tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / netfilter / xt_LOG.c
at v3.7-rc2 23 kB view raw
1/* 2 * This is a module which is used for logging packets. 3 */ 4 5/* (C) 1999-2001 Paul `Rusty' Russell 6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License version 2 as 10 * published by the Free Software Foundation. 11 */ 12 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 14#include <linux/module.h> 15#include <linux/spinlock.h> 16#include <linux/skbuff.h> 17#include <linux/if_arp.h> 18#include <linux/ip.h> 19#include <net/ipv6.h> 20#include <net/icmp.h> 21#include <net/udp.h> 22#include <net/tcp.h> 23#include <net/route.h> 24 25#include <linux/netfilter.h> 26#include <linux/netfilter/x_tables.h> 27#include <linux/netfilter/xt_LOG.h> 28#include <linux/netfilter_ipv6/ip6_tables.h> 29#include <net/netfilter/nf_log.h> 30#include <net/netfilter/xt_log.h> 31 32static struct nf_loginfo default_loginfo = { 33 .type = NF_LOG_TYPE_LOG, 34 .u = { 35 .log = { 36 .level = 5, 37 .logflags = NF_LOG_MASK, 38 }, 39 }, 40}; 41 42static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb, 43 u8 proto, int fragment, unsigned int offset) 44{ 45 struct udphdr _udph; 46 const struct udphdr *uh; 47 48 if (proto == IPPROTO_UDP) 49 /* Max length: 10 "PROTO=UDP " */ 50 sb_add(m, "PROTO=UDP "); 51 else /* Max length: 14 "PROTO=UDPLITE " */ 52 sb_add(m, "PROTO=UDPLITE "); 53 54 if (fragment) 55 goto out; 56 57 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 58 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 59 if (uh == NULL) { 60 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 61 62 return 1; 63 } 64 65 /* Max length: 20 "SPT=65535 DPT=65535 " */ 66 sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest), 67 ntohs(uh->len)); 68 69out: 70 return 0; 71} 72 73static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb, 74 u8 proto, int fragment, unsigned int offset, 75 unsigned int logflags) 76{ 77 struct tcphdr _tcph; 78 const struct tcphdr *th; 79 80 /* Max length: 10 "PROTO=TCP " */ 81 sb_add(m, "PROTO=TCP "); 82 83 if (fragment) 84 return 0; 85 86 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 87 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 88 if (th == NULL) { 89 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 90 return 1; 91 } 92 93 /* Max length: 20 "SPT=65535 DPT=65535 " */ 94 sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest)); 95 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 96 if (logflags & XT_LOG_TCPSEQ) 97 sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq)); 98 99 /* Max length: 13 "WINDOW=65535 " */ 100 sb_add(m, "WINDOW=%u ", ntohs(th->window)); 101 /* Max length: 9 "RES=0x3C " */ 102 sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 103 TCP_RESERVED_BITS) >> 22)); 104 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 105 if (th->cwr) 106 sb_add(m, "CWR "); 107 if (th->ece) 108 sb_add(m, "ECE "); 109 if (th->urg) 110 sb_add(m, "URG "); 111 if (th->ack) 112 sb_add(m, "ACK "); 113 if (th->psh) 114 sb_add(m, "PSH "); 115 if (th->rst) 116 sb_add(m, "RST "); 117 if (th->syn) 118 sb_add(m, "SYN "); 119 if (th->fin) 120 sb_add(m, "FIN "); 121 /* Max length: 11 "URGP=65535 " */ 122 sb_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 123 124 if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 125 u_int8_t _opt[60 - sizeof(struct tcphdr)]; 126 const u_int8_t *op; 127 unsigned int i; 128 