Linux Netfilter discussions
* Target IP monitoring...
@ 2008-08-11 18:51 Grant Taylor
From: Grant Taylor @ 2008-08-11 18:51 UTC (permalink / raw)
  To: Mail List - Netfilter

I'm going to be working on a project that will need to monitor what 
destination IPs traffic is sent to.  I was wondering if I could not use 
the ULOG inside of the nat table to do this.  I am really only wanting 
the target (and possibly the source) IP of each connection.  I do not 
want any of the IP payload or any of the packets, just the target IP.

I was hoping to exploit the fact that the nat table only sees the first 
packet in a connection to help reduce the likelihood that I would see 
the same target IP multiple times.

I am not doing any filtering with this so the fact that ULOG is a 
non-terminating target is not a problem for me.



Grant. . . .


* Re: Target IP monitoring...
From: Jan Engelhardt @ 2008-08-11 19:55 UTC (permalink / raw)
  To: Grant Taylor; +Cc: Mail List - Netfilter


On Monday 2008-08-11 14:51, Grant Taylor wrote:

> I'm going to be working on a project that will need to monitor what destination
> IPs traffic is sent to.  I was wondering if I could not use the ULOG inside of
> the nat table to do this.  I am really only wanting the target (and possibly
> the source) IP of each connection.  I do not want any of the IP payload or any
> of the packets, just the target IP.
>
> I was hoping to exploit the fact that the nat table only sees the first packet
> in a connection to help reduce the likelihood that I would see the same target
> IP multiple times.

Eww no, don't do that. Though Netfilter is written like that,
there is no hard guarantee that only first packets are seen.
(Like, we forget to take our medication and all packets go
through the then-semi-stateless nat table ;-)
Better use -m conntrack --ctstate NEW -j ULOG.

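The rule Jan suggests, written out as an added example (not from the thread or from the netfilter project): the conntrack-state match goes in the filter table's OUTPUT and FORWARD chains, and because only the addresses are wanted, --ulog-cprange limits what is copied to userspace to the IPv4 header. The function names, the NEWCONN prefix and the ulogd netlink group number are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): log only the first packet of each
# connection with the conntrack-state match, rather than relying on the
# nat table's "first packet only" behaviour.
# Assumptions: an iptables with the conntrack match and the (legacy) ULOG
# target, and a ulogd listening on netlink multicast group 1.

ULOG_GROUP=1

# Build the rule arguments for one chain and print them on a single line
# so they can be reviewed (e.g. diffed against the running ruleset) before
# being loaded.  $1 = chain, $2 = netlink group (defaults to ULOG_GROUP).
new_conn_log_rule() {
    chain=$1
    group=${2:-$ULOG_GROUP}
    # --ctstate NEW:     only the first packet conntrack sees for a flow,
    #                    which is the deduplication Grant was after.
    # --ulog-cprange 20: copy just the 20-byte IPv4 header to userspace,
    #                    since only source/destination addresses are wanted,
    #                    not the payload (0 would copy the whole packet).
    # ULOG is non-terminating, so the packet continues down the chain.
    printf '%s\n' "-A $chain -m conntrack --ctstate NEW -j ULOG --ulog-nlgroup $group --ulog-cprange 20 --ulog-prefix NEWCONN"
}

# Load the rule into the filter table for locally generated (OUTPUT) and
# routed (FORWARD) traffic.  Run as root on the host where the logging
# is wanted; nothing is changed until this function is called.
install_rules() {
    for chain in OUTPUT FORWARD; do
        # shellcheck disable=SC2046  # word-splitting of the rule is intended
        iptables -t filter $(new_conn_log_rule "$chain")
    done
}
```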

* Re: Target IP monitoring...
From: Grant Taylor @ 2008-08-11 20:03 UTC (permalink / raw)
  To: Mail List - Netfilter

On 08/11/08 14:55, Jan Engelhardt wrote:
> Eww no, don't do that. Though Netfilter is written like that, there 
> is no hard guarantee that only first packets are seen. (Like, we 
> forget to take our medication and all packets go through the 
> then-semi-stateless nat table ;-) Better use -m conntrack --ctstate 
> NEW -j ULOG.

*nod*

So technically it /would/ work, but it would also be bad form to do it 
that way.



Grant. . . .
