tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / netfilter / xt_LOG.c
at v3.4-rc2 23 kB view raw
1/* 2 * This is a module which is used for logging packets. 3 */ 4 5/* (C) 1999-2001 Paul `Rusty' Russell 6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License version 2 as 10 * published by the Free Software Foundation. 11 */ 12 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 14#include <linux/module.h> 15#include <linux/spinlock.h> 16#include <linux/skbuff.h> 17#include <linux/if_arp.h> 18#include <linux/ip.h> 19#include <net/ipv6.h> 20#include <net/icmp.h> 21#include <net/udp.h> 22#include <net/tcp.h> 23#include <net/route.h> 24 25#include <linux/netfilter.h> 26#include <linux/netfilter/x_tables.h> 27#include <linux/netfilter/xt_LOG.h> 28#include <linux/netfilter_ipv6/ip6_tables.h> 29#include <net/netfilter/nf_log.h> 30#include <net/netfilter/xt_log.h> 31 32static struct nf_loginfo default_loginfo = { 33 .type = NF_LOG_TYPE_LOG, 34 .u = { 35 .log = { 36 .level = 5, 37 .logflags = NF_LOG_MASK, 38 }, 39 }, 40}; 41 42static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb, 43 u8 proto, int fragment, unsigned int offset) 44{ 45 struct udphdr _udph; 46 const struct udphdr *uh; 47 48 if (proto == IPPROTO_UDP) 49 /* Max length: 10 "PROTO=UDP " */ 50 sb_add(m, "PROTO=UDP "); 51 else /* Max length: 14 "PROTO=UDPLITE " */ 52 sb_add(m, "PROTO=UDPLITE "); 53 54 if (fragment) 55 goto out; 56 57 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 58 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 59 if (uh == NULL) { 60 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 61 62 return 1; 63 } 64 65 /* Max length: 20 "SPT=65535 DPT=65535 " */ 66 sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest), 67 ntohs(uh->len)); 68 69out: 70 return 0; 71} 72 73static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb, 74 u8 proto, int fragment, unsigned int offset, 75 unsigned int logflags) 76{ 77 struct tcphdr _tcph; 78 const struct tcphdr *th; 79 80 /* Max length: 10 "PROTO=TCP " */ 81 sb_add(m, "PROTO=TCP "); 82 83 if (fragment) 84 return 0; 85 86 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 87 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 88 if (th == NULL) { 89 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 90 return 1; 91 } 92 93 /* Max length: 20 "SPT=65535 DPT=65535 " */ 94 sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest)); 95 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 96 if (logflags & XT_LOG_TCPSEQ) 97 sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq)); 98 99 /* Max length: 13 "WINDOW=65535 " */ 100 sb_add(m, "WINDOW=%u ", ntohs(th->window)); 101 /* Max length: 9 "RES=0x3C " */ 102 sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 103 TCP_RESERVED_BITS) >> 22)); 104 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 105 if (th->cwr) 106 sb_add(m, "CWR "); 107 if (th->ece) 108 sb_add(m, "ECE "); 109 if (th->urg) 110 sb_add(m, "URG "); 111 if (th->ack) 112 sb_add(m, "ACK "); 113 if (th->psh) 114 sb_add(m, "PSH "); 115 if (th->rst) 116 sb_add(m, "RST "); 117 if (th->syn) 118 sb_add(m, "SYN "); 119 if (th->fin) 120 sb_add(m, "FIN "); 121 /* Max length: 11 "URGP=65535 " */ 122 sb_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 123 124 if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 125 u_int8_t _opt[60 - sizeof(struct tcphdr)]; 126 const u_int8_t *op; 127 unsigned int i; 128 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 