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 129 130 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 131 optsize, _opt); 132 if (op == NULL) { 133 sb_add(m, "OPT (TRUNCATED)"); 134 return 1; 135 } 136 137 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 138 sb_add(m, "OPT ("); 139 for (i = 0; i < optsize; i++) 140 sb_add(m, "%02X", op[i]); 141 142 sb_add(m, ") "); 143 } 144 145 return 0; 146} 147 148static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk) 149{ 150 if (!sk || sk->sk_state == TCP_TIME_WAIT) 151 return; 152 153 read_lock_bh(&sk->sk_callback_lock); 154 if (sk->sk_socket && sk->sk_socket->file) { 155 const struct cred *cred = sk->sk_socket->file->f_cred; 156 sb_add(m, "UID=%u GID=%u ", 157 from_kuid_munged(&init_user_ns, cred->fsuid), 158 from_kgid_munged(&init_user_ns, cred->fsgid)); 159 } 160 read_unlock_bh(&sk->sk_callback_lock); 161} 162 163/* One level of recursion won't kill us */ 164static void dump_ipv4_packet(struct sbuff *m, 165 const struct nf_loginfo *info, 166 const struct sk_buff *skb, 167 unsigned int iphoff) 168{ 169 struct iphdr _iph; 170 const struct iphdr *ih; 171 unsigned int logflags; 172 173 if (info->type == NF_LOG_TYPE_LOG) 174 logflags = info->u.log.logflags; 175 else 176 logflags = NF_LOG_MASK; 177 178 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 179 if (ih == NULL) { 180 sb_add(m, "TRUNCATED"); 181 return; 182 } 183 184 /* Important fields: 185 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 186 /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 187 sb_add(m, "SRC=%pI4 DST=%pI4 ", 188 &ih->saddr, &ih->daddr); 189 190 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 191 sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 192 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 193 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 194 195 /* Max length: 6 "CE DF MF " */ 196 if (ntohs(ih->frag_off) & IP_CE) 197 sb_add(m, "CE "); 198 if (ntohs(ih->frag_off) & IP_DF) 199 sb_add(m, "DF "); 200 if (ntohs(ih->frag_off) & IP_MF) 201 sb_add(m, "MF "); 202 203 /* Max length: 11 "FRAG:65535 " */ 204 if (ntohs(ih->frag_off) & IP_OFFSET) 205 sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 206 207 if ((logflags & XT_LOG_IPOPT) && 208 ih->ihl * 4 > sizeof(struct iphdr)) { 209 const unsigned char *op; 210 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 211 unsigned int i, optsize; 212 213 optsize = ih->ihl * 4 - sizeof(struct iphdr); 214 op = skb_header_pointer(skb, iphoff+sizeof(_iph), 215 optsize, _opt); 216 if (op == NULL) { 217 sb_add(m, "TRUNCATED"); 218 return; 219 } 220 221 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 222 sb_add(m, "OPT ("); 223 for (i = 0; i < optsize; i++) 224 sb_add(m, "%02X", op[i]); 225 sb_add(m, ") "); 226 } 227 228 switch (ih->protocol) { 229 case IPPROTO_TCP: 230 if (dump_tcp_header(m, skb, ih->protocol, 231 ntohs(ih->frag_off) & IP_OFFSET, 232 iphoff+ih->ihl*4, logflags)) 233 return; 234 break; 235 case IPPROTO_UDP: 236 case IPPROTO_UDPLITE: 237 if (dump_udp_header(m, skb, ih->protocol, 238 ntohs(ih->frag_off) & IP_OFFSET, 239 iphoff+ih->ihl*4)) 240 return; 241 break; 242 case IPPROTO_ICMP: { 243 struct icmphdr _icmph; 244 const struct icmphdr *ich; 245 static const size_t required_len[NR_ICMP_TYPES+1] 246 = { [ICMP_ECHOREPLY] = 4, 247 [ICMP_DEST_UNREACH] 248 = 8 + sizeof(struct iphdr), 249 [ICMP_SOURCE_QUENCH] 250 = 8 + sizeof(struct iphdr), 251 [ICMP_REDIRECT] 252 = 8 + sizeof(struct