|author||Bart De Schuymer <firstname.lastname@example.org>||2004-11-21 23:08:19 +0000|
|committer||Bart De Schuymer <email@example.com>||2004-11-21 23:08:19 +0000|
add ulog entry
1 files changed, 62 insertions, 6 deletions
@@ -1,4 +1,4 @@
-.TH EBTABLES 8 "18 January 2004"
+.TH EBTABLES 8 "22 November 2004"
.\" Man page written by Bart De Schuymer <firstname.lastname@example.org>
.\" It is based on the iptables man page.
@@ -673,7 +673,8 @@ from
Watchers are things that only look at frames passing by. These watchers only
-see the frame if the frame matches the rule.
+see the frame if the frame matches the rule. Watchers see the packet before the
+target is executed.
The fact that the log module is a watcher lets us log stuff while giving a target
by choice. Note that the log module therefore is not a target.
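Review bot: the added sentence switches terminology mid-paragraph, "see the frame if the frame matches the rule. Watchers see the packet before the target is executed." The rest of this section, and the ebtables man page generally, says "frame"; suggest "Watchers see the frame before the target is executed." so the reader does not wonder whether packet and frame are being distinguished here.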
@@ -685,23 +686,78 @@ settings: log-prefix="", no arp logging, no ip logging, log-level=info.
.B --log-level "\fIlevel\fP"
-defines the logging level. For the possible values: ebtables -h log.
+Defines the logging level. For the possible values: ebtables -h log.
The default level is
.IR info .
.BR --log-prefix " \fItext\fP"
-defines the prefix to be printed before the logging information.
+Defines the prefix to be printed before the logging information.
-will log the ip information when a frame made by the ip protocol matches
+Will log the ip information when a frame made by the ip protocol matches
the rule. The default is no ip information logging.
-will log the (r)arp information when a frame made by the (r)arp protocols
+Will log the (r)arp information when a frame made by the (r)arp protocols
matches the rule. The default is no (r)arp information logging.
+The ulog watcher passes the packet to a userspace
+logging daemon using netlink multicast sockets. This differs
+from the log watcher in the sense that the complete packet is
+sent to userspace instead of a descriptive text and that
+netlink multicast sockets are used instead of the syslog.
+This watcher enables parsing of packets with userspace programs, the
+physical bridge in and out ports are also included in the netlink messages.
+The ulog watcher module accepts 2 parameters when the module is loaded
+into the kernel (e.g. with modprobe):
+specifies how big the buffer for each netlink multicast
+group is. E.g. If you say nlbufsiz=8192, up to eight kB of packets will
+get accumulated in the kernel until they are sent to userspace. It is
+not possible to allocate more than 128kB. Please also keep in mind that
+this buffer size is allocated for each nlgroup you are using, so the
+total kernel memory usage increases by that factor. The default is 4096.
+specifies after how many hundredths of a second the queue should be
+flushed, even if it is not full yet. The default is 10 (one tenth of
+Use the default settings: ulog-prefix="", ulog-nlgroup=1,
+.B --ulog-prefix "\fItext\fP"
+Defines the prefix included with the packets sent to userspace.
+.BR --ulog-nlgroup " \fIgroup\fP"
+Defines which netlink group number to use (a number from 1 to 32).
+Make sure the netlink group numbers used for the iptables ULOG
+target differ from those used for the ebtables ulog watcher.
+The default group number is 1.
+.BR --ulog-cprange " \fIrange\fP"
+Defines the maximum copy range to userspace, for packets matching the
+rule. The default range is 0, which means the maximum copy range is
+.BR nlbufsiz .
+A maximum copy range larger than
+128*1024 is meaningless as the packets sent to userspace have an upper
+size limit of 128*1024.
+.BR --ulog-qthreshold " \fIthreshold\fP"
+Queue at most threshold number of packets before sending them to
+userspace with a netlink socket. Note that packets can be sent to
+userspace before the queue is full, this happens when the ulog
+kernel timer goes off (the frequency of this timer depends on
+.BR flushtimeout .
.SS TARGET EXTENSIONS
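Review bot: the `--ulog-qthreshold` paragraph opens a parenthesis, "(the frequency of this timer depends on", and never closes it; the next line is `.BR flushtimeout .` so the rendered text ends "flushtimeout." with no ")". Suggest `.BR flushtimeout ).` to close it. The same paragraph, unlike `--ulog-nlgroup` and `--ulog-cprange`, states neither a default for the threshold nor its upper bound, although the earlier nlbufsiz text makes clear that queued frames are capped by the per-group buffer; a sentence giving the default and noting that the queue is also bounded by `nlbufsiz` would make the option self-contained.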