Eric Leblond [Thu, 12 Jun 2008 09:10:58 +0000 (11:10 +0200)]
Fix hexadecimal parsing in config file
The config file parsing was not able to parse integers given in hex notation.
This patch modifies the parsing of the config file to be able to use different
integer notations.
Eric Leblond [Thu, 12 Jun 2008 09:08:31 +0000 (11:08 +0200)]
New MARK-based filter
This module filters messages by using the mark to decide whether or not a
packet or a flow has to be logged. It takes a mark and a mask option. It
demonstrates the usage of ULOGD_IRET_STOP which can be used to abort
iteration through the stack.
Eric Leblond [Thu, 12 Jun 2008 09:06:28 +0000 (11:06 +0200)]
Fix the propagation through the stack
When a plugin returns ULOGD_IRET_STOP, the propagation should
stop. This was not the case as break was used to do so but it was called
inside a switch and thus applied to the switch instruction and not to
the llist iteration.
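The two commit messages above, worked through as an added example that is not ulogd's code: a mark/mask filter returns a stop code, and the same plugin stack is walked once with the `break` inside a `switch` and once with the stop test in the loop body. The enum, struct, function names and the mark/mask values are constructed for illustration, and the rule "pass when the masked mark equals the configured mark" is an assumption about how such a filter decides.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for this example; not ulogd's own definitions. */
enum iret { IRET_OK, IRET_STOP };
struct pkt { uint32_t mark; int logged; };
typedef enum iret (*plugin_fn)(struct pkt *);

/* Hypothetical filter options: pass only packets whose masked mark is 0x10. */
static const uint32_t cfg_mark = 0x10, cfg_mask = 0xf0;

static enum iret mark_filter(struct pkt *p)
{
    return ((p->mark & cfg_mask) == cfg_mark) ? IRET_OK : IRET_STOP;
}

static enum iret output(struct pkt *p)
{
    p->logged = 1;
    return IRET_OK;
}

static const plugin_fn stack[] = { mark_filter, output };
#define STACK_LEN (sizeof(stack) / sizeof(stack[0]))

/* Buggy shape: break only leaves the switch, so the output still runs. */
int propagate_buggy(struct pkt *p)
{
    for (size_t i = 0; i < STACK_LEN; i++) {
        switch (stack[i](p)) {
        case IRET_STOP:
            break;      /* exits the switch, not the for loop */
        default:
            break;
        }
    }
    return p->logged;
}

/* Fixed shape: the stop test sits directly in the loop body. */
int propagate_fixed(struct pkt *p)
{
    for (size_t i = 0; i < STACK_LEN; i++) {
        if (stack[i](p) == IRET_STOP)
            break;      /* exits the for loop */
    }
    return p->logged;
}
```

With the buggy walk the filter fails open: a packet the filter rejected still reaches the output plugin and is logged.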
regit [Wed, 4 Jun 2008 13:19:05 +0000 (15:19 +0200)]
Fix crash when using NFCT with hash_enable=0.
This patch fixes NFCT when hash_enable is 0. Limitation of treatment to
NFCT_DESTROY message type causes usage of the hashtable function and
hence a crash because it is not initiated.
Signed-off-by: regit <regit@ghlodit.inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Eric Leblond [Mon, 2 Jun 2008 00:02:09 +0000 (02:02 +0200)]
Source and destination addresses were put in ptr field of the target structure
instead of being put in the new type ui128. The result was an improper value
of the IPv6 source and destination addresses.
This patch improves the overrun handling. The NFLOG plugin duplicates the
netlink buffer size if the size does not go after the upper boundary.
This patch also introduces two new clauses, the netlink_socket_buffer_size
and netlink_socket_buffer_maxsize that set the size of the netlink socket
buffer.
cleanup for key builder and fix IPv6 support and introduce 128-bits type
This patch cleans up the key building by breaking lines at 80 columns and
it fixes the IPv6 support (use of a pointer after free) by introducing a new
128 bit type.
This patch improves the overrun handling. The logic behind this patch
consists of two steps:
1) duplicate the netlink buffer size if the size does not go after the
upper boundary.
2) scheduling a resynchronization (in two seconds) with the kernel conntrack
table if we hit ENOBUFS. During the resynchronization, the NFCT plugin dumps
the current table and purges the objects that do not exist anymore.
This patch also introduces two new clauses, the netlink_socket_buffer_size
and netlink_socket_buffer_maxsize that set the size of the netlink socket
buffer.
This patch introduces a generic hashtable to store the nf_conntrack objects.
The objects are identified by the original and reply tuples instead of the
conntrack ID which is not dumped in the event message of linux kernel < 2.6.25.
This patch also fixes the NFCT_MSG_* by NFCT_T_* which is the appropriate
message type tag.
This patchset adds support for the "numeric_label" option. For instance, it
can be used to determine if the packet has been dropped, rejected or accepted.
The meaning of label is completely user-defined.
[ULOGD PATCH, RFC] Modify NFLOG to be able to use it with older libnetfilter_log
NFLOG has been modified to support GID display. There is a problem as this
feature is only available in latest subversion of libnetfilter_log. This
patch made this feature optional:
* It detects if the system supports the nflog_get_gid() function
* Compilation of nflog_get_gid() related code is conditional
[ULOGD PATCH] Fix multiple usage of DB output plugin.
Due to the modifications done to be able to use the SOURCE plugin multiple
times, a single instance of a database output plugin could no longer be
used in separate stack. This patch fixes this by limiting the effect of
the previous modification on SOURCE plugin.
NACCT was IPv4 only and was heavily dependent on the order of NFCT keys.
This patch introduces an explicit list of input keys and obtains IPv6
compliance by using IP2STR output as input for IP address.
This patch is a port to the new libnetfilter_conntrack API of the NFCT
plugin. To be able to send IP addresses to the IP2STR and IP2BIN module
oob.family and oob.protocol keys have been added.
The PRINTFLOW module had its own code for string conversion of IPv6 address.
This patch changes the input key of the module to use conversion made by the
IP2STR module.
An error in the type of an argument in the call to inet_ntop was causing IPv6
addresses to be transformed into a string not really related to the real IPv6
address.
This patch adds MAC address handling to the postgresql output plugin. This
patch also removes mac_daddr which does not provide any interesting
logging information.
This patch introduces a new plugin MAC2STR which is in charge
of conversion to string of MAC address. It is used by database
output plugin to store MAC related information.
This patch fixes a problem in SQL reconnection algorithm which is managed in
the db.c file for PgSQL and MySQL. In case of problem during request execution
a new connection to the database was immediately started without closing the
previous one. The consequence was to block the database by having too many
simultaneous open connections.
This patch fixes the problem by disconnecting from the database after a
request failure and trying to reconnect after a delay which is by default
2 seconds. This delay can be customized via the reconnect configuration
variable in the database configuration section.
This patch adds support of event type display in printflow filter. This is used
to display event type in textual output modules. Here's an output example:
This patch contains two linked modifications in NFCT input plugin:
- event mask is now configurable through the event_mask configuration variable
- event type is now stored in the ct.event output key. This can be used to
display the information or to use it to implement some tracking algorithm in
userspace.
This patch adds plist, a linked list, to the pluginstance
structure. It can be used by input modules to duplicate an
entry. This solves the issue of not being able to use the same
plugin instance twice.
The IP2BIN filter converts IP addresses from host storage to a "binary" string which
can be used by MySQL. This is not strictly speaking raw data but it was of type
RAW.
Following remark from Hugo Mildenberger, I introduce in this patch a dedicated
type ULOGD_RET_RAWSTR. The main reason not to use a ULOGD_RET_STRING parameter
is that the parameter is not human readable.
This patch adds oob.hook to the list of fields exported to the databases. This
adds the capability to know where the packet has been logged and will be used
to make a link between connection and logged packets.
This patch adds support for AF_BRIDGE to the PRINTPKT plugin, which allows to form log lines for packets coming from ebtables. Currently it supports IPv4, IPv6 and ARP.
Adds AF_BRIDGE and ARP header interpreter to BASE plugin
This patch adds an AF_BRIDGE interpreter to ulogd_raw2packet_BASE plugin, which allows to log packets coming from ebtables. It also adds an ARP header decoder.
From: Eric Leblond <eric@inl.fr>
Some macros were defined several times. This was the case for GET_VALUE and
pp_is_valid. This patch puts the definition in ulogd.h and fixes the
definition of pp_is_valid which was wrong (causing a segfault by accessing
fields at NULL).
From: Eric Leblond <eric@inl.fr>
The treatment of the return of some functions from libnetfilter_log API was wrong and this was preventing some fields to be propagated through the stack.
This patch adds some examples of stack to the configuration file.
It also fixes some comments to avoid confusion. IP2BIN has been
added to the list of loaded modules.
When using NFLOG or ULOG, oob.family (protocol IPv4 or IPv6) has
to be set up manually in the ulogd.conf configuration file. This is
used by the BASE filter to properly parse the packet. This
patch suppresses oob.family as an output key of NFLOG and ULOG and lets
the BASE filter determine the family of the packet by itself (by
parsing the raw header).
A good side effect is to be able to log in IPv6 and IPv4 in the
same group. Before that, two loggers had to be set up separately.
From Eric Leblond <eric@inl.fr>:
This patch modifies ulogd_filter_IFINDEX to use libnfnetlink for index to
interface name mapping instead of using a local version. This requires at least
libnfnetlink 0.0.30. This dependency is checked in configure (thanks to
Sebastien Tricaud for his patch).
From: Pierre Chifflier <chifflier@inl.fr>
This patch adds oob_family to the schema. Thus it is now possible to easily select IPv4 or IPv6 entries in the database. This patch also explicitly selects fields to create view.
From: Eric Leblond <eric@inl.fr>
This module converts IPs from internal notation to a string in binary notation
which is used by the MySQL output plugin.
From: Eric Leblond <eric@inl.fr>
- This patch suppresses keys relative to IPv6 addresses because IPv4 and IPv6 can be stored in the same key.
- Add missing IP2STR line to ulogd.conf.in
This module is a generic module which is used to convert an IP from internal representation to string representation. This is a task needed by several modules like printpkt or pgsql. This module factorizes the code.