The branch, master has been updated via e0b49310826c9e99042b0316b6bc9b17186e5e74 (commit) via ce284ff341d25a4b280023101d324be4e5294bfb (commit) from 3712f5e1e69264bc6b5327625781888f3f8c6e80 (commit)
- Log ----------------------------------------------------------------- commit e0b49310826c9e99042b0316b6bc9b17186e5e74 Merge: ce284ff 3712f5e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 8 19:42:38 2015 +0000
Merge branch 'master' of ssh://git.ipfire.org/pub/git/ipfire-3.x
commit ce284ff341d25a4b280023101d324be4e5294bfb Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jun 8 13:12:24 2015 +0000
ulogd2: Update to version 2.0.5
This package adds logging of the flows and packets to an sqlite database that can be used to get statistical output.
Logging to syslog as known from IPFire 2 has been added as well but is only temporary until there is a way to view the logged packets on the console.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: .../ulogd2-2.0.5-better-sqlite-debugging.patch | 26 ++++ ulogd2/sqlite3.table | 145 ++++++++++++++++++--- ulogd2/ulogd.conf | 51 +++----- ulogd2/ulogd.logrotate | 7 - ulogd2/ulogd2.nm | 18 ++- 5 files changed, 180 insertions(+), 67 deletions(-) create mode 100644 ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch delete mode 100644 ulogd2/ulogd.logrotate
Difference in files:
diff --git a/ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch b/ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch
new file mode 100644
index 0000000..f9c5f7d
--- /dev/null
+++ b/ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch
@@ -0,0 +1,26 @@
+diff --git a/output/sqlite3/ulogd_output_SQLITE3.c b/output/sqlite3/ulogd_output_SQLITE3.c
+index 5c49055..e3eff6f 100644
+--- a/output/sqlite3/ulogd_output_SQLITE3.c
++++ b/output/sqlite3/ulogd_output_SQLITE3.c
+@@ -212,7 +212,8 @@ sqlite3_interp(struct ulogd_pluginstance *pi)
+ return ULOGD_IRET_OK;
+ 
+ err_bind:
+- ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s\n", sqlite3_errmsg(priv->dbh));
++ ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s (field: %s)\n", sqlite3_errmsg(priv->dbh),
++ f->key->name);
+ 
+ return ULOGD_IRET_ERR;
+ }
+@@ -353,8 +354,10 @@ sqlite3_init_db(struct ulogd_pluginstance *pi)
+ }
+ strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
+ 
+- if ((f->key = ulogd_find_key(pi, buf)) == NULL)
++ if ((f->key = ulogd_find_key(pi, buf)) == NULL) {
++ ulogd_log(ULOGD_ERROR, "SQLITE3: Could not find field %s\n", buf);
+ return -1;
++ }
+ 
+ TAILQ_INSERT_TAIL(&priv->fields, f, link);
+ }
diff --git a/ulogd2/sqlite3.table b/ulogd2/sqlite3.table
index 200a4c4..c38474d 100644
--- a/ulogd2/sqlite3.table
+++ b/ulogd2/sqlite3.table
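Review bot: The two log messages this patch adds use different plugin prefixes, `SQLITE: bind: %s (field: %s)\n` in sqlite3_interp and `SQLITE3: Could not find field %s\n` in sqlite3_init_db, which makes it harder to grep the ulogd log for this plugin's errors; pick one, e.g. `ulogd_log(ULOGD_ERROR, "SQLITE3: bind: %s (field: %s)\n", ...)`. In the second hunk the `return -1` inside the new braces leaves the struct `f` points to out of `priv->fields`; if `f` was allocated just above this hunk (not visible here), it is leaked on that path and a `free(f);` before the return would close that. Both enclosing functions start and end outside the patch's hunks.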
@@ -1,21 +1,126 @@
-CREATE TABLE ulog (
- raw_mac VARCHAR(80),
- oob_time_sec INT UNSIGNED,
- oob_time_usec INT UNSIGNED,
- ip_saddr INT UNSIGNED,
- ip_daddr INT UNSIGNED,
- ip_protocol TINYINT UNSIGNED,
- ip_totlen SMALLINT UNSIGNED,
- tcp_sport SMALLINT UNSIGNED,
- tcp_dport SMALLINT UNSIGNED,
- udp_sport SMALLINT UNSIGNED,
- udp_dport SMALLINT UNSIGNED,
- udp_len SMALLINT UNSIGNED,
- icmp_type TINYINT UNSIGNED,
- icmp_code TINYINT UNSIGNED,
- icmp_echoid SMALLINT UNSIGNED,
- icmp_echoseq SMALLINT UNSIGNED,
- icmp_gateway INT UNSIGNED,
- icmp_fragmtu SMALLINT UNSIGNED
- );
+CREATE TABLE hits (
+ oob_time_sec INTEGER NOT NULL,
+ oob_time_usec INTEGER NOT NULL,
+ oob_hook INTEGER,
+ oob_prefix TEXT,
+ mac_saddr_str TEXT,
+ mac_daddr_str TEXT,
+ oob_in TEXT,
+ oob_out TEXT,
+ oob_family INTEGER,
+ oob_protocol INTEGER,
+ oob_uid INTEGER,
+ oob_gid INTEGER,
+ oob_mark INTEGER,
+ ip_saddr BLOB,
+ ip_saddr_str TEXT,
+ ip_daddr BLOB,
+ ip_daddr_str TEXT,
+ ip_protocol INTEGER,
+ ip_tos INTEGER,
+ ip_ttl INTEGER,
+ ip_totlen INTEGER,
+ ip_id INTEGER,
+ ip_fragoff INTEGER,
+ ip6_payloadlen INTEGER,
+ ip6_priority INTEGER,
+ ip6_hoplimit INTEGER,
+ ip6_flowlabel INTEGER,
+ ip6_nexthdr INTEGER,
+ ip6_fragoff INTEGER,
+ ip6_fragid INTEGER,
+ tcp_sport INTEGER,
+ tcp_dport INTEGER,
+ tcp_seq INTEGER,
+ tcp_ackseq INTEGER,
+ tcp_window INTEGER,
+ tcp_syn INTEGER,
+ tcp_ack INTEGER,
+ tcp_rst INTEGER,
+ tcp_fin INTEGER,
+ tcp_urg INTEGER,
+ tcp_urgp INTEGER,
+ udp_sport INTEGER,
+ udp_dport INTEGER,
+ udp_len INTEGER,
+ icmp_type INTEGER,
+ icmp_code INTEGER,
+ icmp_echoid INTEGER,
+ icmp_echoseq INTEGER,
+ icmp_gateway INTEGER,
+ icmp_fragmtu INTEGER,
+ icmpv6_type INTEGER,
+ icmpv6_code INTEGER,
+ icmpv6_echoid INTEGER,
+ icmpv6_echoseq INTEGER,
+ icmpv6_csum INTEGER,
+ ahesp_spi INTEGER,
+ arp_hwtype INTEGER,
+ arp_protocoltype INTEGER,
+ arp_operation INTEGER,
+ arp_shwaddr BLOB,
+ arp_saddr_str TEXT,
+ arp_dhwaddr BLOB,
+ arp_daddr_str TEXT,
+ sctp_sport INTEGER,
+ sctp_dport INTEGER,
+ sctp_csum INTEGER
+);
+CREATE INDEX hits_time ON hits(oob_time_sec);
+CREATE INDEX hits_prefix ON hits(oob_prefix);
+CREATE INDEX hits_oob_family ON hits(oob_family);
+
+/* Layer 2 - MAC addresses */
+CREATE INDEX hits_mac_saddr ON hits(mac_saddr_str);
+CREATE INDEX hits_mac_daddr ON hits(mac_daddr_str);
+
+/* Layer 3 - IP */
+CREATE INDEX hits_ip_saddr ON hits(ip_saddr);
+CREATE INDEX hits_ip_daddr ON hits(ip_daddr);
+CREATE INDEX hits_ip_protocol ON hits(ip_protocol);
+
+/* Layer 4 protocols */
+CREATE INDEX hits_tcp_sport ON hits(tcp_sport);
+CREATE INDEX hits_tcp_dport ON hits(tcp_dport);
+CREATE INDEX hits_udp_sport ON hits(udp_sport);
+CREATE INDEX hits_udp_dport ON hits(udp_dport);
+CREATE INDEX hits_sctp_sport ON hits(sctp_sport);
+CREATE INDEX hits_sctp_dport ON hits(sctp_dport);
+
+CREATE INDEX hits_icmpv6_type ON hits(icmpv6_type);
+CREATE INDEX hits_icmp_type ON hits(icmp_type);
+
+CREATE TABLE flows (
+ flow_start_sec INTEGER,
+ flow_start_usec INTEGER,
+ flow_end_sec INTEGER,
+ flow_end_usec INTEGER,
+ orig_ip_saddr BLOB NOT NULL,
+ orig_ip_saddr_str TEXT NOT NULL,
+ orig_ip_daddr BLOB NOT NULL,
+ orig_ip_daddr_str TEXT NOT NULL,
+ orig_ip_protocol INTEGER NOT NULL,
+ orig_l4_sport INTEGER,
+ orig_l4_dport INTEGER,
+ orig_raw_pktcount INTEGER NOT NULL,
+ orig_raw_pktlen INTEGER NOT NULL,
+ reply_ip_saddr BLOB NOT NULL,
+ reply_ip_saddr_str BLOB NOT NULL,
+ reply_ip_daddr BLOB NOT NULL,
+ reply_ip_daddr_str BLOB NOT NULL,
+ reply_ip_protocol INTEGER NOT NULL,
+ reply_l4_sport INTEGER,
+ reply_l4_dport INTEGER,
+ reply_raw_pktcount INTEGER NOT NULL,
+ reply_raw_pktlen INTEGER NOT NULL,
+ icmp_code INTEGER,
+ icmp_type INTEGER,
+ ct_id INTEGER NOT NULL,
+ ct_event INTEGER NOT NULL,
+ ct_mark INTEGER
+);
+
+CREATE INDEX flows_ip_saddr ON flows(orig_ip_saddr);
+CREATE INDEX flows_ip_daddr ON flows(orig_ip_daddr);
+CREATE INDEX flows_ip_protocol ON flows(orig_ip_protocol);
diff --git a/ulogd2/ulogd.conf b/ulogd2/ulogd.conf
index c2b8e6d..565579f 100644
--- a/ulogd2/ulogd.conf
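Review bot: In `flows`, `reply_ip_saddr_str BLOB NOT NULL` and `reply_ip_daddr_str BLOB NOT NULL` are declared BLOB while their `orig_*_str` counterparts and every other `*_str` column in `hits` are TEXT; this looks like a copy-paste slip and should read `reply_ip_saddr_str TEXT NOT NULL` and `reply_ip_daddr_str TEXT NOT NULL`. SQLite's type affinity will still store whatever IP2STR binds, but the declared types are the schema's documentation and tools that read them will treat the two halves of a flow differently. `flows` also gets no index on time, so a time-bounded query over flows (presumably the common case for the statistics the commit message mentions) scans a table that only grows; `hits` has `hits_time` for exactly this, and `CREATE INDEX flows_start ON flows(flow_start_sec);` would match it. Nothing in the schema or the rest of the commit prunes either table, and the logrotate file is removed in the same commit, so retention needs to be handled somewhere.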
+++ b/ulogd2/ulogd.conf
@@ -5,9 +5,6 @@
 # GLOBAL OPTIONS
 ######################################################################
-# logfile for status messages
-logfile="/var/log/ulogd/ulogd.log"
-
 # loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
 loglevel=7
@@ -22,7 +19,7 @@ loglevel=7
 # 2. options for each plugin in seperate section below
 plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
 plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
@@ -31,7 +28,7 @@ plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
 plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
 #plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
-plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
 plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 #plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so"
 #plugin="/usr/lib/ulogd/ulogd_output_NACCT.so"
@@ -42,38 +39,26 @@ plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
 plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
-# this is a stack for logging packet send by system via LOGEMU
-stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
-
-# this is a stack for NFLOG packet-based logging to PCAP
-#stack=log1:NFLOG,base1:BASE,pcap1:PCAP
-
-# this is a stack for logging packet to sqlite
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,sqlite1:SQLITE3
+# Log packets
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,hw:HWHDR,db-packets:SQLITE3
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,print:PRINTPKT,syslog:SYSLOG
-# this is a stack for logging packets to syslog after a collect via NFLOG
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+# Log connection tracking events
+stack=src-ct:NFCT,ip2bin:IP2BIN,ip2str:IP2STR,print-flow:PRINTFLOW,db-flows:SQLITE3
-# Logging of system packet through NFLOG
-[log1]
-# netlink multicast group (the same as the iptables --nflog-group param)
-# Group O is used by the kernel to log connection tracking invalid message
+[src-pkt]
 group=0
-#netlink_socket_buffer_size=217088
-#netlink_socket_buffer_maxsize=1085440
-# set number of packet to queue inside kernel
-#netlink_qthreshold=1
-# set the delay before flushing packet in the queue inside kernel (in ms)
-#netlink_qtimeout=1000
 bind=1
-[emu1]
-file="/var/log/ulogd/syslogemu.log"
-sync=1
+[src-ct]
+# Only receive DESTROY events
+event_mask=0x00000004
+hash_enable=1
-[pcap1]
-sync=1
+[db-packets]
+db=/var/lib/ulogd/ulogd.db
+table=hits
-[sqlite1]
-db=/var/log/ulogd/ulogd.db
-table=ulog
+[db-flows]
+db=/var/lib/ulogd/ulogd.db
+table=flows
diff --git a/ulogd2/ulogd.logrotate b/ulogd2/ulogd.logrotate
deleted file mode 100644
index b3fb6d1..0000000
--- a/ulogd2/ulogd.logrotate
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pcap {
- missingok
- sharedscripts
- postrotate
- /bin/killall -HUP ulogd 2> /dev/null || true
- endscript
-}
diff --git a/ulogd2/ulogd2.nm b/ulogd2/ulogd2.nm
index 5a153a2..4d639a8 100644
--- a/ulogd2/ulogd2.nm
+++ b/ulogd2/ulogd2.nm
@@ -4,7 +4,7 @@
 ###############################################################################
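Review bot: The renamed `[src-pkt]` section keeps `group=0` but drops the two comments that explained it (`# netlink multicast group (the same as the iptables --nflog-group param)` and the note that group 0 is also used by the kernel for conntrack invalid messages); since the firewall rules must use the same `--nflog-group`, that explanation should survive the rename. Both `[db-packets]` and `[db-flows]` point at `/var/lib/ulogd/ulogd.db`, which will accumulate source and destination addresses and ports of all logged traffic; the file is created at build time in ulogd2.nm and nothing in this commit sets its mode, so the directory and database should be confirmed not world-readable. The SYSLOG stack reuses the `src-pkt`, `base`, `ifindex` and `ip2str` instances of the SQLITE3 stack, which appears intended (one NFLOG source feeding two outputs), but a one-line comment saying so would help readers coming from the old one-stack-per-output layout.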
 name = ulogd2
-version = 2.0.4
+version = 2.0.5
 release = 1
 epoch = 1
@@ -40,15 +40,15 @@ build
 # Set libdir to "/usr/lib" for every architecture to install the ulogd2 plugins
 # to this folder.
 configure_options+= \
- --sysconfdir=/etc \
 --libdir=%{prefix}/lib
 install_cmds
- mkdir -pv %{BUILDROOT}/etc
- cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}/etc/ulogd.conf
+ mkdir -pv %{BUILDROOT}%{sysconfdir}
+ cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}%{sysconfdir}/ulogd.conf
- mkdir -pv %{BUILDROOT}/var/log/ulogd
- sqlite3 -echo %{BUILDROOT}/var/log/ulogd/ulogd.db < %{DIR_SOURCE}/sqlite3.table
+ mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd
+ sqlite3 -echo %{BUILDROOT}%{sharedstatedir}/ulogd/ulogd.db \
+ < %{DIR_SOURCE}/sqlite3.table
 end
 end
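Review bot: `install_cmds` creates `ulogd.db` with the schema at build time, and the `@@ -61,7 +61,11 @@` hunk ships that file as a `datafiles` entry under `%{sharedstatedir}/ulogd`, so the package carries an empty database into a directory that is meant to hold runtime state; depending on how pakfire treats `datafiles` on upgrade (not visible here), an update could replace the populated database and discard everything logged so far, which is worth confirming before this lands. If that is the case, creating the database from `sqlite3.table` in the postin script, only when the file does not yet exist, avoids both the clobber and the need to package it. The `sqlite3` invocation also leaves the file with the build user's default umask, while the database records addresses and ports of every logged packet and flow, so an explicit mode on the directory, e.g. `chmod -v 0700 %{BUILDROOT}%{sharedstatedir}/ulogd` after the `mkdir`, or the equivalent in the package's permission handling, should be added.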
@@ -61,7 +61,11 @@ packages
 end
 configfiles
- /etc/ulogd.conf
+ %{sysconfdir}/ulogd.conf
+ end
+
+ datafiles
+ %{sharedstatedir}/ulogd/ulogd.db
 end
script postin