iptables target for libnetfilter_log
gregor at net.in.tum.de
Sat Feb 25 14:18:26 CET 2006
-----BEGIN PGP SIGNED MESSAGE-----
Patrick McHardy wrote:
> The LOG target uses is as a backend if it is loaded, but this is IMO
> actually a mistake, the LOG target should keep working the same way
> as it always did. Which reminds me that I wanted to restore the old
> way before 2.6.16 is out ..
The LOG target uses the nf_log mechanism and tries to register a logger
to nf_log. Problem is, that userspace apps can unregister this LOG
logger and register the netlink logger.
>>If not I'd write one.
> Mhh maybe we could add a flag to the LOG target to use whatever nf_log
> backend is registered. I'd prefer that to a full new target.
The problem is, that packets that should be logged to syslog take
log-level, log-prefix, log-tcp-sequence, log-tcp-iptions, ... as
parameters, whereas a target for logging to userspace must provide a
group/queuenum and a prefix.
If there's a only one target, the userland iptables must check if the
packet should be queued to userspace or logged to syslog.
If its syslog, then accept log-prefox, log-level, log-tcp-sequence et.
al parameters. If it should be queued to userspace it should only accept
log-prefix and log-group. I think that's awful semantics from a
userspace point of view.
IMHO having the LOG target log directly to syslog and having e.g. NFLOG
log/queue to userspace (as ULOG) is straighter.
Furthermore a new NFLOG target could use xtables.
Gregor Maier Lehrstuhl Informatik 8
gregor at net.in.tum.de Tel: +49 89 289-18010
http://www.net.in.tum.de TU Muenchen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the netfilter-devel