| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
`format_ipv6()` formats IPv6 addresses as hex-strings. However, sizing for the
output buffer is not done quite right.
The elements of the `ipbin_array` array in ulogd_filter_IP2BIN.c are sized using
a local macro, `IPADDR_LENGTH`, which is defined as 128, the number of bits in
an IPv6 address; this is much larger than necessary.
Define an appropriate macro and use that instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The new namespace helper provides an internal stable interface for
plugins to use for switching various linux namespaces. Currently only
network namespaces are supported/implemented, but can easily be extended
if needed. autoconf will enable it automatically if the required symbols
are available. If ulogd is compiled without namespace support, the
functions will simply return an error, there is no need for conditional
compilation or special handling in plugin code.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
The ULOG target was removed from linux kernel with 7200135bc1e6
("netfilter: kill ulog targets") aka v3.17, so remove the userspace
library for it. libnetfilter_log provides the same functionality for
NFLOG, and also a compatibility layer to use NFLOG through the libipulog
api.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
The ULOG target was removed from the linux kernel with 7200135bc1e6
("netfilter: kill ulog targets") aka v3.17, so remove the input plugin
for it. It's successor NFLOG should be used instead, which has its own
input plugin.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `value` union member in `struct config_entry` is declared as `int`
since basically the beginning in e07722e46001 ("config stuff added").
The parsing was switched from the original `atoi()` in 015849995f7f
("Fix hexadecimal parsing in config file") to `strtoul()`.
Switch the function for parsing to the signed `strtol()` variant since
the result will be stored in a signed int, and it makes sense to support
negative numbers. Detect when `strtol()` does not properly consume the
whole argument and return a new format error. Also check the numerical
value to make sure the signed int does not overflow, in which case
a new range error is returned.
Unfortunately there is no `strtoi()` which would do the proper range
check itself, so the intermediate `long` and range-check for `int` is
required. I also considered changing the `value` union member from
`int` to `long`, which would make it possible to use the parsed value
as-is. But since this is part of the api towards plugins (including
third party) such a potentially breaking change felt unwarranted. This
also means that still only 16bit integer values are *guaranteed* to
work, although most platforms use bigger widths for int.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a new function `ulogd_parse_configfile()` in the public
interface, which wraps `parse_config_file()` to parse a section of the
config file and communicates found errors to the user. It can be used
as a drop-in replacement because arguments and return value are
compatible.
This relieves plugins of the need to translate the individual error
codes to human readable messages, and plugins are mostly interested if
there is any error, not what specific error.
This reuses the existing `parse_conffile()` function with slight
adjustments.
Signed-off-by: Corubba Smith <corubba@gmx.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Move a `ULOGD_RET_BOOL` case for consistency.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The ipfix.h header includes three macros which expand to compiler attributes.
Presumably, at some point the definitions were one branch of an if-else
preprocessor conditional where the definitions in the other branch expanded to
nothing. This is no longer the case. Only one of the macros (`__packed`) is
used and the raw attribute is used elsewhere in the code-base. Remove the
macros.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
gcc warns about undocumented fall-throughs in switches. In this case,
the fall-throughs are intended, so add commnts to indicate this to the
compiler.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
`__ulogd_log` takes a printf-style format string and matching arguments.
Add the gcc `format` attribute to its declaration in order to allow the
compiler to type-check the function arguments against the specifiers in
the format string.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, make enters all sub-directories containing source-code, even
if they only contain optional targets which are not configured to be
built. Instead, change the Makefiles so that the sub-directories are
optional, rather than the targets.
Group sub-directory definitions consistently at the top of the Makefiles
that contain them.
Trim a few leading and trailing blank lines.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds the ability to send template records
to the remote collector.
In addition, it also introduces a new
configuration parameter 'send_template', which tells when template
records should be sent. It accepts the following string values:
- "once": Send the template record only the first time (might be coalesced
with data records).
- "always": Send the template record always, with every data record that is sent
to the collector (multiple data records might be sent together).
- "never": Assume the collector knows the schema already. Do not send template records.
If omitted, the default value for 'send_template' is "once".
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX
traces and sends them to a remote server (collector) via TCP or UDP.
Based on original work by Holger Eitzenberger <holger@eitzenberger.org>.
How to test this
----------------
I am currently testing this with the NFCT input and Wireshark.
Place the following in ulogd.conf:
# this will print all flows on screen
loglevel=1
# load NFCT and IPFIX plugins
plugin="/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/lib/ulogd/ulogd_output_IPFIX.so"
stack=ct1:NFCT,ipfix1:IPFIX
[ct1]
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
accept_proto_filter=tcp,sctp
[ipfix1]
oid=1
host="127.0.0.1"
#port=4739
#send_template="once"
I am currently testing it by launching a plain NetCat listener on port
4739 (the default for IPFIX) and then running Wireshark and see that it
dissects the IPFIX/NetFlow traffic correctly (obviously this relies on
the Wireshark NetFlow dissector being correct).
