blob: a2b8b99f557072507517ef5facffc1210c4eabf4 (plain
Userspace logging facility for netfilter / linux 2.4
This packages is intended for passing packets from the kernel to userspace
to do some logging there. It should work like that:
- Register a target called ULOG with netfilter
- if the target is hit:
- send the packet out using netlink multicast facility
- return NF_ACCEPT immediately
We don't have to enqueue packets, just send them out as datagrams. If the
user process isn't fast enough this isn't our problem.
More than one logging daemon may listen to the netlink multicast address.
The package is consisting out of three parts:
1. Netfilter target ipt_ULOG
This is the kernel module which does the kernel part of packet passing to
the userspace. This module is inserted on demand through the netfilter
subsystem as soon as You add a rule with the target ULOG to any chain.
2. iptables plugin (libipt_ULOG.so)
This is a plugin for the netfilter configuration tool iptables. Just put
it to /usr/local/lib/iptables and it is loaded on demand from iptables.
3. Ulog library (libipulog.a)
Just a little library like libipq.a which provides a convenient way to
write userspace logging daemons. The functions provided are described
in the source code, a small demo program (ulog_test) is also included.
4. ulogd daemon (ulogd)
A sophisticated logging daemon which uses libipulog. The daemon provides
an easy to use plugin interface to write additional packet interpreters and
output targets. Example plugins (interpreter: ip, tcp, icmp output: simple
logging to a file) are included.
Just apply the kernel patch and enable the kernel config option
CONFIG_IP_NF_TARGET_ULOG in the netfilter subsection of the network options.
Then recompile the kernel or just recompile the netfilter modules using
'make modules SUBDIRS=net/ipv4/netfilter'.
Next step is installing the module using 'make modules_install'
To use the iptables plugin, copy libipt_ULOG.so to /usr/local/lib/iptables
Now You are ready to go. You may now insert logging rules to every chain.
To see the full syntax, type 'iptables -j ULOG -h'
At first a simple example, which passes every outgoing packet to the
userspace logging, using netlink multicast group 3.
iptables -A OUTPUT -j ULOG --ulog-nlgroup 3
A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp"
iptables -A INPUT -j ULOG -p tcp --dport 80 --ulog-nlgroup 32 --ulog-prefix inp
In the latest Version (0.2) I added another parameter (--ulog-cprange).
Using this parameter You are able to specify how much octets of the
packet should be copied from the kernel to userspace.
Setting --ulog-cprange to 0 does always copy the whole packet. Default is 0
===> COPYRIGHT + CREDITS
The code is (C) 2000 by Harald Welte <email@example.com>
Credits to Rusty Russel, James Morris, Marc Boucher and all the other