ulogd2: Update to version 2.0.5

This package adds logging of the flows and packets to an sqlite
database that can be used to get statistical output.

Logging to syslog as known from IPFire 2 has been added as well
but is only temporary until there is a way to view the logged
packets on the console.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ulogd2/patches/ulogd2-2.0.5-better-sqlite-debugging.patch

@@ -0,0 +1,26 @@
+diff --git a/output/sqlite3/ulogd_output_SQLITE3.c b/output/sqlite3/ulogd_output_SQLITE3.c
+index 5c49055..e3eff6f 100644
+--- a/output/sqlite3/ulogd_output_SQLITE3.c
++++ b/output/sqlite3/ulogd_output_SQLITE3.c
+@@ -212,7 +212,8 @@ sqlite3_interp(struct ulogd_pluginstance *pi)
+ 	return ULOGD_IRET_OK;
+ 
+  err_bind:
+-	ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s\n", sqlite3_errmsg(priv->dbh));
++	ulogd_log(ULOGD_ERROR, "SQLITE: bind: %s (field: %s)\n", sqlite3_errmsg(priv->dbh),
++		f->key->name);
+ 	
+ 	return ULOGD_IRET_ERR;
+ }
+@@ -353,8 +354,10 @@ sqlite3_init_db(struct ulogd_pluginstance *pi)
+ 		}
+ 		strncpy(f->name, buf, ULOGD_MAX_KEYLEN);
+ 
+-		if ((f->key = ulogd_find_key(pi, buf)) == NULL)
++		if ((f->key = ulogd_find_key(pi, buf)) == NULL) {
++			ulogd_log(ULOGD_ERROR, "SQLITE3: Could not find field %s\n", buf);
+ 			return -1;
++		}
+ 
+ 		TAILQ_INSERT_TAIL(&priv->fields, f, link);
+ 	}

ulogd2/sqlite3.table

@@ -1,21 +1,126 @@
-CREATE TABLE ulog (
-			raw_mac		VARCHAR(80),
-			oob_time_sec	INT UNSIGNED,
-			oob_time_usec	INT UNSIGNED,
-			ip_saddr	INT UNSIGNED,
-			ip_daddr	INT UNSIGNED,
-			ip_protocol	TINYINT UNSIGNED,
-			ip_totlen       SMALLINT UNSIGNED,
-			tcp_sport	SMALLINT UNSIGNED,
-			tcp_dport	SMALLINT UNSIGNED,
-			udp_sport	SMALLINT UNSIGNED,
-			udp_dport	SMALLINT UNSIGNED,
-			udp_len		SMALLINT UNSIGNED,
-			icmp_type	TINYINT UNSIGNED,
-			icmp_code	TINYINT UNSIGNED,
-			icmp_echoid	SMALLINT UNSIGNED,
-			icmp_echoseq	SMALLINT UNSIGNED,
-			icmp_gateway	INT UNSIGNED,
-			icmp_fragmtu	SMALLINT UNSIGNED
-		);
+CREATE TABLE hits (
+	oob_time_sec		INTEGER NOT NULL,
+	oob_time_usec		INTEGER NOT NULL,
+	oob_hook		INTEGER,
+	oob_prefix		TEXT,
+	mac_saddr_str		TEXT,
+	mac_daddr_str		TEXT,
+	oob_in			TEXT,
+	oob_out			TEXT,
+	oob_family		INTEGER,
+	oob_protocol		INTEGER,
+	oob_uid			INTEGER,
+	oob_gid			INTEGER,
+	oob_mark		INTEGER,
+	ip_saddr		BLOB,
+	ip_saddr_str		TEXT,
+	ip_daddr		BLOB,
+	ip_daddr_str		TEXT,
+	ip_protocol		INTEGER,
+	ip_tos			INTEGER,
+	ip_ttl			INTEGER,
+	ip_totlen		INTEGER,
+	ip_id			INTEGER,
+	ip_fragoff		INTEGER,
+	ip6_payloadlen		INTEGER,
+	ip6_priority		INTEGER,
+	ip6_hoplimit		INTEGER,
+	ip6_flowlabel		INTEGER,
+	ip6_nexthdr		INTEGER,
+	ip6_fragoff		INTEGER,
+	ip6_fragid		INTEGER,
+	tcp_sport		INTEGER,
+	tcp_dport		INTEGER,
+	tcp_seq			INTEGER,
+	tcp_ackseq		INTEGER,
+	tcp_window		INTEGER,
+	tcp_syn			INTEGER,
+	tcp_ack			INTEGER,
+	tcp_rst			INTEGER,
+	tcp_fin			INTEGER,
+	tcp_urg			INTEGER,
+	tcp_urgp		INTEGER,
+	udp_sport		INTEGER,
+	udp_dport		INTEGER,
+	udp_len			INTEGER,
+	icmp_type		INTEGER,
+	icmp_code		INTEGER,
+	icmp_echoid		INTEGER,
+	icmp_echoseq		INTEGER,
+	icmp_gateway		INTEGER,
+	icmp_fragmtu		INTEGER,
+	icmpv6_type		INTEGER,
+	icmpv6_code		INTEGER,
+	icmpv6_echoid		INTEGER,
+	icmpv6_echoseq		INTEGER,
+	icmpv6_csum		INTEGER,
+	ahesp_spi		INTEGER,
+	arp_hwtype		INTEGER,
+	arp_protocoltype	INTEGER,
+	arp_operation		INTEGER,
+	arp_shwaddr		BLOB,
+	arp_saddr_str		TEXT,
+	arp_dhwaddr		BLOB,
+	arp_daddr_str		TEXT,
+	sctp_sport		INTEGER,
+	sctp_dport		INTEGER,
+	sctp_csum		INTEGER
+);
 
