Jozsef Kadlecsik wrote:
On Mon, 20 Apr 2009, Patrick McHardy wrote:
Jozsef Kadlecsik wrote:
On Mon, 20 Apr 2009, Pablo Neira Ayuso wrote:
I wasn't referring to any iptables target. New ulogd2 includes support
for ctnetlink, which can do this. I know, that means extra library
dependencies.
I see. Thanks for the info, good to know that ulogd2 is capable of this.
(Calling 'conntrack' for logging looked really ugly. :-)
In the kernel, we could log the information from the conntrack
entry, if any. That would allow logging the manips after they
have been set up.
Yes, but I'd not want unconditional logging.
I missed the point, you're already doing what I had in mind (use
ct->tuplehash->...) and the new hook is needed to even get a chance
to log the packet after SNAT.
Would Pablo's suggestion or the conntrack method work for you?
Oh, it's not for me at all: at a workshop I was asked how to log the info
(hint: Conficker ;-) and, embarrassed enough, I had to admit there was no
easy way. That's why I put together the patch, with all its questionable
details.
I can see that it has some informational value, but for things like
locating infected hosts, why not simply look at the traffic before
it is NATed? I currently can't come up with a real use case for
this ...
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html