From: "Philipp Gühring" <mailinglists@futureware.at>
To: netfilter-devel@lists.netfilter.org
Subject: New logging module
Date: Mon, 25 Aug 2003 14:59:02 +0200 [thread overview]
Message-ID: <200308251459.03014.mailinglists@futureware.at> (raw)
[-- Attachment #1: Type: text/plain, Size: 488 bytes --]
Hi,
I developed a Netfilter module that collects and logs the traffic of all IP
addresses of several subnets, and regularly dumps the traffic log in a format
similar to that of ipt_LOG, so that it can transparently replace the normal
logging module.
It was developed to speed up our traffic analysis software by filtering and
aggregating the packets directly in the kernel instead of in userspace.
The license is GPL.
Many greetings,
Philipp Gühring
[-- Attachment #2: ipt_REGIONET.c --]
[-- Type: text/x-csrc, Size: 5237 bytes --]
/*
* This module logs the traffic of every IP address of whole subnets.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/spinlock.h>
#include <linux/vmalloc.h>
#include <net/icmp.h>
#include <net/udp.h>
#include <net/tcp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
struct in_device;
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>
/* Debug output is compiled in unconditionally here (the #if is 1). */
#if 1
#define DEBUGP printk
#else
#define DEBUGP(format, args...)
#endif
/* Use lock to serialize, so printks don't overlap */
static spinlock_t regionet_lock = SPIN_LOCK_UNLOCKED;
/*
 * Up to 10 monitored networks, filled in by init().  Addresses and masks
 * are kept in host byte order (the target hook compares against ntohl()).
 */
static u_int32_t regionet_network[10];   /* network address */
static u_int32_t regionet_netmask[10];   /* netmask */
static long regionet_netsize[10];        /* host addresses == entries used in regionet_traffic[i] */
static int *regionet_traffic[10];        /* per-host byte counters; point into the tables below */
static int regionet_networks;            /* number of slots in use */
/* Packets seen since the last dump; the tables are printed once it exceeds 10000. */
static unsigned int regionet_counter;
/*
 * Backing storage for the per-host counters.  They are plain int and are
 * zeroed only in init(), never after a dump, so each entry holds a
 * cumulative byte total that overflows after ~2 GiB for one address.
 * regionet_traffic1 is four times the 65536 hosts of the /16 init() maps
 * onto it; regionet_traffic2/3 are likewise oversized for /24 and /27.
 */
static int regionet_traffic1[256*256*4];
static int regionet_traffic2[256*4];
static int regionet_traffic3[32*4];
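static unsigned int
ipt_regionet_target(struct sk_buff **pskb,
                    unsigned int hooknum,
                    const struct net_device *in,
                    const struct net_device *out,
                    const void *targinfo,
                    void *userinfo)
{
	/*
	 * Per-packet target.  The IP total length of the packet is added to
	 * the byte counter of its source and/or destination address in every
	 * monitored network that contains that address.  Every 10000 packets
	 * all non-zero counters are printed as ipt_LOG-style
	 * "SRC=a.b.c.d LEN=n" lines with the rule's log level.  The counters
	 * are cumulative: they are zeroed in init() only, never after a dump,
	 * and being int they overflow after ~2 GiB for a single address.
	 *
	 * Always returns IPT_CONTINUE; the target only observes traffic.
	 * hooknum, in, out and userinfo are unused.
	 */
	const struct iphdr *iph = (*pskb)->nh.iph;
	const struct ipt_log_info *loginfo = targinfo;
	char level_string[4] = "< >";   /* "<N>" level prefix, built like ipt_LOG does */
	u_int32_t saddr = ntohl(iph->saddr);
	u_int32_t daddr = ntohl(iph->daddr);
	unsigned int len = ntohs(iph->tot_len);
	int dump;
	int i;

	/*
	 * The hook can run on several CPUs at once, so the packet counter and
	 * the per-address counters are read-modify-written under the module
	 * lock.  The lock also covers the dump so its printks do not
	 * interleave and it reads a table that is not being updated.
	 */
	spin_lock_bh(&regionet_lock);

	regionet_counter++;
	dump = regionet_counter > 10000;
	if (dump)
		regionet_counter = 0;

	for (i = 0; i < regionet_networks; i++) {
		/*
		 * The table index is the host part of the address.  init()
		 * sizes each table from its netmask, but the bound is checked
		 * here as well so a slot whose mask and size disagree can
		 * never write past regionet_traffic[i].
		 */
		if ((saddr & regionet_netmask[i]) == regionet_network[i]) {
			u_int32_t off = saddr - regionet_network[i];
			if (off < (u_int32_t)regionet_netsize[i])
				regionet_traffic[i][off] += len;
		}
		if ((daddr & regionet_netmask[i]) == regionet_network[i]) {
			u_int32_t off = daddr - regionet_network[i];
			if (off < (u_int32_t)regionet_netsize[i])
				regionet_traffic[i][off] += len;
		}
	}

	if (dump) {
		/*
		 * NOTE: this prints one line per active address from the
		 * packet path with the lock held; for a /16 that can be tens
		 * of thousands of printks.  A timer or work queue would be a
		 * better place for the dump.
		 */
		level_string[1] = '0' + (loginfo->level % 8);
		printk("Neue Traffic Liste:\n");
		for (i = 0; i < regionet_networks; i++) {
			long j;
			for (j = 0; j < regionet_netsize[i]; j++) {
				u_int32_t myip;
				if (!regionet_traffic[i][j])
					continue;
				myip = regionet_network[i] + j;
				/* Two printks as in ipt_LOG: level prefix, then the record. */
				printk("%s", level_string);
				printk("SRC=%u.%u.%u.%u LEN=%u\n", HIPQUAD(myip),
				       (unsigned int)regionet_traffic[i][j]);
			}
		}
	}

	spin_unlock_bh(&regionet_lock);
	return IPT_CONTINUE;
}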
static int ipt_regionet_checkentry(const char *tablename,
                                   const struct ipt_entry *e,
                                   void *targinfo,
                                   unsigned int targinfosize,
                                   unsigned int hook_mask)
{
	/*
	 * Validates the rule's target info.  The module reuses ipt_LOG's
	 * struct ipt_log_info, so the checks are ipt_LOG's: exact (aligned)
	 * size, log level below 8, NUL-terminated prefix.  Returns 1 to
	 * accept the rule and 0 to reject it.  tablename, e and hook_mask
	 * are unused.
	 */
	const struct ipt_log_info *loginfo = targinfo;
	const unsigned int expected = IPT_ALIGN(sizeof(struct ipt_log_info));
	int ok = 1;

	if (targinfosize != expected) {
		/* Size first: the fields below may not exist in a short buffer. */
		DEBUGP("LOG: targinfosize %u != %u\n", targinfosize, expected);
		ok = 0;
	} else if (loginfo->level >= 8) {
		DEBUGP("LOG: level %u >= 8\n", loginfo->level);
		ok = 0;
	} else if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
		DEBUGP("LOG: prefix term %i\n",
		       loginfo->prefix[sizeof(loginfo->prefix) - 1]);
		ok = 0;
	}
	return ok;
}
/*
 * Target registration.  The target name is "LOG", i.e. this module takes
 * over the name of the stock ipt_LOG target so that existing "-j LOG"
 * rules feed it unchanged; presumably registration fails while ipt_LOG
 * itself is loaded under that name (init() returns -EINVAL in that case).
 * Positional initializer in struct ipt_target order: list, name, target,
 * checkentry, destroy (none), me.
 */
static struct ipt_target ipt_regionet_reg
= { { NULL, NULL }, "LOG", ipt_regionet_target, ipt_regionet_checkentry, NULL,
THIS_MODULE };
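/*
 * Registers one network to monitor in the next free slot.
 *
 * The number of host addresses is derived from netmask (~netmask + 1);
 * it is stored in regionet_netsize[], must fit into table (which holds
 * table_entries ints) and is the length that gets zeroed, so mask, table
 * size and memset length cannot disagree.
 *
 * Returns 1 when the network was added, 0 when it was skipped because all
 * slots are in use, the mask is empty, table is NULL or too small.
 */
static int __init regionet_add_network(u_int32_t network, u_int32_t netmask,
                                       int *table, unsigned long table_entries)
{
	const unsigned long slots = sizeof(regionet_network) / sizeof(regionet_network[0]);
	unsigned long hosts;

	if (regionet_networks < 0 || (unsigned long)regionet_networks >= slots) {
		DEBUGP("REGIONET: no free slot for network %u.%u.%u.%u\n", HIPQUAD(network));
		return 0;
	}
	if (netmask == 0 || table == NULL) {
		DEBUGP("REGIONET: invalid entry for network %u.%u.%u.%u\n", HIPQUAD(network));
		return 0;
	}
	/* ~netmask is the host-part mask; +1 gives the host count (no overflow: netmask != 0). */
	hosts = (unsigned long)(u_int32_t)~netmask + 1;
	if (hosts > table_entries) {
		DEBUGP("REGIONET: table too small for network %u.%u.%u.%u (%lu > %lu)\n",
		       HIPQUAD(network), hosts, table_entries);
		return 0;
	}

	/* Store the network address normalized to its mask so the hook's
	 * (addr & mask) == network test cannot miss because of stray host bits. */
	regionet_network[regionet_networks] = network & netmask;
	regionet_netmask[regionet_networks] = netmask;
	regionet_netsize[regionet_networks] = hosts;
	regionet_traffic[regionet_networks] = table;
	memset(table, 0, hosts * sizeof(*table));
	regionet_networks++;
	return 1;
}

static int __init init(void)
{
	/*
	 * Module entry point: installs the compiled-in (site-specific) list
	 * of monitored networks, each backed by its own static table, then
	 * registers the target.  Returns 0 on success and -EINVAL when the
	 * target cannot be registered.
	 */
	regionet_counter = 0;
	regionet_networks = 0;

#if 1
	/* 172.26.0.0/16 */
	regionet_add_network(0xAC1A0000, 0xFFFF0000, regionet_traffic1,
	                     sizeof(regionet_traffic1) / sizeof(regionet_traffic1[0]));
#endif
#if 0
	/* 192.168.1.0/24 */
	regionet_add_network(0xC0A80100, 0xFFFFFF00, regionet_traffic2,
	                     sizeof(regionet_traffic2) / sizeof(regionet_traffic2[0]));
#endif
	/* 195.110.214.128/27 (mask 255.255.255.224) */
	regionet_add_network(0xC36ED680, 0xFFFFFFE0, regionet_traffic3,
	                     sizeof(regionet_traffic3) / sizeof(regionet_traffic3[0]));

	DEBUGP("REGIONET: Number of monitoring regionet_networks: %u\n", regionet_networks);
	if (ipt_register_target(&ipt_regionet_reg))
		return -EINVAL;
	return 0;
}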
/*
 * Module exit: unregisters the "LOG" target.  The counter tables are
 * static storage, so nothing is freed here.
 */
static void __exit fini(void)
{
ipt_unregister_target(&ipt_regionet_reg);
}
/* Module hooks; the license tag keeps the kernel from marking itself tainted. */
module_init(init);
module_exit(fini);
MODULE_LICENSE("GPL");
[-- Attachment #3: Makefile --]
[-- Type: text/x-makefile, Size: 588 bytes --]
# Builds the module as a 2.4-style .o against the SuSE 2.4.20 kernel tree;
# the include path and -march are specific to that build host.
all: ipt_REGIONET.o
ipt_REGIONET.o: ipt_REGIONET.c
gcc -D__KERNEL__ -I/usr/src/linux-2.4.20.SuSE/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -Wno-sign-compare -finline-limit=2000 -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon -DMODULE -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_REGIONET -c -o ipt_REGIONET.o ipt_REGIONET.c
# Swaps the module on a live host: the firewall is stopped so the target can
# be unloaded and reloaded, then the ruleset is reapplied.  Note the host is
# unfiltered between the stop and the start lines.
test: ipt_REGIONET.o
/etc/rc.d/SuSEfirewall2_setup stop
rmmod ipt_REGIONET || true
insmod ipt_REGIONET.o
/etc/rc.d/SuSEfirewall2_setup start
/etc/rc.d/SuSEfirewall2_final start