[ULOGD PATCH 0/3] Add event type to NFCT plugin

[ULOGD PATCH 0/3] Add event type to NFCT plugin

[Eric Leblond]

Hi,

The following patchset contains a light configuration file improvement and a
work on NFCT.

NFCT default configuration was to compute internally all information relative
to a conntrack entry. With this setup the only logged message is the destroy
event. This patchset adds a configuration variable (event_mask) which is used
to defined the type of message ulogd listen to. It also modify the behaviour
of NFCT plugin to dump the event type (a ct.event key has been added). Finally
support for event type display has been added to the printflow filter.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[ULOGD PATCH 1/3] Add some plugin loading and stack example to configuration file.

[Eric Leblond]

This patch updates included configuration file example by adding some plugins
loading and stack example.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 ulogd.conf.in |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/ulogd.conf.in b/ulogd.conf.in
index d2c038c..ff46146 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -33,6 +33,7 @@ bufsize=150000
 
 
 plugin="@libdir@/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="@libdir@/ulogd/ulogd_inppkt_ULOG.so"
 plugin="@libdir@/ulogd/ulogd_inpflow_NFCT.so"
 plugin="@libdir@/ulogd/ulogd_filter_IFINDEX.so"
 plugin="@libdir@/ulogd/ulogd_filter_IP2STR.so"
@@ -40,7 +41,11 @@ plugin="@libdir@/ulogd/ulogd_filter_IP2BIN.so"
 plugin="@libdir@/ulogd/ulogd_filter_PRINTPKT.so"
 plugin="@libdir@/ulogd/ulogd_filter_PRINTFLOW.so"
 plugin="@libdir@/ulogd/ulogd_output_LOGEMU.so"
+plugin="@libdir@/ulogd/ulogd_output_SYSLOG.so"
 plugin="@libdir@/ulogd/ulogd_output_OPRINT.so"
+#plugin="@libdir@/ulogd/ulogd_output_PCAP.so"
+#plugin="@libdir@/ulogd/ulogd_output_PGSQL.so"
+#plugin="@libdir@/ulogd/ulogd_output_MYSQL.so"
 plugin="@libdir@/ulogd/ulogd_raw2packet_BASE.so"
 
 # this is a stack for IPv4 packet-based logging via LOGEMU
@@ -61,6 +66,9 @@ plugin="@libdir@/ulogd/ulogd_raw2packet_BASE.so"
 # this is a stack for flow-based logging via OPRINT
 #stack=ct1:NFCT,op1:OPRINT
 
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log1:NFLOG,base1:BASE,pcap1:PCAP
+
 # this is a stack for logging packet to MySQL
 #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mysql1:MYSQL
 
@@ -102,6 +110,9 @@ sync=1
 file="/var/log/ulogd_oprint.log"
 sync=1
 
+[pcap1]
+sync=1
+
 [mysql1]
 db="nulog"
 host="localhost"
-- 
1.5.4.3

Re: [ULOGD PATCH 1/3] Add some plugin loading and stack example to configuration file.

[Pablo Neira Ayuso]

Eric Leblond wrote:
> This patch updates included configuration file example by adding some plugins
> loading and stack example.

Applied. Thanks Eric.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[ULOGD PATCH 2/3] Add event output and make event mask configurable in NFCT.

[Eric Leblond]

This patch contains two linked modifications in NFCT input plugin:
 - event mask is now configurable though the event_mask configuration variable
 - event type is now stored in the ct.event output key. This can be used to
 display the information or to use it to implement some tracking algorithm in
 userspace.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 input/flow/ulogd_inpflow_NFCT.c |   55 ++++++++++++++++++++++++++++----------
 1 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 1843acb..b64e85f 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -66,9 +66,10 @@ struct nfct_pluginstance {
 
