This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: monitor changes to iptables
- From: Daniel Doron <danielmeirdoron at gmail dot com>
- To: William Cohen <wcohen at redhat dot com>
- Cc: systemtap at sourceware dot org
- Date: Wed, 11 Oct 2017 07:47:40 +0300
- Subject: Re: monitor changes to iptables
Hi William,
Thanks for the suggestion. Correct me if I am wrong but:
1. auditctl does not provide a real-time / online logging facility
2. I would have to parse its logs to get the info I want
3. Does it also use kprobes to get the info? I'll need to strace it to
see how it works...
I was thinking of maybe monitoring the ip_tables module directly, but I will
need to figure out the relevant functions...
On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>> Hi,
>>
>> I am trying to figure out a way to monitor and log changes to iptables
>> (netfilter). Any ideas would be appreciated...
>>
>> Thanks.
>> Daniel.
>>
>
> Hi Daniel,
>
> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>
> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>
>
> -Will
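An added example, not from this thread: a small parser for the audit records that an auditctl watch on the iptables binary writes, pairing each SYSCALL record with its EXECVE record by serial number so that the user (auid/uid), pid and full argv of every rule change can be pulled out of the log (the log parsing Daniel mentions). The records below are constructed, and the audit key name `iptables` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not captured from a real system).
# The argv entry a10 is hex-encoded, as auditd does for arguments containing spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1507693660.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="iptables" exe="/usr/sbin/xtables-multi" key="iptables"
type=EXECVE msg=audit(1507693660.123:4521): argc=13 a0="iptables" a1="-A" a2="INPUT" a3="-p" a4="tcp" a5="--dport" a6="22" a7="-m" a8="comment" a9="--comment" a10=73736820696E a11="-j" a12="ACCEPT"
type=SYSCALL msg=audit(1507693661.500:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1241 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1507693661.500:4522): argc=1 a0="ls"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # group 3 is set only for quoted values
ARGV_KEY_RE = re.compile(r'a\d+')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_fields(body):
    """Split key=value pairs; unquoted aN= argv fields are hex-encoded by audit and decoded here."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif ARGV_KEY_RE.fullmatch(key) and HEX_RE.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            fields[key] = raw
    return fields

def iptables_events(log_text, audit_key='iptables'):
    """Group records by serial; return one event per execve whose SYSCALL record carries audit_key."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            by_serial[int(m['serial'])][m['type']] = (float(m['ts']), parse_fields(m['body']))
    events = []
    for serial in sorted(by_serial):
        recs = by_serial[serial]
        if 'SYSCALL' not in recs or 'EXECVE' not in recs:
            continue                     # incomplete event (e.g. truncated log), skip it
        ts, sysc = recs['SYSCALL']
        if sysc.get('key') != audit_key:
            continue                     # not one of the watched executions
        execve = recs['EXECVE'][1]
        argv = [execve[f'a{i}'] for i in range(int(execve.get('argc', 0))) if f'a{i}' in execve]
        events.append({'serial': serial, 'time': ts, 'auid': sysc.get('auid'), 'uid': sysc.get('uid'),
                       'pid': sysc.get('pid'), 'exe': sysc.get('exe'), 'argv': argv})
    return events
```

Feeding /var/log/audit/audit.log through iptables_events() yields one record per iptables invocation with the login user (auid) preserved even when the command ran as root via sudo.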