Hi All,

I'm currently using the 'LOG' target of iptables to send information into the syslog which another program then reads (tail -f) to collect the MAC and IP of particular packets of interest.

What I'm wanting to do is short-cut this step of going into syslog as it's not necessary.

What I want to be able to do is create my own version of the 'LOG' target that will send the MAC and IP of the packets that match the rule to a custom process (or more likely a socket) on the machine.

I've had a read through this site http://pudhumaijude.blogspot.com/201...-iptables.html and this PDF http://inai.de/documents/Netfilter_Modules.pdf but unfortunately the part I can't work out is where the actual 'logging' takes place.

Is there someone out there who might be able to point me in the right direction?

Thanks
Anubis.

It's not that syslog is not necessary but the mechanism is that these messages enter the kernel message ring buffer by default and where they exit is determined by which facility is set ('man 3 syslog') when using --log-level in -j LOG in combination with the facility and destination configured in (r)syslog.conf. Depending on what processing is needed (do clarify?) and depending on what syslog daemon you use you could already have part of it solved. For example Rsyslog allows you to run an(y) external command on message reception (no idea what the execution penalty / overhead would be though).


I really wonder if you would require invasive modification of Netfilter code when there's ready-made ULOGD and NFQUEUE? For example ULOGD-related specter does seem to do exec too or see nfqueue-bindings examples with respect to Scapy.

Hi unSpawn,

Thanks very much for your reply. I had always wondered about the 'LOG' target as to how it ends up in the syslog, but your explanation clears that up nicely.

The ULOGD seems like it might do the job; wonder why I'd not come across it before. Anyway, I'll check over that before 'invading' modifications to netfilter.

Thanks
Anubis.