tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains Netfilter/IPVS updates for your net-next tree:

1) Simplify log infrastructure modularity: Merge ipv4, ipv6, bridge,
netdev and ARP families to nf_log_syslog.c. Add module softdeps.
This fixes a rare deadlock condition that might occur when log
module autoload is required. From Florian Westphal.

2) Moves part of netfilter related pernet data from struct net to
net_generic() infrastructure. All of these users can be modules,
so if they are not loaded there is no need to waste space. Size
reduction is 7 cachelines on x86_64, also from Florian.

2) Update nftables audit support to report events once per table,
to get it aligned with iptables. From Richard Guy Briggs.

3) Check for stale routes from the flowtable garbage collector path.
This is fixing IPv6 which breaks due missing check for the dst_cookie.

4) Add a nfnl_fill_hdr() function to simplify netlink + nfnetlink
headers setup.

5) Remove documentation on several statified functions.

6) Remove printk on netns creation for the FTP IPVS tracker,
from Florian Westphal.

7) Remove unnecessary nf_tables_destroy_list_lock spinlock
initialization, from Yang Yingliang.

7) Remove a duplicated forward declaration in ipset,
from Wan Jiabing.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 5106efe6 a460513e

+1910 -2060
-2
include/linux/netfilter/ipset/ip_set.h
··· 124 124 bool target; 125 125 }; 126 126 127 - struct ip_set; 128 - 129 127 #define ext_timeout(e, s) \ 130 128 ((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])) 131 129 #define ext_counter(e, s) \
+29
include/linux/netfilter/nfnetlink.h
··· 51 51 unsigned int group, int echo, gfp_t flags); 52 52 int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error); 53 53 int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid); 54 + void nfnetlink_broadcast(struct net *net, struct sk_buff *skb, __u32 portid, 55 + __u32 group, gfp_t allocation); 54 56 55 57 static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) 56 58 { 57 59 return subsys << 8 | msg_type; 60 + } 61 + 62 + static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version, 63 + __be16 res_id) 64 + { 65 + struct nfgenmsg *nfmsg; 66 + 67 + nfmsg = nlmsg_data(nlh); 68 + nfmsg->nfgen_family = family; 69 + nfmsg->version = version; 70 + nfmsg->res_id = res_id; 71 + } 72 + 73 + static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid, 74 + u32 seq, int type, int flags, 75 + u8 family, u8 version, 76 + __be16 res_id) 77 + { 78 + struct nlmsghdr *nlh; 79 + 80 + nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 81 + if (!nlh) 82 + return NULL; 83 + 84 + nfnl_fill_hdr(nlh, family, version, res_id); 85 + 86 + return nlh; 58 87 } 59 88 60 89 void nfnl_lock(__u8 subsys_id);
-9
include/net/net_namespace.h
··· 142 142 #if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE) 143 143 struct netns_nftables nft; 144 144 #endif 145 - #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) 146 - struct netns_nf_frag nf_frag; 147 - struct ctl_table_header *nf_frag_frags_hdr; 148 - #endif 149 - struct sock *nfnl; 150 - struct sock *nfnl_stash; 151 - #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) 152 - struct list_head nfct_timeout_list; 153 - #endif 154 145 #endif 155 146 #ifdef CONFIG_WEXT_CORE 156 147 struct sk_buff_head wext_nlevents;
+6
include/net/netfilter/ipv6/nf_defrag_ipv6.h
··· 13 13 14 14 struct inet_frags_ctl; 15 15 16 + struct nft_ct_frag6_pernet { 17 + struct ctl_table_header *nf_frag_frags_hdr; 18 + struct fqdir *fqdir; 19 + unsigned int users; 20 + }; 21 + 16 22 #endif /* _NF_DEFRAG_IPV6_H */
+7
include/net/netfilter/nf_conntrack.h
··· 47 47 unsigned int users4; 48 48 unsigned int users6; 49 49 unsigned int users_bridge; 50 + #ifdef CONFIG_SYSCTL 51 + struct ctl_table_header *sysctl_header; 52 + #endif 53 + #ifdef CONFIG_NF_CONNTRACK_EVENTS 54 + struct delayed_work ecache_dwork; 55 + struct netns_ct *ct_net; 56 + #endif 50 57 }; 51 58 52 59 #include <linux/types.h>
+12 -21
include/net/netfilter/nf_conntrack_ecache.h
··· 171 171 struct nf_conntrack_expect *exp, 172 172 u32 portid, int report); 173 173 174 + void nf_conntrack_ecache_work(struct net *net, enum nf_ct_ecache_state state); 175 + 174 176 void nf_conntrack_ecache_pernet_init(struct net *net); 175 177 void nf_conntrack_ecache_pernet_fini(struct net *net); 176 178 177 179 int nf_conntrack_ecache_init(void); 178 180 void nf_conntrack_ecache_fini(void); 179 181 182 + static inline bool nf_conntrack_ecache_dwork_pending(const struct net *net) 183 + { 184 + return net->ct.ecache_dwork_pending; 185 + } 180 186 #else /* CONFIG_NF_CONNTRACK_EVENTS */ 181 187 182 188 static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e, 183 189 struct nf_conntrack_expect *exp, 184 190 u32 portid, 185 191 int report) 192 + { 193 + } 194 + 195 + static inline void nf_conntrack_ecache_work(struct net *net, 196 + enum nf_ct_ecache_state s) 186 197 { 187 198 } 188 199 ··· 214 203 { 215 204 } 216 205 206 + static inline bool nf_conntrack_ecache_dwork_pending(const struct net *net) { return false; } 217 207 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 218 - 219 - static inline void nf_conntrack_ecache_delayed_work(struct net *net) 220 - { 221 - #ifdef CONFIG_NF_CONNTRACK_EVENTS 222 - if (!delayed_work_pending(&net->ct.ecache_dwork)) { 223 - schedule_delayed_work(&net->ct.ecache_dwork, HZ); 224 - net->ct.ecache_dwork_pending = true; 225 - } 226 - #endif 227 - } 228 - 229 - static inline void nf_conntrack_ecache_work(struct net *net) 230 - { 231 - #ifdef CONFIG_NF_CONNTRACK_EVENTS 232 - if (net->ct.ecache_dwork_pending) { 233 - net->ct.ecache_dwork_pending = false; 234 - mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0); 235 - } 236 - #endif 237 - } 238 - 239 208 #endif /*_NF_CONNTRACK_ECACHE_H*/