+CREATE INDEX hits_time ON hits(oob_time_sec);
+CREATE INDEX hits_prefix ON hits(oob_prefix);
+CREATE INDEX hits_oob_family ON hits(oob_family);
+
+/* Layer 2 - MAC addresses */
+CREATE INDEX hits_mac_saddr ON hits(mac_saddr_str);
+CREATE INDEX hits_mac_daddr ON hits(mac_daddr_str);
+
+/* Layer 3 - IP */
+CREATE INDEX hits_ip_saddr ON hits(ip_saddr);
+CREATE INDEX hits_ip_daddr ON hits(ip_daddr);
+CREATE INDEX hits_ip_protocol ON hits(ip_protocol);
+
+/* Layer 4 protocols */
+CREATE INDEX hits_tcp_sport ON hits(tcp_sport);
+CREATE INDEX hits_tcp_dport ON hits(tcp_dport);
+CREATE INDEX hits_udp_sport ON hits(udp_sport);
+CREATE INDEX hits_udp_dport ON hits(udp_dport);
+CREATE INDEX hits_sctp_sport ON hits(sctp_sport);
+CREATE INDEX hits_sctp_dport ON hits(sctp_dport);
+
+CREATE INDEX hits_icmpv6_type ON hits(icmpv6_type);
+CREATE INDEX hits_icmp_type ON hits(icmp_type);
+
+CREATE TABLE flows (
+	flow_start_sec		INTEGER,
+	flow_start_usec		INTEGER,
+	flow_end_sec		INTEGER,
+	flow_end_usec		INTEGER,
+	orig_ip_saddr		BLOB NOT NULL,
+	orig_ip_saddr_str	TEXT NOT NULL,
+	orig_ip_daddr		BLOB NOT NULL,
+	orig_ip_daddr_str	TEXT NOT NULL,
+	orig_ip_protocol	INTEGER NOT NULL,
+	orig_l4_sport		INTEGER,
+	orig_l4_dport		INTEGER,
+	orig_raw_pktcount	INTEGER NOT NULL,
+	orig_raw_pktlen		INTEGER NOT NULL,
+	reply_ip_saddr		BLOB NOT NULL,
+	reply_ip_saddr_str	BLOB NOT NULL,
+	reply_ip_daddr		BLOB NOT NULL,
+	reply_ip_daddr_str	BLOB NOT NULL,
+	reply_ip_protocol	INTEGER NOT NULL,
+	reply_l4_sport		INTEGER,
+	reply_l4_dport		INTEGER,
+	reply_raw_pktcount	INTEGER NOT NULL,
+	reply_raw_pktlen	INTEGER NOT NULL,
+	icmp_code		INTEGER,
+	icmp_type		INTEGER,
+	ct_id			INTEGER NOT NULL,
+	ct_event		INTEGER NOT NULL,
+	ct_mark			INTEGER
+);
+
+CREATE INDEX flows_ip_saddr ON flows(orig_ip_saddr);
+CREATE INDEX flows_ip_daddr ON flows(orig_ip_daddr);
+CREATE INDEX flows_ip_protocol ON flows(orig_ip_protocol);

ulogd2/ulogd.conf

@@ -5,9 +5,6 @@
 # GLOBAL OPTIONS
 ######################################################################
 
-# logfile for status messages
-logfile="/var/log/ulogd/ulogd.log"
-
 # loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
 loglevel=7
 
@@ -22,7 +19,7 @@ loglevel=7
 # 2. options for each plugin in seperate section below
 
 plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
-plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/ulogd/ulogd_inppkt_ULOG.so"
 plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
@@ -31,7 +28,7 @@ plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
 plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
 plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
 #plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
-plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
 plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 #plugin="/usr/lib/ulogd/ulogd_output_OPRINT.so"
 #plugin="/usr/lib/ulogd/ulogd_output_NACCT.so"
@@ -42,38 +39,26 @@ plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
 plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
 plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
 
-# this is a stack for logging packet send by system via LOGEMU
-stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+# Log packets
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,hw:HWHDR,db-packets:SQLITE3
+stack=src-pkt:NFLOG,base:BASE,ifindex:IFINDEX,ip2str:IP2STR,print:PRINTPKT,syslog:SYSLOG
 
-# this is a stack for NFLOG packet-based logging to PCAP
-#stack=log1:NFLOG,base1:BASE,pcap1:PCAP
+# Log connection tracking events
+stack=src-ct:NFCT,ip2bin:IP2BIN,ip2str:IP2STR,print-flow:PRINTFLOW,db-flows:SQLITE3
 
-# this is a stack for logging packet to sqlite
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,sqlite1:SQLITE3
-
-# this is a stack for logging packets to syslog after a collect via NFLOG
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
-
-# Logging of system packet through NFLOG
-[log1]
-# netlink multicast group (the same as the iptables --nflog-group param)
-# Group O is used by the kernel to log connection tracking invalid message
+[src-pkt]
 group=0
-#netlink_socket_buffer_size=217088
-#netlink_socket_buffer_maxsize=1085440
-# set number of packet to queue inside kernel
-#netlink_qthreshold=1
-# set the delay before flushing packet in the queue inside kernel (in ms)
-#netlink_qtimeout=1000
 bind=1
 
-[emu1]
-file="/var/log/ulogd/syslogemu.log"
-sync=1
+[src-ct]
+# Only receive DESTROY events
+event_mask=0x00000004
+hash_enable=1
 
-[pcap1]
-sync=1
+[db-packets]
+db=/var/lib/ulogd/ulogd.db
+table=hits
 
-[sqlite1]
-db=/var/log/ulogd/ulogd.db
-table=ulog
+[db-flows]
+db=/var/lib/ulogd/ulogd.db
+table=flows

ulogd2/ulogd.logrotate

@@ -1,7 +0,0 @@
-/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pcap {
-    missingok
-    sharedscripts
-    postrotate
-	/bin/killall -HUP ulogd 2> /dev/null || true
-    endscript
-}

ulogd2/ulogd2.nm

@@ -4,7 +4,7 @@
 ###############################################################################
 
 name       = ulogd2
-version    = 2.0.4
+version    = 2.0.5
 release    = 1
 epoch      = 1
 
@@ -40,15 +40,15 @@ build
 	# Set libdir to "/usr/lib" for every architecture to install the ulogd2 plugins
 	# to this folder.
 	configure_options+= \
-		--sysconfdir=/etc \
 		--libdir=%{prefix}/lib
 
 	install_cmds
-		mkdir -pv %{BUILDROOT}/etc
-		cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}/etc/ulogd.conf
+		mkdir -pv %{BUILDROOT}%{sysconfdir}
+		cp -vf %{DIR_SOURCE}/ulogd.conf %{BUILDROOT}%{sysconfdir}/ulogd.conf
 
-		mkdir -pv %{BUILDROOT}/var/log/ulogd
-		sqlite3 -echo %{BUILDROOT}/var/log/ulogd/ulogd.db < %{DIR_SOURCE}/sqlite3.table
+		mkdir -pv %{BUILDROOT}%{sharedstatedir}/ulogd
+		sqlite3 -echo %{BUILDROOT}%{sharedstatedir}/ulogd/ulogd.db \
+			< %{DIR_SOURCE}/sqlite3.table
 	end
 end
 
@@ -61,7 +61,11 @@ packages
 		end
 
 		configfiles
-			/etc/ulogd.conf
+			%{sysconfdir}/ulogd.conf
+		end
+
+		datafiles
+			%{sharedstatedir}/ulogd/ulogd.db
 		end
 
 		script postin