129 130 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 131 optsize, _opt); 132 if (op == NULL) { 133 sb_add(m, "OPT (TRUNCATED)"); 134 return 1; 135 } 136 137 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 138 sb_add(m, "OPT ("); 139 for (i = 0; i < optsize; i++) 140 sb_add(m, "%02X", op[i]); 141 142 sb_add(m, ") "); 143 } 144 145 return 0; 146} 147 148/* One level of recursion won't kill us */ 149static void dump_ipv4_packet(struct sbuff *m, 150 const struct nf_loginfo *info, 151 const struct sk_buff *skb, 152 unsigned int iphoff) 153{ 154 struct iphdr _iph; 155 const struct iphdr *ih; 156 unsigned int logflags; 157 158 if (info->type == NF_LOG_TYPE_LOG) 159 logflags = info->u.log.logflags; 160 else 161 logflags = NF_LOG_MASK; 162 163 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 164 if (ih == NULL) { 165 sb_add(m, "TRUNCATED"); 166 return; 167 } 168 169 /* Important fields: 170 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 171 /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 172 sb_add(m, "SRC=%pI4 DST=%pI4 ", 173 &ih->saddr, &ih->daddr); 174 175 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 176 sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 177 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 178 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 179 180 /* Max length: 6 "CE DF MF " */ 181 if (ntohs(ih->frag_off) & IP_CE) 182 sb_add(m, "CE "); 183 if (ntohs(ih->frag_off) & IP_DF) 184 sb_add(m, "DF "); 185 if (ntohs(ih->frag_off) & IP_MF) 186 sb_add(m, "MF "); 187 188 /* Max length: 11 "FRAG:65535 " */ 189 if (ntohs(ih->frag_off) & IP_OFFSET) 190 sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 191 192 if ((logflags & XT_LOG_IPOPT) && 193 ih->ihl * 4 > sizeof(struct iphdr)) { 194 const unsigned char *op; 195 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 196 unsigned int i, optsize; 197 198 optsize = ih->ihl * 4 - sizeof(struct iphdr); 199 op = skb_header_pointer(skb, iphoff+sizeof(_iph), 200 optsize, _opt); 201 if (op == NULL) { 202 sb_add(m, "TRUNCATED"); 203 return; 204 } 205 206 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 207 sb_add(m, "OPT ("); 208 for (i = 0; i < optsize; i++) 209 sb_add(m, "%02X", op[i]); 210 sb_add(m, ") "); 211 } 212 213 switch (ih->protocol) { 214 case IPPROTO_TCP: 215 if (dump_tcp_header(m, skb, ih->protocol, 216 ntohs(ih->frag_off) & IP_OFFSET, 217 iphoff+ih->ihl*4, logflags)) 218 return; 219 break; 220 case IPPROTO_UDP: 221 case IPPROTO_UDPLITE: 222 if (dump_udp_header(m, skb, ih->protocol, 223 ntohs(ih->frag_off) & IP_OFFSET, 224 iphoff+ih->ihl*4)) 225 return; 226 break; 227 case IPPROTO_ICMP: { 228 struct icmphdr _icmph; 229 const struct icmphdr *ich; 230 static const size_t required_len[NR_ICMP_TYPES+1] 231 = { [ICMP_ECHOREPLY] = 4, 232 [ICMP_DEST_UNREACH] 233 = 8 + sizeof(struct iphdr), 234 [ICMP_SOURCE_QUENCH] 235 = 8 + sizeof(struct iphdr), 236 [ICMP_REDIRECT] 237 = 8 + sizeof(struct iphdr), 238 [ICMP_ECHO] = 4, 239 [ICMP_TIME_EXCEEDED] 240 = 8 + sizeof(struct iphdr), 241 [ICMP_PARAMETERPROB] 242 = 8 + sizeof(struct iphdr), 243 [ICMP_TIMESTAMP] = 20, 244 [ICMP_TIMESTAMPREPLY] = 20, 245 [ICMP_ADDRESS] = 12, 246 [ICMP_ADDRESSREPLY] = 12 }; 247 248 /* Max length: 11 "PROTO=ICMP " */ 249 sb_add(m, "PROTO=ICMP "); 250 251 if (ntohs(ih->frag_off) & IP_OFFSET) 252 break; 253 254 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 255 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 