From: Roberto Nibali <ratz@drugphish.ch>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: New logging module
Date: Sun, 07 Sep 2003 21:13:00 +0200
Message-ID: <3F5B833C.601@drugphish.ch>
In-Reply-To: <Pine.LNX.4.44.0309060259570.4937-100000@filer.marasystems.com>

Hi Henrik,

> 3 looks very interesting and is something which we have been thinking we
> need for a long time to implement meaningful accounting in an
> iptables+conntrack+NAT based firewall.
>
> What we have considered to log from conntrack is maybe a little more than
> described above:
>
> 1. Start of session
>
> 2. Periodically while the conntrack session is active (preferably
> by a configurable interval)
>
> 3. End of session

SLOG was designed to handle 1 and 3 but is easily extensible with 2,
provided someone finishes the work.

> with byte and packet counters in both directions.
>
> '2' to be able to account "last 5 minutes of traffic" even if there are
> long-running sessions, but not too often. Once per accounting interval
> used is required, more often is overhead, less gives less accuracy than
> desired for the accounting.
>
> Do you know if anyone else is attempting to do this? If not we might give
> it a stab shortly..

As Harald mentioned, there is the SLOG target patch which we started
once in our company based on a student's semester work. You can find the
current drop here:

http://www.drugphish.ch/patches/ratz/netfilter/

I have not touched much of it since its first write and it currently
crashes the kernel. Another problem is that I simply didn't have the
time to track {ct,nf}-netlink changes. So the status of the patch is the
following:

o based on 2.4.18, which means that it will _not_ work and most
  definitely not even apply to recent kernels anymore.
o The development version (the one with the correct implementation of 1
  and 3) crashes upon reception of the first packet for SLOG which is
  most probably a missing initialisation in the timer handling.
o the user-space patch should be pretty easy to forward port.
o I had 4 people using the non-development version and giving me
  feedback but I haven't heard back from them since.

Please contact me privately if you're interested in working on SLOG.

Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc