ulogd（一）

参考资料：

　　https://blog.csdn.net/eydwyz/article/details/52456335

　　https://blog.csdn.net/chinalinuxzend/article/details/1765249

　　https://rlworkman.net/howtos/ulogd.html

./README

===> IDEA

This packages is intended for doing all netfilter related logging inside a
userspace process.  This includes
    - logging of ruleset violations via ipt_ULOG (kernel 2.4.18+)
    - logging of ruleset violations via nfnetlink_log (kernel 2.6.14+)
    - logging of connection startup/teardown (kernel 2.6.14+)
    - connection-based accounting  (kernel 2.6.14+)

在守护进程中做netfilter相关的各种统计工作。

工作原理
- Register a target called ULOG with iptables
- if the target is hit:
- send the packet out using netlink multicast facility
- return NF_CONTINUE immediately

简单翻译一下，工作原理就是:

　　通过 iptables 下发规则到内核，匹配相应规则之后，内核将通过 netlink 将消息

发送到用户态，然后报文在内核态继续执行。

　　输出支持直接将结果写到database中，需要提前预设database，修改ulogd配置。

关于下边相关的几个插件：

Input Plugins

Input plugins acts data source. They get data from somewhere outside of ulogd, and convert it into a list of ulogd keys.

Filter Plugins

Filter plugins interpret(解释) and/or filter(过滤) data that was received from the Input Plugin. A good example is parsing a raw packet into IPv4 / TCP / ... header information.

Output Plugins

Output plugins describe how and where to put the information gained by the Input Plugin and processed by one or more Filter Plugins. The easiest way is to build a line per packet and fprint it to a file. Some people might want to log into a SQL database or want an output conforming to the IETF IPFIX language.

5. Available plugins

It is important to understand that ulogd without plugins does nothing. It will receive packets, and do nothing with them.

There are two kinds of plugins, interpreter and output plugins. Interpreter plugins parse the packet, output plugins write the interpreted information to some logfile/database/...

===> CONTENTS
= ulogd daemon (ulogd)
A sophisticated logging daemon core which uses a plugin for about anything. The
daemon provides a plugin API for
    - input plugins
    - filter plugins
    - output plugins
= documentation (doc)
A quite verbose documentation of this package and it's configuration exists,
please actually make use of it and read it :)

===> USAGE

To be able to build ulogd, you need to have working developement files and
and libraries for:
 - libnfnetlink
 - libmnl
 - libnetfilter_log         [optional]
 - libnetfilter_conntrack    [optional]
 - libnetfilter_acct        [optional]

Output plugins are build if the needed library and headers are found. This
includes:
 - PCAP: libpcap
 - PGSQL: libpq
 - MySQL: libmysqlclient
 - SQLITE3: libsqlite3
 - DBI: libdbi

The build procedure is standard:
 $ ./configure
 $ make
 $ sudo make install

After build, you need to edit the ulogd.conf file to define a stack or more
to use.

===> EXAMPLES

= NFLOG(防火墙log) usage

At first a simple example, which passes every outgoing packet to the
userspace logging, using nfnetlink group 3.

iptables -A OUTPUT -j NFLOG --nflog-group 3

A more advanced one, passing all incoming tcp packets with destination
port 80 to the userspace logging daemon listening on netlink multicast
group 32. All packets get tagged with the ulog prefix "inp"

iptables -A INPUT -j NFLOG -p tcp --dport 80 --nflog-group 32 --nflog-prefix inp

See iptables -j NFLOG -h for complete information about NFLOG.

= NFCT(链接跟踪) usage

To use connection logging, simply activate in ulogd.conf one stack using
the NFCT plugin.

For example, the following stack will do flow-based logging via
LOGEMU:

stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU(配置文件中的相关配置)

= NFACCT(防火墙统计) usage

On ulogd side, activate a stack using the NFACCT module.

You then need to create counters:
 # nfacct add ipv4.tcp
 # nfacct add ipv6.tcp.443 (是一个新的命令，需要重新安装)

Once this is done, you can then create iptables matching rule that will increment
each time a packet hit them:

# iptables -A FORWARD -p tcp -m nfacct --nfacct-name ipv4.tcp(配置的是一个转发链，pc机验证时候建议设置成INPUT、OUTPUT)
 # ip6tables -A FORWARD -p tcp  --dport 443 -m nfacct --nfacct-name ipv6.tcp.443
 # ip6tables -A FORWARD -p tcp  --sport 443 -m nfacct --nfacct-name ipv6.tcp.443

NFACCT plugin will then dump periodically the counters and trigger an update of the
output corresponding to the active stacks.

===> COPYRIGHT + CREDITS

The code and documentation is
    (C) 2000-2006 by Harald Welte <laforge@gnumonks.org>
    (C) 2008-2012 Pablo Neira Ayuso <pablo@netfilter.org>
    (C) 2008-2013 Eric Leblond <eric@regit.org>

Thanks also to the valuable contributions of Daniel Stone, Alexander Janssen,
Michael Stolovitzsky and Jozsef Kadlecsik.

Credits to Rusty Russell, James Morris, Marc Boucher and all the other
netfilter hackers.