+4 -1
include/net/netfilter/nf_flow_table.h
··· 129 129 in_vlan_ingress:2; 130 130 u16 mtu; 131 131 union { 132 - struct dst_entry *dst_cache; 132 + struct { 133 + struct dst_entry *dst_cache; 134 + u32 dst_cookie; 135 + }; 133 136 struct { 134 137 u32 ifidx; 135 138 u32 hw_ifidx;
-25
include/net/netfilter/nf_log.h
··· 68 68 69 69 int nf_logger_find_get(int pf, enum nf_log_type type); 70 70 void nf_logger_put(int pf, enum nf_log_type type); 71 - void nf_logger_request_module(int pf, enum nf_log_type type); 72 71 73 72 #define MODULE_ALIAS_NF_LOGGER(family, type) \ 74 73 MODULE_ALIAS("nf-logger-" __stringify(family) "-" __stringify(type)) ··· 98 99 struct nf_log_buf *nf_log_buf_open(void); 99 100 __printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...); 100 101 void nf_log_buf_close(struct nf_log_buf *m); 101 - 102 - /* common logging functions */ 103 - int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 104 - u8 proto, int fragment, unsigned int offset); 105 - int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 106 - u8 proto, int fragment, unsigned int offset, 107 - unsigned int logflags); 108 - void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 109 - struct sock *sk); 110 - void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb); 111 - void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 112 - unsigned int hooknum, const struct sk_buff *skb, 113 - const struct net_device *in, 114 - const struct net_device *out, 115 - const struct nf_loginfo *loginfo, 116 - const char *prefix); 117 - void nf_log_l2packet(struct net *net, u_int8_t pf, 118 - __be16 protocol, 119 - unsigned int hooknum, 120 - const struct sk_buff *skb, 121 - const struct net_device *in, 122 - const struct net_device *out, 123 - const struct nf_loginfo *loginfo, const char *prefix); 124 - 125 102 #endif /* _NF_LOG_H */
+16
include/net/netfilter/nf_tables.h
··· 1562 1562 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result); 1563 1563 __be64 nf_jiffies64_to_msecs(u64 input); 1564 1564 1565 + #ifdef CONFIG_MODULES 1566 + __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...); 1567 + #else 1568 + static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; } 1569 + #endif 1570 + 1571 + struct nftables_pernet { 1572 + struct list_head tables; 1573 + struct list_head commit_list; 1574 + struct list_head module_list; 1575 + struct list_head notify_list; 1576 + struct mutex commit_mutex; 1577 + unsigned int base_seq; 1578 + u8 validate_state; 1579 + }; 1580 + 1565 1581 #endif /* _NET_NF_TABLES_H */
-4
include/net/netns/conntrack.h
··· 96 96 atomic_t count; 97 97 unsigned int expect_count; 98 98 #ifdef CONFIG_NF_CONNTRACK_EVENTS 99 - struct delayed_work ecache_dwork; 100 99 bool ecache_dwork_pending; 101 100 #endif 102 101 bool auto_assign_helper_warned; 103 - #ifdef CONFIG_SYSCTL 104 - struct ctl_table_header *sysctl_header; 105 - #endif 106 102 unsigned int sysctl_log_invalid; /* Log invalid packets */ 107 103 int sysctl_events; 108 104 int sysctl_acct;
-6
include/net/netns/netfilter.h
··· 28 28 #if IS_ENABLED(CONFIG_DECNET) 29 29 struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS]; 30 30 #endif 31 - #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) 32 - bool defrag_ipv4; 33 - #endif 34 - #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) 35 - bool defrag_ipv6; 36 - #endif 37 31 }; 38 32 #endif
-7
include/net/netns/nftables.h
··· 5 5 #include <linux/list.h> 6 6 7 7 struct netns_nftables { 8 - struct list_head tables; 9 - struct list_head commit_list; 10 - struct list_head module_list; 11 - struct list_head notify_list; 12 - struct mutex commit_mutex; 13 - unsigned int base_seq; 14 8 u8 gencursor; 15 - u8 validate_state; 16 9 }; 17 10 18 11 #endif
-1
include/net/netns/x_tables.h
··· 8 8 struct ebt_table; 9 9 10 10 struct netns_xt { 11 - struct list_head tables[NFPROTO_NUMPROTO]; 12 11 bool notrack_deprecated_warning; 13 12 bool clusterip_deprecated_warning; 14 13 #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
-4
net/bridge/netfilter/Kconfig
··· 23 23 help 24 24 Add support to reject packets. 25 25 26 - config NF_LOG_BRIDGE 27 - tristate "Bridge packet logging" 28 - select NF_LOG_COMMON 29 - 30 26 endif # NF_TABLES_BRIDGE 31 27 32 28 config NF_CONNTRACK_BRIDGE
-3
net/bridge/netfilter/Makefile
··· 9 9 # connection tracking 10 10 obj-$(CONFIG_NF_CONNTRACK_BRIDGE) += nf_conntrack_bridge.o 11 11 12 - # packet logging 13 - obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o 14 - 15 12 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o 16 13 17 14 # tables
+34 -5
net/bridge/netfilter/ebtables.c