256 sizeof(_icmph), &_icmph); 257 if (ich == NULL) { 258 sb_add(m, "INCOMPLETE [%u bytes] ", 259 skb->len - iphoff - ih->ihl*4); 260 break; 261 } 262 263 /* Max length: 18 "TYPE=255 CODE=255 " */ 264 sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 265 266 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 267 if (ich->type <= NR_ICMP_TYPES && 268 required_len[ich->type] && 269 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 270 sb_add(m, "INCOMPLETE [%u bytes] ", 271 skb->len - iphoff - ih->ihl*4); 272 break; 273 } 274 275 switch (ich->type) { 276 case ICMP_ECHOREPLY: 277 case ICMP_ECHO: 278 /* Max length: 19 "ID=65535 SEQ=65535 " */ 279 sb_add(m, "ID=%u SEQ=%u ", 280 ntohs(ich->un.echo.id), 281 ntohs(ich->un.echo.sequence)); 282 break; 283 284 case ICMP_PARAMETERPROB: 285 /* Max length: 14 "PARAMETER=255 " */ 286 sb_add(m, "PARAMETER=%u ", 287 ntohl(ich->un.gateway) >> 24); 288 break; 289 case ICMP_REDIRECT: 290 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 291 sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 292 /* Fall through */ 293 case ICMP_DEST_UNREACH: 294 case ICMP_SOURCE_QUENCH: 295 case ICMP_TIME_EXCEEDED: 296 /* Max length: 3+maxlen */ 297 if (!iphoff) { /* Only recurse once. */ 298 sb_add(m, "["); 299 dump_ipv4_packet(m, info, skb, 300 iphoff + ih->ihl*4+sizeof(_icmph)); 301 sb_add(m, "] "); 302 } 303 304 /* Max length: 10 "MTU=65535 " */ 305 if (ich->type == ICMP_DEST_UNREACH && 306 ich->code == ICMP_FRAG_NEEDED) 307 sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu)); 308 } 309 break; 310 } 311 /* Max Length */ 312 case IPPROTO_AH: { 313 struct ip_auth_hdr _ahdr; 314 const struct ip_auth_hdr *ah; 315 316 if (ntohs(ih->frag_off) & IP_OFFSET) 317 break; 318 319 /* Max length: 9 "PROTO=AH " */ 320 sb_add(m, "PROTO=AH "); 321 322 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 323 ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 324 sizeof(_ahdr), &_ahdr); 325 if (ah == NULL) { 326 sb_add(m, "INCOMPLETE [%u bytes] ", 327 skb->len - iphoff - ih->ihl*4); 328 break; 329 } 330 331 /* Length: 15 "SPI=0xF1234567 " */ 332 sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 333 break; 334 } 335 case IPPROTO_ESP: { 336 struct ip_esp_hdr _esph; 337 const struct ip_esp_hdr *eh; 338 339 /* Max length: 10 "PROTO=ESP " */ 340 sb_add(m, "PROTO=ESP "); 341 342 if (ntohs(ih->frag_off) & IP_OFFSET) 343 break; 344 345 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 346 eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 347 sizeof(_esph), &_esph); 348 if (eh == NULL) { 349 sb_add(m, "INCOMPLETE [%u bytes] ", 350 skb->len - iphoff - ih->ihl*4); 351 break; 352 } 353 354 /* Length: 15 "SPI=0xF1234567 " */ 355 sb_add(m, "SPI=0x%x ", ntohl(eh->spi)); 356 break; 357 } 358 /* Max length: 10 "PROTO 255 " */ 359 default: 360 sb_add(m, "PROTO=%u ", ih->protocol); 361 } 362 363 /* Max length: 15 "UID=4294967295 " */ 364 if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) { 365 read_lock_bh(&skb->sk->sk_callback_lock); 366 if (skb->sk->sk_socket && skb->sk->sk_socket->file) 367 sb_add(m, "UID=%u GID=%u ", 368 skb->sk->sk_socket->file->f_cred->fsuid, 369 skb->sk->sk_socket->file->f_cred->fsgid); 370 read_unlock_bh(&skb->sk->sk_callback_lock); 371 } 372 373 /* Max length: 16 "MARK=0xFFFFFFFF " */ 374 if (!iphoff && skb->mark) 375 sb_add(m, "MARK=0x%x ", skb->mark); 376 377 /* Proto Max log string length */ 378 /* IP: 40+46+6+11+127 = 230 */ 379 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 380 /* UDP: 10+max(25,20) = 35 */ 381 /* UDPLITE: 14+max(25,20) = 39 */ 382 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 383 /* ESP: 10+max(25)+15 = 50 */ 384 /* AH: 9+max(25)+15 = 49 */ 385 /* unknown: 10 */ 386 387 /* (ICMP allows recursion one level deep) */ 388 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 389 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 390} 391 392static void dump_ipv4_mac_header(struct sbuff *m, 393 const struct nf_loginfo *info, 394 const struct sk_buff *skb) 395{ 396 struct net_device *dev = skb->dev; 397 unsigned int logflags = 0; 398 399 if (info->type == NF_LOG_TYPE_LOG) 400 logflags = info->u.log.logflags; 401 402 if (!(logflags & XT_LOG_MACDECODE)) 403 goto fallback; 404 405 switch (dev->type) { 406 case ARPHRD_ETHER: 407 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 408 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 409 ntohs(eth_hdr(skb)->h_proto)); 410 return; 411 default: 412 break; 413 } 414 415fallback: 416 sb_add(m, "MAC="); 417 if (dev->hard_header_len && 418 skb->mac_header != skb->network_header) { 419 const unsigned char *p = skb_mac_header(skb); 420 unsigned int i; 421 422 sb_add(m, "%02x", *p++); 423 for (i = 1; i < dev->hard_header_len; i++, p++) 424 sb_add(m, ":%02x", *p); 425 } 426 sb_add(m, " "); 427} 428 429static void 430log_packet_common(struct sbuff *m, 431 u_int8_t pf, 432 unsigned int hooknum, 433 const struct sk_buff *skb, 434 const struct net_device *in, 435 const struct net_device *out, 436 const struct nf_loginfo *loginfo, 437 const char *prefix) 438{ 439 sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, 440 prefix, 441 in ? in->name : "", 442 out ? out->name : ""); 443#ifdef CONFIG_BRIDGE_NETFILTER 444 if (skb->nf_bridge) { 445 const struct net_device *physindev; 446 const struct net_device *physoutdev; 447 448 physindev = skb->nf_bridge->physindev; 449 if (physindev && in != physindev) 450 sb_add(m, "PHYSIN=%s ", physindev->name); 451 physoutdev = skb->nf_bridge->physoutdev; 452 if (physoutdev && out != physoutdev) 453 sb_add(m, "PHYSOUT=%s ", physoutdev->name); 454 } 455#endif 456} 457 458 459static void 460ipt_log_packet(u_int8_t pf, 461 unsigned int hooknum, 462 const struct sk_buff *skb, 463 const struct net_device *in, 464 const struct net_device *out, 465 const struct nf_loginfo *loginfo, 466 const char *prefix) 467{ 468 struct sbuff *m = sb_open(); 469 470 if (!loginfo) 471 loginfo = &default_loginfo; 472 473 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 474 475 if (in != NULL) 476 dump_ipv4_mac_header(m, loginfo, skb); 477 478 dump_ipv4_packet(m, loginfo, skb, 0); 479 480 sb_close(m); 481} 482 483#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 484/* One level of recursion won't kill us */ 485static void dump_ipv6_packet(struct sbuff *m, 486 const struct nf_loginfo *info, 487 const struct sk_buff *skb, unsigned int ip6hoff, 488 int recurse) 489{ 490 u_int8_t currenthdr; 491 int fragment; 492 struct ipv6hdr _ip6h; 493 const struct ipv6hdr *ih; 494 unsigned int ptr; 495 unsigned int hdrlen = 0; 496 unsigned int logflags; 497 498 if (info->type == NF_LOG_TYPE_LOG) 499 logflags = info->u.log.logflags; 500 else 501 logflags = NF_LOG_MASK; 502 503 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 504 if (ih == NULL) { 505 sb_add(m, "TRUNCATED"); 506 return; 507 } 508 509 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 