I would like to log to multiple outputs, one to a log file, the second to a PCAP 
file, using NFLOG in ulogd.

I noticed some developer discussions in the past and followed some possible 
ways to do this in policy:
For example, I changed the policy:

net    all   DROP     $LOG
to
net    all   DROP:N2LOG

actions
~~~~~~
N2LOG     inline

action.N2LOG
~~~~~~~~~
Drop
NFLOG(1,0,1)
NFLOG(2,0,1)

I noticed that DROP  $LOG will insert the Drop chain before the log, which 
filters a lot of cruft.
However, I have to manually add it if I use DROP:N2LOG.

Is this the correct way to go about this? It seems to be working. I tried 
putting the N2LOG action in the log level, but that did not work (or macro). I 
was not clear on the log level option. The reason for inline is so the log tag 
is loc2fw instead of an N2LOG chain. Is there another way to control the prefix 
without using inline?

Also, I noticed that the manual says NFLOG(,0,1) will default to group 1, but in 
the ulogd stack it seems to go to group 0; also, just NFLOG defaults to group 0. 
I'm running Arch Linux kernel 3.11.5-1-ARCH and ulogd version 2.0.2 at the 
moment. With Arch, though, the moment can change often.

Here is the working ulogd stack:
/etc/ulogd.conf
~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=300000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"

# shorewall logging packets
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# capture bad packets
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=1
#sync=1

[log2]
group=2

[emu1]
file=/var/log/ulogd.syslogemu

[pcap1]

----------
Wayne S
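
Added example, not part of the original message and not Shorewall or ulogd code: a small consistency check that every NFLOG group used in the action file has a ulogd stack bound to it, and that no NFLOG rule leaves the group to a default. The function names and the abridged sample inputs are constructed for illustration; the check assumes each stack lists its input plugin first and its output plugin last.

```python
import re

# Constructed sample inputs, abridged from the files quoted in the message.
ULOGD_CONF = """\
[global]
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
[log1]
group=1
[log2]
group=2
"""
ACTION_N2LOG = "Drop\nNFLOG(1,0,1)\nNFLOG(2,0,1)\n"

def ulogd_groups(conf):
    """Map each explicitly configured NFLOG group to its stack's output plugin."""
    section, stacks, opts = None, [], {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        key, _, val = line.partition("=")
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section = header.group(1)
        elif key.strip() == "stack":
            stacks.append([p.strip().split(":") for p in val.split(",")])
        elif section and val:
            opts.setdefault(section, {})[key.strip()] = val.strip().strip('"')
    groups = {}
    for stack in stacks:
        (inst, plugin), (_, out) = stack[0], stack[-1]
        # Assumption: an instance without group= is skipped, no default is guessed.
        if plugin == "NFLOG" and "group" in opts.get(inst, {}):
            groups[int(opts[inst]["group"])] = out
    return groups

def action_groups(action):
    """First NFLOG() argument of each rule; None when it is left empty."""
    args = re.findall(r"\bNFLOG(?:\(([^)]*)\))?", action)
    firsts = [a.split(",")[0].strip() for a in args]
    return [int(f) if f else None for f in firsts]

def check(action, conf):
    """Findings: NFLOG rules with no pinned group or no ulogd stack listening."""
    listeners, findings = ulogd_groups(conf), []
    for g in action_groups(action):
        if g is None:
            findings.append("NFLOG without explicit group: pin the group number")
        elif g not in listeners:
            findings.append(f"group {g}: no ulogd stack bound to it")
    return findings

print(check(ACTION_N2LOG, ULOGD_CONF) or "every NFLOG group has a ulogd listener")
```

Running the same check against an action containing NFLOG(,0,1) or a bare NFLOG reports the unpinned group, which is the case where the manual and the observed behaviour described above disagree.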
