Logging NAT translations?

Logging NAT translations?

[Chris Green]

Hey folks,

Is there a way to log the translations that occur in the NAT table?

I'd prefer an something along the lines of listening to a netlink
socket but I'm having a hard time finding information on doing this.
If this doesn't exist already, can anyone give me pointers on
implementing it?

The closest I've found is nfnetlink-ctnetlink.  Anyone know what the
status of this is?  I know it doesn't work with 2.6 and I've been told
it doesn't work with recent 2.4s either.

Cheers,
Chris
-- 
Chris Green <cmg@dok.org>
You now have 14 minutes to reach minimum safe distance.

Re: Logging NAT translations?

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 898 bytes --]

On Wed, Jul 28, 2004 at 05:07:41PM -0400, Chris Green wrote:

> The closest I've found is nfnetlink-ctnetlink.  

Yes, this should provide you with all information you need.

> Anyone know what the status of this is?  I know it doesn't work with
> 2.6 and I've been told it doesn't work with recent 2.4s either.

then someone needs to do some porting/merging work... patches
appreciated ;)

This is still not in the mainline kernel, because the netlink message
format is still not stable.

> Cheers,
> Chris

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Logging NAT translations?

[Chris Green]

[-- Attachment #1: Type: text/plain, Size: 831 bytes --]

Harald Welte <laforge@netfilter.org> writes:

> then someone needs to do some porting/merging work... patches
> appreciated ;)

Ok... I'm happy to work on it if I can get some pointers on where/how
development should happen.

I'm guessing HEAD iptables, HEAD patch-o-matic-ng, linux-2.6.7?

The requirements hierarchy is a pain for me to figure out. Shouldn't
be too bad to generate a graphviz digraph for it though.

For POM-NG, should I be doing:

./runme pending
./runme nfnetlink-ctnetlink-0.13

or should I walk through the deps in nfnetlink-ctnetlink-0.13/info,
apply/fix all of those patches recursively.

For fixing a single patch, what should the .orig tree be? The tree
with all dependencies applied?

Any guidance on tree mangagement would be appreciated.

Thanks,
Chris
-- 
Chris Green <cmg@dok.org>
Chicken's thinkin'

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: Logging NAT translations?

[Chris Green]

[-- Attachment #1: Type: text/plain, Size: 415 bytes --]

Chris Green <cmg@dok.org> writes:
>
> The requirements hierarchy is a pain for me to figure out. Shouldn't
> be too bad to generate a graphviz digraph for it though.

I'm a fool.  Didn't realize that ! meant conflict not obscure
dependency syntax.

I would still appreciate patch management recommendations however :>
-- 
Chris Green <cmg@dok.org>
This is my signature. There are many like it but this one is mine.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: Logging NAT translations?

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 1527 bytes --]


Hi Harald, hi Chris,

On Sun, Aug 01, 2004 at 07:01:53PM +0200, Harald Welte told us:
> On Wed, Jul 28, 2004 at 05:07:41PM -0400, Chris Green wrote:
> 
> > The closest I've found is nfnetlink-ctnetlink.  
> 
> Yes, this should provide you with all information you need.
> 
> > Anyone know what the status of this is?  I know it doesn't work with
> > 2.6 and I've been told it doesn't work with recent 2.4s either.
> 
> then someone needs to do some porting/merging work... patches
> appreciated ;)


just jumping in here as I've done some basic porting work on
nfnetlink-ctnetlink some time ago which wasn't a big pain to get it
working on a 2.6.x kernel.  But in the meantime there were some changes
in the NAT/conntrack subsystem which I had to resolve to get the patch
working and still have to, but, you know, no time left for this :-) I
think those changes were around 2.6.3 kernel.
I'll see if I still can find my old work and if I can do something
to get it working on a recent 2.6.x kernel. But don't hold your
breath, time is quite limited as always (like probably everybody
here knows :-)


Sven

> 
> This is still not in the mainline kernel, because the netlink message
> format is still not stable.
> 
> > Cheers,
> > Chris
> 
> -- 
> - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/

-- 
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
 18:10:07  up 14 days, 19:38,  1 user,  load average: 0.00, 0.03, 0.00

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Logging NAT translations?

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 736 bytes --]

> I'll see if I still can find my old work and if I can do something
> to get it working on a recent 2.6.x kernel. But don't hold your
> breath, time is quite limited as always (like probably everybody
> here knows :-)

even if it only works with 2.6.2/2.6.3, it might be worth sending your
patch to the devel list, so somebody else can pick up.

> Sven

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Logging NAT translations?

[Sven Schuster]

[-- Attachment #1.1: Type: text/plain, Size: 1186 bytes --]


[Resending this to netfilter-devel as this has been rejected because
 of the size of the attached patch. Patch is now gzipped.]


Hi Harald,

On Mon, Aug 02, 2004 at 07:13:01PM +0200, Harald Welte told us:
> > I'll see if I still can find my old work and if I can do something
> > to get it working on a recent 2.6.x kernel. But don't hold your
> > breath, time is quite limited as always (like probably everybody
> > here knows :-)
>
> even if it only works with 2.6.2/2.6.3, it might be worth sending your
> patch to the devel list, so somebody else can pick up.
>

this was actually what I was intended to do. Attached you'll find a
patch against current pom-ng which updates nfnetlink-ctnetlink to
be able to apply it to 2.6. I did a short test with 2.6.3, it applied
cleanly and should compile, too. I tested it using the ctnltest.c
program which is now located in the libctnetlink module in CVS.


Sven

> -- 
> - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/

-- 
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
 19:56:19  up 14 days, 21:24,  2 users,  load average: 0.38, 0.84, 0.49

[-- Attachment #1.2: nfnl-ctnl.patch.gz --]
[-- Type: application/x-gzip, Size: 52465 bytes --]

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]