tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nf_log: prepare net namespace support for loggers

This patch adds netns support to nf_log and it prepares netns
support for existing loggers. It is composed of four major
changes.

1) nf_log_register has been split to two functions: nf_log_register
and nf_log_set. The new nf_log_register is used to globally
register the nf_logger and nf_log_set is used for enabling
pernet support from nf_loggers.

Per netns is not yet complete after this patch, it comes in
separate follow up patches.

2) Add net as a parameter of nf_log_bind_pf. Per netns is not
yet complete after this patch, it only allows to bind the
nf_logger to the protocol family from init_net and it skips
other cases.

3) Adapt all nf_log_packet callers to pass netns as parameter.
After this patch, this function only works for init_net.

4) Make the sysctl net/netfilter/nf_log pernet.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Gao feng and committed by
Pablo Neira Ayuso 30e0c6a6 f3c1a44a

+232 -99
+10 -4
include/net/netfilter/nf_log.h
··· 49 49 int nf_log_register(u_int8_t pf, struct nf_logger *logger); 50 50 void nf_log_unregister(struct nf_logger *logger); 51 51 52 - int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger); 53 - void nf_log_unbind_pf(u_int8_t pf); 52 + void nf_log_set(struct net *net, u_int8_t pf, 53 + const struct nf_logger *logger); 54 + void nf_log_unset(struct net *net, const struct nf_logger *logger); 55 + 56 + int nf_log_bind_pf(struct net *net, u_int8_t pf, 57 + const struct nf_logger *logger); 58 + void nf_log_unbind_pf(struct net *net, u_int8_t pf); 54 59 55 60 /* Calls the registered backend logging function */ 56 - __printf(7, 8) 57 - void nf_log_packet(u_int8_t pf, 61 + __printf(8, 9) 62 + void nf_log_packet(struct net *net, 63 + u_int8_t pf, 58 64 unsigned int hooknum, 59 65 const struct sk_buff *skb, 60 66 const struct net_device *in,
+7
include/net/netns/netfilter.h
··· 2 2 #define __NETNS_NETFILTER_H 3 3 4 4 #include <linux/proc_fs.h> 5 + #include <linux/netfilter.h> 6 + 7 + struct nf_logger; 5 8 6 9 struct netns_nf { 7 10 #if defined CONFIG_PROC_FS 8 11 struct proc_dir_entry *proc_netfilter; 12 + #endif 13 + const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO]; 14 + #ifdef CONFIG_SYSCTL 15 + struct ctl_table_header *nf_log_dir_header; 9 16 #endif 10 17 }; 11 18 #endif
+4 -3
net/bridge/netfilter/ebt_log.c
··· 176 176 { 177 177 const struct ebt_log_info *info = par->targinfo; 178 178 struct nf_loginfo li; 179 + struct net *net = dev_net(par->in ? par->in : par->out); 179 180 180 181 li.type = NF_LOG_TYPE_LOG; 181 182 li.u.log.level = info->loglevel; 182 183 li.u.log.logflags = info->bitmask; 183 184 184 185 if (info->bitmask & EBT_LOG_NFLOG) 185 - nf_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in, 186 - par->out, &li, "%s", info->prefix); 186 + nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, 187 + par->in, par->out, &li, "%s", info->prefix); 187 188 else 188 189 ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in, 189 - par->out, &li, info->prefix); 190 + par->out, &li, info->prefix); 190 191 return EBT_CONTINUE; 191 192 } 192 193
+3 -2
net/bridge/netfilter/ebt_nflog.c
