path: root/util
Commit message | Author | Age | Files | Lines
* ulogd: printpkt: always print IPv6 protocol [HEAD, master] | Andreas Jaggi | 2020-02-23 | 1 | -0/+3
  Print the protocol number for protocols not known by name.
  Signed-off-by: Andreas Jaggi
  Signed-off-by: Pablo Neira Ayuso
* Use stdint types everywhere | Felix Janda | 2015-06-26 | 2 | -4/+4
  Signed-off-by: Felix Janda
* printpkt: oob.time.sec was not used | Eric Leblond | 2014-03-07 | 1 | -1/+0
  This patch suppresses the oob.time.sec from the input keys as this is not used when creating the string corresponding to the packet.
  Signed-off-by: Eric Leblond
* db: don't lose one packet on reconnect | Eric Leblond | 2014-01-26 | 1 | -1/+2
  This patch improves database reconnection handling in ring buffer mode. Ulogd now redoes the failed query and does not lose one packet anymore.
* db: cancel injection thread when terminating | Eric Leblond | 2014-01-25 | 1 | -0/+17
  Injection thread was not cancelled when a termination signal was sent. This was causing a crash in some cases. This patch fixes this by canceling the thread when a SIGTERM or SIGINT signal is received.
* util: fix warning on format string | Eric Leblond | 2014-01-25 | 1 | -20/+21
  pp_print macro was not correctly formatting u64. This patch renames it to pp_print_u as it is only used to print integers. It also uses the PRIu* macros to have a correct format string for all integer types.
* nfct: make NFCT packet counter/length 64 bit | Ulrich Weber | 2013-10-10 | 1 | -8/+8
  Kernel and libnetfilter_conntrack counters are 64bit, so use 64bit too in ulogd instead of 32bit. Worked fine on little endian systems but big endian systems had zero counter...
  Didn't test ipfix output, but RFC allows template with either 32 or 64 counters, so should be safe.
  Signed-off-by: Ulrich Weber
  Signed-off-by: Eric Leblond
* db: db ring has precedence over backlog. | Eric Leblond | 2013-05-21 | 1 | -5/+7
* db: disable SIGHUP if ring buffer is used. | Eric Leblond | 2013-05-21 | 1 | -3/+8
  The handling of signal when using threads can be complicated. When ring buffer is used for query, this means ulogd will have to follow some sort of mutex. Thus, it is easier and better performance wise to disable the reload via SIGHUP when the ring buffer is used.
* db: add ring buffer for DB query | Eric Leblond | 2013-05-21 | 1 | -12/+141
  This patch adds an optional ring buffer option which modifies the way database queries are made. The main thread is only handling kernel message reading and query formatting. The SQL request is made in a separate dedicated thread. The idea is to try to avoid buffer overrun by minimizing the time requested to treat kernel message. Doing synchronous SQL request, as it was made before was causing a delay which could cause some messages to be lost in case of burst from kernel side.
* db: use offset instead of direct pointer. | Eric Leblond | 2013-05-21 | 1 | -7/+9
  Use an offset approach to get the start of values printing area. It is more generic and will be used soon.
* db: suppress field in db structure | Eric Leblond | 2013-05-21 | 1 | -18/+18
  The field is currently only used in a single function as a string pointer and can thus be removed from the db instance structure.
* db: store data in memory during database downtime | Eric Leblond | 2013-05-21 | 1 | -28/+142
  This patch is adding a mechanism to store query in a backlog built in memory. This allows storing events during downtime in memory and realizing the effective insertion when the database comes back. A memory cap is used to avoid any memory flooding.
* Fix warning on format | Eric Leblond | 2013-01-18 | 1 | -1/+1
  It seems Z is a libc5 only format modifier. Using standard 'z' instead.
* Get rid of SVN tag in comment. | Eric Leblond | 2013-01-18 | 3 | -6/+1
  This patch also updates some copyright and licence declarations.
* Add additional ip6 header fields to database scripts | Bob Hockney | 2012-12-19 | 1 | -1/+1
  Rename internal keyname ip6.payload_len to remove "_" to facilitate this.