510 sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 511 512 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 513 sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 514 ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 515 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 516 ih->hop_limit, 517 (ntohl(*(__be32 *)ih) & 0x000fffff)); 518 519 fragment = 0; 520 ptr = ip6hoff + sizeof(struct ipv6hdr); 521 currenthdr = ih->nexthdr; 522 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { 523 struct ipv6_opt_hdr _hdr; 524 const struct ipv6_opt_hdr *hp; 525 526 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 527 if (hp == NULL) { 528 sb_add(m, "TRUNCATED"); 529 return; 530 } 531 532 /* Max length: 48 "OPT (...) " */ 533 if (logflags & XT_LOG_IPOPT) 534 sb_add(m, "OPT ( "); 535 536 switch (currenthdr) { 537 case IPPROTO_FRAGMENT: { 538 struct frag_hdr _fhdr; 539 const struct frag_hdr *fh; 540 541 sb_add(m, "FRAG:"); 542 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 543 &_fhdr); 544 if (fh == NULL) { 545 sb_add(m, "TRUNCATED "); 546 return; 547 } 548 549 /* Max length: 6 "65535 " */ 550 sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 551 552 /* Max length: 11 "INCOMPLETE " */ 553 if (fh->frag_off & htons(0x0001)) 554 sb_add(m, "INCOMPLETE "); 555 556 sb_add(m, "ID:%08x ", ntohl(fh->identification)); 557 558 if (ntohs(fh->frag_off) & 0xFFF8) 559 fragment = 1; 560 561 hdrlen = 8; 562 563 break; 564 } 565 case IPPROTO_DSTOPTS: 566 case IPPROTO_ROUTING: 567 case IPPROTO_HOPOPTS: 568 if (fragment) { 569 if (logflags & XT_LOG_IPOPT) 570 sb_add(m, ")"); 571 return; 572 } 573 hdrlen = ipv6_optlen(hp); 574 break; 575 /* Max Length */ 576 case IPPROTO_AH: 577 if (logflags & XT_LOG_IPOPT) { 578 struct ip_auth_hdr _ahdr; 579 const struct ip_auth_hdr *ah; 580 581 /* Max length: 3 "AH " */ 582 sb_add(m, "AH "); 583 584 if (fragment) { 585 sb_add(m, ")"); 586 return; 587 } 588 589 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 590 &_ahdr); 591 if (ah == NULL) { 592 /* 593 * Max length: 26 "INCOMPLETE [65535 594 * bytes] )" 595 */ 596 sb_add(m, "INCOMPLETE [%u bytes] )", 597 skb->len - ptr); 598 return; 599 } 600 601 /* Length: 15 "SPI=0xF1234567 */ 602 sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 603 604 } 605 606 hdrlen = (hp->hdrlen+2)<<2; 607 break; 608 case IPPROTO_ESP: 609 if (logflags & XT_LOG_IPOPT) { 610 struct ip_esp_hdr _esph; 611 const struct ip_esp_hdr *eh; 612 613 /* Max length: 4 "ESP " */ 614 sb_add(m, "ESP "); 615 616 if (fragment) { 617 sb_add(m, ")"); 618 return; 619 } 620 621 /* 622 * Max length: 26 "INCOMPLETE [65535 bytes] )" 623 */ 624 eh = skb_header_pointer(skb, ptr, sizeof(_esph), 625 &_esph); 626 if (eh == NULL) { 627 sb_add(m, "INCOMPLETE [%u bytes] )", 628 skb->len - ptr); 629 return; 630 } 631 632 /* Length: 16 "SPI=0xF1234567 )" */ 633 sb_add(m, "SPI=0x%x )", ntohl(eh->spi)); 634 635 } 636 return; 637 default: 638 /* Max length: 20 "Unknown Ext Hdr 255" */ 639 sb_add(m, "Unknown Ext Hdr %u", currenthdr); 640 return; 641 } 642 if (logflags & XT_LOG_IPOPT) 643 sb_add(m, ") "); 644 645 currenthdr = hp->nexthdr; 646 ptr += hdrlen; 647 } 648 649 switch (currenthdr) { 650 case IPPROTO_TCP: 651 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr, 652 logflags)) 653 return; 654 break; 655 case IPPROTO_UDP: 656 case IPPROTO_UDPLITE: 657 if (dump_udp_header(m, skb, currenthdr, fragment, ptr)) 658 return; 659 break; 660 