From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Add support to log original and NAT-ed IP addresses
Date: Mon, 20 Apr 2009 11:58:38 +0200 [thread overview]
Message-ID: <49EC474E.8090604@netfilter.org> (raw)
In-Reply-To: <alpine.DEB.2.00.0904201012170.10463@blackhole.kfki.hu>
Hi Jozsef,
Jozsef Kadlecsik wrote:
> Hi,
>
> Attached you can find patches for netfilter and iptabes to support the
> logging of the original and NAT-ed IP addresses together.
>
> Currently there's no way to do it by netfilter/iptables. If we log in the
> filter table, there we can record the original src IP address only.
> However, we cannot log the src IP address after NAT at all: SNAT happens
> in the nat table at POSTROUTING, and there's no other table to which the
> logging rule could be added (and the NAT targets return ACCEPT, so we
> cannot add the loggin rule to the nat table either).
>
> The only way to log src/dst IP before/after NAT presently is to run
> 'conntrack' in event mode like this:
>
> conntrack -E -e NEW | logger -p kernel.info
We can also do this by means of ulogd2 or, alternatively, conntrackd in
its very basic statistics mode.
> which is a little bit cumbersome and requires the libnfnetlink,
> libnetfilter_conntrack libraries too.
Yes, this needs some extra user-space software. With regards to logging,
I think that the current policy is to move most of the logics to
user-space, I don't think that overloading iptables with yet another
logging facility is the way to go.
> The attached netfilter patch is questionable/incomplete in the sense that:
>
> - it adds the POST_ROUTING hook to the raw table and in the IPv4 case
> only: but there's no much point to add the hook to IPv6
> - for the sake of completeness the LOCAL_IN hook should be added too,
> in order to make possilbe the logging of local SNAT-ed addresses
> - the original src/dst ports could be logged as well: in practice the
> original src IP address matters only when one wants to hunt down
> an infected machine on a NATed network
I think that Patrick is not going to like the idea of adding more hooks,
what do you think Patrick?
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2009-04-20 9:58 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-20 9:21 [PATCH] Add support to log original and NAT-ed IP addresses Jozsef Kadlecsik
2009-04-20 9:58 ` Pablo Neira Ayuso [this message]
2009-04-20 10:12 ` Jozsef Kadlecsik
2009-04-20 10:33 ` Jan Engelhardt
2009-04-20 10:49 ` Jozsef Kadlecsik
2009-04-20 11:08 ` Pablo Neira Ayuso
2009-04-20 11:23 ` Jozsef Kadlecsik
2009-04-20 14:40 ` Patrick McHardy
2009-04-20 16:47 ` Jozsef Kadlecsik
2009-04-21 12:22 ` Patrick McHardy
2009-04-21 18:18 ` Jozsef Kadlecsik
2009-04-22 15:59 ` Patrick McHardy
2009-04-22 20:39 ` Jozsef Kadlecsik
2009-04-23 12:12 ` Patrick McHardy
2009-04-24 8:06 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49EC474E.8090604@netfilter.org \
--to=pablo@netfilter.org \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.