Slavko <linux@xxxxxxxxxx> wrote:
> I want to log ARP headers, thus I create arp family table
> with one chain with only one rule, something as:
>
> arp operation request limit ... counter log group 2 prefix ...
>
> It basically works, counter grows and packets are logged
> via ulogd2 stack:
>
> stack=log2a:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,gp1:GPRINT
>
> Except that the log entries do not have any ARP headers.
>
> Then I found this article [1], which mentions the ARP as
> sysctl key:
>
> net.netfilter.nf_log.3

This is only required for logging that is triggered internally, e.g. for nf_conntrack.log_Invalid.

It's not needed when using LOG or NFLOG targets or the nftables equivalents; when a rule gets triggered it's crystal clear which backend should be used.

> Thus I set it to "nfnetlink_log", but that doesn't help. It
> is hard to find what these numbers are, but I guess that
> family constants, as 2, 7 and 10 (from ulogd2 start log)
> correspond to inet, inet6 and bridge family, but I am not
> aware of arp family...
>
> I guess that ulogd2 is able to log ARP headers as I found
> them in BASE plugin's info output, but please what do I have
> to do to get them into log? Or problem is, that I play with
> it inside LXC container (other logging works in it)?

I think this is missing support in ulogd2.

Untested, to give you some starting point: (3 is NFPROTO_ARP).

--- a/filter/raw2packet/ulogd_raw2packet_BASE.c +++ b/filter/raw2packet/ulogd_raw2packet_BASE.c @@ -959,6 +959,8 @@ static int _interp_pkt(struct ulogd_pluginstance *pi) return _interp_ipv6hdr(pi, len); case AF_BRIDGE: return _interp_bridge(pi, len); + case 3: + return _interp_arp(pi, len); } return ULOGD_IRET_OK; }
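
Review bot: The added `case 3:` label is a bare magic number sitting right after `case AF_BRIDGE:`; since the message says 3 is NFPROTO_ARP, use that named constant (or at least a comment on the label) so the switch stays readable and greppable. The hunk also does not show where `_interp_arp` is declared, so before merging confirm it is visible ahead of `_interp_pkt` and takes `(pi, len)` like `_interp_ipv6hdr` and `_interp_bridge`, and that it checks `len` against the ARP header size before reading any field.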