conf Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use stdint types everywhereFelix Janda2015-06-262-25/+25
| | | | Signed-off-by: Felix Janda <felix.janda@posteo.de>
* Add flag to disable ULOG input pluginEric Leblond2015-04-241-1/+6
| | | | | ULOG target is removed from kernel so we can prepare the removal of the plugin for ulogd. For now, we just add a configure flag.
* nfct: use start timestamp if providedEric Leblond2014-02-221-4/+14
| | | | | | | | When hash table is not used, the start timestamp was not used even if the kernel is sending it. This patch modifies the code to use it when available. This allows to log connection with start and end with a single message per connection and without the cost of maintaining the hash table.
* ulogd: ulogd_inppkt_NFLOG: close nflog handle after unbindingChris Boot2013-11-181-1/+1
| | | | | | | | The nflog handle is closed, and then nflog_unbind_pf() is called on it, which triggers an assertion failure within libnfnetlink. This patch simply moves the nflog_close() just after the nflog_unbind_pf() calls. Signed-off-by: Chris Boot <bootc@bootc.net>
* nfct: make NFCT packet counter/length 64 bitUlrich Weber2013-10-101-12/+12
| | | | | | | | | | | | | | Kernel and libnetfilter_conntrack counters are 64bit, so use 64bit too in ulogd instead of 32bit. Worked fine on little endian systems but big endian systems had zero counter... Didn't test ipfix output, but RFC allows template with either 32 or 64 counters, so should be safe. Signed-off-by: Ulrich Weber <uw@xyne.com> Signed-off-by: Eric Leblond <eric@regit.org>
* nfct: use timestamp of conntrack object.Eric Leblond2013-03-051-10/+32
| | | | | | | If conntrack object sent by connection tracking system is containing a timestamp we use it instead of a gettimeofday() based counter. Signed-off-by: Eric Leblond <eric@regit.org>
* Suppress dead FIXME.Eric Leblond2013-02-181-2/+0
|
* nfct: add protocol filterEric Leblond2013-01-051-2/+58
| | | | | | | This patch adds a new configuration variable which is used to limit conntrack event to connection of these protocols: For example: accept_proto_filter=tcp,sctp
* nfct: implement src and dst filterEric Leblond2013-01-051-2/+214
| | | | | | | This patch implements two filtering options in NFCT input plugin. If 'accept_src_filter' is set to a network it will only catch the event where the source is that specific network. 'accept_dst_filter' does the same for the destination.
* nfct: call register callback on opened handlerEric Leblond2013-01-051-1/+1
| | | | | nfctp_callback_register was called on the regular handler instead of begin called on the newly opened handler dedicated to the dump.
* build: avoid per-target CFLAGSJan Engelhardt2012-11-272-4/+2
| | | | | | | | There is no harm in putting the includes in the global AM_CPPFLAGS; this can generally save number of compilations of a file when a source file is used multiple times. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* configure: add flag to disable NFLOG buildEric Leblond2012-11-041-2/+4
|
* configure: add flag to disable NFCT buildEric Leblond2012-11-041-0/+2
|
* configure: add flag to disable NFACCT buildEric Leblond2012-11-041-2/+2
| | | | | | It is now possible to pass the --disable-nfacct flag to disable compilation of NFACCT input plugin. Doing this the build of ulogd is possible on system where nfacct is not available.
