ulogd (Part 1)

Userspace logging daemon for netfilter/iptables.


===> IDEA

This package is intended for doing all netfilter related logging inside a
userspace process.  This includes
    - logging of ruleset violations via ipt_ULOG (kernel 2.4.18+)
    - logging of ruleset violations via nfnetlink_log (kernel 2.6.14+)
    - logging of connection startup/teardown (kernel 2.6.14+)
    - connection-based accounting  (kernel 2.6.14+)

In other words, it performs all the netfilter-related logging and accounting work inside a daemon process.


How it works
- Register a target called ULOG with iptables
- If the target is hit:
    - send the packet out using the netlink multicast facility
    - return NF_CONTINUE immediately

To put it simply, the working principle is:

  Rules are pushed into the kernel via iptables; when a packet matches a rule, the kernel sends a message to userspace over netlink, and the packet then continues to be processed in the kernel.

  The output can also be written straight into a database; the database has to be set up beforehand and the ulogd configuration adjusted accordingly.


A few notes on the plugins mentioned below:


Input Plugins

Input plugins act as data sources. They get data from somewhere outside of ulogd and convert it into a list of ulogd keys.

Filter Plugins

Filter plugins interpret and/or filter data that was received from the Input Plugin. A good example is parsing a raw packet into IPv4 / TCP / ... header information.

Output Plugins

Output plugins describe how and where to put the information gained by the Input Plugin and processed by one or more Filter Plugins. The easiest way is to build a line per packet and print it to a file. Some people might want to log into a SQL database or want an output conforming to the IETF IPFIX language.

Available plugins

It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.

There are two kinds of plugins, interpreter and output plugins. Interpreter plugins parse the packet; output plugins write the interpreted information to some logfile/database/...


===> CONTENTS
= ulogd daemon (ulogd)
A sophisticated logging daemon core which uses a plugin for about anything. The
daemon provides a plugin API for
    - input plugins
    - filter plugins
    - output plugins
= documentation (doc)
A quite verbose documentation of this package and its configuration exists,
please actually make use of it and read it :)

===> USAGE

To be able to build ulogd, you need to have working development files and
libraries for:
 - libnfnetlink
 - libmnl
 - libnetfilter_log         [optional]
 - libnetfilter_conntrack    [optional]
 - libnetfilter_acct        [optional]

Output plugins are built if the needed library and headers are found. This
includes:
 - PCAP: libpcap
 - PGSQL: libpq
 - MySQL: libmysqlclient
 - SQLITE3: libsqlite3
 - DBI: libdbi

The build procedure is standard:
 $ ./configure
 $ make
 $ sudo make install

After the build, you need to edit the ulogd.conf file to define one or more
stacks to use.

===> EXAMPLES

= NFLOG (firewall log) usage

At first a simple example, which passes every outgoing packet to the
userspace logging, using nfnetlink group 3.

iptables -A OUTPUT -j NFLOG --nflog-group 3

A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp":

iptables -A INPUT -j NFLOG -p tcp --dport 80 --nflog-group 32 --nflog-prefix inp

See iptables -j NFLOG -h for complete information about NFLOG.

= NFCT (connection tracking) usage

To use connection logging, simply activate in ulogd.conf one stack using
the NFCT plugin.

For example, the following stack will do flow-based logging via
LOGEMU:

 stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU

(This is the corresponding setting in the ulogd configuration file.)
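To make the plugin model from the "Input / Filter / Output Plugins" section and this stack line concrete, here is an added toy model of a ulogd stack in Python. It is an illustration written for this post, not ulogd's own code: the plugin names follow ulogd.conf, but the key names (orig.ip.saddr, orig.l4.dport, ...), the integer address encoding and the output line format are simplified assumptions modelled on ulogd's conventions, and the sample flow is constructed. It parses the stack string, checks that the stack begins with an input plugin, and pushes one flow through NFCT -> IP2STR -> PRINTFLOW -> LOGEMU, each plugin adding keys for the next.

```python
"""Toy model of a ulogd stack: input -> filter(s) -> output plugins.

Added illustration only, not ulogd's code. Plugin names follow ulogd.conf
(NFCT, IP2STR, PRINTFLOW, LOGEMU); key names, the integer address encoding
and the output line format are simplified assumptions.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Keys = Dict[str, object]          # a ulogd "key list": key name -> value
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: one flow as an NFCT-style input plugin would hand it on,
# with addresses as 32-bit integers (dotted strings only appear after IP2STR).
SAMPLE_FLOW: Keys = {
    "orig.ip.saddr": int(ipaddress.IPv4Address("192.168.1.10")),
    "orig.ip.daddr": int(ipaddress.IPv4Address("203.0.113.5")),
    "orig.ip.protocol": 6,
    "orig.l4.sport": 51234,
    "orig.l4.dport": 443,
    "orig.raw.pktcount": 12,
    "orig.raw.pktlen": 4096,
}


def nfct_input(_keys: Keys) -> Keys:
    """Input plugin: the data source. Here it emits the constructed sample flow."""
    return dict(SAMPLE_FLOW)


def ip2str_filter(keys: Keys) -> Keys:
    """Filter plugin: add a dotted-quad string key next to every integer address key."""
    out = dict(keys)
    for name, value in keys.items():
        if name.endswith((".saddr", ".daddr")):
            out[name + ".str"] = str(ipaddress.IPv4Address(value))
    return out


def printflow_filter(keys: Keys) -> Keys:
    """Filter plugin: condense the interpreted keys into one text line under 'print'."""
    proto = PROTO_NAMES.get(keys["orig.ip.protocol"], str(keys["orig.ip.protocol"]))
    out = dict(keys)
    out["print"] = (
        f"ORIG: SRC={keys['orig.ip.saddr.str']} DST={keys['orig.ip.daddr.str']} "
        f"PROTO={proto} SPT={keys['orig.l4.sport']} DPT={keys['orig.l4.dport']} "
        f"PKTS={keys['orig.raw.pktcount']} BYTES={keys['orig.raw.pktlen']}"
    )
    return out


def make_logemu_output(sink: List[str]) -> Callable[[Keys], Keys]:
    """Output plugin factory: LOGEMU writes the 'print' line to a file; we write to a list."""
    def logemu_output(keys: Keys) -> Keys:
        sink.append(str(keys["print"]))
        return keys
    return logemu_output


def build_registry(sink: List[str]) -> Dict[str, Tuple[Callable[[Keys], Keys], bool]]:
    """Map ulogd.conf plugin names to (callable, is_input_plugin)."""
    return {
        "NFCT": (nfct_input, True),
        "IP2STR": (ip2str_filter, False),
        "PRINTFLOW": (printflow_filter, False),
        "LOGEMU": (make_logemu_output(sink), False),
    }


def parse_stack(spec: str) -> List[Tuple[str, str]]:
    """Parse 'inst:PLUGIN,inst:PLUGIN,...' into (instance name, plugin name) pairs."""
    pairs = []
    for item in spec.split(","):
        inst, _, plugin = item.strip().partition(":")
        if not inst or not plugin:
            raise ValueError(f"bad stack entry: {item!r}")
        pairs.append((inst, plugin))
    return pairs


def run_stack(spec: str, sink: List[str]) -> Keys:
    """Instantiate the stack and push one event through every plugin in order."""
    registry = build_registry(sink)
    pairs = parse_stack(spec)
    unknown = [p for _, p in pairs if p not in registry]
    if unknown:
        raise ValueError(f"unknown plugin(s): {unknown}")
    # ulogd refuses a stack whose first plugin is not a source (input) plugin.
    if not registry[pairs[0][1]][1]:
        raise ValueError("first plugin in stack must be an input plugin")
    keys: Keys = {}
    for _inst, plugin in pairs:
        keys = registry[plugin][0](keys)
    return keys


if __name__ == "__main__":
    lines: List[str] = []
    run_stack("ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU", lines)
    print("\n".join(lines))
```

The point to notice is that PRINTFLOW only works because IP2STR ran before it and added the `.str` keys; the order of instances in the `stack=` line is the order in which keys are produced and consumed, which is why a stack that omits IP2STR or starts with a filter plugin fails instead of logging garbage.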

= NFACCT (firewall accounting) usage

On ulogd side, activate a stack using the NFACCT module.

You then need to create counters:
 # nfacct add ipv4.tcp
 # nfacct add ipv6.tcp.443

(nfacct is a separate tool and has to be installed in addition to iptables.)


Once this is done, you can create iptables rules with an nfacct match that
increments the counter each time a packet hits them:

 # iptables -A FORWARD -p tcp -m nfacct --nfacct-name ipv4.tcp

(This rule is on the FORWARD chain; when testing on a PC it is recommended to use the INPUT and OUTPUT chains instead.)
 # ip6tables -A FORWARD -p tcp  --dport 443 -m nfacct --nfacct-name ipv6.tcp.443
 # ip6tables -A FORWARD -p tcp  --sport 443 -m nfacct --nfacct-name ipv6.tcp.443

The NFACCT plugin will then periodically dump the counters and trigger an update of the
outputs corresponding to the active stacks.

===> COPYRIGHT + CREDITS

The code and documentation are
    (C) 2000-2006 by Harald Welte <laforge@gnumonks.org>
    (C) 2008-2012 Pablo Neira Ayuso <pablo@netfilter.org>
    (C) 2008-2013 Eric Leblond <eric@regit.org>

Thanks also to the valuable contributions of Daniel Stone, Alexander Janssen,
Michael Stolovitzsky and Jozsef Kadlecsik.

Credits to Rusty Russell, James Morris, Marc Boucher and all the other
netfilter hackers.


References:

  https://blog.csdn.net/eydwyz/article/details/52456335

  https://blog.csdn.net/chinalinuxzend/article/details/1765249

  https://rlworkman.net/howtos/ulogd.html


posted on 2019-04-12 14:06 by rivsidn