 #define HTABLE_SIZE	(8192)
 #define MAX_ENTRIES	(4 * HTABLE_SIZE)
+#define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 5,
+	.num_ces = 6,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -100,6 +101,13 @@ static struct config_keyset nfct_kset = {
 			.options = CONFIG_OPT_NONE,
 			.u.value = MAX_ENTRIES,
 		},
+		{
+			.key	 = "event_mask",
+			.type	 = CONFIG_TYPE_INT,
+			.options = CONFIG_OPT_NONE,
+			.u.value = EVENT_MASK,
+		},
+
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -107,6 +115,7 @@ static struct config_keyset nfct_kset = {
 #define prealloc_ce(x)	(x->ces[2])
 #define buckets_ce(x)	(x->ces[3])
 #define maxentries_ce(x) (x->ces[4])
+#define eventmask_ce(x) (x->ces[5])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -127,6 +136,7 @@ enum nfct_keys {
 	NFCT_ICMP_TYPE,
 	NFCT_CT_MARK,
 	NFCT_CT_ID,
+	NFCT_CT_EVENT,
 	NFCT_FLOW_START_SEC,
 	NFCT_FLOW_START_USEC,
 	NFCT_FLOW_END_SEC,
@@ -301,6 +311,12 @@ static struct ulogd_key nfct_okeys[] = {
 		},
 	},
 	{
+		.type	= ULOGD_RET_UINT32,
+		.flags	= ULOGD_RETF_NONE,
+		.name	= "ct.event",
+	},
+
+	{
 		.type 	= ULOGD_RET_UINT32,
 		.flags 	= ULOGD_RETF_NONE,
 		.name	= "flow.start.sec",
@@ -559,28 +575,38 @@ static int event_handler(void *arg, unsigned int flags, int type,
 {
 	struct nfct_conntrack *ct = arg;
 	struct ulogd_pluginstance *upi = data;
-	struct ulogd_pluginstance *npi = NULL;
+	struct ulogd_key *kret = upi->output.keys;
 	struct nfct_pluginstance *cpi = 
 				(struct nfct_pluginstance *) upi->private;
+	struct ct_timestamp *ts = NULL;
+	struct ulogd_pluginstance *npi = NULL;
 	int ret = 0;
 
+
 	if (type == NFCT_MSG_NEW) {
-		if (usehash_ce(upi->config_kset).u.value != 0)
+		if (usehash_ce(upi->config_kset).u.value != 0) {
 			ct_hash_add(cpi->ct_active, ct->id);
+			return 0;
+		}
 	} else if (type == NFCT_MSG_DESTROY) {
-		struct ct_timestamp *ts = NULL;
-
 		if (usehash_ce(upi->config_kset).u.value != 0)
 			ts = ct_hash_get(cpi->ct_active, ct->id);
+	}
 
-		llist_for_each_entry(npi, &upi->plist, plist) {
-			ret = propagate_ct(npi, ct, flags, ts);
-			if (ret != 0)
-				return ret;
-		}
-		return propagate_ct(upi, ct, flags, ts);
+	llist_for_each_entry(npi, &upi->plist, plist) {
+		kret = npi->output.keys;
+		kret[NFCT_CT_EVENT].u.value.ui32 = type;
+		kret[NFCT_CT_EVENT].flags |= ULOGD_RETF_VALID;
+
+		ret = propagate_ct(npi, ct, flags, ts);
+		if (ret != 0)
+			return ret;
 	}
-	return 0;
+
+	kret[NFCT_CT_EVENT].u.value.ui32 = type;
+	kret[NFCT_CT_EVENT].flags |= ULOGD_RETF_VALID;
+
+	return propagate_ct(upi, ct, flags, ts);
 }
 
 static int read_cb_nfct(int fd, unsigned int what, void *param)
@@ -638,9 +664,8 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 			(struct nfct_pluginstance *)upi->private;
 	int prealloc;
 
-	/* FIXME: make eventmask configurable */
-	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK, NF_NETLINK_CONNTRACK_NEW|
-			     NF_NETLINK_CONNTRACK_DESTROY);
+	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK,
+			     eventmask_ce(upi->config_kset).u.value);
 	if (!cpi->cth) {
 		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
 		return -1;
-- 
1.5.4.3

Re: [ULOGD PATCH 2/3] Add event output and make event mask configurable in NFCT.

[Pablo Neira Ayuso]

Eric Leblond wrote:
> This patch contains two linked modifications in NFCT input plugin:
>  - event mask is now configurable though the event_mask configuration variable
>  - event type is now stored in the ct.event output key. This can be used to
>  display the information or to use it to implement some tracking algorithm in
>  userspace.

Just minor a cleanup glitch.