iphdr), 253 [ICMP_ECHO] = 4, 254 [ICMP_TIME_EXCEEDED] 255 = 8 + sizeof(struct iphdr), 256 [ICMP_PARAMETERPROB] 257 = 8 + sizeof(struct iphdr), 258 [ICMP_TIMESTAMP] = 20, 259 [ICMP_TIMESTAMPREPLY] = 20, 260 [ICMP_ADDRESS] = 12, 261 [ICMP_ADDRESSREPLY] = 12 }; 262 263 /* Max length: 11 "PROTO=ICMP " */ 264 sb_add(m, "PROTO=ICMP "); 265 266 if (ntohs(ih->frag_off) & IP_OFFSET) 267 break; 268 269 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 270 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 271 sizeof(_icmph), &_icmph); 272 if (ich == NULL) { 273 sb_add(m, "INCOMPLETE [%u bytes] ", 274 skb->len - iphoff - ih->ihl*4); 275 break; 276 } 277 278 /* Max length: 18 "TYPE=255 CODE=255 " */ 279 sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 280 281 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 282 if (ich->type <= NR_ICMP_TYPES && 283 required_len[ich->type] && 284 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 285 sb_add(m, "INCOMPLETE [%u bytes] ", 286 skb->len - iphoff - ih->ihl*4); 287 break; 288 } 289 290 switch (ich->type) { 291 case ICMP_ECHOREPLY: 292 case ICMP_ECHO: 293 /* Max length: 19 "ID=65535 SEQ=65535 " */ 294 sb_add(m, "ID=%u SEQ=%u ", 295 ntohs(ich->un.echo.id), 296 ntohs(ich->un.echo.sequence)); 297 break; 298 299 case ICMP_PARAMETERPROB: 300 /* Max length: 14 "PARAMETER=255 " */ 301 sb_add(m, "PARAMETER=%u ", 302 ntohl(ich->un.gateway) >> 24); 303 break; 304 case ICMP_REDIRECT: 305 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 306 sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 307 /* Fall through */ 308 case ICMP_DEST_UNREACH: 309 case ICMP_SOURCE_QUENCH: 310 case ICMP_TIME_EXCEEDED: 311 /* Max length: 3+maxlen */ 312 if (!iphoff) { /* Only recurse once. */ 313 sb_add(m, "["); 314 dump_ipv4_packet(m, info, skb, 315 iphoff + ih->ihl*4+sizeof(_icmph)); 316 sb_add(m, "] "); 317 } 318 319 /* Max length: 10 "MTU=65535 " */ 320 if (ich->type == ICMP_DEST_UNREACH && 321 ich->code == ICMP_FRAG_NEEDED) 322 sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu)); 323 } 324 break; 325 } 326 /* Max Length */ 327 case IPPROTO_AH: { 328 struct ip_auth_hdr _ahdr; 329 const struct ip_auth_hdr *ah; 330 331 if (ntohs(ih->frag_off) & IP_OFFSET) 332 break; 333 334 /* Max length: 9 "PROTO=AH " */ 335 sb_add(m, "PROTO=AH "); 336 337 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 338 ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 339 sizeof(_ahdr), &_ahdr); 340 if (ah == NULL) { 341 sb_add(m, "INCOMPLETE [%u bytes] ", 342 skb->len - iphoff - ih->ihl*4); 343 break; 344 } 345 346 /* Length: 15 "SPI=0xF1234567 " */ 347 sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 348 break; 349 } 350 case IPPROTO_ESP: { 351 struct ip_esp_hdr _esph; 352 const struct ip_esp_hdr *eh; 353 354 /* Max length: 10 "PROTO=ESP " */ 355 sb_add(m, "PROTO=ESP "); 356 357 if (ntohs(ih->frag_off) & IP_OFFSET) 358 break; 359 360 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 361 eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 362 sizeof(_esph), &_esph); 363 if (eh == NULL) { 364 sb_add(m, "INCOMPLETE [%u bytes] ", 365 skb->len - iphoff - ih->ihl*4); 366 break; 367 } 368 369 /* Length: 15 "SPI=0xF1234567 " */ 370 sb_add(m, "SPI=0x%x ", ntohl(eh->spi)); 371 break; 372 } 373 /* Max length: 10 "PROTO 255 " */ 374 default: 375 sb_add(m, "PROTO=%u ", ih->protocol); 376 } 377 378 /* Max length: 15 "UID=4294967295 " */ 379 if ((logflags & XT_LOG_UID) && !iphoff) 