First:
nc -vvvv -l 127.0.0.1 4739
Then:
sudo ulogd -vc ulogd.conf
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
|
| |
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
|
| |
|
|
|
|
|
|
|
|
| |
This fixes compilation if you use a Linux kernel >= 3.17. This problem
occurs since ULOG was removed from mainstream:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7200135bc1e61f1437dc326ae2ef2f310c50b4eb
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=986
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch supresses the oob.time.sec from the input keys as this
is not used when creating the string corresponding to the packet.
Signed-off-by: Eric Leblond <eric@regit.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds storage for CIM field name in ulogd key. This
will be used by JSON output to interoperate with logging
collector such as logstash or splunk.
Common Information Model is an open standard that defines how managed
elements in an IT environment are represented as a common set of objects
and relationships between them:
http://www.dmtf.org/standards/cim
This seems to be mainly XML based but there is a JSON version of some
aspects of the model. One of the main documentation on CIM in JSON
format seems to be:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
Using the correct CIM field name allow events coming from ulogd to be
correlated with events coming from other sources.
|
| |
|
|
|
|
|
|
|
| |
As default size was non null, the ring system was activated by
default. It was only possible to desactivate the ring system
by setting it to ring_buffer_size to 0 in the configuration.
This was not the attended behavior. This patch set it to 0 to have
only explicit activation of the ring feature.
|
| |
|
|
|
|
| |
Some counter have been recently switch to u64. This has caused warnings
relative to format string. This patch uses PRIu64 macro to fix these
warnings.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds an optional ring buffer option which modify
the way database queries are made. The main thread is only handling
kernel message reading and query formatting. The SQL request is made
in a separate dedicated thread.
The idea is to try to avoid buffer overrun by minimizing the time
requested to treat kernel message. Doing synchronous SQL request, as
it was made before was causing a delay which could cause some messages
to be lost in case of burst from kernel side.
|
| |
|
|
|
| |
Use an offset approach to get the start of values printing area. It
is more generic and will be use soon.
|
| |
|
|
|
| |
The field is currently only used in a single function as a string
pointer and can thus be removed from the db instance structure.
|
| |
|
|
|
|
|
| |
This patch is adding a mechanism to store query in a backlog build
in memory. This allow to store events during downtime in memory and
realize the effective insertion when the database comes back.
A memory cap is used to avoid any memory flooding.
|
| |
|
|
|
| |
When an argument or a line is too long, it can not be store
into ulogd configuration and this must results in a error.
|
| | |
|
| |
|
|
| |
Recently introduced addr.h was missing from Makefile.am.
|
| |
|
|
| |
This patch also update some copyright and licence declaration.
|
| |
|
|
|
|
| |
This patch adds a flag to the config_entry structure to be able to
tune setup. First usage is to ask config parser not to update a key
if it has been already set.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
It was wrong, use VERSION constant which uses the version
information available in configure.ac.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This new type will be used in flow-up patch to support XML output.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds the nfacct plugin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds reference counting for plugins. This is used to fix
a double stop for input plugins that are reused.
This problem was reported by Salih Gonullu <sag@open.ch>:
http://marc.info/?l=netfilter&m=129439584700693&w=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch replaces the existing hashtable implementation with
a newer that provide better performance since it reduces the
number of hash computations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This reverts commit 0ff525cb0506b2c043bc9df6d7e7b486c865bc38. A stable
and clean API should be provided if we choose to offer for external
module capability.
|
| |
|
|
|
| |
This patch modifies Makefile.am to install the headers needed for
compilation of plugins outside of the source tree.
|
| |
|
|
|
| |
This patch adds config.h inclusion in ulogd.h to be able to use all
defined value in the whole project.
|
| |
|
|
|
| |
Incorrect definition of a IPv6 input key handling function was causing
a crash in ulogd.
|
| |
|
|
|
| |
This patch adds the config_stop function which is in charge of releasing
ressources allocated for configuration file parsing.
|
| |
|
|
|
| |
This patch adds unloading of plugins (call dlclose()) in ulogd2. This
make valgrind happy and will be useful for daemon live reconfiguration.
|
| |
|
|
|
|
| |
This patch modifies PRINTPKT plugin to add SCTP support.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
|
|
|
| |
This patch cleans up the current key assignation by introducing a
set of functions ukey_* to set the key value as Eric Leblond and
we discussed during the latest Netfilter Workshop. This patch is
based on an idea from Holger Eitzenberger.
Signed-off-by: Eric Leblond <eric@inl.fr>
|
| |
|
|
|
|
| |
This patch fixes the `make distcheck' magic
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The function ipulog_read had a timeout parameter which was not
used in the code.
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch cleans up the key building by breaking lines at 80 columns and
it fixes the IPv6 support (use of a pointer after free) by introducing a new
128 bit type.
|
| |
|
|
|
|
|
|
| |
This patch introduces a generic hashtable to store the nf_conntrack objects.
The objects are identified by the original and reply tuples instead of the
conntrack ID which is not dumped in the event message of linux kernel < 2.6.25.
This patch also fixes the NFCT_MSG_* by NFCT_T_* which is the appropriate
message type tag.
|