> @@ -559,28 +575,38 @@ static int event_handler(void *arg, unsigned int flags, int type,
>  {
>  	struct nfct_conntrack *ct = arg;
>  	struct ulogd_pluginstance *upi = data;
> -	struct ulogd_pluginstance *npi = NULL;
> +	struct ulogd_key *kret = upi->output.keys;
>  	struct nfct_pluginstance *cpi = 
>  				(struct nfct_pluginstance *) upi->private;
> +	struct ct_timestamp *ts = NULL;
> +	struct ulogd_pluginstance *npi = NULL;
>  	int ret = 0;
>  
> +
>  	if (type == NFCT_MSG_NEW) {
> -		if (usehash_ce(upi->config_kset).u.value != 0)
> +		if (usehash_ce(upi->config_kset).u.value != 0) {
>  			ct_hash_add(cpi->ct_active, ct->id);
> +			return 0;
> +		}
>  	} else if (type == NFCT_MSG_DESTROY) {
> -		struct ct_timestamp *ts = NULL;
> -
>  		if (usehash_ce(upi->config_kset).u.value != 0)
>  			ts = ct_hash_get(cpi->ct_active, ct->id);
> +	}
>  
> -		llist_for_each_entry(npi, &upi->plist, plist) {
> -			ret = propagate_ct(npi, ct, flags, ts);
> -			if (ret != 0)
> -				return ret;
> -		}
> -		return propagate_ct(upi, ct, flags, ts);
> +	llist_for_each_entry(npi, &upi->plist, plist) {
> +		kret = npi->output.keys;
> +		kret[NFCT_CT_EVENT].u.value.ui32 = type;
> +		kret[NFCT_CT_EVENT].flags |= ULOGD_RETF_VALID;

Better move this ^^^^ inside propagate_ct()?

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[Resend ULOGD PATCH] Add event output and make event mask configurable in NFCT.

[Eric Leblond]

Hello,

Here's the modification following your recommandation. That's better like that :)

BR,

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 input/flow/ulogd_inpflow_NFCT.c |   53 ++++++++++++++++++++++++++++-----------
 1 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 1843acb..7ca545f 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -66,9 +66,10 @@ struct nfct_pluginstance {
 
 #define HTABLE_SIZE	(8192)
 #define MAX_ENTRIES	(4 * HTABLE_SIZE)
+#define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 5,
+	.num_ces = 6,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -100,6 +101,13 @@ static struct config_keyset nfct_kset = {
 			.options = CONFIG_OPT_NONE,
 			.u.value = MAX_ENTRIES,
 		},
+		{
+			.key	 = "event_mask",
+			.type	 = CONFIG_TYPE_INT,
+			.options = CONFIG_OPT_NONE,
+			.u.value = EVENT_MASK,
+		},
+
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -107,6 +115,7 @@ static struct config_keyset nfct_kset = {
 #define prealloc_ce(x)	(x->ces[2])
 #define buckets_ce(x)	(x->ces[3])
 #define maxentries_ce(x) (x->ces[4])
+#define eventmask_ce(x) (x->ces[5])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -127,6 +136,7 @@ enum nfct_keys {
 	NFCT_ICMP_TYPE,
 	NFCT_CT_MARK,
 	NFCT_CT_ID,
+	NFCT_CT_EVENT,
 	NFCT_FLOW_START_SEC,
 	NFCT_FLOW_START_USEC,
 	NFCT_FLOW_END_SEC,
@@ -301,6 +311,12 @@ static struct ulogd_key nfct_okeys[] = {
 		},
 	},
 	{
+		.type	= ULOGD_RET_UINT32,
+		.flags	= ULOGD_RETF_NONE,
+		.name	= "ct.event",
+	},
+
+	{
 		.type 	= ULOGD_RET_UINT32,
 		.flags 	= ULOGD_RETF_NONE,
 		.name	= "flow.start.sec",
@@ -454,11 +470,16 @@ static struct ct_timestamp *ct_hash_get(struct ct_htable *htable, uint32_t id)
 static int propagate_ct(struct ulogd_pluginstance *upi,
 			struct nfct_conntrack *ct,
 			unsigned int flags,
+			int type,
 			struct ct_timestamp *ts)
 {
 	struct ulogd_key *ret = upi->output.keys;
 	int dir;
 	
+
+	ret[NFCT_CT_EVENT].u.value.ui32 = type;
+	ret[NFCT_CT_EVENT].flags |= ULOGD_RETF_VALID;
+
 	dir = NFCT_DIR_ORIGINAL;
 	ret[NFCT_ORIG_IP_SADDR].u.value.ui32 = htonl(ct->tuple[dir].src.v4);
 	ret[NFCT_ORIG_IP_SADDR].flags |= ULOGD_RETF_VALID;
@@ -559,28 +580,31 @@ static int event_handler(void *arg, unsigned int flags, int type,
 {
 	struct nfct_conntrack *ct = arg;
 	struct ulogd_pluginstance *upi = data;
-	struct ulogd_pluginstance *npi = NULL;
+	struct ulogd_key *kret = upi->output.keys;
 	struct nfct_pluginstance *cpi = 
 				(struct nfct_pluginstance *) upi->private;
+	struct ct_timestamp *ts = NULL;
+	struct ulogd_pluginstance *npi = NULL;
 	int ret = 0;
 