··· 24 24 #include <linux/cpumask.h> 25 25 #include <linux/audit.h> 26 26 #include <net/sock.h> 27 + #include <net/netns/generic.h> 27 28 /* needed for logical [in,out]-dev filtering */ 28 29 #include "../br_private.h" 29 30 ··· 40 39 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \ 41 40 COUNTER_OFFSET(n) * cpu)) 42 41 42 + struct ebt_pernet { 43 + struct list_head tables; 44 + }; 43 45 44 - 46 + static unsigned int ebt_pernet_id __read_mostly; 45 47 static DEFINE_MUTEX(ebt_mutex); 46 48 47 49 #ifdef CONFIG_COMPAT ··· 340 336 find_table_lock(struct net *net, const char *name, int *error, 341 337 struct mutex *mutex) 342 338 { 343 - return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name, 339 + struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id); 340 + 341 + return find_inlist_lock(&ebt_net->tables, name, 344 342 "ebtable_", error, mutex); 345 343 } 346 344 ··· 1142 1136 int ebt_register_table(struct net *net, const struct ebt_table *input_table, 1143 1137 const struct nf_hook_ops *ops, struct ebt_table **res) 1144 1138 { 1139 + struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id); 1145 1140 struct ebt_table_info *newinfo; 1146 1141 struct ebt_table *t, *table; 1147 1142 struct ebt_replace_kernel *repl; ··· 1201 1194 table->private = newinfo; 1202 1195 rwlock_init(&table->lock); 1203 1196 mutex_lock(&ebt_mutex); 1204 - list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { 1197 + list_for_each_entry(t, &ebt_net->tables, list) { 1205 1198 if (strcmp(t->name, table->name) == 0) { 1206 1199 ret = -EEXIST; 1207 1200 goto free_unlock; ··· 1213 1206 ret = -ENOENT; 1214 1207 goto free_unlock; 1215 1208 } 1216 - list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]); 1209 + list_add(&table->list, &ebt_net->tables); 1217 1210 mutex_unlock(&ebt_mutex); 1218 1211 1219 1212 WRITE_ONCE(*res, table); ··· 2419 2412 .owner = THIS_MODULE, 2420 2413 }; 2421 2414 2415 + static int __net_init ebt_pernet_init(struct net *net) 2416 + { 2417 + struct ebt_pernet *ebt_net = net_generic(net, ebt_pernet_id); 2418 + 2419 + INIT_LIST_HEAD(&ebt_net->tables); 2420 + return 0; 2421 + } 2422 + 2423 + static struct pernet_operations ebt_net_ops = { 2424 + .init = ebt_pernet_init, 2425 + .id = &ebt_pernet_id, 2426 + .size = sizeof(struct ebt_pernet), 2427 + }; 2428 + 2422 2429 static int __init ebtables_init(void) 2423 2430 { 2424 2431 int ret; ··· 2446 2425 return ret; 2447 2426 } 2448 2427 2428 + ret = register_pernet_subsys(&ebt_net_ops); 2429 + if (ret < 0) { 2430 + nf_unregister_sockopt(&ebt_sockopts); 2431 + xt_unregister_target(&ebt_standard_target); 2432 + return ret; 2433 + } 2434 + 2449 2435 return 0; 2450 2436 } 2451 2437 2452 - static void __exit ebtables_fini(void) 2438 + static void ebtables_fini(void) 2453 2439 { 2454 2440 nf_unregister_sockopt(&ebt_sockopts); 2455 2441 xt_unregister_target(&ebt_standard_target); 2442 + unregister_pernet_subsys(&ebt_net_ops); 2456 2443 } 2457 2444 2458 2445 EXPORT_SYMBOL(ebt_register_table);
-79
net/bridge/netfilter/nf_log_bridge.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org> 4 - */ 5 - 6 - #include <linux/module.h> 7 - #include <linux/spinlock.h> 8 - #include <linux/skbuff.h> 9 - #include <linux/if_bridge.h> 10 - #include <linux/ip.h> 11 - #include <net/route.h> 12 - 13 - #include <linux/netfilter.h> 14 - #include <net/netfilter/nf_log.h> 15 - 16 - static void nf_log_bridge_packet(struct net *net, u_int8_t pf, 17 - unsigned int hooknum, 18 - const struct sk_buff *skb, 19 - const struct net_device *in, 20 - const struct net_device *out, 21 - const struct nf_loginfo *loginfo, 22 - const char *prefix) 23 - { 24 - nf_log_l2packet(net, pf, eth_hdr(skb)->h_proto, hooknum, skb, 25 - in, out, loginfo, prefix); 26 - } 27 - 28 - static struct nf_logger nf_bridge_logger __read_mostly = { 29 - .name = "nf_log_bridge", 30 - .type = NF_LOG_TYPE_LOG, 31 - .logfn = nf_log_bridge_packet, 32 - .me = THIS_MODULE, 33 - }; 34 - 35 - static int __net_init nf_log_bridge_net_init(struct net *net) 36 - { 37 - return nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 38 - } 39 - 40 - static void __net_exit nf_log_bridge_net_exit(struct net *net) 41 - { 42 - nf_log_unset(net, &nf_bridge_logger); 43 - } 44 - 45 - static struct pernet_operations nf_log_bridge_net_ops = { 46 - .init = nf_log_bridge_net_init, 47 - .exit = nf_log_bridge_net_exit, 48 - }; 49 - 50 - static int __init nf_log_bridge_init(void) 51 - { 52 - int ret; 53 - 54 - /* Request to load the real packet loggers. */ 55 - nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG); 56 - nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG); 57 - nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG); 58 - 59 - ret = register_pernet_subsys(&nf_log_bridge_net_ops); 60 - if (ret < 0) 61 - return ret; 62 - 63 - nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 64 - return 0; 65 - } 66 - 67 - static void __exit nf_log_bridge_exit(void) 68 - { 69 - unregister_pernet_subsys(&nf_log_bridge_net_ops); 70 - nf_log_unregister(&nf_bridge_logger); 71 - } 72 - 73 - module_init(nf_log_bridge_init); 74 - module_exit(nf_log_bridge_exit); 75 - 76 - MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 77 - MODULE_DESCRIPTION("Netfilter bridge packet logging"); 78 - MODULE_LICENSE("GPL"); 79 - MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);
+8 -2
net/ipv4/netfilter/Kconfig
··· 76 76 config NF_LOG_ARP 77 77 tristate "ARP packet logging" 78 78 default m if NETFILTER_ADVANCED=n 79 - select NF_LOG_COMMON 79 + select NF_LOG_SYSLOG 80 + help 81 + This is a backwards-compat option for the user's convenience 82 + (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG. 80 83 81 84 config NF_LOG_IPV4 82 85 tristate "IPv4 packet logging" 83 86 default m if NETFILTER_ADVANCED=n 84 - select NF_LOG_COMMON 87 + select NF_LOG_SYSLOG 88 + help 89 + This is a backwards-compat option for the user's convenience 90 + (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG. 85 91 86 92 config NF_REJECT_IPV4 87 93 tristate "IPv4 packet rejection"
-4
net/ipv4/netfilter/Makefile
··· 9 9 obj-$(CONFIG_NF_SOCKET_IPV4) += nf_socket_ipv4.o 10 10 obj-$(CONFIG_NF_TPROXY_IPV4) += nf_tproxy_ipv4.o 11 11 12 - # logging 13 - obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o 14 - obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o 15 - 16 12 # reject 17 13 obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o 18 14
+15 -5
net/ipv4/netfilter/nf_defrag_ipv4.c
··· 20 20 #endif 21 21 #include <net/netfilter/nf_conntrack_zones.h> 22 22 23 + static unsigned int defrag4_pernet_id __read_mostly; 23 24 static DEFINE_MUTEX(defrag4_mutex); 25 + 26 + struct defrag4_pernet { 27 + unsigned int users; 28 + }; 24 29 25 30 static int nf_ct_ipv4_gather_frags(struct net *net, struct sk_buff *skb, 26 31 u_int32_t user) ··· 111 106 112 107 static void __net_exit defrag4_net_exit(struct net *net) 113 108 { 114 - if (net->nf.defrag_ipv4) { 109 + struct defrag4_pernet *nf_defrag = net_generic(net, defrag4_pernet_id); 110 + 111 + if (nf_defrag->users) { 115 112 nf_unregister_net_hooks(net, ipv4_defrag_ops, 116 113 ARRAY_SIZE(ipv4_defrag_ops)); 117 - net->nf.defrag_ipv4 = false; 114 + nf_defrag->users = 0; 118 115 } 119 116 } 120 117 121 118 static struct pernet_operations defrag4_net_ops = { 122 119 .exit = defrag4_net_exit, 120 + .id = &defrag4_pernet_id, 121 + .size = sizeof(struct defrag4_pernet), 123 122 }; 124 123 125 124 static int __init nf_defrag_init(void) ··· 138 129 139 130 int nf_defrag_ipv4_enable(struct net *net) 140 131 { 132 + struct defrag4_pernet *nf_defrag = net_generic(net, defrag4_pernet_id); 141 133 int err = 0; 142 134 143 135 might_sleep(); 144 136 145 - if (net->nf.defrag_ipv4) 137 + if (nf_defrag->users) 146 138 return 0; 147 139 148 140 mutex_lock(&defrag4_mutex); 149 - if (net->nf.defrag_ipv4) 141 + if (nf_defrag->users) 150 142 goto out_unlock; 151 143 152 144 err = nf_register_net_hooks(net, ipv4_defrag_ops, 153 145 ARRAY_SIZE(ipv4_defrag_ops)); 154 146 if (err == 0) 155 - net->nf.defrag_ipv4 = true; 147 + nf_defrag->users = 1; 156 148 157 149 out_unlock: 158 150 mutex_unlock(&defrag4_mutex);
-172
net/ipv4/netfilter/nf_log_arp.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org> 4 - * 5 - * Based on code from ebt_log from: 6 - * 7 - * Bart De Schuymer <bdschuym@pandora.be> 8 - * Harald Welte <laforge@netfilter.org> 9 - */ 10 - 11 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 12 - 13 - #include <linux/kernel.h> 14 - #include <linux/module.h> 15 - #include <linux/spinlock.h> 16 - #include <linux/skbuff.h> 17 - #include <linux/if_arp.h> 18 - #include <linux/ip.h> 19 - #include <net/route.h> 20 - 21 - #include <linux/netfilter.h> 22 - #include <linux/netfilter/xt_LOG.h> 23 - #include <net/netfilter/nf_log.h> 24 - 25 - static const struct nf_loginfo default_loginfo = { 26 - .type = NF_LOG_TYPE_LOG, 27 - .u = { 28 - .log = { 29 - .level = LOGLEVEL_NOTICE, 30 - .logflags = NF_LOG_DEFAULT_MASK, 31 - }, 32 - }, 33 - }; 34 - 35 - struct arppayload { 36 - unsigned char mac_src[ETH_ALEN]; 37 - unsigned char ip_src[4]; 38 - unsigned char mac_dst[ETH_ALEN]; 39 - unsigned char ip_dst[4]; 40 - }; 41 - 42 - static void dump_arp_packet(struct nf_log_buf *m, 43 - const struct nf_loginfo *info, 44 - const struct sk_buff *skb, unsigned int nhoff) 45 - { 46 - const struct arppayload *ap; 47 - struct arppayload _arpp; 48 - const struct arphdr *ah; 49 - unsigned int logflags; 50 - struct arphdr _arph; 51 - 52 - ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); 53 - if (ah == NULL) { 54 - nf_log_buf_add(m, "TRUNCATED"); 55 - return; 56 - } 57 - 58 - if (info->type == NF_LOG_TYPE_LOG) 59 - logflags = info->u.log.logflags; 60 - else 61 - logflags = NF_LOG_DEFAULT_MASK; 62 - 63 - if (logflags & NF_LOG_MACDECODE) { 64 - nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 65 - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 66 - nf_log_dump_vlan(m, skb); 67 - nf_log_buf_add(m, "MACPROTO=%04x ", 68 - ntohs(eth_hdr(skb)->h_proto)); 69 - } 70 - 71 - nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 72 - ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 73 - 74 - /* If it's for Ethernet and the lengths are OK, then log the ARP 75 - * payload. 