380 dump_sk_uid_gid(m, skb->sk); 381 382 /* Max length: 16 "MARK=0xFFFFFFFF " */ 383 if (!iphoff && skb->mark) 384 sb_add(m, "MARK=0x%x ", skb->mark); 385 386 /* Proto Max log string length */ 387 /* IP: 40+46+6+11+127 = 230 */ 388 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 389 /* UDP: 10+max(25,20) = 35 */ 390 /* UDPLITE: 14+max(25,20) = 39 */ 391 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 392 /* ESP: 10+max(25)+15 = 50 */ 393 /* AH: 9+max(25)+15 = 49 */ 394 /* unknown: 10 */ 395 396 /* (ICMP allows recursion one level deep) */ 397 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 398 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 399} 400 401static void dump_ipv4_mac_header(struct sbuff *m, 402 const struct nf_loginfo *info, 403 const struct sk_buff *skb) 404{ 405 struct net_device *dev = skb->dev; 406 unsigned int logflags = 0; 407 408 if (info->type == NF_LOG_TYPE_LOG) 409 logflags = info->u.log.logflags; 410 411 if (!(logflags & XT_LOG_MACDECODE)) 412 goto fallback; 413 414 switch (dev->type) { 415 case ARPHRD_ETHER: 416 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 417 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 418 ntohs(eth_hdr(skb)->h_proto)); 419 return; 420 default: 421 break; 422 } 423 424fallback: 425 sb_add(m, "MAC="); 426 if (dev->hard_header_len && 427 skb->mac_header != skb->network_header) { 428 const unsigned char *p = skb_mac_header(skb); 429 unsigned int i; 430 431 sb_add(m, "%02x", *p++); 432 for (i = 1; i < dev->hard_header_len; i++, p++) 433 sb_add(m, ":%02x", *p); 434 } 435 sb_add(m, " "); 436} 437 438static void 439log_packet_common(struct sbuff *m, 440 u_int8_t pf, 441 unsigned int hooknum, 442 const struct sk_buff *skb, 443 const struct net_device *in, 444 const struct net_device *out, 445 const struct nf_loginfo *loginfo, 446 const char *prefix) 447{ 448 sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 449 '0' + loginfo->u.log.level, prefix, 450 in ? in->name : "", 451 out ? out->name : ""); 452#ifdef CONFIG_BRIDGE_NETFILTER 453 if (skb->nf_bridge) { 454 const struct net_device *physindev; 455 const struct net_device *physoutdev; 456 457 physindev = skb->nf_bridge->physindev; 458 if (physindev && in != physindev) 459 sb_add(m, "PHYSIN=%s ", physindev->name); 460 physoutdev = skb->nf_bridge->physoutdev; 461 if (physoutdev && out != physoutdev) 462 sb_add(m, "PHYSOUT=%s ", physoutdev->name); 463 } 464#endif 465} 466 467 468static void 469ipt_log_packet(u_int8_t pf, 470 unsigned int hooknum, 471 const struct sk_buff *skb, 472 const struct net_device *in, 473 const struct net_device *out, 474 const struct nf_loginfo *loginfo, 475 const char *prefix) 476{ 477 struct sbuff *m = sb_open(); 478 479 if (!loginfo) 480 loginfo = &default_loginfo; 481 482 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 483 484 if (in != NULL) 485 dump_ipv4_mac_header(m, loginfo, skb); 486 487 dump_ipv4_packet(m, loginfo, skb, 0); 488 489 sb_close(m); 490} 491 492#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 493/* One level of recursion won't kill us */ 494static void dump_ipv6_packet(struct sbuff *m, 495 const struct nf_loginfo *info, 496 const struct sk_buff *skb, unsigned int ip6hoff, 497 int recurse) 498{ 499 u_int8_t currenthdr; 500 int fragment; 501 struct ipv6hdr _ip6h; 502 const struct ipv6hdr *ih; 503 unsigned int ptr; 504 unsigned int hdrlen = 0; 505 unsigned int logflags; 506 507 if (info->type == NF_LOG_TYPE_LOG) 