case IPPROTO_ICMPV6: { 661 struct icmp6hdr _icmp6h; 662 const struct icmp6hdr *ic; 663 664 /* Max length: 13 "PROTO=ICMPv6 " */ 665 sb_add(m, "PROTO=ICMPv6 "); 666 667 if (fragment) 668 break; 669 670 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 671 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 672 if (ic == NULL) { 673 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr); 674 return; 675 } 676 677 /* Max length: 18 "TYPE=255 CODE=255 " */ 678 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code); 679 680 switch (ic->icmp6_type) { 681 case ICMPV6_ECHO_REQUEST: 682 case ICMPV6_ECHO_REPLY: 683 /* Max length: 19 "ID=65535 SEQ=65535 " */ 684 sb_add(m, "ID=%u SEQ=%u ", 685 ntohs(ic->icmp6_identifier), 686 ntohs(ic->icmp6_sequence)); 687 break; 688 case ICMPV6_MGM_QUERY: 689 case ICMPV6_MGM_REPORT: 690 case ICMPV6_MGM_REDUCTION: 691 break; 692 693 case ICMPV6_PARAMPROB: 694 /* Max length: 17 "POINTER=ffffffff " */ 695 sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer)); 696 /* Fall through */ 697 case ICMPV6_DEST_UNREACH: 698 case ICMPV6_PKT_TOOBIG: 699 case ICMPV6_TIME_EXCEED: 700 /* Max length: 3+maxlen */ 701 if (recurse) { 702 sb_add(m, "["); 703 dump_ipv6_packet(m, info, skb, 704 ptr + sizeof(_icmp6h), 0); 705 sb_add(m, "] "); 706 } 707 708 /* Max length: 10 "MTU=65535 " */ 709 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) 710 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu)); 711 } 712 break; 713 } 714 /* Max length: 10 "PROTO=255 " */ 715 default: 716 sb_add(m, "PROTO=%u ", currenthdr); 717 } 718 719 /* Max length: 15 "UID=4294967295 " */ 720 if ((logflags & XT_LOG_UID) && recurse && skb->sk) { 721 read_lock_bh(&skb->sk->sk_callback_lock); 722 if (skb->sk->sk_socket && skb->sk->sk_socket->file) 723 sb_add(m, "UID=%u GID=%u ", 724 skb->sk->sk_socket->file->f_cred->fsuid, 725 skb->sk->sk_socket->file->f_cred->fsgid); 726 read_unlock_bh(&skb->sk->sk_callback_lock); 727 } 728 729 /* Max length: 16 "MARK=0xFFFFFFFF " */ 730 if (!recurse && skb->mark) 731 sb_add(m, "MARK=0x%x ", skb->mark); 732} 733 734static void dump_ipv6_mac_header(struct sbuff *m, 735 const struct nf_loginfo *info, 736 const struct sk_buff *skb) 737{ 738 struct net_device *dev = skb->dev; 739 unsigned int logflags = 0; 740 741 if (info->type == NF_LOG_TYPE_LOG) 742 logflags = info->u.log.logflags; 743 744 if (!(logflags & XT_LOG_MACDECODE)) 745 goto fallback; 746 747 switch (dev->type) { 748 case ARPHRD_ETHER: 749 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 750 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 751 ntohs(eth_hdr(skb)->h_proto)); 752 return; 753 default: 754 break; 755 } 756 757fallback: 758 sb_add(m, "MAC="); 759 if (dev->hard_header_len && 760 skb->mac_header != skb->network_header) { 761 const unsigned char *p = skb_mac_header(skb); 762 unsigned int len = dev->hard_header_len; 763 unsigned int i; 764 765 if (dev->type == ARPHRD_SIT) { 766 p -= ETH_HLEN; 767 768 if (p < skb->head) 769 p = NULL; 770 } 771 772 if (p != NULL) { 773 sb_add(m, "%02x", *p++); 774 for (i = 1; i < len; i++) 775 sb_add(m, ":%02x", *p++); 776 } 777 sb_add(m, " "); 778 779 if (dev->type == ARPHRD_SIT) { 780 const struct iphdr *iph = 781 (struct iphdr *)skb_mac_header(skb); 782 sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 783 &iph->daddr); 784 } 785 } else 786 sb_add(m, " "); 787} 788 789static void 790ip6t_log_packet(u_int8_t pf, 791 unsigned int hooknum, 792 const struct