··· 24 24 { 25 25 const struct ebt_nflog_info *info = par->targinfo; 26 26 struct nf_loginfo li; 27 + struct net *net = dev_net(par->in ? par->in : par->out); 27 28 28 29 li.type = NF_LOG_TYPE_ULOG; 29 30 li.u.ulog.copy_len = info->len; 30 31 li.u.ulog.group = info->group; 31 32 li.u.ulog.qthreshold = info->threshold; 32 33 33 - nf_log_packet(PF_BRIDGE, par->hooknum, skb, par->in, par->out, 34 - &li, "%s", info->prefix); 34 + nf_log_packet(net, PF_BRIDGE, par->hooknum, skb, par->in, 35 + par->out, &li, "%s", info->prefix); 35 36 return EBT_CONTINUE; 36 37 } 37 38
+2 -1
net/ipv4/netfilter/ip_tables.c
··· 258 258 const char *hookname, *chainname, *comment; 259 259 const struct ipt_entry *iter; 260 260 unsigned int rulenum = 0; 261 + struct net *net = dev_net(in ? in : out); 261 262 262 263 table_base = private->entries[smp_processor_id()]; 263 264 root = get_entry(table_base, private->hook_entry[hook]); ··· 271 270 &chainname, &comment, &rulenum) != 0) 272 271 break; 273 272 274 - nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo, 273 + nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo, 275 274 "TRACE: %s:%s:%s:%u ", 276 275 tablename, chainname, comment, rulenum); 277 276 }
+4 -4
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
··· 187 187 icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih); 188 188 if (icmph == NULL) { 189 189 if (LOG_INVALID(net, IPPROTO_ICMP)) 190 - nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, 191 - "nf_ct_icmp: short packet "); 190 + nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, 191 + NULL, "nf_ct_icmp: short packet "); 192 192 return -NF_ACCEPT; 193 193 } 194 194 ··· 196 196 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 197 197 nf_ip_checksum(skb, hooknum, dataoff, 0)) { 198 198 if (LOG_INVALID(net, IPPROTO_ICMP)) 199 - nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, 199 + nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL, 200 200 "nf_ct_icmp: bad HW ICMP checksum "); 201 201 return -NF_ACCEPT; 202 202 } ··· 209 209 */ 210 210 if (icmph->type > NR_ICMP_TYPES) { 211 211 if (LOG_INVALID(net, IPPROTO_ICMP)) 212 - nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, 212 + nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL, 213 213 "nf_ct_icmp: invalid ICMP type "); 214 214 return -NF_ACCEPT; 215 215 }
+2 -1
net/ipv6/netfilter/ip6_tables.c
··· 284 284 const char *hookname, *chainname, *comment; 285 285 const struct ip6t_entry *iter; 286 286 unsigned int rulenum = 0; 287 + struct net *net = dev_net(in ? in : out); 287 288 288 289 table_base = private->entries[smp_processor_id()]; 289 290 root = get_entry(table_base, private->hook_entry[hook]); ··· 297 296 &chainname, &comment, &rulenum) != 0) 298 297 break; 299 298 300 - nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo, 299 + nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo, 301 300 "TRACE: %s:%s:%s:%u ", 302 301 tablename, chainname, comment, rulenum); 303 302 }
+4 -3
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
··· 131 131 type + 128); 132 132 nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple); 133 133 if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6)) 134 - nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, 134 + nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL, 135 + NULL, NULL, 135 136 "nf_ct_icmpv6: invalid new with type %d ", 136 137 type + 128); 137 138 return false; ··· 204 203 icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih); 205 204 if (icmp6h == NULL) { 206 205 if (LOG_INVALID(net, IPPROTO_ICMPV6)) 207 - nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, 206 + nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL, 208 207 "nf_ct_icmpv6: short packet "); 209 208 return -NF_ACCEPT; 210 209 } ··· 212 211 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 213 212 nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) { 214 213 if (LOG_INVALID(net, IPPROTO_ICMPV6)) 215 - nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, 214 + nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL, 216 215 "nf_ct_icmpv6: ICMPv6 checksum failed "); 217 216 return -NF_ACCEPT; 218 217 }
+1 -1
net/netfilter/nf_conntrack_helper.c
··· 353 353 /* rcu_read_lock()ed by nf_hook_slow */ 354 354 helper = rcu_dereference(help->helper); 355 355 356 - nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, 356 + nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, 357 357 "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf); 358 358 359 359 va_end(args);
+5 -4
net/netfilter/nf_conntrack_proto_dccp.c
··· 456 456 457 457 out_invalid: 458 458 if (LOG_INVALID(net, IPPROTO_DCCP)) 459 - nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg); 459 + nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL, 460 + NULL, msg); 460 461 return false; 461 462 } 462 463 ··· 543 542 544 543 spin_unlock_bh(&ct->lock); 545 544 if (LOG_INVALID(net, IPPROTO_DCCP)) 546 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 545 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 547 546 "nf_ct_dccp: invalid packet ignored "); 548 547 return NF_ACCEPT; 549 548 case CT_DCCP_INVALID: 550 549 spin_unlock_bh(&ct->lock); 551 550 if (LOG_INVALID(net, IPPROTO_DCCP)) 552 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 551 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 553 552 "nf_ct_dccp: invalid state transition "); 554 553 return -NF_ACCEPT; 555 554 } ··· 614 613 615 614 out_invalid: 616 615 if (LOG_INVALID(net, IPPROTO_DCCP)) 617 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg); 616 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg); 618 617 return -NF_ACCEPT; 619 618 } 620 619
+9 -9
net/netfilter/nf_conntrack_proto_tcp.c
··· 720 720 tn->tcp_be_liberal) 721 721 res = true; 722 722 if (!res && LOG_INVALID(net, IPPROTO_TCP)) 723 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 723 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 724 724 "nf_ct_tcp: %s ", 725 725 before(seq, sender->td_maxend + 1) ? 726 726 after(end, sender->td_end - receiver->td_maxwin - 1) ? ··· 772 772 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); 773 773 if (th == NULL) { 774 774 if (LOG_INVALID(net, IPPROTO_TCP)) 775 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 775 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 776 776 "nf_ct_tcp: short packet "); 777 777 return -NF_ACCEPT; 778 778 } ··· 780 780 /* Not whole TCP header or malformed packet */ 781 781 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { 782 782 if (LOG_INVALID(net, IPPROTO_TCP)) 783 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 783 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 784 784 "nf_ct_tcp: truncated/malformed packet "); 785 785 return -NF_ACCEPT; 786 786 } ··· 793 793 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 794 794 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) { 795 795 if (LOG_INVALID(net, IPPROTO_TCP)) 796 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 796 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 797 797 "nf_ct_tcp: bad TCP checksum "); 798 798 return -NF_ACCEPT; 799 799 } ··· 802 802 tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH)); 803 803 if (!tcp_valid_flags[tcpflags]) { 804 804 if (LOG_INVALID(net, IPPROTO_TCP)) 805 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 805 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 806 806 "nf_ct_tcp: invalid TCP flag combination "); 807 807 return -NF_ACCEPT; 808 808 } ··· 949 949 } 950 950 spin_unlock_bh(&ct->lock); 951 951 if (LOG_INVALID(net, IPPROTO_TCP)) 952 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 952 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 953 953 "nf_ct_tcp: invalid packet ignored in " 954 954 "state %s ", tcp_conntrack_names[old_state]); 955 955 return NF_ACCEPT; ··· 959 959 dir, get_conntrack_index(th), old_state); 960 960 spin_unlock_bh(&ct->lock); 961 961 if (LOG_INVALID(net, IPPROTO_TCP)) 962 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 962 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 963 963 "nf_ct_tcp: invalid state "); 964 964 return -NF_ACCEPT; 965 965 case TCP_CONNTRACK_CLOSE: ··· 969 969 /* Invalid RST */ 970 970 spin_unlock_bh(&ct->lock); 971 971 if (LOG_INVALID(net, IPPROTO_TCP)) 972 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 973 - "nf_ct_tcp: invalid RST "); 972 + nf_log_packet(net, pf, 0, skb, NULL, NULL, 973 + NULL, "nf_ct_tcp: invalid RST "); 974 974 return -NF_ACCEPT; 975 975 } 976 976 if (index == TCP_RST_SET
+3 -3
net/netfilter/nf_conntrack_proto_udp.c
··· 119 119 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 120 120 if (hdr == NULL) { 121 121 if (LOG_INVALID(net, IPPROTO_UDP)) 122 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 122 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 123 123 "nf_ct_udp: short packet "); 124 124 return -NF_ACCEPT; 125 125 } ··· 127 127 /* Truncated/malformed packets */ 128 128 if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { 129 129 if (LOG_INVALID(net, IPPROTO_UDP)) 130 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 130 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 131 131 "nf_ct_udp: truncated/malformed packet "); 132 132 return -NF_ACCEPT; 133 133 } ··· 143 143 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 144 144 nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) { 145 145 if (LOG_INVALID(net, IPPROTO_UDP)) 146 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 146 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 147 147 "nf_ct_udp: bad UDP checksum "); 148 148 return -NF_ACCEPT; 149 149 }
+4 -4
net/netfilter/nf_conntrack_proto_udplite.c
··· 131 131 hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 132 132 if (hdr == NULL) { 133 133 if (LOG_INVALID(net, IPPROTO_UDPLITE)) 134 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 134 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 135 135 "nf_ct_udplite: short packet "); 136 136 return -NF_ACCEPT; 137 137 } ··· 141 141 cscov = udplen; 142 142 else if (cscov < sizeof(*hdr) || cscov > udplen) { 143 143 if (LOG_INVALID(net, IPPROTO_UDPLITE)) 144 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 144 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 145 145 "nf_ct_udplite: invalid checksum coverage "); 146 146 return -NF_ACCEPT; 147 147 } ··· 149 149 /* UDPLITE mandates checksums */ 150 150 if (!hdr->check) { 151 151 if (LOG_INVALID(net, IPPROTO_UDPLITE)) 152 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 152 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 153 153 "nf_ct_udplite: checksum missing "); 154 154 return -NF_ACCEPT; 155 155 } ··· 159 159 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP, 160 160 pf)) { 161 161 if (LOG_INVALID(net, IPPROTO_UDPLITE)) 162 - nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 162 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, 163 163 "nf_ct_udplite: bad UDPLite checksum "); 164 164 return -NF_ACCEPT; 165 165 }
+167 -56
net/netfilter/nf_log.c
··· 16 16 #define NF_LOG_PREFIXLEN 128 17 17 #define NFLOGGER_NAME_LEN 64 18 18 19 - static const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO] __read_mostly; 20 19 static struct list_head nf_loggers_l[NFPROTO_NUMPROTO] __read_mostly; 21 20 static DEFINE_MUTEX(nf_log_mutex); 22 21 ··· 31 32 return NULL; 32 33 } 33 34 35 + void nf_log_set(struct net *net, u_int8_t pf, const struct nf_logger *logger) 36 + { 37 + const struct nf_logger *log; 38 + 39 + if (!net_eq(net, &init_net)) 40 + return; 41 + 42 + if (pf == NFPROTO_UNSPEC) 43 + return; 44 + 45 + mutex_lock(&nf_log_mutex); 46 + log = rcu_dereference_protected(net->nf.nf_loggers[pf], 47 + lockdep_is_held(&nf_log_mutex)); 48 + if (log == NULL) 49 + rcu_assign_pointer(net->nf.nf_loggers[pf], logger); 50 + 51 + mutex_unlock(&nf_log_mutex); 52 + } 53 + EXPORT_SYMBOL(nf_log_set); 54 + 55 + void nf_log_unset(struct net *net, const struct nf_logger *logger) 56 + { 57 + int i; 58 + const struct nf_logger *log; 59 + 60 + if (!net_eq(net, &init_net)) 61 + return; 62 + 63 + mutex_lock(&nf_log_mutex); 64 + for (i = 0; i < NFPROTO_NUMPROTO; i++) { 65 + log = rcu_dereference_protected(net->nf.nf_loggers[i], 66 + lockdep_is_held(&nf_log_mutex)); 67 + if (log == logger) 68 + RCU_INIT_POINTER(net->nf.nf_loggers[i], NULL); 69 + } 70 + mutex_unlock(&nf_log_mutex); 71 + synchronize_rcu(); 72 + } 73 + EXPORT_SYMBOL(nf_log_unset); 74 + 34 75 /* return EEXIST if the same logger is registered, 0 on success. */ 35 76 int nf_log_register(u_int8_t pf, struct nf_logger *logger) 36 77 { 37 - const struct nf_logger *llog; 38 78 int i; 39 79 40 - if (pf >= ARRAY_SIZE(nf_loggers)) 80 + if (pf >= ARRAY_SIZE(init_net.nf.nf_loggers)) 41 81 return -EINVAL; 42 82 43 83 for (i = 0; i < ARRAY_SIZE(logger->list); i++) ··· 90 52 } else { 91 53 /* register at end of list to honor first register win */ 92 54 list_add_tail(&logger->list[pf], &nf_loggers_l[pf]); 93 - llog = rcu_dereference_protected(nf_loggers[pf], 94 - lockdep_is_held(&nf_log_mutex)); 95 - if (llog == NULL) 96 - rcu_assign_pointer(nf_loggers[pf], logger); 97 55 } 98 56 99 57 mutex_unlock(&nf_log_mutex); 100 58 59 + nf_log_set(&init_net, pf, logger); 101 60 return 0; 102 61 } 103 62 EXPORT_SYMBOL(nf_log_register); 104 63 105 64 void nf_log_unregister(struct nf_logger *logger) 106 65 { 107 - const struct nf_logger *c_logger; 108 66 int i; 109 67 110 68 mutex_lock(&nf_log_mutex); 111 - for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) { 112 - c_logger = rcu_dereference_protected(nf_loggers[i], 113 - lockdep_is_held(&nf_log_mutex)); 114 - if (c_logger == logger) 115 - RCU_INIT_POINTER(nf_loggers[i], NULL); 69 + for (i = 0; i < NFPROTO_NUMPROTO; i++) 116 70 list_del(&logger->list[i]); 117 - } 118 71 mutex_unlock(&nf_log_mutex); 119 72 120 - synchronize_rcu(); 73 + nf_log_unset(&init_net, logger); 121 74 } 122 75 EXPORT_SYMBOL(nf_log_unregister); 123 76 124 - int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger) 77 + int nf_log_bind_pf(struct net *net, u_int8_t pf, 78 + const struct nf_logger *logger) 125 79 { 126 - if (pf >= ARRAY_SIZE(nf_loggers)) 80 + if (!net_eq(net, &init_net)) 81 + return 0; 82 + 83 + if (pf >= ARRAY_SIZE(net->nf.nf_loggers)) 127 84 return -EINVAL; 128 85 mutex_lock(&nf_log_mutex); 129 86 if (__find_logger(pf, logger->name) == NULL) { 130 87 mutex_unlock(&nf_log_mutex); 131 88 return -ENOENT; 132 89 } 133 - rcu_assign_pointer(nf_loggers[pf], logger); 90 + rcu_assign_pointer(net->nf.nf_loggers[pf], logger); 134 91 mutex_unlock(&nf_log_mutex); 135 92 return 0; 136 93 } 137 94 EXPORT_SYMBOL(nf_log_bind_pf); 138 95 139 - void nf_log_unbind_pf(u_int8_t pf) 96 + void nf_log_unbind_pf(struct net *net, u_int8_t pf) 140 97 { 141 - if (pf >= ARRAY_SIZE(nf_loggers)) 98 + if (!net_eq(net, &init_net)) 99 + return; 100 + 101 + if (pf >= ARRAY_SIZE(net->nf.nf_loggers)) 142 102 return; 143 103 mutex_lock(&nf_log_mutex); 144 - RCU_INIT_POINTER(nf_loggers[pf], NULL); 104 + RCU_INIT_POINTER(net->nf.nf_loggers[pf], NULL); 145 105 mutex_unlock(&nf_log_mutex); 146 106 } 147 107 EXPORT_SYMBOL(nf_log_unbind_pf); 148 108 149 - void nf_log_packet(u_int8_t pf, 109 + void nf_log_packet(struct net *net, 110 + u_int8_t pf, 150 111 unsigned int hooknum, 151 112 const struct sk_buff *skb, 152 113 const struct net_device *in, ··· 157 120 char prefix[NF_LOG_PREFIXLEN]; 158 121 const struct nf_logger *logger; 159 122 123 + if (!net_eq(net, &init_net)) 124 + return; 125 + 160 126 rcu_read_lock(); 161 - logger = rcu_dereference(nf_loggers[pf]); 127 + logger = rcu_dereference(net->nf.nf_loggers[pf]); 162 128 if (logger) { 163 129 va_start(args, fmt); 164 130 vsnprintf(prefix, sizeof(prefix), fmt, args); ··· 175 135 #ifdef CONFIG_PROC_FS 176 136 static void *seq_start(struct seq_file *seq, loff_t *pos) 177 137 { 138 + struct net *net = seq_file_net(seq); 139 + 178 140 mutex_lock(&nf_log_mutex); 179 141 180 - if (*pos >= ARRAY_SIZE(nf_loggers)) 142 + if (*pos >= ARRAY_SIZE(net->nf.nf_loggers)) 181 143 return NULL; 182 144 183 145 return pos; ··· 187 145 188 146 static void *seq_next(struct seq_file *s, void *v, loff_t *pos) 189 147 { 148 + struct net *net = seq_file_net(s); 149 + 190 150 (*pos)++; 191 151 192 - if (*pos >= ARRAY_SIZE(nf_loggers)) 152 + if (*pos >= ARRAY_SIZE(net->nf.nf_loggers)) 193 153 return NULL; 194 154 195 155 return pos; ··· 208 164 const struct nf_logger *logger; 209 165 struct nf_logger *t; 210 166 int ret; 167 + struct net *net = seq_file_net(s); 211 168 212 - logger = rcu_dereference_protected(nf_loggers[*pos], 169 + logger = rcu_dereference_protected(net->nf.nf_loggers[*pos], 213 170 lockdep_is_held(&nf_log_mutex)); 214 171 215 172 if (!logger) ··· 244 199 245 200 static int nflog_open(struct inode *inode, struct file *file) 246 201 { 247 - return seq_open(file, &nflog_seq_ops); 202 + return seq_open_net(inode, file, &nflog_seq_ops, 203 + sizeof(struct seq_net_private)); 248 204 } 249 205 250 206 static const struct file_operations nflog_file_ops = { ··· 253 207 .open = nflog_open, 254 208 .read = seq_read, 255 209 .llseek = seq_lseek, 256 - .release = seq_release, 210 + .release = seq_release_net, 257 211 }; 258 212 259 213 ··· 262 216 #ifdef CONFIG_SYSCTL 263 217 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3]; 264 218 static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1]; 265 - static struct ctl_table_header *nf_log_dir_header; 266 219 267 220 static int nf_log_proc_dostring(ctl_table *table, int write, 268 221 void __user *buffer, size_t *lenp, loff_t *ppos) ··· 271 226 size_t size = *lenp; 272 227 int r = 0; 273 228 int tindex = (unsigned long)table->extra1; 229 + struct net *net = current->nsproxy->net_ns; 274 230 275 231 if (write) { 232 + if (!net_eq(net, &init_net)) 233 + return -EPERM; 234 + 276 235 if (size > sizeof(buf)) 277 236 size = sizeof(buf); 278 237 if (copy_from_user(buf, buffer, size)) 279 238 return -EFAULT; 280 239 281 240 if (!strcmp(buf, "NONE")) { 282 - nf_log_unbind_pf(tindex); 241 + nf_log_unbind_pf(net, tindex); 283 242 return 0; 284 243 } 285 244 mutex_lock(&nf_log_mutex); ··· 292 243 mutex_unlock(&nf_log_mutex); 293 244 return -ENOENT; 294 245 } 295 - rcu_assign_pointer(nf_loggers[tindex], logger); 246 + rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); 296 247 mutex_unlock(&nf_log_mutex); 297 248 } else { 298 249 mutex_lock(&nf_log_mutex); 299 - logger = rcu_dereference_protected(nf_loggers[tindex], 250 + logger = rcu_dereference_protected(net->nf.nf_loggers[tindex], 300 251 lockdep_is_held(&nf_log_mutex)); 301 252 if (!logger) 302 253 table->data = "NONE"; ··· 309 260 return r; 310 261 } 311 262 312 - static __init int netfilter_log_sysctl_init(void) 263 + static int netfilter_log_sysctl_init(struct net *net) 313 264 { 314 265 int i; 266 + struct ctl_table *table; 315 267 316 - for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { 317 - snprintf(nf_log_sysctl_fnames[i-NFPROTO_UNSPEC], 3, "%d", i); 318 - nf_log_sysctl_table[i].procname = 319 - nf_log_sysctl_fnames[i-NFPROTO_UNSPEC]; 320 - nf_log_sysctl_table[i].data = NULL; 321 - nf_log_sysctl_table[i].maxlen = 322 - NFLOGGER_NAME_LEN * sizeof(char); 323 - nf_log_sysctl_table[i].mode = 0644; 324 - nf_log_sysctl_table[i].proc_handler = nf_log_proc_dostring; 325 - nf_log_sysctl_table[i].extra1 = (void *)(unsigned long) i; 268 + table = nf_log_sysctl_table; 269 + if (!net_eq(net, &init_net)) { 270 + table = kmemdup(nf_log_sysctl_table, 271 + sizeof(nf_log_sysctl_table), 272 + GFP_KERNEL); 273 + if (!table) 274 + goto err_alloc; 275 + } else { 276 + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { 277 + snprintf(nf_log_sysctl_fnames[i], 278 + 3, "%d", i); 279 + nf_log_sysctl_table[i].procname = 280 + nf_log_sysctl_fnames[i]; 281 + nf_log_sysctl_table[i].data = NULL; 282 + nf_log_sysctl_table[i].maxlen = 283 + NFLOGGER_NAME_LEN * sizeof(char); 284 + nf_log_sysctl_table[i].mode = 0644; 285 + nf_log_sysctl_table[i].proc_handler = 286 + nf_log_proc_dostring; 287 + nf_log_sysctl_table[i].extra1 = 288 + (void *)(unsigned long) i; 289 + } 326 290 } 327 291 328 - nf_log_dir_header = register_net_sysctl(&init_net, "net/netfilter/nf_log", 329 - nf_log_sysctl_table); 330 - if (!nf_log_dir_header) 331 - return -ENOMEM; 292 + net->nf.nf_log_dir_header = register_net_sysctl(net, 293 + "net/netfilter/nf_log", 294 + table); 295 + if (!net->nf.nf_log_dir_header) 296 + goto err_reg; 332 297 333 298 return 0; 299 + 300 + err_reg: 301 + if (!net_eq(net, &init_net)) 302 + kfree(table); 303 + err_alloc: 304 + return -ENOMEM; 305 + } 306 + 307 + static void netfilter_log_sysctl_exit(struct net *net) 308 + { 309 + struct ctl_table *table; 310 + 311 + table = net->nf.nf_log_dir_header->ctl_table_arg; 312 + unregister_net_sysctl_table(net->nf.nf_log_dir_header); 313 + if (!net_eq(net, &init_net)) 314 + kfree(table); 334 315 } 335 316 #else 336 - static __init int netfilter_log_sysctl_init(void) 317 + static int netfilter_log_sysctl_init(struct net *net) 337 318 { 338 319 return 0; 320 + } 321 + 322 + static void netfilter_log_sysctl_exit(struct net *net) 323 + { 339 324 } 340 325 #endif /* CONFIG_SYSCTL */ 341 326 342 - int __init netfilter_log_init(void) 327 + static int __net_init nf_log_net_init(struct net *net) 343 328 { 344 - int i, r; 329 + int ret = -ENOMEM; 330 + 345 331 #ifdef CONFIG_PROC_FS 346 332 if (!proc_create("nf_log", S_IRUGO, 347 - proc_net_netfilter, &nflog_file_ops)) 348 - return -1; 333 + net->nf.proc_netfilter, &nflog_file_ops)) 334 + return ret; 349 335 #endif 336 + ret = netfilter_log_sysctl_init(net); 337 + if (ret < 0) 338 + goto out_sysctl; 350 339 351 - /* Errors will trigger panic, unroll on error is unnecessary. */ 352 - r = netfilter_log_sysctl_init(); 353 - if (r < 0) 354 - return r; 340 + return 0; 341 + 342 + out_sysctl: 343 + /* For init_net: errors will trigger panic, don't unroll on error. */ 344 + if (!net_eq(net, &init_net)) 345 + remove_proc_entry("nf_log", net->nf.proc_netfilter); 346 + 347 + return ret; 348 + } 349 + 350 + static void __net_exit nf_log_net_exit(struct net *net) 351 + { 352 + netfilter_log_sysctl_exit(net); 353 + remove_proc_entry("nf_log", net->nf.proc_netfilter); 354 + } 355 + 356 + static struct pernet_operations nf_log_net_ops = { 357 + .init = nf_log_net_init, 358 + .exit = nf_log_net_exit, 359 + }; 360 + 361 + int __init netfilter_log_init(void) 362 + { 363 + int i, ret; 364 + 365 + ret = register_pernet_subsys(&nf_log_net_ops); 366 + if (ret < 0) 367 + return ret; 355 368 356 369 for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) 357 370 INIT_LIST_HEAD(&(nf_loggers_l[i]));
+4 -2
net/netfilter/xt_osf.c
··· 201 201 unsigned char opts[MAX_IPOPTLEN]; 202 202 const struct xt_osf_finger *kf; 203 203 const struct xt_osf_user_finger *f; 204 + struct net *net = dev_net(p->in ? p->in : p->out); 204 205 205 206 if (!info) 206 207 return false; ··· 326 325 fcount++; 327 326 328 327 if (info->flags & XT_OSF_LOG) 329 - nf_log_packet(p->family, p->hooknum, skb, 328 + nf_log_packet(net, p->family, p->hooknum, skb, 330 329 p->in, p->out, NULL, 331 330 "%s [%s:%s] : %pI4:%d -> %pI4:%d hops=%d\n", 332 331 f->genre, f->version, f->subtype, ··· 342 341 rcu_read_unlock(); 343 342 344 343 if (!fcount && (info->flags & XT_OSF_LOG)) 345 - nf_log_packet(p->family, p->hooknum, skb, p->in, p->out, NULL, 344 + nf_log_packet(net, p->family, p->hooknum, skb, p->in, 345 + p->out, NULL, 346 346 "Remote OS is not known: %pI4:%u -> %pI4:%u\n", 347 347 &ip->saddr, ntohs(tcp->source), 348 348 &ip->daddr, ntohs(tcp->dest));