508 logflags = info->u.log.logflags; 509 else 510 logflags = NF_LOG_MASK; 511 512 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 513 if (ih == NULL) { 514 sb_add(m, "TRUNCATED"); 515 return; 516 } 517 518 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 519 sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 520 521 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 522 sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 523 ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 524 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 525 ih->hop_limit, 526 (ntohl(*(__be32 *)ih) & 0x000fffff)); 527 528 fragment = 0; 529 ptr = ip6hoff + sizeof(struct ipv6hdr); 530 currenthdr = ih->nexthdr; 531 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { 532 struct ipv6_opt_hdr _hdr; 533 const struct ipv6_opt_hdr *hp; 534 535 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 536 if (hp == NULL) { 537 sb_add(m, "TRUNCATED"); 538 return; 539 } 540 541 /* Max length: 48 "OPT (...) " */ 542 if (logflags & XT_LOG_IPOPT) 543 sb_add(m, "OPT ( "); 544 545 switch (currenthdr) { 546 case IPPROTO_FRAGMENT: { 547 struct frag_hdr _fhdr; 548 const struct frag_hdr *fh; 549 550 sb_add(m, "FRAG:"); 551 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 552 &_fhdr); 553 if (fh == NULL) { 554 sb_add(m, "TRUNCATED "); 555 return; 556 } 557 558 /* Max length: 6 "65535 " */ 559 sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 560 561 /* Max length: 11 "INCOMPLETE " */ 562 if (fh->frag_off & htons(0x0001)) 563 sb_add(m, "INCOMPLETE "); 564 565 sb_add(m, "ID:%08x ", ntohl(fh->identification)); 566 567 if (ntohs(fh->frag_off) & 0xFFF8) 568 fragment = 1; 569 570 hdrlen = 8; 571 572 break; 573 } 574 case IPPROTO_DSTOPTS: 575 case IPPROTO_ROUTING: 576 case IPPROTO_HOPOPTS: 577 if (fragment) { 578 if (logflags & XT_LOG_IPOPT) 579 sb_add(m, ")"); 580 return; 581 } 582 hdrlen = ipv6_optlen(hp); 583 break; 584 /* Max Length */ 585 case IPPROTO_AH: 586 if (logflags & XT_LOG_IPOPT) { 587 struct ip_auth_hdr _ahdr; 588 const struct ip_auth_hdr *ah; 589 590 /* Max length: 3 "AH " */ 591 sb_add(m, "AH "); 592 593 if (fragment) { 594 sb_add(m, ")"); 595 return; 596 } 597 598 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 599 &_ahdr); 600 if (ah == NULL) { 601 /* 602 * Max length: 26 "INCOMPLETE [65535 603 * bytes] )" 604 */ 605 sb_add(m, "INCOMPLETE [%u bytes] )", 606 skb->len - ptr); 607 return; 608 } 609 610 /* Length: 15 "SPI=0xF1234567 */ 611 sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 612 613 } 614 615 hdrlen = (hp->hdrlen+2)<<2; 616 break; 617 case IPPROTO_ESP: 618 if (logflags & XT_LOG_IPOPT) { 619 struct ip_esp_hdr _esph; 620 const struct ip_esp_hdr *eh; 621 622 /* Max length: 4 "ESP " */ 623 sb_add(m, "ESP "); 624 625 if (fragment) { 626 sb_add(m, ")"); 627 return; 628 } 629 630 /* 631 * Max length: 26 "INCOMPLETE [65535 bytes] )" 632 */ 633 eh = skb_header_pointer(skb, ptr, sizeof(_esph), 634 &_esph); 635 if (eh == NULL) { 636 sb_add(m, "INCOMPLETE [%u bytes] )", 637 skb->len - ptr); 638 return; 639 } 640 641 /* Length: 16 "SPI=0xF1234567 )" */ 642 sb_add(m, "SPI=0x%x )", ntohl(eh->spi)); 643 644 } 645 return; 646 default: 647 /* Max length: 20 "Unknown Ext Hdr 255" */ 648 sb_add(m, "Unknown Ext Hdr %u", currenthdr); 649 return; 650 } 651 if (logflags & XT_LOG_IPOPT) 652 sb_add(m, ") "); 653 654 currenthdr = hp->nexthdr; 655 ptr += hdrlen; 656 } 657 658 switch (currenthdr) { 659 