* Support stored mysql procedures besides stored functions | Jozsef Kadlecsik | 2012-01-16 | 1 | -0/+2
  MySQL stored procedures must be invoked by the "CALL" SQL command and not by "SELECT". Add the convention that if the procedure name starts with "CALL", then the issued SQL command is "CALL procedurename(args)". The stored procedure support in MySQL automatically brings transaction support too.
  Signed-off-by: Jozsef Kadlecsik
* DB output: fix crash in SIGHUP handling | Eric Leblond | 2010-09-22 | 1 | -8/+15
  This patch fixes the handling of SIGHUP when a SQL plugin is used. A freed structure was previously used to build the request and this was leading to a crash.
* DB plugins: fixed bug with INSERT* procedures | Romain Bignon | 2009-04-18 | 1 | -10/+13
  When procedure begins with INSERT* (without space), it considers it as an INSERT statement.
  Signed-off-by: Romain Bignon
* DB plugin: add capability to specify complete INSERT command | Eric Leblond | 2009-04-17 | 1 | -3/+8
  This patch modifies the procedure name parsing to be able to specify a complete INSERT command.
* db plugins: free memory at exit. | Eric Leblond | 2009-03-10 | 1 | -0/+7
  This patch frees an allocated buffer when ulogd is quitting.
* Allow plain INSERT instead of procedure | Pierre Chifflier | 2009-01-07 | 1 | -1/+26
  If the procedure name specified in configuration is INSERT, then use a regular insertion instead of a stored procedure. This should be used when performance is needed, with a flat SQL schema, to reduce the cost of SQL procedure calls.
  Signed-off-by: Pierre Chifflier
* SCTP support for PRINTPKT. | Eric Leblond | 2008-12-09 | 1 | -1/+16
  This patch modifies PRINTPKT plugin to add SCTP support.
  Signed-off-by: Eric Leblond
* add ukey_* function for key assignation | Pablo Neira Ayuso | 2008-12-09 | 2 | -98/+100
  This patch cleans up the current key assignation by introducing a set of functions ukey_* to set the key value as Eric Leblond and we discussed during the latest Netfilter Workshop. This patch is based on an idea from Holger Eitzenberger.
  Signed-off-by: Eric Leblond
* cleanup: fix redefinition of TCP_URG key in printpkt | Eric Leblond | 2008-07-31 | 1 | -1/+0
  This patch fixes a multiple definition of the key TCP_URG.
  Signed-off-by: Eric Leblond
  Signed-off-by: Pablo Neira Ayuso
* cleanup: fix warning about integer format | Eric Leblond | 2008-07-31 | 1 | -2/+3
  This patch uses PRIu64 and PRId64 macros from inttypes.h to have a correct definition of 64 bit integer format for 64bits and 32bits arch.
  Signed-off-by: Eric Leblond
  Signed-off-by: Pablo Neira Ayuso
* cleanup: fix compilation warnings related to pointer comparisons | Eric Leblond | 2008-07-31 | 3 | -11/+11
  This patch casts to (char *) some (void *) to avoid a gcc warning in string format parsing.
  Signed-off-by: Eric Leblond
  Signed-off-by: Pablo Neira Ayuso
* cleanup: fix compilation warning related to signed and unsigned comparisons | Eric Leblond | 2008-07-31 | 1 | -2/+2
  This patch fixes the warning related to signed and unsigned comparison.
  Signed-off-by: Eric Leblond
* cleanup: fix gcc warnings | Eric Leblond | 2008-07-29 | 2 | -6/+1
  This patch fixes some gcc warnings:
  * Unused variables
  * Functions with wrong return (or without return)
  Signed-off-by: Eric Leblond
  Signed-off-by: Pablo Neira Ayuso
* Fix a trivial typo | Eric Leblond | 2008-07-23 | 1 | -1/+1
  This patch fixes a trivial typo.
  Signed-off-by: Eric Leblond
  Signed-off-by: Pablo Neira Ayuso
* Fix computation of allocated size for query | Eric Leblond | 2008-07-10 | 1 | -2/+3
  This patch fixes the computation of the allocation size for the query. It was not taking into account the length of the name of the procedure.
