summaryrefslogtreecommitdiff
path: root/doc/stats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2008-07-22 12:13:43 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-07-22 12:13:43 +0200
commit77b1fdb824eb45213df4f57224e8e799fed43ded (patch)
tree282a395e7ab2d8fe8cfe12f34e6d09535d067101 /doc/stats
parent2de606c2458067c48e72058a31af384574cf9c70 (diff)
downloadconntrack-tools-77b1fdb824eb45213df4f57224e8e799fed43ded.tar.gz
conntrack-tools-77b1fdb824eb45213df4f57224e8e799fed43ded.zip
Major rework of the user-space event filtering
This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/stats')
-rw-r--r--doc/stats/conntrackd.conf54
1 files changed, 33 insertions, 21 deletions
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index 4bc5642..b63c2c3 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -47,6 +47,39 @@ General {
# Increase the socket buffer up to maximun if required
#
SocketBufferSizeMaxGrown 655355
+
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ #
+ Filter {
+ #
+ # Accept only certain protocols: You may want to log the
+ # state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ }
+
+ #
+ # Ignore traffic for a certain set of IP's.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # The existing TCP states are: SYN_SENT, SYN_RECV, ESTABLISHED,
+ # FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
}
Stats {
@@ -66,24 +99,3 @@ Stats {
#
#Syslog on
}
-
-#
-# Ignore traffic for a certain set of IP's: Usually
-# all the IP assigned to the firewall since local
-# traffic must be ignored, just forwarded connections
-# are worth to replicate
-#
-IgnoreTrafficFor {
- IPv4_address 127.0.0.1 # loopback
-}
-
-#
-# Do not replicate certain protocol traffic
-#
-IgnoreProtocol {
- UDP
-# ICMP
-# IGMP
-# VRRP
- # numeric numbers also valid
-}