76 - */ 77 - if (ah->ar_hrd != htons(ARPHRD_ETHER) || 78 - ah->ar_hln != ETH_ALEN || 79 - ah->ar_pln != sizeof(__be32)) 80 - return; 81 - 82 - ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp); 83 - if (ap == NULL) { 84 - nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", 85 - skb->len - sizeof(_arph)); 86 - return; 87 - } 88 - nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 89 - ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 90 - } 91 - 92 - static void nf_log_arp_packet(struct net *net, u_int8_t pf, 93 - unsigned int hooknum, const struct sk_buff *skb, 94 - const struct net_device *in, 95 - const struct net_device *out, 96 - const struct nf_loginfo *loginfo, 97 - const char *prefix) 98 - { 99 - struct nf_log_buf *m; 100 - 101 - /* FIXME: Disabled from containers until syslog ns is supported */ 102 - if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 103 - return; 104 - 105 - m = nf_log_buf_open(); 106 - 107 - if (!loginfo) 108 - loginfo = &default_loginfo; 109 - 110 - nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 111 - prefix); 112 - dump_arp_packet(m, loginfo, skb, 0); 113 - 114 - nf_log_buf_close(m); 115 - } 116 - 117 - static struct nf_logger nf_arp_logger __read_mostly = { 118 - .name = "nf_log_arp", 119 - .type = NF_LOG_TYPE_LOG, 120 - .logfn = nf_log_arp_packet, 121 - .me = THIS_MODULE, 122 - }; 123 - 124 - static int __net_init nf_log_arp_net_init(struct net *net) 125 - { 126 - return nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 127 - } 128 - 129 - static void __net_exit nf_log_arp_net_exit(struct net *net) 130 - { 131 - nf_log_unset(net, &nf_arp_logger); 132 - } 133 - 134 - static struct pernet_operations nf_log_arp_net_ops = { 135 - .init = nf_log_arp_net_init, 136 - .exit = nf_log_arp_net_exit, 137 - }; 138 - 139 - static int __init nf_log_arp_init(void) 140 - { 141 - int ret; 142 - 143 - ret = register_pernet_subsys(&nf_log_arp_net_ops); 144 - if (ret < 0) 145 - return ret; 146 - 147 - ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger); 148 - if (ret < 0) { 149 - pr_err("failed to register logger\n"); 150 - goto err1; 151 - } 152 - 153 - return 0; 154 - 155 - err1: 156 - unregister_pernet_subsys(&nf_log_arp_net_ops); 157 - return ret; 158 - } 159 - 160 - static void __exit nf_log_arp_exit(void) 161 - { 162 - unregister_pernet_subsys(&nf_log_arp_net_ops); 163 - nf_log_unregister(&nf_arp_logger); 164 - } 165 - 166 - module_init(nf_log_arp_init); 167 - module_exit(nf_log_arp_exit); 168 - 169 - MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 170 - MODULE_DESCRIPTION("Netfilter ARP packet logging"); 171 - MODULE_LICENSE("GPL"); 172 - MODULE_ALIAS_NF_LOGGER(3, 0);
-395
net/ipv4/netfilter/nf_log_ipv4.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* (C) 1999-2001 Paul `Rusty' Russell 3 - * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 - */ 5 - 6 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 - 8 - #include <linux/kernel.h> 9 - #include <linux/module.h> 10 - #include <linux/spinlock.h> 11 - #include <linux/skbuff.h> 12 - #include <linux/if_arp.h> 13 - #include <linux/ip.h> 14 - #include <net/ipv6.h> 15 - #include <net/icmp.h> 16 - #include <net/udp.h> 17 - #include <net/tcp.h> 18 - #include <net/route.h> 19 - 20 - #include <linux/netfilter.h> 21 - #include <linux/netfilter/xt_LOG.h> 22 - #include <net/netfilter/nf_log.h> 23 - 24 - static const struct nf_loginfo default_loginfo = { 25 - .type = NF_LOG_TYPE_LOG, 26 - .u = { 27 - .log = { 28 - .level = LOGLEVEL_NOTICE, 29 - .logflags = NF_LOG_DEFAULT_MASK, 30 - }, 31 - }, 32 - }; 33 - 34 - /* One level of recursion won't kill us */ 35 - static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 36 - const struct nf_loginfo *info, 37 - const struct sk_buff *skb, unsigned int iphoff) 38 - { 39 - struct iphdr _iph; 40 - const struct iphdr *ih; 41 - unsigned int logflags; 42 - 43 - if (info->type == NF_LOG_TYPE_LOG) 44 - logflags = info->u.log.logflags; 45 - else 46 - logflags = NF_LOG_DEFAULT_MASK; 47 - 48 - ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 49 - if (ih == NULL) { 50 - nf_log_buf_add(m, "TRUNCATED"); 51 - return; 52 - } 53 - 54 - /* Important fields: 55 - * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 56 - /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 57 - nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 58 - 59 - /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 60 - nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 61 - ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 62 - ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 63 - 64 - /* Max length: 6 "CE DF MF " */ 65 - if (ntohs(ih->frag_off) & IP_CE) 66 - nf_log_buf_add(m, "CE "); 67 - if (ntohs(ih->frag_off) & IP_DF) 68 - nf_log_buf_add(m, "DF "); 69 - if (ntohs(ih->frag_off) & IP_MF) 70 - nf_log_buf_add(m, "MF "); 71 - 72 - /* Max length: 11 "FRAG:65535 " */ 73 - if (ntohs(ih->frag_off) & IP_OFFSET) 74 - nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 75 - 76 - if ((logflags & NF_LOG_IPOPT) && 77 - ih->ihl * 4 > sizeof(struct iphdr)) { 78 - const unsigned char *op; 79 - unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 80 - unsigned int i, optsize; 81 - 82 - optsize = ih->ihl * 4 - sizeof(struct iphdr); 83 - op = skb_header_pointer(skb, iphoff+sizeof(_iph), 84 - optsize, _opt); 85 - if (op == NULL) { 86 - nf_log_buf_add(m, "TRUNCATED"); 87 - return; 88 - } 89 - 90 - /* Max length: 127 "OPT (" 15*4*2chars ") " */ 91 - nf_log_buf_add(m, "OPT ("); 92 - for (i = 0; i < optsize; i++) 93 - nf_log_buf_add(m, "%02X", op[i]); 94 - nf_log_buf_add(m, ") "); 95 - } 96 - 97 - switch (ih->protocol) { 98 - case IPPROTO_TCP: 99 - if (nf_log_dump_tcp_header(m, skb, ih->protocol, 100 - ntohs(ih->frag_off) & IP_OFFSET, 101 - iphoff+ih->ihl*4, logflags)) 102 - return; 103 - break; 104 - case IPPROTO_UDP: 105 - case IPPROTO_UDPLITE: 106 - if (nf_log_dump_udp_header(m, skb, ih->protocol, 107 - ntohs(ih->frag_off) & IP_OFFSET, 108 - iphoff+ih->ihl*4)) 109 - return; 110 - break; 111 - case IPPROTO_ICMP: { 112 - struct icmphdr _icmph; 113 - const struct icmphdr *ich; 114 - static const size_t required_len[NR_ICMP_TYPES+1] 115 - = { [ICMP_ECHOREPLY] = 4, 116 - [ICMP_DEST_UNREACH] 117 - = 8 + sizeof(struct iphdr), 118 - [ICMP_SOURCE_QUENCH] 119 - = 8 + sizeof(struct iphdr), 120 - [ICMP_REDIRECT] 121 - = 8 + sizeof(struct iphdr), 122 - [ICMP_ECHO] = 4, 123 - [ICMP_TIME_EXCEEDED] 124 - = 8 + sizeof(struct iphdr), 125 - [ICMP_PARAMETERPROB] 126 - = 8 + sizeof(struct iphdr), 127 - [ICMP_TIMESTAMP] = 20, 128 - [ICMP_TIMESTAMPREPLY] = 20, 129 - [ICMP_ADDRESS] = 12, 130 - [ICMP_ADDRESSREPLY] = 12 }; 131 - 132 - /* Max length: 11 "PROTO=ICMP " */ 133 - nf_log_buf_add(m, "PROTO=ICMP "); 134 - 135 - if (ntohs(ih->frag_off) & IP_OFFSET) 136 - break; 137 - 138 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 139 - ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 140 - sizeof(_icmph), &_icmph); 141 - if (ich == NULL) { 142 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 143 - skb->len - iphoff - ih->ihl*4); 144 - break; 145 - } 146 - 147 - /* Max length: 18 "TYPE=255 CODE=255 " */ 148 - nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 149 - 150 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 151 - if (ich->type <= NR_ICMP_TYPES && 152 - required_len[ich->type] && 153 - skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 154 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 155 - skb->len - iphoff - ih->ihl*4); 156 - break; 157 - } 158 - 159 - switch (ich->type) { 160 - case ICMP_ECHOREPLY: 161 - case ICMP_ECHO: 162 - /* Max length: 19 "ID=65535 SEQ=65535 " */ 163 - nf_log_buf_add(m, "ID=%u SEQ=%u ", 164 - ntohs(ich->un.echo.id), 165 - ntohs(ich->un.echo.sequence)); 166 - break; 167 - 168 - case ICMP_PARAMETERPROB: 169 - /* Max length: 14 "PARAMETER=255 " */ 170 - nf_log_buf_add(m, "PARAMETER=%u ", 171 - ntohl(ich->un.gateway) >> 24); 172 - break; 173 - case ICMP_REDIRECT: 174 - /* Max length: 24 "GATEWAY=255.255.255.255 " */ 175 - nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 176 - fallthrough; 177 - case ICMP_DEST_UNREACH: 178 - case ICMP_SOURCE_QUENCH: 179 - case ICMP_TIME_EXCEEDED: 180 - /* Max length: 3+maxlen */ 181 - if (!iphoff) { /* Only recurse once. */ 182 - nf_log_buf_add(m, "["); 183 - dump_ipv4_packet(net, m, info, skb, 184 - iphoff + ih->ihl*4+sizeof(_icmph)); 185 - nf_log_buf_add(m, "] "); 186 - } 187 - 188 - /* Max length: 10 "MTU=65535 " */ 189 - if (ich->type == ICMP_DEST_UNREACH && 190 - ich->code == ICMP_FRAG_NEEDED) { 191 - nf_log_buf_add(m, "MTU=%u ", 192 - ntohs(ich->un.frag.mtu)); 193 - } 194 - } 195 - break; 196 - } 197 - /* Max Length */ 198 - case IPPROTO_AH: { 199 - struct ip_auth_hdr _ahdr; 200 - const struct ip_auth_hdr *ah; 201 - 202 - if (ntohs(ih->frag_off) & IP_OFFSET) 203 - break; 204 - 205 - /* Max length: 9 "PROTO=AH " */ 206 - nf_log_buf_add(m, "PROTO=AH "); 207 - 208 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 209 - ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 210 - sizeof(_ahdr), &_ahdr); 211 - if (ah == NULL) { 212 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 213 - skb->len - iphoff - ih->ihl*4); 214 - break; 215 - } 216 - 217 - /* Length: 15 "SPI=0xF1234567 " */ 218 - nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 219 - break; 220 - } 221 - case IPPROTO_ESP: { 222 - struct ip_esp_hdr _esph; 223 - const struct ip_esp_hdr *eh; 224 - 225 - /* Max length: 10 "PROTO=ESP " */ 226 - nf_log_buf_add(m, "PROTO=ESP "); 227 - 228 - if (ntohs(ih->frag_off) & IP_OFFSET) 229 - break; 230 - 231 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 232 - eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 233 - sizeof(_esph), &_esph); 234 - if (eh == NULL) { 235 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 236 - skb->len - iphoff - ih->ihl*4); 237 - break; 238 - } 239 - 240 - /* Length: 15 "SPI=0xF1234567 " */ 241 - nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 242 - break; 243 - } 244 - /* Max length: 10 "PROTO 255 " */ 245 - default: 246 - nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 247 - } 248 - 249 - /* Max length: 15 "UID=4294967295 " */ 250 - if ((logflags & NF_LOG_UID) && !iphoff) 251 - nf_log_dump_sk_uid_gid(net, m, skb->sk); 252 - 253 - /* Max length: 16 "MARK=0xFFFFFFFF " */ 254 - if (!iphoff && skb->mark) 255 - nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 256 - 257 - /* Proto Max log string length */ 258 - /* IP: 40+46+6+11+127 = 230 */ 259 - /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 260 - /* UDP: 10+max(25,20) = 35 */ 261 - /* UDPLITE: 14+max(25,20) = 39 */ 262 - /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 263 - /* ESP: 10+max(25)+15 = 50 */ 264 - /* AH: 9+max(25)+15 = 49 */ 265 - /* unknown: 10 */ 266 - 267 - /* (ICMP allows recursion one level deep) */ 268 - /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 269 - /* maxlen = 230+ 91 + 230 + 252 = 803 */ 270 - } 271 - 272 - static void dump_ipv4_mac_header(struct nf_log_buf *m, 273 - const struct nf_loginfo *info, 274 - const struct sk_buff *skb) 275 - { 276 - struct net_device *dev = skb->dev; 277 - unsigned int logflags = 0; 278 - 279 - if (info->type == NF_LOG_TYPE_LOG) 280 - logflags = info->u.log.logflags; 281 - 282 - if (!