case IPPROTO_TCP: 660 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr, 661 logflags)) 662 return; 663 break; 664 case IPPROTO_UDP: 665 case IPPROTO_UDPLITE: 666 if (dump_udp_header(m, skb, currenthdr, fragment, ptr)) 667 return; 668 break; 669 case IPPROTO_ICMPV6: { 670 struct icmp6hdr _icmp6h; 671 const struct icmp6hdr *ic; 672 673 /* Max length: 13 "PROTO=ICMPv6 " */ 674 sb_add(m, "PROTO=ICMPv6 "); 675 676 if (fragment) 677 break; 678 679 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 680 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 681 if (ic == NULL) { 682 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr); 683 return; 684 } 685 686 /* Max length: 18 "TYPE=255 CODE=255 " */ 687 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code); 688 689 switch (ic->icmp6_type) { 690 case ICMPV6_ECHO_REQUEST: 691 case ICMPV6_ECHO_REPLY: 692 /* Max length: 19 "ID=65535 SEQ=65535 " */ 693 sb_add(m, "ID=%u SEQ=%u ", 694 ntohs(ic->icmp6_identifier), 695 ntohs(ic->icmp6_sequence)); 696 break; 697 case ICMPV6_MGM_QUERY: 698 case ICMPV6_MGM_REPORT: 699 case ICMPV6_MGM_REDUCTION: 700 break; 701 702 case ICMPV6_PARAMPROB: 703 /* Max length: 17 "POINTER=ffffffff " */ 704 sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer)); 705 /* Fall through */ 706 case ICMPV6_DEST_UNREACH: 707 case ICMPV6_PKT_TOOBIG: 708 case ICMPV6_TIME_EXCEED: 709 /* Max length: 3+maxlen */ 710 if (recurse) { 711 sb_add(m, "["); 712 dump_ipv6_packet(m, info, skb, 713 ptr + sizeof(_icmp6h), 0); 714 sb_add(m, "] "); 715 } 716 717 /* Max length: 10 "MTU=65535 " */ 718 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) 719 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu)); 720 } 721 break; 722 } 723 /* Max length: 10 "PROTO=255 " */ 724 default: 725 sb_add(m, "PROTO=%u ", currenthdr); 726 } 727 728 /* Max length: 15 "UID=4294967295 " */ 729 if ((logflags & XT_LOG_UID) && recurse) 730 dump_sk_uid_gid(m, skb->sk); 731 732 /* Max length: 16 "MARK=0xFFFFFFFF " */ 733 if (!recurse && skb->mark) 734 sb_add(m, "MARK=0x%x ", skb->mark); 735} 736 737static void dump_ipv6_mac_header(struct sbuff *m, 738 const struct nf_loginfo *info, 739 const struct sk_buff *skb) 740{ 741 struct net_device *dev = skb->dev; 742 unsigned int logflags = 0; 743 744 if (info->type == NF_LOG_TYPE_LOG) 745 logflags = info->u.log.logflags; 746 747 if (!(logflags & XT_LOG_MACDECODE)) 748 goto fallback; 749 750 switch (dev->type) { 751 case ARPHRD_ETHER: 752 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 753 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 754 ntohs(eth_hdr(skb)->h_proto)); 755 return; 756 default: 757 break; 758 } 759 760fallback: 761 sb_add(m, "MAC="); 762 if (dev->hard_header_len && 763 skb->mac_header != skb->network_header) { 764 const unsigned char *p = skb_mac_header(skb); 765 unsigned int len = dev->hard_header_len; 766 unsigned int i; 767 768 if (dev->type == ARPHRD_SIT) { 769 p -= ETH_HLEN; 770 771 if (p < skb->head) 772 p = NULL; 773 } 774 775 if (p != NULL) { 776 sb_add(m, "%02x", *p++); 777 for (i = 1; i < len; i++) 778 sb_add(m, ":%02x", *p++); 779 } 780 sb_add(m, " "); 781 782 if (dev->type == ARPHRD_SIT) { 783 const struct iphdr *iph = 784 (struct iphdr *)skb_mac_header(skb); 785 sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 786 &iph->daddr); 787 } 788 } else 789 sb_add(m, " "); 790} 791 792static void 793ip6t_log_packet(u_int8_t pf, 794 unsigned int hooknum, 795 const struct sk_buff *skb, 796 const struct net_device *in, 797 const struct net_device *out, 798 const struct nf_loginfo *loginfo, 799 const char *prefix) 800{ 801 struct sbuff *m = sb_open(); 802 803 if (!loginfo) 804 loginfo = &default_loginfo; 805 806 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 807 808 if (in != NULL) 809 dump_ipv6_mac_header(m, loginfo, skb); 810 811 dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1); 812 813 sb_close(m); 814} 815#endif 816 817static unsigned int 818log_tg(struct sk_buff *skb, const struct xt_action_param *par) 819{ 820 const struct xt_log_info *loginfo = par->targinfo; 821 struct nf_loginfo li; 822 823 li.type = NF_LOG_TYPE_LOG; 824 li.u.log.level = loginfo->level; 825 li.u.log.logflags = loginfo->logflags; 826 827 if (par->family == NFPROTO_IPV4) 828 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in, 829 par->out, &li, loginfo->prefix); 830#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 831 else if (par->family == NFPROTO_IPV6) 832 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in, 833 par->out, &li, loginfo->prefix); 834#endif 835 else 836 WARN_ON_ONCE(1); 837 838 return XT_CONTINUE; 839} 840 841static int log_tg_check(const struct xt_tgchk_param *par) 842{ 843 const struct xt_log_info *loginfo = par->targinfo; 844 845 if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6) 846 return -EINVAL; 847 848 if (loginfo->level >= 8) { 849 pr_debug("level %u >= 8\n", loginfo->level); 850 return -EINVAL; 851 } 852 853 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 854 pr_debug("prefix is not null-terminated\n"); 855 return -EINVAL; 856 } 857 858 return 0; 859} 860 861static struct xt_target log_tg_regs[] __read_mostly = { 862 { 863 .name = "LOG", 864 .family = NFPROTO_IPV4, 865 .target = log_tg, 866 .targetsize = sizeof(struct xt_log_info), 867 .checkentry = log_tg_check, 868 .me = THIS_MODULE, 869 }, 870#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 871 { 872 .name = "LOG", 873 .family = NFPROTO_IPV6, 874 .target = log_tg, 875 .targetsize = sizeof(struct xt_log_info), 876 .checkentry = log_tg_check, 877 .me = THIS_MODULE, 878 }, 879#endif 880}; 881 882static struct nf_logger ipt_log_logger __read_mostly = { 883 .name = "ipt_LOG", 884 .logfn = &ipt_log_packet, 885 .me = THIS_MODULE, 886}; 887 888#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 889static struct nf_logger ip6t_log_logger __read_mostly = { 890 .name = "ip6t_LOG", 891 .logfn = &ip6t_log_packet, 892 .me = THIS_MODULE, 893}; 894#endif 895 896static int __init log_tg_init(void) 897{ 898 int ret; 899 900 ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 901 if (ret < 0) 902 return ret; 903 904 nf_log_register(NFPROTO_IPV4, &ipt_log_logger); 905#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 906 nf_log_register(NFPROTO_IPV6, &ip6t_log_logger); 907#endif 908 return 0; 909} 910 911static void __exit log_tg_exit(void) 912{ 913 nf_log_unregister(&ipt_log_logger); 914#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 915 nf_log_unregister(&ip6t_log_logger); 916#endif 917 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 918} 919 920module_init(log_tg_init); 921module_exit(log_tg_exit); 922 923MODULE_LICENSE("GPL"); 924MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 925MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>"); 926MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging"); 927MODULE_ALIAS("ipt_LOG"); 928MODULE_ALIAS("ip6t_LOG");