Userspace logging facility for iptables / linux 2.4
$Id$

Project Homepage: http://www.gnumonks.org/projects/ulogd
Mailinglist: http://lists.gnumonks.org/mailman/listinfo/ulogd/

This is just a short README; please see the more extensive documentation
in the doc/ subdirectory.

===> IDEA

This package is intended for passing packets from the kernel to userspace
to do some logging there. It should work like this:

- Register a target called ULOG with iptables
- if the target is hit: 
	- send the packet out using netlink multicast facility
	- return NF_CONTINUE immediately

New with ipt_ULOG 0.8: packets can be accumulated in the kernel and sent
in small batches (1-50) to userspace. This reduces the number of
expensive context switches.

More than one logging daemon may listen to the netlink multicast address.

===> CONTENTS

= Ulog library (libipulog.a)
Just a little library like libipq.a which provides a convenient way to
write userspace logging daemons. The functions provided are described
in the source code; a small demo program (ulog_test) is also included.

= ulogd daemon (ulogd) 
A sophisticated logging daemon which uses libipulog. The daemon provides
an easy-to-use plugin interface for writing additional packet interpreters
and output targets. Example plugins (interpreters: ip, tcp, icmp; output:
simple logging to a file) are included.

= documentation (doc)
Quite verbose documentation of this package and its configuration exists;
please actually make use of it and read it :)

===> USAGE

The kernel part of the userspace logging facility (ipt_ULOG.o) is included
in kernels >= 2.4.18-pre8.  If you are running older kernel versions, you MUST
install the ulog-patch from netfilter patch-o-matic FIRST !!

Please go to the netfilter homepage (http://www.netfilter.org/)
and download the latest iptables package.  There is a system called
patch-o-matic, which manages recent netfilter development that has
not been included in the stock kernel yet.

Just apply the ulog-patch from patch-o-matic (the iptables package
includes some documentation on how to use patch-o-matic).

Next you have to enable the kernel config option CONFIG_IP_NF_TARGET_ULOG in
the netfilter subsection of the network options. 

Then recompile the kernel or just recompile the netfilter modules using 'make
modules SUBDIRS=net/ipv4/netfilter'.  The next step is installing the module
using 'make modules_install'.

It is also a good idea to recompile and re-install the iptables package,
if you don't already have libipt_ULOG.so in /usr/local/lib/iptables or
/usr/lib/iptables.

Now you are ready to go. You may now insert logging rules into any chain.
To see the full syntax, type 'iptables -j ULOG -h'.

===> EXAMPLES

First, a simple example which passes every outgoing packet to the
userspace logging, using netlink multicast group 3.

iptables -A OUTPUT -j ULOG --ulog-nlgroup 3

A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp".

iptables -A INPUT -j ULOG -p tcp --dport 80 --ulog-nlgroup 32 --ulog-prefix inp

Since version 0.2, there is another parameter (--ulog-cprange).
Using this parameter you are able to specify how many octets of the
packet should be copied from the kernel to userspace.
Setting --ulog-cprange to 0 always copies the whole packet. The default is 0.
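
The two things a listening daemon has to get right for the rules above, shown
as an added example that is not code from ulogd or libipulog: turning the
--ulog-nlgroup number into the multicast bit it binds to, and walking a batched
datagram without trusting its length fields. The names nl_hdr, ulog_group_mask,
ulog_count_batch and ulog_sample_batch are hypothetical, and the example assumes
each netlink message in a datagram carries one logged packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout of struct nlmsghdr from <linux/netlink.h>, redeclared under the
 * assumed name nl_hdr so the example builds without kernel headers. */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
#define NL_ALIGN(n)    (((size_t)(n) + 3u) & ~(size_t)3u)
#define ULOG_BATCH_MAX 50   /* upper batch size stated in the README */

/* --ulog-nlgroup N (1..32) -> bit in sockaddr_nl.nl_groups; 0 = invalid group */
uint32_t ulog_group_mask(unsigned group)
{
    return (group < 1 || group > 32) ? 0 : (uint32_t)1 << (group - 1);
}

/* Count messages in one received datagram; -1 if a header is truncated, a
 * length field leaves the buffer, or the batch exceeds ULOG_BATCH_MAX. */
int ulog_count_batch(const unsigned char *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        struct nl_hdr h;
        if (len < sizeof h)
            return -1;
        memcpy(&h, buf, sizeof h);              /* buffer may be unaligned */
        if (h.len < sizeof h || h.len > len || ++n > ULOG_BATCH_MAX)
            return -1;
        if (NL_ALIGN(h.len) >= len)
            break;                              /* last message in the datagram */
        buf += NL_ALIGN(h.len);
        len -= NL_ALIGN(h.len);
    }
    return n;
}

/* Constructed sample input: `count` zero-filled messages of `payload` bytes. */
unsigned char ulog_sample[1024];
size_t ulog_sample_batch(int count, uint32_t payload)
{
    size_t off = 0, sz = sizeof(struct nl_hdr) + payload;
    for (int i = 0; i < count && off + NL_ALIGN(sz) <= sizeof ulog_sample; i++) {
        struct nl_hdr h = { (uint32_t)sz, 0, 0, (uint32_t)i, 0 };
        memset(ulog_sample + off, 0, NL_ALIGN(sz));
        memcpy(ulog_sample + off, &h, sizeof h);
        off += NL_ALIGN(sz);
    }
    return off;
}
```

Group 32 maps to the top bit (0x80000000), so the mask must be computed in an
unsigned 32-bit type; a signed shift there is undefined behaviour in C.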

===> COPYRIGHT + CREDITS

The code is (C) 2000-2004 by Harald Welte <laforge@gnumonks.org>

Thanks also for the valuable contributions of Daniel Stone, Alexander
Janssen and Michael Stolovitzsky.

Credits to Rusty Russell, James Morris, Marc Boucher and all the other 
netfilter hackers.