sk_buff *skb, 793 const struct net_device *in, 794 const struct net_device *out, 795 const struct nf_loginfo *loginfo, 796 const char *prefix) 797{ 798 struct sbuff *m = sb_open(); 799 800 if (!loginfo) 801 loginfo = &default_loginfo; 802 803 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 804 805 if (in != NULL) 806 dump_ipv6_mac_header(m, loginfo, skb); 807 808 dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1); 809 810 sb_close(m); 811} 812#endif 813 814static unsigned int 815log_tg(struct sk_buff *skb, const struct xt_action_param *par) 816{ 817 const struct xt_log_info *loginfo = par->targinfo; 818 struct nf_loginfo li; 819 820 li.type = NF_LOG_TYPE_LOG; 821 li.u.log.level = loginfo->level; 822 li.u.log.logflags = loginfo->logflags; 823 824 if (par->family == NFPROTO_IPV4) 825 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in, 826 par->out, &li, loginfo->prefix); 827#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 828 else if (par->family == NFPROTO_IPV6) 829 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in, 830 par->out, &li, loginfo->prefix); 831#endif 832 else 833 WARN_ON_ONCE(1); 834 835 return XT_CONTINUE; 836} 837 838static int log_tg_check(const struct xt_tgchk_param *par) 839{ 840 const struct xt_log_info *loginfo = par->targinfo; 841 842 if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6) 843 return -EINVAL; 844 845 if (loginfo->level >= 8) { 846 pr_debug("level %u >= 8\n", loginfo->level); 847 return -EINVAL; 848 } 849 850 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 851 pr_debug("prefix is not null-terminated\n"); 852 return -EINVAL; 853 } 854 855 return 0; 856} 857 858static struct xt_target log_tg_regs[] __read_mostly = { 859 { 860 .name = "LOG", 861 .family = NFPROTO_IPV4, 862 .target = log_tg, 863 .targetsize = sizeof(struct xt_log_info), 864 .checkentry = log_tg_check, 865 .me = THIS_MODULE, 866 }, 867#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 868 { 869 .name = "LOG", 870 .family = NFPROTO_IPV6, 871 .target = log_tg, 872 .targetsize = sizeof(struct xt_log_info), 873 .checkentry = log_tg_check, 874 .me = THIS_MODULE, 875 }, 876#endif 877}; 878 879static struct nf_logger ipt_log_logger __read_mostly = { 880 .name = "ipt_LOG", 881 .logfn = &ipt_log_packet, 882 .me = THIS_MODULE, 883}; 884 885#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 886static struct nf_logger ip6t_log_logger __read_mostly = { 887 .name = "ip6t_LOG", 888 .logfn = &ip6t_log_packet, 889 .me = THIS_MODULE, 890}; 891#endif 892 893static int __init log_tg_init(void) 894{ 895 int ret; 896 897 ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 898 if (ret < 0) 899 return ret; 900 901 nf_log_register(NFPROTO_IPV4, &ipt_log_logger); 902#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 903 nf_log_register(NFPROTO_IPV6, &ip6t_log_logger); 904#endif 905 return 0; 906} 907 908static void __exit log_tg_exit(void) 909{ 910 nf_log_unregister(&ipt_log_logger); 911#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 912 nf_log_unregister(&ip6t_log_logger); 913#endif 914 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 915} 916 917module_init(log_tg_init); 918module_exit(log_tg_exit); 919 920MODULE_LICENSE("GPL"); 921MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 922MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>"); 923MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging"); 924MODULE_ALIAS("ipt_LOG"); 925MODULE_ALIAS("ip6t_LOG");