(logflags & NF_LOG_MACDECODE)) 283 - goto fallback; 284 - 285 - switch (dev->type) { 286 - case ARPHRD_ETHER: 287 - nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 288 - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 289 - nf_log_dump_vlan(m, skb); 290 - nf_log_buf_add(m, "MACPROTO=%04x ", 291 - ntohs(eth_hdr(skb)->h_proto)); 292 - return; 293 - default: 294 - break; 295 - } 296 - 297 - fallback: 298 - nf_log_buf_add(m, "MAC="); 299 - if (dev->hard_header_len && 300 - skb->mac_header != skb->network_header) { 301 - const unsigned char *p = skb_mac_header(skb); 302 - unsigned int i; 303 - 304 - nf_log_buf_add(m, "%02x", *p++); 305 - for (i = 1; i < dev->hard_header_len; i++, p++) 306 - nf_log_buf_add(m, ":%02x", *p); 307 - } 308 - nf_log_buf_add(m, " "); 309 - } 310 - 311 - static void nf_log_ip_packet(struct net *net, u_int8_t pf, 312 - unsigned int hooknum, const struct sk_buff *skb, 313 - const struct net_device *in, 314 - const struct net_device *out, 315 - const struct nf_loginfo *loginfo, 316 - const char *prefix) 317 - { 318 - struct nf_log_buf *m; 319 - 320 - /* FIXME: Disabled from containers until syslog ns is supported */ 321 - if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 322 - return; 323 - 324 - m = nf_log_buf_open(); 325 - 326 - if (!loginfo) 327 - loginfo = &default_loginfo; 328 - 329 - nf_log_dump_packet_common(m, pf, hooknum, skb, in, 330 - out, loginfo, prefix); 331 - 332 - if (in != NULL) 333 - dump_ipv4_mac_header(m, loginfo, skb); 334 - 335 - dump_ipv4_packet(net, m, loginfo, skb, 0); 336 - 337 - nf_log_buf_close(m); 338 - } 339 - 340 - static struct nf_logger nf_ip_logger __read_mostly = { 341 - .name = "nf_log_ipv4", 342 - .type = NF_LOG_TYPE_LOG, 343 - .logfn = nf_log_ip_packet, 344 - .me = THIS_MODULE, 345 - }; 346 - 347 - static int __net_init nf_log_ipv4_net_init(struct net *net) 348 - { 349 - return nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 350 - } 351 - 352 - static void __net_exit nf_log_ipv4_net_exit(struct net *net) 353 - { 354 - nf_log_unset(net, &nf_ip_logger); 355 - } 356 - 357 - static struct pernet_operations nf_log_ipv4_net_ops = { 358 - .init = nf_log_ipv4_net_init, 359 - .exit = nf_log_ipv4_net_exit, 360 - }; 361 - 362 - static int __init nf_log_ipv4_init(void) 363 - { 364 - int ret; 365 - 366 - ret = register_pernet_subsys(&nf_log_ipv4_net_ops); 367 - if (ret < 0) 368 - return ret; 369 - 370 - ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 371 - if (ret < 0) { 372 - pr_err("failed to register logger\n"); 373 - goto err1; 374 - } 375 - 376 - return 0; 377 - 378 - err1: 379 - unregister_pernet_subsys(&nf_log_ipv4_net_ops); 380 - return ret; 381 - } 382 - 383 - static void __exit nf_log_ipv4_exit(void) 384 - { 385 - unregister_pernet_subsys(&nf_log_ipv4_net_ops); 386 - nf_log_unregister(&nf_ip_logger); 387 - } 388 - 389 - module_init(nf_log_ipv4_init); 390 - module_exit(nf_log_ipv4_exit); 391 - 392 - MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 393 - MODULE_DESCRIPTION("Netfilter IPv4 packet logging"); 394 - MODULE_LICENSE("GPL"); 395 - MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
+4 -1
net/ipv6/netfilter/Kconfig
··· 69 69 config NF_LOG_IPV6 70 70 tristate "IPv6 packet logging" 71 71 default m if NETFILTER_ADVANCED=n 72 - select NF_LOG_COMMON 72 + select NF_LOG_SYSLOG 73 + help 74 + This is a backwards-compat option for the user's convenience 75 + (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG. 73 76 74 77 config IP6_NF_IPTABLES 75 78 tristate "IP6 tables support (required for filtering)"
-3
net/ipv6/netfilter/Makefile
··· 18 18 obj-$(CONFIG_NF_SOCKET_IPV6) += nf_socket_ipv6.o 19 19 obj-$(CONFIG_NF_TPROXY_IPV6) += nf_tproxy_ipv6.o 20 20 21 - # logging 22 - obj-$(CONFIG_NF_LOG_IPV6) += nf_log_ipv6.o 23 - 24 21 # reject 25 22 obj-$(CONFIG_NF_REJECT_IPV6) += nf_reject_ipv6.o 26 23
+36 -32
net/ipv6/netfilter/nf_conntrack_reasm.c
··· 15 15 #include <linux/errno.h> 16 16 #include <linux/types.h> 17 17 #include <linux/string.h> 18 - #include <linux/socket.h> 19 - #include <linux/sockios.h> 20 - #include <linux/jiffies.h> 21 18 #include <linux/net.h> 22 - #include <linux/list.h> 23 19 #include <linux/netdevice.h> 24 - #include <linux/in6.h> 25 20 #include <linux/ipv6.h> 26 - #include <linux/icmpv6.h> 27 - #include <linux/random.h> 28 21 #include <linux/slab.h> 29 22 30 - #include <net/sock.h> 31 - #include <net/snmp.h> 32 23 #include <net/ipv6_frag.h> 33 24 34 - #include <net/protocol.h> 35 - #include <net/transp_v6.h> 36 - #include <net/rawv6.h> 37 - #include <net/ndisc.h> 38 - #include <net/addrconf.h> 39 - #include <net/inet_ecn.h> 40 25 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> 41 26 #include <linux/sysctl.h> 42 27 #include <linux/netfilter.h> ··· 