+
 	if (type == NFCT_MSG_NEW) {
-		if (usehash_ce(upi->config_kset).u.value != 0)
+		if (usehash_ce(upi->config_kset).u.value != 0) {
 			ct_hash_add(cpi->ct_active, ct->id);
+			return 0;
+		}
 	} else if (type == NFCT_MSG_DESTROY) {
-		struct ct_timestamp *ts = NULL;
-
 		if (usehash_ce(upi->config_kset).u.value != 0)
 			ts = ct_hash_get(cpi->ct_active, ct->id);
+	}
 
-		llist_for_each_entry(npi, &upi->plist, plist) {
-			ret = propagate_ct(npi, ct, flags, ts);
-			if (ret != 0)
-				return ret;
-		}
-		return propagate_ct(upi, ct, flags, ts);
+	llist_for_each_entry(npi, &upi->plist, plist) {
+		ret = propagate_ct(npi, ct, flags, type, ts);
+		if (ret != 0)
+			return ret;
 	}
-	return 0;
+
+	return propagate_ct(upi, ct, flags, type, ts);
 }
 
 static int read_cb_nfct(int fd, unsigned int what, void *param)
@@ -638,9 +662,8 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 			(struct nfct_pluginstance *)upi->private;
 	int prealloc;
 
-	/* FIXME: make eventmask configurable */
-	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK, NF_NETLINK_CONNTRACK_NEW|
-			     NF_NETLINK_CONNTRACK_DESTROY);
+	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK,
+			     eventmask_ce(upi->config_kset).u.value);
 	if (!cpi->cth) {
 		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
 		return -1;
-- 
1.5.2.5

Re: [Resend ULOGD PATCH] Add event output and make event mask configurable in NFCT.

[Pablo Neira Ayuso]

Eric Leblond wrote:
> Hello,
> 
> Here's the modification following your recommandation. That's better like that :)

Applied. Thanks. Eric, please refresh your tree against SVN to make sure
that patches apply cleanly. I'll keep iterating over the remaining
patches along today.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [Resend ULOGD PATCH] Add event output and make event mask configurable in NFCT.

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 822 bytes --]

Hi,

On Wednesday, 2008 March 26 at 10:34:03 +0100, Pablo Neira Ayuso wrote:
> Eric Leblond wrote:
> > Hello,
> > 
> > Here's the modification following your recommandation. That's better like that :)
> 
> Applied. Thanks. Eric, please refresh your tree against SVN to make sure
> that patches apply cleanly. I'll keep iterating over the remaining
> patches along today.

I've tested and applied all my not applied ulogd2 patches other current
subversion tree. They apply cleanly. I've published a git tree which
contains this patches.

Git tree: http://home.regit.org/~regit/git/ulogd2.git
Gitweb: http://home.regit.org/cgi-bin/gitweb.cgi?p=ulogd2.git;a=shortlog;h=ML

The ML branch is the one containing all the patches.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [Resend ULOGD PATCH] Add event output and make event mask configurable in NFCT.

[Pablo Neira Ayuso]

Eric Leblond wrote:
> I've tested and applied all my not applied ulogd2 patches other current
> subversion tree. They apply cleanly. I've published a git tree which
> contains this patches.
> 
> Git tree: http://home.regit.org/~regit/git/ulogd2.git
> Gitweb: http://home.regit.org/cgi-bin/gitweb.cgi?p=ulogd2.git;a=shortlog;h=ML
> 
> The ML branch is the one containing all the patches.

I'm not against the fact of having you all personal git trees with your
developments. However, it make more sense to me to keep development
trees if you have something that will take some time (for different
reasons [1]) to get into mainline, like for example, Krisztian Kovacs's
tproxy.

For ulogd patches or, in general, patches for whatever that has been
posted in the ML. I think it's a bit too much as we'll keep in sync as
soon as I apply them, and that will happen once I remove a bit the load
of work that I have on top of me :)

Of course, this is my personal opinion.

[1] features that requires several patch-rounds in order to discuss the
best solution, features that implies intrusive changes, etc.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [Resend ULOGD PATCH] Add event output and make event mask configurable in NFCT.

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 1119 bytes --]

Hello,

On Saturday, 2008 April  5 at 17:29:20 +0200, Pablo Neira Ayuso wrote:
> Eric Leblond wrote:
> > I've tested and applied all my not applied ulogd2 patches other current
> > subversion tree. They apply cleanly. I've published a git tree which
> > contains this patches.
> > 
> > Git tree: http://home.regit.org/~regit/git/ulogd2.git
> > Gitweb: http://home.regit.org/cgi-bin/gitweb.cgi?p=ulogd2.git;a=shortlog;h=ML
> > 
> > The ML branch is the one containing all the patches.
> 
> I'm not against the fact of having you all personal git trees with your
> developments. However, it make more sense to me to keep development
> trees if you have something that will take some time (for different
> reasons [1]) to get into mainline, like for example, Krisztian Kovacs's
> tproxy.

In fact, it was just informative. I just give you the address in case
you may find some advantage in using it to retrieve the patches.

This git tree is only used internally at INL to be able to develop other
the subversion tree.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[ULOGD PATCH 3/3] Modify printflow filter to display event type in output message.

[Eric Leblond]

This patch adds support of event type display in printflow filter. This is used
to display event type in textual output modules. Here's an output example:

[DESTROY] ORIG: SRC=192.168.1.2 DST=192.168.1.255 PROTO=UDP SPT=631 DPT=631 \\
	PKTS=1 BYTES=197 , REPLY: SRC=192.168.1.255 DST=192.168.1.2 \\
	PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 include/ulogd/printflow.h |    2 +-
 util/printflow.c          |   20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/include/ulogd/printflow.h b/include/ulogd/printflow.h
index 979f673..b793426 100644
--- a/include/ulogd/printflow.h
+++ b/include/ulogd/printflow.h
@@ -1,7 +1,7 @@
 #ifndef _PRINTFLOW_H
 #define _PRINTFLOW_H
 
-#define FLOW_IDS 16
+#define FLOW_IDS 17
 extern struct ulogd_key printflow_keys[FLOW_IDS];
 
 int printflow_print(struct ulogd_key *res, char *buf);
diff --git a/util/printflow.c b/util/printflow.c
index 92c4f0f..6c2ffd5 100644
--- a/util/printflow.c
+++ b/util/printflow.c
@@ -45,6 +45,7 @@ enum printflow_fields {
 	PRINTFLOW_REPLY_RAW_PKTCOUNT,
 	PRINTFLOW_ICMP_CODE,
 	PRINTFLOW_ICMP_TYPE,
+	PRINTFLOW_EVENT_TYPE,
 };
 
 struct ulogd_key printflow_keys[FLOW_IDS] = {
@@ -128,6 +129,11 @@ struct ulogd_key printflow_keys[FLOW_IDS] = {
 		.flags = ULOGD_RETF_NONE,
 		.name = "icmp.type",
 	},
+	{
+		.type = ULOGD_RET_UINT32,
+		.flags = ULOGD_RETF_NONE,
+		.name = "ct.event",
+	},
 };
 int printflow_keys_num = sizeof(printflow_keys)/sizeof(*printflow_keys);
 
@@ -139,6 +145,20 @@ int printflow_print(struct ulogd_key *res, char *buf)
 {
 	char *buf_cur = buf;
 
+	if (pp_is_valid(res, PRINTFLOW_EVENT_TYPE)) {
+		switch (GET_VALUE(res, PRINTFLOW_EVENT_TYPE).ui32) {
+			case 1:
+				buf_cur += sprintf(buf_cur, "[NEW] ");
+				break;
+			case 2:
+				buf_cur += sprintf(buf_cur, "[UPDATE] ");
+				break;
+			case 3:
+				buf_cur += sprintf(buf_cur, "[DESTROY] ");
+				break;
+		}
+	}
+
 	buf_cur += sprintf(buf_cur, "ORIG: ");
 
 	if (pp_is_valid(res, PRINTFLOW_ORIG_IP_SADDR))
-- 
1.5.4.3

Re: [ULOGD PATCH 3/3] Modify printflow filter to display event type in output message.

[Pablo Neira Ayuso]

Eric Leblond wrote:
> This patch adds support of event type display in printflow filter. This is used
> to display event type in textual output modules. Here's an output example:
> 
> [DESTROY] ORIG: SRC=192.168.1.2 DST=192.168.1.255 PROTO=UDP SPT=631 DPT=631 \\
> 	PKTS=1 BYTES=197 , REPLY: SRC=192.168.1.255 DST=192.168.1.2 \\
> 	PROTO=UDP SPT=631 DPT=631 PKTS=0 BYTES=0

Also applied. Thanks.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers