On 05/18/2011 11:27 AM, Ed W wrote:
> On 17/05/2011 21:18, Tom Eastep wrote:
>> On 05/17/2011 02:27 AM, Ed W wrote:
>>
>>> I accept your reply that it's not straightforward for now!
>>
>> As I stated, to do as you suggest (COUNT:NFLOG... or DONE:...) would be
>> considerable work. To simply add an NFLOG 'ACTION' to the accounting
>> file is trivial. The attached patch does it.
>>
>> NFLOG[(...)] chain source ...
>>
>> This will be in 4.4.20 along with the ability to add your accounting
>> rules in the mangle table rather than the filter table. The latter will
>> allow accounting rules in PREROUTING and POSTROUTING.
>
> Thanks Tom,
>
> I need to study this, but it looks exactly spot on? My goal is simply
> to get a simple entry that logs every single packet that goes in/out of
> the internet route. I think the limitations you list are pretty much as
> expected because NFLOG is really intended for more coarse logging and
> you can rely on your log daemon to help with aggregation and filtering. I
> don't particularly expect to filter the input to nflog, although perhaps
> some folks might use some very coarse filtering (interface, protocol)?

Possibly.

> In fact I think it's more the reverse - if you are NFLOGing then
> probably you are trying to centralise some fairly coarse grained
> logging. If you want to trace very specific packets, then probably
> adding the entry to the rule table makes more sense?

Yes, I think so. For accounting, you need the packet length and the
protocol headers and not the payload. So you should only capture the
first 40 bytes or so of each packet (second NFLOG parameter). Also, for
decreased overhead, the third argument should be set > 1 (I would start
at 20 or so which would be 800 bytes if you are capturing 40 bytes/packet).

> Still learning my way around shorewall, so might be completely missing
> the point. Many thanks
>
> Ed W
>
> P.S. Just checking that this can't be done through the rules table -
> the docs suggest that it's not possible to have a "log" only rule there,
> ie something which matches but doesn't influence packet destination or
> stop the flow of processing?

You could use LOG:NFLOG(...) in the rules file, but you would need 3
times as many rules as in the accounting file (your LOG:NFLOG rules would
need to be replicated in each of the three sections of the file).
Additionally, each logged packet would include the prefix (default is
'Shorewall:<chain>:<disposition>:') which you could care less about.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
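As an added illustration of the accounting-file NFLOG entries discussed in the thread (this is not Tom's patch or Shorewall's own documentation), the fragment below assumes the 4.4.20 accounting-file column order shown in its header line, a single internet-facing interface named eth0, NFLOG group 1, and a userspace collector such as ulogd bound to that group; the parameter meanings follow the thread's "second parameter = bytes captured, third = threshold".

```conf
# /etc/shorewall/accounting  (added example; assumed column layout)
#
# NFLOG(group,range,threshold):
#   group     - nfnetlink_log group the collector listens on (assumed: 1)
#   range     - bytes of each packet copied to userspace; 40 covers the IPv4
#               header plus the TCP/UDP ports, which is all accounting needs
#   threshold - packets queued in the kernel before one netlink message is
#               sent; 20 x 40 bytes = 800 bytes per message, as suggested above
#
# NFLOG is non-terminating: the packet continues to any later accounting
# rules and to the filter rules, so these entries only add logging and
# never change a verdict. Unlike LOG:NFLOG in the rules file, no
# 'Shorewall:<chain>:<disposition>:' prefix is attached and the entries do
# not have to be repeated per section.
#
#ACTION           CHAIN   SOURCE   DESTINATION   PROTO
# everything arriving on the internet interface
NFLOG(1,40,20)    -       eth0     -             -
# everything leaving via the internet interface
NFLOG(1,40,20)    -       -        eth0          -

# For contrast, the costly form the thread warns against: with no range
# the copy size falls back to the collector's default (commonly the whole
# packet, payload included) and threshold 1 sends one netlink message per
# packet. Left commented out here.
#NFLOG(1)         -       eth0     -             -
#NFLOG(1)         -       -        eth0          -
```

Each captured 40-byte sample still carries the packet's total length in the IP header, so the collector can sum bytes per source, destination and protocol without ever seeing payload.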
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
