
List:       netfilter-devel
Subject:    Re: New logging module
From:       Harald Welte <laforge () netfilter ! org>
Date:       2003-08-30 19:04:53


On Mon, Aug 25, 2003 at 02:59:02PM +0200, Philipp Gühring wrote:
> Hi,
> 
> I developed a Netfilter module that collects and logs the traffic of all IP 
> addresses of several subnets, and dumps the traffic log regularly in a similar 
> format as ipt_LOG, so that it can transparently replace the normal logging 
> module.

Why did you do that?  I think it's from an architectural point of view
the wrong choice.  ipt_ULOG was invented for the sole reason that string
processing and parsing/interpretation of logged packets should not be
done inside a softirq inside the kernel.  All this should be offloaded
to userspace.

And: iptables rules are not an ideal infrastructure for accounting
anyway.

> It was developed to enhance the speed of our traffic analysis software, by 
> filtering and aggregating the packets directly in the kernel instead of the 
> userspace.

So what you really want is a session log, similar to netflow?  This
should be easy to implement by adding packet/byte counters to struct
ip_conntrack.  Several people have been working on session-log systems
based on netfilter/iptables.

> Many greetings,
> Philipp Gühring

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


