* [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant
@ 2008-03-26 22:49 Eric Leblond
  2008-03-26 22:49 ` [ULOGD PATCH 1/6] Make arp related key optional Eric Leblond
                   ` (5 more replies)
  0 siblings, 6 replies; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel

Hi,

This patchset contains several modifications which were necessary to make
the NFCT plugin IPv6 compliant.

Some code factorization has been made to avoid duplicating code:
- Make arp related key optional.
- Use IP2STR keys in PRINTFLOW module.
The last patch suppresses IP to string translation in the PRINTFLOW module but
lets IP2STR do the work.

Some fixes have been made on existing code:
- Fix display of IPv6 address.
- Fix typo in error message.
- Fix display of DESTROY event.

And finally, NFCT plugin has been ported to the new API.
- Port of NFCT plugin to new libnetfilter_conntrack API.

I will soon send another patchset with SQL schema modification and an upgrade
of the example configuration file.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

* [ULOGD PATCH 1/6] Make arp related key optional.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  2008-04-05 15:31   ` Pablo Neira Ayuso
  2008-03-26 22:49 ` [ULOGD PATCH 2/6] Fix display of IPv6 address Eric Leblond
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

Arp related keys have to be optional to be able to use the IP2STR module
for flow display.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 54e7d94... 9f36d60... M	filter/ulogd_filter_IP2STR.c
 filter/ulogd_filter_IP2STR.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/filter/ulogd_filter_IP2STR.c b/filter/ulogd_filter_IP2STR.c
index 54e7d94..9f36d60 100644
--- a/filter/ulogd_filter_IP2STR.c
+++ b/filter/ulogd_filter_IP2STR.c
@@ -89,12 +89,12 @@ static struct ulogd_key ip2str_inp[] = {
 	},
 	[KEY_ARP_SPA] = {
 		.type = ULOGD_RET_IPADDR,
-		.flags = ULOGD_RETF_NONE,
+		.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
 		.name = "arp.saddr",
 	},
 	[KEY_ARP_TPA] = {
 		.type = ULOGD_RET_IPADDR,
-		.flags = ULOGD_RETF_NONE,
+		.flags = ULOGD_RETF_NONE|ULOGD_KEYF_OPTIONAL,
 		.name = "arp.daddr",
 	},
 };
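Review bot: making KEY_ARP_SPA and KEY_ARP_TPA optional is only safe if every read of those two keys in the ip2str conversion path is guarded by a validity check, because an optional input may simply be absent on a stack whose source plugin (the NFCT flow plugin this series targets) never emits arp.saddr/arp.daddr. The read side is not in this hunk, so please confirm it tests the key's ULOGD_RETF_VALID flag (or the pp_is_valid-style helper used elsewhere in ulogd) before formatting, otherwise an uninitialized value gets rendered as an address.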
-- 
1.5.2.5


* [ULOGD PATCH 2/6] Fix display of IPv6 address.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
  2008-03-26 22:49 ` [ULOGD PATCH 1/6] Make arp related key optional Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  2008-04-05 15:31   ` Pablo Neira Ayuso
  2008-03-26 22:49 ` [ULOGD PATCH 3/6] Fix typo in error message Eric Leblond
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

An error in the type of an argument in the call to inet_ntop was causing IPv6
addresses to be transformed into a string not really related to the real IPv6
address.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 9f36d60... e4ec06d... M	filter/ulogd_filter_IP2STR.c
 filter/ulogd_filter_IP2STR.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/filter/ulogd_filter_IP2STR.c b/filter/ulogd_filter_IP2STR.c
index 9f36d60..e4ec06d 100644
--- a/filter/ulogd_filter_IP2STR.c
+++ b/filter/ulogd_filter_IP2STR.c
@@ -174,7 +174,7 @@ static char *ip2str(struct ulogd_key *inp, int index)
 	switch (convfamily) {
 	case AF_INET6:
 		inet_ntop(AF_INET6,
-			  &GET_VALUE(inp, index).ptr,
+			  GET_VALUE(inp, index).ptr,
 			  tmp, sizeof(tmp));
 		break;
 	case AF_INET:
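Review bot: the fix is correct for the IPv6 branch: `&GET_VALUE(inp, index).ptr` handed inet_ntop the address of the pointer member inside the key's value union, so the 16 bytes it formatted were the pointer itself plus whatever followed it in the union, never the address the pointer refers to. While here, inet_ntop's return value is still ignored; it returns NULL with errno set to ENOSPC when `tmp` is too small, so a check such as `if (!inet_ntop(AF_INET6, GET_VALUE(inp, index).ptr, tmp, sizeof(tmp))) return NULL;` would avoid handing back whatever `tmp` happened to contain. A comment that `.ptr` must point at a `struct in6_addr` that stays valid until ip2str runs would also help, since patch 5/6 of this series stores a pointer into the library-owned nf_conntrack object there.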
-- 
1.5.2.5


* [ULOGD PATCH 3/6] Fix typo in error message.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
  2008-03-26 22:49 ` [ULOGD PATCH 1/6] Make arp related key optional Eric Leblond
  2008-03-26 22:49 ` [ULOGD PATCH 2/6] Fix display of IPv6 address Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  2008-04-05 15:32   ` Pablo Neira Ayuso
  2008-03-26 22:49 ` [ULOGD PATCH 4/6] Use IP2STR keys in PRINTFLOW module Eric Leblond
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

This patch fixes a typo in an error message.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 ef1c191... 249bde3... M	src/ulogd.c
 src/ulogd.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/ulogd.c b/src/ulogd.c
index ef1c191..249bde3 100644
--- a/src/ulogd.c
+++ b/src/ulogd.c
@@ -163,7 +163,7 @@ int ulogd_key_size(struct ulogd_key *key)
 		ret = key->len;
 		break;
 	default:
-		ulogd_log(ULOGD_ERROR, "don't know sizeo f unknown key "
+		ulogd_log(ULOGD_ERROR, "don't know sizeof unknown key "
 			  "`%s' type 0x%x\n", key->name, key->type);
 		ret = -1;
 		break;
-- 
1.5.2.5


* [ULOGD PATCH 4/6] Use IP2STR keys in PRINTFLOW module.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
                   ` (2 preceding siblings ...)
  2008-03-26 22:49 ` [ULOGD PATCH 3/6] Fix typo in error message Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  2008-04-05 15:35   ` Pablo Neira Ayuso
  2008-03-26 22:49 ` [ULOGD PATCH 5/6] Port of NFCT plugin to new libnetfilter_conntrack API Eric Leblond
  2008-03-26 22:49 ` [ULOGD PATCH 6/6] Fix display of DESTROY event Eric Leblond
  5 siblings, 1 reply; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

The PRINTFLOW module had its own code for string conversion of IPv6 addresses.
This patch changes the input keys of the module to use the conversion made by the
IP2STR module.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 6c2ffd5... 272ee4f... M	util/printflow.c
 util/printflow.c |   20 ++++++++------------
 1 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/util/printflow.c b/util/printflow.c
index 6c2ffd5..272ee4f 100644
--- a/util/printflow.c
+++ b/util/printflow.c
@@ -52,12 +52,12 @@ struct ulogd_key printflow_keys[FLOW_IDS] = {
 	{
 		.type = ULOGD_RET_IPADDR,
 		.flags = ULOGD_RETF_NONE,
-		.name = "orig.ip.saddr",
+		.name = "orig.ip.saddr.str",
 	},
 	{
 		.type = ULOGD_RET_IPADDR,
 		.flags = ULOGD_RETF_NONE,
-		.name = "orig.ip.daddr",
+		.name = "orig.ip.daddr.str",
 	},
 	{
 		.type = ULOGD_RET_UINT8,
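Review bot: the two keys renamed to `orig.ip.saddr.str` / `orig.ip.daddr.str` keep `.type = ULOGD_RET_IPADDR`, but after this patch they carry the NUL-terminated string produced by IP2STR rather than an address. Declare them with the string key type (ULOGD_RET_STRING in ulogd.h) so that ulogd_key_size() and any type check performed when stacks are resolved treat the value as a string instead of a 4- or 16-byte address.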
@@ -87,12 +87,12 @@ struct ulogd_key printflow_keys[FLOW_IDS] = {
 	{
 		.type = ULOGD_RET_IPADDR,
 		.flags = ULOGD_RETF_NONE,
-		.name = "reply.ip.saddr",
+		.name = "reply.ip.saddr.str",
 	},
 	{
 		.type = ULOGD_RET_IPADDR,
 		.flags = ULOGD_RETF_NONE,
-		.name = "reply.ip.daddr",
+		.name = "reply.ip.daddr.str",
 	},
 	{
 		.type = ULOGD_RET_UINT8,
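Review bot: same remark as for the orig.* keys above: `reply.ip.saddr.str` and `reply.ip.daddr.str` should be declared with the string key type rather than ULOGD_RET_IPADDR, since their value is now the IP2STR output.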
@@ -162,12 +162,10 @@ int printflow_print(struct ulogd_key *res, char *buf)
 	buf_cur += sprintf(buf_cur, "ORIG: ");
 
 	if (pp_is_valid(res, PRINTFLOW_ORIG_IP_SADDR))
-		buf_cur += sprintf(buf_cur, "SRC=%s ", inet_ntoa(
-				(struct in_addr) {htonl(GET_VALUE(res, PRINTFLOW_ORIG_IP_SADDR).ui32)}));
+		buf_cur += sprintf(buf_cur, "SRC=%s ", GET_VALUE(res, PRINTFLOW_ORIG_IP_SADDR).ptr);
 
 	if (pp_is_valid(res, PRINTFLOW_ORIG_IP_DADDR))
-		buf_cur += sprintf(buf_cur, "DST=%s ", inet_ntoa(
-				(struct in_addr) {htonl(GET_VALUE(res, PRINTFLOW_ORIG_IP_DADDR).ui32)}));
+		buf_cur += sprintf(buf_cur, "DST=%s ", GET_VALUE(res, PRINTFLOW_ORIG_IP_DADDR).ptr);
 
 	if (!pp_is_valid(res, PRINTFLOW_ORIG_IP_PROTOCOL))
 		goto orig_out;
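Review bot: the `%s` conversions write into `buf` through an unbounded sprintf, and this hunk lengthens the longest possible value: inet_ntoa produced at most 15 characters, while the IP2STR string for an IPv6 address can be up to INET6_ADDRSTRLEN-1 (45) characters, and printflow_print() emits four such fields per flow. Please confirm the caller's `buf` is sized for the IPv6 case, or better track the remaining space and use snprintf so a long address cannot overrun the buffer. Casting the `void *` returned by `GET_VALUE(...).ptr` to `char *` where it is passed to `%s` would also document the new contract.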
@@ -211,12 +209,10 @@ orig_out:
 	buf_cur += sprintf(buf_cur, ", REPLY: ");
 
 	if (pp_is_valid(res, PRINTFLOW_REPLY_IP_SADDR))
-		buf_cur += sprintf(buf_cur, "SRC=%s ", inet_ntoa(
-				(struct in_addr) {htonl(GET_VALUE(res, PRINTFLOW_REPLY_IP_SADDR).ui32)}));
+		buf_cur += sprintf(buf_cur, "SRC=%s ", GET_VALUE(res, PRINTFLOW_REPLY_IP_SADDR).ptr);
 
 	if (pp_is_valid(res, PRINTFLOW_REPLY_IP_DADDR))
-		buf_cur += sprintf(buf_cur, "DST=%s ", inet_ntoa(
-				(struct in_addr) {htonl(GET_VALUE(res, PRINTFLOW_REPLY_IP_DADDR).ui32)}));
+		buf_cur += sprintf(buf_cur, "DST=%s ", GET_VALUE(res, PRINTFLOW_REPLY_IP_DADDR).ptr);
 
 	if (!pp_is_valid(res, PRINTFLOW_REPLY_IP_PROTOCOL))
 		goto reply_out;
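Review bot: the same buffer-size concern as in the ORIG block applies to the REPLY addresses; because both blocks write into the same `buf`, its size should be checked once against the whole worst-case printflow_print() output (four 45-character addresses plus the fixed text) rather than per field.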
-- 
1.5.2.5


* [ULOGD PATCH 5/6] Port of NFCT plugin to new libnetfilter_conntrack API.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
                   ` (3 preceding siblings ...)
  2008-03-26 22:49 ` [ULOGD PATCH 4/6] Use IP2STR keys in PRINTFLOW module Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  2008-04-05 15:45   ` Pablo Neira Ayuso
  2008-03-26 22:49 ` [ULOGD PATCH 6/6] Fix display of DESTROY event Eric Leblond
  5 siblings, 1 reply; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

This patch is a port to the new libnetfilter_conntrack API of the NFCT
plugin. To be able to send IP addresses to the IP2STR and IP2BIN modules,
oob.family and oob.protocol keys have been added.

There is only a single function which is marked as deprecated. This is
nfct_dump_conntrack_table_reset_counters. This function is used to
periodically dump counters. By default, this feature is not used. IMHO we could
suppress this code and use conntrackd for similar tasks.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 19df32f... 5e5af87... M	input/flow/ulogd_inpflow_NFCT.c
 input/flow/ulogd_inpflow_NFCT.c |  146 ++++++++++++++++++++++-----------------
 1 files changed, 82 insertions(+), 64 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 19df32f..5e5af87 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -141,6 +141,8 @@ enum nfct_keys {
 	NFCT_FLOW_START_USEC,
 	NFCT_FLOW_END_SEC,
 	NFCT_FLOW_END_USEC,
+	NFCT_OOB_FAMILY,
+	NFCT_OOB_PROTOCOL,
 };
 
 static struct ulogd_key nfct_okeys[] = {
@@ -352,6 +354,16 @@ static struct ulogd_key nfct_okeys[] = {
 			.field_id	= IPFIX_flowEndSeconds,
 		},
 	},
+	{
+		.type	= ULOGD_RET_UINT8,
+		.flags	= ULOGD_RETF_NONE,
+		.name	= "oob.family",
+	},
+	{
+		.type	= ULOGD_RET_UINT8,
+		.flags	= ULOGD_RETF_NONE,
+		.name	= "oob.protocol",
+	},
 };
 
 static struct ct_htable *htable_alloc(int htable_size, int prealloc)
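Review bot: the two new entries rely on their position in nfct_okeys[] lining up with NFCT_OOB_FAMILY and NFCT_OOB_PROTOCOL appended at the end of enum nfct_keys; that is consistent with the rest of the array, but a designated initializer (`[NFCT_OOB_FAMILY] = { ... }`, as ip2str_inp[] already does in patch 1/6) would make the pairing explicit and survive a future reordering of either list.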
@@ -468,94 +480,100 @@ static struct ct_timestamp *ct_hash_get(struct ct_htable *htable, uint32_t id)
 }
 
 static int propagate_ct(struct ulogd_pluginstance *upi,
-			struct nfct_conntrack *ct,
-			unsigned int flags,
+			struct nf_conntrack *ct,
 			int type,
 			struct ct_timestamp *ts)
 {
 	struct ulogd_key *ret = upi->output.keys;
-	int dir;
-
+	
 	ret[NFCT_CT_EVENT].u.value.ui32 = type;
 	ret[NFCT_CT_EVENT].flags |= ULOGD_RETF_VALID;
 
-	dir = NFCT_DIR_ORIGINAL;
-	ret[NFCT_ORIG_IP_SADDR].u.value.ui32 = htonl(ct->tuple[dir].src.v4);
-	ret[NFCT_ORIG_IP_SADDR].flags |= ULOGD_RETF_VALID;
+	ret[NFCT_OOB_FAMILY].u.value.ui8 = nfct_get_attr_u8(ct, ATTR_L3PROTO);
+	ret[NFCT_OOB_FAMILY].flags |= ULOGD_RETF_VALID;
+	/* FIXME */
+	ret[NFCT_OOB_PROTOCOL].u.value.ui8 = 0;
+	ret[NFCT_OOB_PROTOCOL].flags |= ULOGD_RETF_VALID;
 
-	ret[NFCT_ORIG_IP_DADDR].u.value.ui32 = htonl(ct->tuple[dir].dst.v4);
-	ret[NFCT_ORIG_IP_DADDR].flags |= ULOGD_RETF_VALID;
+	switch (nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+		case AF_INET:
+			ret[NFCT_ORIG_IP_SADDR].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC);
+			ret[NFCT_ORIG_IP_SADDR].flags |= ULOGD_RETF_VALID;
+			ret[NFCT_ORIG_IP_DADDR].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_DST);
+			ret[NFCT_ORIG_IP_DADDR].flags |= ULOGD_RETF_VALID;
 
-	ret[NFCT_ORIG_IP_PROTOCOL].u.value.ui8 = ct->tuple[dir].protonum;
+			ret[NFCT_REPLY_IP_SADDR].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC);
+			ret[NFCT_REPLY_IP_SADDR].flags |= ULOGD_RETF_VALID;
+			ret[NFCT_REPLY_IP_DADDR].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST);
+			ret[NFCT_REPLY_IP_DADDR].flags |= ULOGD_RETF_VALID;
+
+			break;
+		case AF_INET6:
+			ret[NFCT_ORIG_IP_SADDR].u.value.ptr = (struct in6_addr *)nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
+			ret[NFCT_ORIG_IP_SADDR].flags |= ULOGD_RETF_VALID;
+			ret[NFCT_ORIG_IP_DADDR].u.value.ptr = (struct in6_addr *)nfct_get_attr(ct, ATTR_ORIG_IPV6_DST);
+			ret[NFCT_ORIG_IP_DADDR].flags |= ULOGD_RETF_VALID;
+
+			ret[NFCT_REPLY_IP_SADDR].u.value.ptr = (struct in6_addr *)nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
+			ret[NFCT_REPLY_IP_SADDR].flags |= ULOGD_RETF_VALID;
+			ret[NFCT_REPLY_IP_DADDR].u.value.ptr = (struct in6_addr *)nfct_get_attr(ct, ATTR_REPL_IPV6_DST);
+			ret[NFCT_REPLY_IP_DADDR].flags |= ULOGD_RETF_VALID;
+
+			break;
+		default:
+			ulogd_log(ULOGD_NOTICE, "Unknown protocol family (%d)\n",
+				  nfct_get_attr_u8(ct, ATTR_L3PROTO));
+	}
+	ret[NFCT_ORIG_IP_PROTOCOL].u.value.ui8 = nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO);
 	ret[NFCT_ORIG_IP_PROTOCOL].flags |= ULOGD_RETF_VALID;
+	ret[NFCT_REPLY_IP_PROTOCOL].u.value.ui8 = nfct_get_attr_u8(ct, ATTR_REPL_L4PROTO);
+	ret[NFCT_REPLY_IP_PROTOCOL].flags |= ULOGD_RETF_VALID;
 
-	switch (ct->tuple[dir].protonum) {
+	switch (nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO)) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 	case IPPROTO_SCTP:
 		/* FIXME: DCCP */
-		ret[NFCT_ORIG_L4_SPORT].u.value.ui16 = htons(ct->tuple[dir].l4src.tcp.port);
+		ret[NFCT_ORIG_L4_SPORT].u.value.ui16 = htons(nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC));
 		ret[NFCT_ORIG_L4_SPORT].flags |= ULOGD_RETF_VALID;
-		ret[NFCT_ORIG_L4_DPORT].u.value.ui16 = htons(ct->tuple[dir].l4dst.tcp.port);
+		ret[NFCT_ORIG_L4_DPORT].u.value.ui16 = htons(nfct_get_attr_u16(ct, ATTR_ORIG_PORT_DST));
 		ret[NFCT_ORIG_L4_DPORT].flags |= ULOGD_RETF_VALID;
 		break;
 	case IPPROTO_ICMP:
-		ret[NFCT_ICMP_CODE].u.value.ui8 = ct->tuple[dir].l4src.icmp.code;
+		ret[NFCT_ICMP_CODE].u.value.ui8 = nfct_get_attr_u8(ct, ATTR_ICMP_CODE);
 		ret[NFCT_ICMP_CODE].flags |= ULOGD_RETF_VALID;
-		ret[NFCT_ICMP_TYPE].u.value.ui8 = ct->tuple[dir].l4src.icmp.type;
+		ret[NFCT_ICMP_TYPE].u.value.ui8 = nfct_get_attr_u8(ct, ATTR_ICMP_TYPE);
 		ret[NFCT_ICMP_TYPE].flags |= ULOGD_RETF_VALID;
 		break;
 	}
 
-	ret[NFCT_ORIG_RAW_PKTLEN].u.value.ui64 = ct->counters[dir].bytes;
+	switch (nfct_get_attr_u8(ct, ATTR_REPL_L4PROTO)) {
+		case IPPROTO_TCP:
+		case IPPROTO_UDP:
+		case IPPROTO_SCTP:
+			ret[NFCT_REPLY_L4_SPORT].u.value.ui16 = htons(nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC));
+			ret[NFCT_REPLY_L4_SPORT].flags |= ULOGD_RETF_VALID;
+			ret[NFCT_REPLY_L4_DPORT].u.value.ui16 = htons(nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST));
+			ret[NFCT_REPLY_L4_DPORT].flags |= ULOGD_RETF_VALID;
+	}
+
+	ret[NFCT_ORIG_RAW_PKTLEN].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_ORIG_COUNTER_BYTES);
 	ret[NFCT_ORIG_RAW_PKTLEN].flags |= ULOGD_RETF_VALID;
 
-	ret[NFCT_ORIG_RAW_PKTCOUNT].u.value.ui64 = ct->counters[dir].packets;
+	ret[NFCT_ORIG_RAW_PKTCOUNT].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_ORIG_COUNTER_PACKETS);
 	ret[NFCT_ORIG_RAW_PKTCOUNT].flags |= ULOGD_RETF_VALID;
 
-	dir = NFCT_DIR_REPLY;
-	ret[NFCT_REPLY_IP_SADDR].u.value.ui32 = htonl(ct->tuple[dir].src.v4);
-	ret[NFCT_REPLY_IP_SADDR].flags |= ULOGD_RETF_VALID;
-
-	ret[NFCT_REPLY_IP_DADDR].u.value.ui32 = htonl(ct->tuple[dir].dst.v4);
-	ret[NFCT_REPLY_IP_DADDR].flags |= ULOGD_RETF_VALID;
-
-	ret[NFCT_REPLY_IP_PROTOCOL].u.value.ui8 = ct->tuple[dir].protonum;
-	ret[NFCT_REPLY_IP_PROTOCOL].flags |= ULOGD_RETF_VALID;
-
-	switch (ct->tuple[dir].protonum) {
-	case IPPROTO_TCP:
-	case IPPROTO_UDP:
-	case IPPROTO_SCTP:
-		/* FIXME: DCCP */
-		ret[NFCT_REPLY_L4_SPORT].u.value.ui16 = htons(ct->tuple[dir].l4src.tcp.port);
-		ret[NFCT_REPLY_L4_SPORT].flags |= ULOGD_RETF_VALID;
-		ret[NFCT_REPLY_L4_DPORT].u.value.ui16 = htons(ct->tuple[dir].l4dst.tcp.port);
-		ret[NFCT_REPLY_L4_DPORT].flags |= ULOGD_RETF_VALID;
-		break;
-	case IPPROTO_ICMP:
-		ret[NFCT_ICMP_CODE].u.value.ui8 = ct->tuple[dir].l4src.icmp.code;
-		ret[NFCT_ICMP_CODE].flags |= ULOGD_RETF_VALID;
-		ret[NFCT_ICMP_TYPE].u.value.ui8 = ct->tuple[dir].l4src.icmp.type;
-		ret[NFCT_ICMP_TYPE].flags |= ULOGD_RETF_VALID;
-		break;
-	}
-
-	ret[NFCT_REPLY_RAW_PKTLEN].u.value.ui64 = ct->counters[dir].bytes;
+	ret[NFCT_REPLY_RAW_PKTLEN].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_REPL_COUNTER_BYTES);;
 	ret[NFCT_REPLY_RAW_PKTLEN].flags |= ULOGD_RETF_VALID;
 
-	ret[NFCT_REPLY_RAW_PKTCOUNT].u.value.ui64 = ct->counters[dir].packets;
+	ret[NFCT_REPLY_RAW_PKTCOUNT].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_REPL_COUNTER_PACKETS);
 	ret[NFCT_REPLY_RAW_PKTCOUNT].flags |= ULOGD_RETF_VALID;
 
-	if (flags & NFCT_MARK) {
-		ret[NFCT_CT_MARK].u.value.ui32 = ct->mark;
-		ret[NFCT_CT_MARK].flags |= ULOGD_RETF_VALID;
-	}
+	ret[NFCT_CT_MARK].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_MARK);
+	ret[NFCT_CT_MARK].flags |= ULOGD_RETF_VALID;
 
-	if (flags & NFCT_ID) {
-		ret[NFCT_CT_ID].u.value.ui32 = ct->id;
-		ret[NFCT_CT_ID].flags |= ULOGD_RETF_VALID;
-	}
+	ret[NFCT_CT_ID].u.value.ui32 = nfct_get_attr_u32(ct, ATTR_ID);
+	ret[NFCT_CT_ID].flags |= ULOGD_RETF_VALID;
 
 	if (ts) {
 		ret[NFCT_FLOW_START_SEC].u.value.ui32 = ts->time[START].tv_sec;
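Review bot: the counter assignments switch from `.ui64` to `.ui32` (nfct_get_attr_u32 on ATTR_ORIG_COUNTER_BYTES and friends) while the hunk leaves the nfct_okeys[] declarations for the RAW_PKTLEN/RAW_PKTCOUNT keys untouched; if those keys are still declared as 64-bit, consumers will read the stale upper half of the union together with the new 32-bit value, so either change the key types or keep storing 64-bit values. Further points in the same function: `oob.protocol` is marked ULOGD_RETF_VALID while hard-coded to 0 behind a FIXME, so IP2STR/IP2BIN see a confidently wrong value instead of an absent one (leave the key invalid until it is really filled); the IPv6 branch stores `nfct_get_attr()` pointers into the library-owned `ct` object, so every consumer must be done with the key before the callback returns; the IPv4 branch drops the htonl() the old code applied while the port fields keep htons(), which is only right if IP2STR expects network byte order (the PRINTFLOW path removed in patch 4/6 applied htonl before inet_ntoa, so please double-check); the `default:` branch of the family switch logs and then still marks the protocol keys valid; and for style there is a stray `;;` on the REPLY_RAW_PKTLEN line, a whitespace-only line after the `ret` declaration, and the new switch bodies indent `case` one level deeper than the existing ones in this file.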
@@ -574,36 +592,36 @@ static int propagate_ct(struct ulogd_pluginstance *upi,
 }
 
 /* XXX: pollinterval needs a different handler */
-static int event_handler(void *arg, unsigned int flags, int type,
+static int event_handler(enum nf_conntrack_msg_type type,
+			 struct nf_conntrack *ct,
 			 void *data)
 {
-	struct nfct_conntrack *ct = arg;
 	struct ulogd_pluginstance *upi = data;
-	struct ulogd_pluginstance *npi = NULL;
 	struct nfct_pluginstance *cpi = 
 				(struct nfct_pluginstance *) upi->private;
 	struct ct_timestamp *ts = NULL;
+	struct ulogd_pluginstance *npi = NULL;
 	int ret = 0;
 
 	if (type == NFCT_MSG_NEW) {
 		if (usehash_ce(upi->config_kset).u.value != 0) {
-			ct_hash_add(cpi->ct_active, ct->id);
+			ct_hash_add(cpi->ct_active, nfct_get_attr_u32(ct, ATTR_ID));
 			return 0;
 		}
 	} else if (type == NFCT_MSG_DESTROY) {
 		if (usehash_ce(upi->config_kset).u.value != 0)
-			ts = ct_hash_get(cpi->ct_active, ct->id);
+			ts = ct_hash_get(cpi->ct_active, nfct_get_attr_u32(ct, ATTR_ID));
 	}
 
 	/* since we support the re-use of one instance in
 	 * several different stacks, we duplicate the message
 	 * to let them know */
 	llist_for_each_entry(npi, &upi->plist, plist) {
-		ret = propagate_ct(npi, ct, flags, type, ts);
+		ret = propagate_ct(npi, ct, type, ts);
 		if (ret != 0)
 			return ret;
 	}
-	return propagate_ct(upi, ct, flags, type, ts);
+	return propagate_ct(upi, ct, type, ts);
 }
 
 static int read_cb_nfct(int fd, unsigned int what, void *param)
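Review bot: `type` is now an `enum nf_conntrack_msg_type`, but the hash branch still compares it against the old API's NFCT_MSG_NEW and NFCT_MSG_DESTROY constants; patch 6/6 in this series changes the DESTROY value from 3 to 4 for exactly this reason, so these checks should use NFCT_T_NEW / NFCT_T_DESTROY as well, otherwise `ts` is never looked up for DESTROY events when the hash is enabled. The callback's return value also has meaning in the new API: returning 0 is NFCT_CB_STOP, which tells nfct_catch to stop processing the remaining messages of the current netlink batch; return NFCT_CB_CONTINUE on the normal paths and NFCT_CB_FAILURE when propagate_ct fails.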
@@ -614,7 +632,7 @@ static int read_cb_nfct(int fd, unsigned int what, void *param)
 		return 0;
 
 	/* FIXME: implement this */
-	nfct_event_conntrack(cpi->cth);
+	nfct_catch(cpi->cth);
 	return 0;
 }
 
@@ -668,7 +686,7 @@ static int constructor_nfct(struct ulogd_pluginstance *upi)
 		return -1;
 	}
 
-	nfct_register_callback(cpi->cth, &event_handler, upi);
+	nfct_callback_register(cpi->cth, NFCT_T_ALL, &event_handler, upi);
 
 	cpi->nfct_fd.fd = nfct_fd(cpi->cth);
 	cpi->nfct_fd.cb = &read_cb_nfct;
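Review bot: nfct_callback_register() returns -1 on failure and the value is ignored here, while the setup step just above it is checked and reported with `return -1`; treat this call the same way, and pair it with an unregister in the destructor. Subscribing with NFCT_T_ALL also means event_handler now receives UPDATE messages; please confirm that is intended, since the handler propagates every message that is not handled by the NEW/DESTROY hash branches.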
-- 
1.5.2.5


* [ULOGD PATCH 6/6] Fix display of DESTROY event.
  2008-03-26 22:49 [ULOGD PATCH 0/6] Making NFCT plugin IPv6 compliant Eric Leblond
                   ` (4 preceding siblings ...)
  2008-03-26 22:49 ` [ULOGD PATCH 5/6] Port of NFCT plugin to new libnetfilter_conntrack API Eric Leblond
@ 2008-03-26 22:49 ` Eric Leblond
  5 siblings, 0 replies; 12+ messages in thread
From: Eric Leblond @ 2008-03-26 22:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Eric Leblond

DESTROY events were not correctly displayed due to a problem in event type
detection.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
:100644 100644 272ee4f... d2ce952... M	util/printflow.c
 util/printflow.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/util/printflow.c b/util/printflow.c
index 272ee4f..d2ce952 100644
--- a/util/printflow.c
+++ b/util/printflow.c
@@ -153,7 +153,7 @@ int printflow_print(struct ulogd_key *res, char *buf)
 			case 2:
 				buf_cur += sprintf(buf_cur, "[UPDATE] ");
 				break;
-			case 3:
+			case 4:
 				buf_cur += sprintf(buf_cur, "[DESTROY] ");
 				break;
 		}
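Review bot: the event type is matched as bare integers (`case 2`, `case 4`); this hunk exists precisely because the numbering changed between the old and new libnetfilter_conntrack APIs, so using NFCT_T_NEW / NFCT_T_UPDATE / NFCT_T_DESTROY from the library header (the NFCT plugin in patch 5/6 already uses `enum nf_conntrack_msg_type`) would keep printflow in sync with the event source and make the [DESTROY] case self-documenting.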
-- 
1.5.2.5


* Re: [ULOGD PATCH 1/6] Make arp related key optional.
  2008-03-26 22:49 ` [ULOGD PATCH 1/6] Make arp related key optional Eric Leblond
@ 2008-04-05 15:31   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-05 15:31 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Eric Leblond wrote:
> Arp related keys have to be optional to be able to use the IP2STR module
> for flow display.

Applied. Thanks.

-- 
"The honest are social misfits" -- Les Luthiers

* Re: [ULOGD PATCH 2/6] Fix display of IPv6 address.
  2008-03-26 22:49 ` [ULOGD PATCH 2/6] Fix display of IPv6 address Eric Leblond
@ 2008-04-05 15:31   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-05 15:31 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Eric Leblond wrote:
> An error in the type of an argument in the call to inet_ntop was causing IPv6
> addresses to be transformed into a string not really related to the real IPv6
> address.

Applied.

-- 
"The honest are social misfits" -- Les Luthiers

* Re: [ULOGD PATCH 3/6] Fix typo in error message.
  2008-03-26 22:49 ` [ULOGD PATCH 3/6] Fix typo in error message Eric Leblond
@ 2008-04-05 15:32   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-05 15:32 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Eric Leblond wrote:
> This patch fixes a typo in an error message.

Applied.

-- 
"The honest are social misfits" -- Les Luthiers

* Re: [ULOGD PATCH 4/6] Use IP2STR keys in PRINTFLOW module.
  2008-03-26 22:49 ` [ULOGD PATCH 4/6] Use IP2STR keys in PRINTFLOW module Eric Leblond
@ 2008-04-05 15:35   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-05 15:35 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Eric Leblond wrote:
> The PRINTFLOW module had its own code for string conversion of IPv6 addresses.
> This patch changes the input keys of the module to use the conversion made by the
> IP2STR module.

Applied. Thanks.

-- 
"The honest are social misfits" -- Les Luthiers

* Re: [ULOGD PATCH 5/6] Port of NFCT plugin to new libnetfilter_conntrack API.
  2008-03-26 22:49 ` [ULOGD PATCH 5/6] Port of NFCT plugin to new libnetfilter_conntrack API Eric Leblond
@ 2008-04-05 15:45   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-05 15:45 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Eric Leblond wrote:
> This patch is a port to the new libnetfilter_conntrack API of the NFCT
> plugin. To be able to send IP addresses to the IP2STR and IP2BIN modules,
> oob.family and oob.protocol keys have been added.

Applied, thanks. A patch on top of it to break lines at 80 columns would
be great.

> There is only a single function which is marked as deprecated. This is
> nfct_dump_conntrack_table_reset_counters. This function is used to
> periodically dump counters. By default, this feature is not used. IMHO we could
> suppress this code and use conntrackd for similar tasks.

As the counters are 32 bits, we can store 64 bits counters in userspace
and periodically dump-and-reset the counters. Thus, we ensure that the
probability of an overflow is low while using little memory in kernel
space. We think that we should fix this in ulogd.

The problem that I see, not directly related with this, is that if ulogd
does this counter-and-reset, it may break other existing application
polling to obtain the counters. Probably we need a netlink event to
notify to all processes that the counters have been reset.

-- 
"The honest are social misfits" -- Les Luthiers
