List: netfilter-devel
Subject: Re: New logging module
From: Harald Welte <laforge () netfilter ! org>
Date: 2003-08-30 19:04:53
On Mon, Aug 25, 2003 at 02:59:02PM +0200, Philipp Gühring wrote:
> Hi,
>
> I developed a Netfilter module that collects and logs the traffic of all IP
> addresses of several subnets, and dumps the traffic log regularly in a similar
> format as ipt_LOG, so that it can transparently replace the normal logging
> module.
Why did you do that? I think it's from an architectural point of view
the wrong choice. ipt_ULOG was invented for the sole reason that string
processing and parsing/interpretation of logged packets should not be
done inside a softirq inside the kernel. All this should be offloaded
to userspace.
And: iptables rules are not an ideal infrastructure for accounting
anyway.
> It was developed to enhance the speed of our traffic analysis software, by
> filtering and aggregating the packets directly in the kernel instead of the
> userspace.
So what you really want is a session log, similar to netflow? This
should be easy to implement by adding packet/byte counters to struct
ip_conntrack. Several people have been working on session-log systems
based on netfilter/iptables.
> Many greetings,
> Philipp Gühring
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie