On 10/24/2013 9:53 AM, Wayne S wrote:
> I would like to log to multiple outputs, one to log file, second to
> PCAP file using NFLOG in ulogd.
>
> I noticed some developer discussions in the past and followed some
> possible ways to do this in policy: For example, I changed the
> policy:
>
> net all DROP $LOG to net all DROP:N2LOG
>
> actions
> ~~~~~~
> N2LOG inline
>
> action.N2LOG
> ~~~~~~~~~
> Drop
> NFLOG(1,0,1)
> NFLOG(2,0,1)
>
> I noticed that DROP $LOG will insert the Drop chain before the log,
> which filters a lot of cruft. However, I have to manually add it if I
> use DROP:N2LOG.

That's correct. 'DROP' in the POLICY column is the same as 'DROP:Drop',
since 'Drop' is the default action for a DROP policy.

>
> Is this the correct way to go about this?

Yes.

> It seems to be working. I tried putting the N2LOG action in the log
> level, but that did not work (or macro). I was not clear on log level
> option.

I should add a 'shorewall-logging' manpage. In the meantime, see
http://www.shorewall.net/shorewall_logging.html

> The reason for inline is so the log tag is loc2fw instead of an
> N2LOG chain. Is there another way to control the prefix without using
> inline?

'inline' is certainly the most convenient. But within an action, the
@chain and @disposition variables, together with the LOGPREFIX setting,
are used to form the log prefix. So if you include this in the action
body:

?set @chain @caller

then the logging will be correct. Note that you don't really gain
anything by doing that; with that directive in the action body, each
invocation of N2LOG will generate a separate chain. So you may as well
just use 'inline'.

>
> Also, I noticed that the manual says NFLOG(,0,1) will default to
> group 1 but in the ulogd stack it seems to go to group 0, also just
> NFLOG defaults to group 0. I'm running Arch Linux kernel
> 3.11.5-1-ARCH and ulogd Version 2.0.2 at the moment. With Arch,
> though, the moment can change often.

I'll correct the documentation.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
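
The ulogd side of the setup discussed in this message, as an added example that is not part of the original thread: two ulogd 2.x stacks, one per NFLOG group used in action.N2LOG above (group 1 to a text log, group 2 to a PCAP file). The plugin directory and output file paths are assumptions; adjust them to the distribution's layout.

```ini
# /etc/ulogd.conf (sketch; paths below are assumed, not taken from the thread)
[global]
logfile="/var/log/ulogd.log"

# Plugins needed by the two stacks below.
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"

# Stack 1: packets from NFLOG group 1 -> syslog-style text log.
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# Stack 2: packets from NFLOG group 2 -> raw packets in a PCAP file.
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

# Matches NFLOG(1,0,1) in action.N2LOG.
# Set the group explicitly rather than relying on a default; the thread
# notes that documented and observed defaults disagreed.
[log1]
group=1

# Matches NFLOG(2,0,1) in action.N2LOG.
[log2]
group=2

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

[pcap1]
file="/var/log/ulogd.pcap"
sync=1
```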
