Hi Pablo,

On Mon, 20 Apr 2009, Pablo Neira Ayuso wrote:

> Jozsef Kadlecsik wrote:
> >
> > On Mon, 20 Apr 2009, Pablo Neira Ayuso wrote:
> >
> >>> Attached you can find patches for netfilter and iptables to support the
> >>> logging of the original and NAT-ed IP addresses together.
> >>>
> >>> Currently there's no way to do it by netfilter/iptables. If we log in the
> >>> filter table, there we can record the original src IP address only.
> >>> However, we cannot log the src IP address after NAT at all: SNAT happens
> >>> in the nat table at POSTROUTING, and there's no other table to which the
> >>> logging rule could be added (and the NAT targets return ACCEPT, so we
> >>> cannot add the logging rule to the nat table either).
> >>>
> >>> The only way to log src/dst IP before/after NAT presently is to run
> >>> 'conntrack' in event mode like this:
> >>>
> >>> conntrack -E -e NEW | logger -p kernel.info
> >>
> >> We can also do this by means of ulogd2 or, alternatively, conntrackd in
> >> its very basic statistics mode.
> >
> > But ulogd2 requires the ULOG target and ULOG cannot log the SNAT-ed
> > address either, similarly to the vanilla LOG target: there's presently no
> > hook at which the information is available for the LOG/ULOG targets.
>
> I wasn't referring to any iptables target. New ulogd2 includes support
> for ctnetlink, which can do this. I know, that means extra library
> dependencies.

I see. Thanks for the info, good to know that ulogd2 is capable of this.
(Calling 'conntrack' for logging looked really ugly. :-)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
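The conntrack event workaround discussed in the thread, as an added example that is not part of the thread, of the netfilter project or of the conntrack tools: a POSIX shell filter that parses `conntrack -E -e NEW` lines and prints the original source address beside the post-SNAT source, which is recoverable from the reply tuple's `dst`/`dport` (the address the peer answers to). The event lines below are constructed samples in the classic conntrack event format, not output captured from a real host, and the function names `nat_pairs` and `demo` are my own.

```shell
#!/bin/sh
# Constructed sample of `conntrack -E -e NEW` output (not captured from a real host).
# Each line carries the original tuple (first src/dst/sport/dport) and, after
# [UNREPLIED], the expected reply tuple. With SNAT/MASQUERADE the reply tuple's
# dst is the translated source address, so both addresses sit on one line.
SAMPLE_EVENTS='    [NEW] tcp      6 120 SYN_SENT src=192.168.1.20 dst=203.0.113.10 sport=40001 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.1 sport=80 dport=40001
    [NEW] udp      17 30 src=192.168.1.21 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5353
    [NEW] tcp      6 120 SYN_SENT src=192.168.1.22 dst=192.168.1.1 sport=40002 dport=22 [UNREPLIED] src=192.168.1.1 dst=192.168.1.22 sport=22 dport=40002'

# nat_pairs: read conntrack NEW events on stdin, print one line per event as
#   "proto orig_src:orig_sport -> nat_src:nat_sport dst:dport [(SNAT)]"
# Only key=value fields are inspected, so the optional TCP state column and the
# timeout column do not matter. Flows whose original source equals the reply
# destination were not source-NATed and get no "(SNAT)" tag.
nat_pairs() {
    awk '
    /\[NEW\]/ {
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; src[n] = kv[2] }   # src starts a new tuple
            if (kv[1] == "dst")   { dst[n] = kv[2] }
            if (kv[1] == "sport") { sport[n] = kv[2] }
            if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        proto = $2
        tag = (src[1] != dst[2]) ? " (SNAT)" : ""
        printf "%s %s:%s -> %s:%s %s:%s%s\n",
               proto, src[1], sport[1], dst[2], dport[2], dst[1], dport[1], tag
    }'
}

# demo: run the filter over the constructed sample and return its output.
demo() {
    printf '%s\n' "$SAMPLE_EVENTS" | nat_pairs
}

# Live use on a NAT gateway (not run here):
#   conntrack -E -e NEW | nat_pairs | logger -t natlog
demo
```

The third sample line has no address translation, so the filter prints the same address on both sides and omits the tag; a port remapped by SNAT would show up as a differing `nat_sport`, which the plain LOG target in the filter table cannot record at all.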