ulog-acctd relies on the kernel (more specifically, Netfilter) to pipe the
packet headers to user space. This has to be enabled by adding rules
with the ULOG target to packet filtering tables.
The following example causes all packets that successfully pass the
FORWARD chain to be logged to ulog-acctd.
iptables --append FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthreshold 50 --ulog-prefix "FORWARD"
Explanation:
-j ULOG causes the packet to be passed to userspace in the first
place.
--ulog-nlgroup GROUP specifies that the packet be sent to
multicast group GROUP. ulog-acctd has to be configured
to listen to this group.
--ulog-cprange SIZE means that only the first SIZE
bytes are copied to userspace. The default is to copy the whole packet;
limiting the number of bytes should increase performance. However, when
IP headers carry a lot of option fields, the TCP, UDP, or ICMP headers
may fall outside the copied range.
ulog-acctd will log a warning to the system log as well as
the debug log in this case.
--ulog-qthreshold COUNT makes the kernel collect
COUNT packets before sending the message containing these packets
to userspace.
--ulog-prefix PREFIX causes a prefix string (max. 32
characters) to be passed along with the packet. This can, for example, be
used to include hints for accounting systems.
For further information, see iptables(8).
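The --ulog-cprange caveat above can be checked before choosing SIZE. The following is an added example, not part of ulog-acctd or its documentation: it truncates constructed IPv4 packets the way a given cprange would and reports whether the transport header is still inside the copied bytes. The function names are hypothetical, and the example assumes the whole fixed TCP, UDP, or ICMP header is wanted, since the page does not say which fields ulog-acctd reads.

```python
import struct

# Minimum fixed header sizes by IP protocol number (assumption: the whole
# fixed header is wanted; the page does not say which fields ulog-acctd reads).
MIN_L4 = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP


def min_cprange(ihl_words, proto):
    """Smallest --ulog-cprange that still covers the transport header."""
    return ihl_words * 4 + MIN_L4[proto]


def check_copied(copied):
    """Classify the bytes Netfilter copied for one IPv4 packet."""
    if len(copied) < 20:
        return "ip-header-truncated"
    ver_ihl, proto = copied[0], copied[9]
    if ver_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = ver_ihl & 0x0F  # header length in 32-bit words, options included
    if ihl < 5:
        return "bad-ihl"
    if proto not in MIN_L4:
        return "other-protocol"
    if len(copied) < min_cprange(ihl, proto):
        return "transport-header-out-of-range"
    return "ok"


def build_packet(proto, option_bytes, payload_len=64):
    """Constructed sample: IPv4 header, NOP options, zero-filled remainder."""
    assert option_bytes % 4 == 0 and 0 <= option_bytes <= 40
    ihl = 5 + option_bytes // 4
    total = ihl * 4 + MIN_L4[proto] + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + b"\x01" * option_bytes + bytes(MIN_L4[proto] + payload_len)


def simulate(cprange, proto, option_bytes):
    """Truncate a constructed packet to cprange bytes and classify it."""
    return check_copied(build_packet(proto, option_bytes)[:cprange])
```

With the SIZE of 48 from the rule above, a TCP packet stays in range with up to 8 bytes of IP options; covering the maximum of 40 option bytes needs a SIZE of 80.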