* nfacct: add timestamp optionEric Leblond2012-08-031-1/+31
| | | | | | | | | This patch adds a timestamp option to the nfacct plugin. If activated, nfacct output a timestamp which is computed just after sending the nfacct request. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix version that -V displaysPablo Neira Ayuso2012-08-035-5/+5
| | | | | | | It was wrong, use VERSION constant which uses the version information available in configure.ac. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* input: NFCT: fix compilation warning with gcc-4.7Pablo Neira Ayuso2012-08-031-2/+0
| | | | | | | | CC ulogd_inpflow_NFCT_la-ulogd_inpflow_NFCT.lo ulogd_inpflow_NFCT.c: In function 'configure_nfct': ulogd_inpflow_NFCT.c:977:28: warning: unused variable 'cpi' [-Wunused-variable] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfacct: add variable to not zero counter after readEric Leblond2012-08-031-9/+20
| | | | | | | | | | | | The default nfacct input plugin zeroes counter after each read. This is a limitation as other software can't use the counter at the same time as ulogd2. This patch adds the zerocounter variable to the NFACCT input plugin. If set to zero, the counters are not zeroed. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: fix crash in polling mode if used by two stacksEric Leblond2012-07-201-5/+5
| | | | | | | | | | | | The polling timer initialisation code was put in the configurator code. It was then created for all instances. But only first one has a valid NFCT handle. This was resulting in a crash. This patch moves the timer initialisation in the constructor which is called only once on the main NFCT instance. Signed-off-by: Eric Leblond <eric@regit.org> Reported-by: Gomathivinayagam Muthuvinayagam <sankarmail@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* output: XML: support for NFACCT input pluginPablo Neira Ayuso2012-06-221-3/+10
| | | | | | | | | This patch extends XML plugin to support NFACCT. You can use the following line in ulogd.conf to test it: stack=acct1:NFACCT,xml1:XML Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ULOGD_DTYPE_SUM for nfacct-based accountingPablo Neira Ayuso2012-06-221-1/+1
| | | | | | This new type will be used in flow-up patch to support XML output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nfacct: resolve build failureJan Engelhardt2012-06-051-3/+3
| | | | | | | | | | | CC ulogd_inpflow_NFACCT_la-ulogd_inpflow_NFACCT.lo ulogd_inpflow_NFACCT.c:24:27: fatal error: libmnl/libmnl.h: No such file or directory compilation terminated. LIBS is not interchangeable with C(PP)FLAGS. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* build: use pkglibdir instead of pkglibexecdir for automakeBjörn Lässig2012-05-183-3/+3
| | | | | | | | | | | This fixes the following problem while running `autoreconf -fi` `pkglibexecdir' is not a legitimate directory for `LTLIBRARIES' variable `ulogd_filter_PRINTPKT_la_SOURCES' is defined but no program or library has `ulogd_filter_PRINTPKT_la' as canonical name (possible typo) Signed-off-by: Björn Lässig <laessig@bitformer.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: add `reliable' config option to enable reliable flow-based loggingPablo Neira Ayuso2012-03-051-1/+18
| | | | | | | | | | | | Reliability comes at the cost of dropping new flows if the destroy event that ctnetlink delivers to us is lost. Under heavy stress this may imply dropping packets, you've been warned. If you do want not to lose one single flow-logging information, enable this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* input: add nfacct pluginPablo Neira Ayuso2012-02-223-1/+274
| | | | | | This patch adds the nfacct plugin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFLOG: don't display overrun message once we have reach the buffer limitPablo Neira Ayuso2011-02-251-1/+12
| | | | | | | We only report the overrun once with this patch, instead of spamming the ulogd.log file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: use nfct_copy() instead of deprecated nfct_sizeof() functionPablo Neira Ayuso2011-02-251-1/+1
| | | | | | | | | | nfct_sizeof() allows memcpy() of ct objects, which violates the library design (that aims to hide binary layout). We use nfct_copy() with the override flag instead as added by libnetfilter_conntrack 0.9.1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: use appropriate location for program modulesJan Engelhardt2011-02-012-2/+3
| | | | | | | Modules - since they are dependent on the executable - generally go to libexec/. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: avoid use of LIBS variableJan Engelhardt2011-02-011-1/+0
| | | | | | | The variable contains global libraries linked into every possible object, which is unwanted. Clean up things. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* NFCT: fix bug in polling modePablo Neira Ayuso2010-12-091-0/+6
| | | | | | | | | This closes the following bug: http://bugzilla.netfilter.org/show_bug.cgi?id=684 This problem was introduced with the XML output plugin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: propagate global CFLAGSJan Engelhardt2010-11-052-2/+2
| | | | | | | | | We must not override CFLAGS, because that will break when the user overrides CFLAGS again at make time (which he is entitled to). So, name our CFLAGS regular_CFLAGS, and also include that across all Makefiles so that they are actually uesd for all the code. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove unused $(all_includes)Jan Engelhardt2010-11-052-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove -fPIC flagJan Engelhardt2010-11-052-2/+2
