xx产品有个功能是对任何端口的访问都会被记录。它的实现原理是iptables的NFLOG
NFLOG是什么
它是一个target,就像ACCEPT、DROP等可以作为iptables -j后的参数值
iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40 --nflog-prefix TCPDUMP-PCAP-INtcpdump -i nflog:40 -v -w nf40.pcap
// 此时tcpdump必须使用 -w 参数报文报文
tcpdump -i nflog:40 -v -w nf40.pcap
tcpdump: listening on nflog:40, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes示例:
Can I log and drop packets with nflog in one iptables rule?
-N log_and_drop
-A log_and_drop -j NFLOG --nflog-prefix "shared prefix"
-A log_and_drop -j DROP
-A INPUT -p tcp --sport 1234 -g log_and_drop
-A INPUT -p udp --sport 4321 -g log_and_dropIs there any way to put NFLOG (--nflog-prefix) inside the iptables rule so that there is only one line left?
NFLOG:https://ipset.netfilter.org/iptables-extensions.man.html#lbDG
内核代码为:
static struct xt_target ebt_nflog_tg_reg __read_mostly = {
.name = "nflog",
.revision = 0,
.family = NFPROTO_BRIDGE,
.target = ebt_nflog_tg,
.checkentry = ebt_nflog_tg_check,
.targetsize = sizeof(struct ebt_nflog_info),
.me = THIS_MODULE,
};
ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_nflog_info *info = par->targinfo;
struct net *net = xt_net(par);
struct nf_loginfo li;
li.type = NF_LOG_TYPE_ULOG;
li.u.ulog.copy_len = info->len;
li.u.ulog.group = info->group;
li.u.ulog.qthreshold = info->threshold;
li.u.ulog.flags = 0;
nf_log_packet(net, PF_BRIDGE, xt_hooknum(par), skb, xt_in(par),
xt_out(par), &li, "%s", info->prefix);
return EBT_CONTINUE;
}
http代理服务器(3-4-7层代理)-网络事件库公共组件、内核kernel驱动 摄像头驱动 tcpip网络协议栈、netfilter、bridge 好像看过!!!! 但行好事 莫问前程 --身高体重180的胖子