  Signed-off-by: Eric Leblond
* Print GID/MARK in printpkt.c | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 1 | -1/+11
* Fix "PROTO=KEY_TCP"/"PROTO=KEY_UDP" | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-04-21 | 1 | -2/+2
  I have no idea what the intention behind this change was, but it seems bogus, the output format should (mostly) match ipt_LOG.
* This patch suppresses a now unused option. Each database module | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-07 | 1 | -11/+0
  has now to be used with a defined IP storage type.
  Signed-off-by: Eric Leblond
* DESTROY events were not correctly displayed due to a problem in event type | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  detection.
  Signed-off-by: Eric Leblond
* The PRINTFLOW module had its own code for string conversion of IPv6 address. | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -12/+16
  This patch changes the input key of the module to use conversion made by the IP2STR module.
  Signed-off-by: Eric Leblond
* Length of MAC address was set too big and thus display was wrong. This | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -1/+1
  misbehaviour was also causing data to be read out of the correct range.
  Signed-off-by: Eric Leblond
* This patch fixes a problem in SQL reconnection algorithm which is managed in | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-04-05 | 1 | -2/+7
  the db.c file for PgSQL and MySQL. In case of problem during request execution a new connection to the database was immediately started without closing the previous one. The consequence was to block the database by having too many simultaneous open connections. This patch fixes the problem by disconnecting from the database after a request failure and trying to reconnect after a delay which is by default of 2 seconds. This delay can be customized via the reconnect configuration variable in the database configuration section.
  Signed-off-by: Eric Leblond
* This patch adds support of event type display in printflow filter. This is used | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-26 | 1 | -0/+20
  to display event type in textual output modules. Here's an output example:
  [DESTROY] ORIG: SRC= DST= PROTO=UDP SPT=631 DPT=631 \\ PKTS=1 BYTES=197 , REPLY: SRC= DST= \\ PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0
  Signed-off-by: Eric Leblond
* IP2BIN filter converts IP address from host storage to a "binary" string which | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-03-25 | 1 | -1/+4
  can be used by MySQL. This is not strictly speaking raw data but it was of type RAW. Following remark from Hugo Mildenberger, I introduce in this patch a dedicated type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter is that the parameter is not human readable.
  Signed-off-by: Eric Leblond
* This patch adds support for AF_BRIDGE to the PRINTPKT plugin, which allows | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-19 | 1 | -0/+81
  to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP.
  Signed-off-by: Peter Warasin
* From: Eric Leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-09 | 1 | -0/+7
  Add UID display to PRINTPKT filter.
* From: Eric Leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-09 | 2 | -8/+0
  Some macros were defined several times. This was the case of GET_VALUE, pp_is_valid. This patch puts the definition in ulogd.h and fixes the definition of pp_is_valid which was wrong (causing segfault by accessing fields at NULL).
* From: Eric Leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-03 | 1 | -3/+1
  MySQL need no to be able to print RAW data to be able to display IP addresses.
* From: Eric leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-03 | 1 | -18/+8
  - This patch suppresses key relative to IPv6 address because IPv4 and IPv6 can be stored in the same key.
  - Add missing IP2STR line to
* From: Eric leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-03 | 1 | -39/+122
  This patch updates the printflow output module to be able to print a whole conntrack entry on a single line.
* From: Eric leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-03 | 2 | -16/+29
  This patch clarifies code which will be modified in next patch.
* From: Eric leblond | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org | 2008-02-03 | 1 | -19/+4
  This patch adds new SQL schema for MySQL and PGsql. The goal is to improve the one line per entry format. There is no more a big table with all fields because this sort of storage is causing bad performance (databases don't like to have a lot of NULL fields to store).
  Main changes are:
  * Add new schema for MySQL and PGsql
  * Use call to configurable procedure in SQL OUTPUT modules
  * Arguments of a procedure are given by the list of fields of a selected table
* Ulogd2: fix db OUTPUT system | /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net | 2008-01-12 | 1 | -1/+4
  The following patch fixes MySQL and Pgsql output modules. The callback function was not correctly initialized and this was leading to a crash by calling a NULL function. This patch correctly inits the callback.
  Eric Leblond
* Add IPv6 support, fix a few incorrect key assignments and make sure this doesn't | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org | 2007-03-06 | 1 | -116/+282
  repeat by using symbolic names to make sure the assignment matches the array index.