| | | | | | libtool automatically adds PIC flags as needed. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Add new input plugin UNIXSOCKPierre Chifflier2010-10-232-1/+830
| | | | | | | | | This input plugins creates a unix socket which can be used to log packets. Scripts or applications can connect to the socket (only one client allowed per socket) and send data in a Key-Length-Value format (including the payload). Signed-off-by: Pierre Chifflier <chifflier@edenwall.com>
* NFCT: copy the conntrack object to the plugin oncePablo Neira Ayuso2010-06-171-1/+8
| | | | | | | With this patch, we copy the conntrack object that we propagate to the output plugin instances *only once*. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: fix plugin re-use in different stacksPablo Neira Ayuso2010-06-171-4/+6
| | | | | | | | | | This patch fixes a problem in configurations that use the NFCT plugin as input in several stacks. The first plugin loaded contains the hashtable and other important NFCT private data. Other plugin instances of NFCT are dummies that are only used to store the output keys. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* output: add new plugin XML to output logs in XMLPablo Neira Ayuso2010-06-172-1/+26
| | | | | | | This patch adds XML that allows to log information in XML for ulogd2. It supports packet and flow-based accounting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use ARRAY_SIZE to calculate the array size of keysPablo Neira Ayuso2010-04-022-2/+2
| | | | | | | This patch is a cleanup to use ARRAY_SIZE in NFLOG and ULOG input plugins. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: fix reset counters via SIGUSR2 signalPablo Neira Ayuso2010-01-171-3/+52
| | | | | | | This patch fixes a feature that allows to force the logging of the existing entries and reset the counters. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: fix number of options (missing one)Pablo Neira Ayuso2010-01-171-1/+1
| | | | | | | This patch fixes the number of options in NFCT that is actually 8, not 7. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: split event handler if hashtable is used or notPablo Neira Ayuso2010-01-171-28/+39
| | | | | | | | | This patch splits event_handler into two functions: event_handler_hashtable and event_handler_no_hashtable. Thus, we register the appropriate handler during the initialization time. This patch is a cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: use new hashtable implementation for better performancePablo Neira Ayuso2010-01-171-40/+79
| | | | | | | | This patch replaces the existing hashtable implementation with a newer that provide better performance since it reduces the number of hash computations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: change `pollinterval' behaviourPablo Neira Ayuso2010-01-171-8/+120
| | | | | | | | | | | | | | | This patch adds support for poll-based logging. Basically, ulogd polls from the kernel periodically to log entries. You can use the `pollinterval' option in the configuration file to set the polling period. This patch changes the current behaviour of `pollinterval' that allowed to mix both the event-driven logging with polling periodically from the kernel. I have tried to look for anyone in google (and asking Eric Leblond) using this feature but I found noone. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: cleanup constructor and destructor functionsPablo Neira Ayuso2010-01-111-41/+67
| | | | | | | | This patch cleans up the destructor and the destructor functions in the NFCT plugin. I know, this patch isn't easy to review because it includes too many changes in one. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: avoid spamming report about netlink overrunsPablo Neira Ayuso2009-07-221-1/+9
| | | | | | | This patch reduces the verbosity of the log messages that report netlink overruns. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: add configurable option to set the value of the resynchronization timerPablo Neira Ayuso2009-07-221-8/+15
| | | | | | | | | This patch adds `netlink_resync_timeout' that allows you to set the number of seconds that we wait to perform a resynchronization due to a netlink overrun. This patch changes the default timeout from 2 to 60 seconds (less agressive). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: improve netlink overrun handlingPablo Neira Ayuso2009-07-221-12/+12
| | | | | | | | | | With this patch, we schedule one resynchronization against the kernel conntrack table that will occur in two seconds (still we need a patch to make this configurable). Before this, we scheduled a resynchronization for every overrun, that is very bad in a scenario in which overruns occurs very frequently. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* NFCT: fix NULL dereference when hashtable is fullPablo Neira Ayuso2009-06-231-0/+9
| | | | | | | | This patch fixes a NULL dereference to the timestamp structure when hashtable_add() fails, for example, because the hashtable is full. Reported-by: Bernhard Schmidt <berni@birkenwald.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Delete timer in destructor function.Eric Leblond2009-02-081-0/+2
| | | | This patch deletes the overrun timer in the destructor function.