29 44 #include <linux/kernel.h> 30 45 #include <linux/module.h> 31 46 #include <net/netfilter/ipv6/nf_defrag_ipv6.h> 47 + #include <net/netns/generic.h> 32 48 33 49 static const char nf_frags_cache_name[] = "nf-frags"; 34 50 51 + unsigned int nf_frag_pernet_id __read_mostly; 35 52 static struct inet_frags nf_frags; 53 + 54 + static struct nft_ct_frag6_pernet *nf_frag_pernet(struct net *net) 55 + { 56 + return net_generic(net, nf_frag_pernet_id); 57 + } 36 58 37 59 #ifdef CONFIG_SYSCTL 38 60 ··· 67 75 68 76 static int nf_ct_frag6_sysctl_register(struct net *net) 69 77 { 78 + struct nft_ct_frag6_pernet *nf_frag; 70 79 struct ctl_table *table; 71 80 struct ctl_table_header *hdr; 72 81 ··· 79 86 goto err_alloc; 80 87 } 81 88 82 - table[0].data = &net->nf_frag.fqdir->timeout; 83 - table[1].data = &net->nf_frag.fqdir->low_thresh; 84 - table[1].extra2 = &net->nf_frag.fqdir->high_thresh; 85 - table[2].data = &net->nf_frag.fqdir->high_thresh; 86 - table[2].extra1 = &net->nf_frag.fqdir->low_thresh; 87 - table[2].extra2 = &init_net.nf_frag.fqdir->high_thresh; 89 + nf_frag = nf_frag_pernet(net); 90 + 91 + table[0].data = &nf_frag->fqdir->timeout; 92 + table[1].data = &nf_frag->fqdir->low_thresh; 93 + table[1].extra2 = &nf_frag->fqdir->high_thresh; 94 + table[2].data = &nf_frag->fqdir->high_thresh; 95 + table[2].extra1 = &nf_frag->fqdir->low_thresh; 96 + table[2].extra2 = &nf_frag->fqdir->high_thresh; 88 97 89 98 hdr = register_net_sysctl(net, "net/netfilter", table); 90 99 if (hdr == NULL) 91 100 goto err_reg; 92 101 93 - net->nf_frag_frags_hdr = hdr; 102 + nf_frag->nf_frag_frags_hdr = hdr; 94 103 return 0; 95 104 96 105 err_reg: ··· 104 109 105 110 static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net) 106 111 { 112 + struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net); 107 113 struct ctl_table *table; 108 114 109 - table = net->nf_frag_frags_hdr->ctl_table_arg; 110 - unregister_net_sysctl_table(net->nf_frag_frags_hdr); 115 + table = nf_frag->nf_frag_frags_hdr->ctl_table_arg; 116 + unregister_net_sysctl_table(nf_frag->nf_frag_frags_hdr); 111 117 if (!net_eq(net, &init_net)) 112 118 kfree(table); 113 119 } ··· 145 149 static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user, 146 150 const struct ipv6hdr *hdr, int iif) 147 151 { 152 + struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net); 148 153 struct frag_v6_compare_key key = { 149 154 .id = id, 150 155 .saddr = hdr->saddr, ··· 155 158 }; 156 159 struct inet_frag_queue *q; 157 160 158 - q = inet_frag_find(net->nf_frag.fqdir, &key); 161 + q = inet_frag_find(nf_frag->fqdir, &key); 159 162 if (!q) 160 163 return NULL; 161 164 ··· 492 495 493 496 static int nf_ct_net_init(struct net *net) 494 497 { 498 + struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net); 495 499 int res; 496 500 497 - res = fqdir_init(&net->nf_frag.fqdir, &nf_frags, net); 501 + res = fqdir_init(&nf_frag->fqdir, &nf_frags, net); 498 502 if (res < 0) 499 503 return res; 500 504 501 - net->nf_frag.fqdir->high_thresh = IPV6_FRAG_HIGH_THRESH; 502 - net->nf_frag.fqdir->low_thresh = IPV6_FRAG_LOW_THRESH; 503 - net->nf_frag.fqdir->timeout = IPV6_FRAG_TIMEOUT; 505 + nf_frag->fqdir->high_thresh = IPV6_FRAG_HIGH_THRESH; 506 + nf_frag->fqdir->low_thresh = IPV6_FRAG_LOW_THRESH; 507 + nf_frag->fqdir->timeout = IPV6_FRAG_TIMEOUT; 504 508 505 509 res = nf_ct_frag6_sysctl_register(net); 506 510 if (res < 0) 507 - fqdir_exit(net->nf_frag.fqdir); 511 + fqdir_exit(nf_frag->fqdir); 508 512 return res; 509 513 } 510 514 511 515 static void nf_ct_net_pre_exit(struct net *net) 512 516 { 513 - fqdir_pre_exit(net->nf_frag.fqdir); 517 + struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net); 518 + 519 + fqdir_pre_exit(nf_frag->fqdir); 514 520 } 515 521 516 522 static void nf_ct_net_exit(struct net *net) 517 523 { 524 + struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net); 525 + 518 526 nf_ct_frags6_sysctl_unregister(net); 519 - fqdir_exit(net->nf_frag.fqdir); 527 + fqdir_exit(nf_frag->fqdir); 520 528 } 521 529 522 530 static struct pernet_operations nf_ct_net_ops = { 523 531 .init = nf_ct_net_init, 524 532 .pre_exit = nf_ct_net_pre_exit, 525 533 .exit = nf_ct_net_exit, 534 + .id = &nf_frag_pernet_id, 535 + .size = sizeof(struct nft_ct_frag6_pernet), 526 536 }; 527 537 528 538 static const struct rhashtable_params nfct_rhash_params = {
+10 -5
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
··· 25 25 #include <net/netfilter/nf_conntrack_zones.h> 26 26 #include <net/netfilter/ipv6/nf_defrag_ipv6.h> 27 27 28 + extern unsigned int nf_frag_pernet_id; 29 + 28 30 static DEFINE_MUTEX(defrag6_mutex); 29 31 30 32 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum, ··· 91 89 92 90 static void __net_exit defrag6_net_exit(struct net *net) 93 91 { 94 - if (net->nf.defrag_ipv6) { 92 + struct nft_ct_frag6_pernet *nf_frag = net_generic(net, nf_frag_pernet_id); 93 + 94 + if (nf_frag->users) { 95 95 nf_unregister_net_hooks(net, ipv6_defrag_ops, 96 96 ARRAY_SIZE(ipv6_defrag_ops)); 97 - net->nf.defrag_ipv6 = false; 97 + nf_frag->users = 0; 98 98 } 99 99 } 100 100 ··· 134 130 135 131 int nf_defrag_ipv6_enable(struct net *net) 136 132 { 133 + struct nft_ct_frag6_pernet *nf_frag = net_generic(net, nf_frag_pernet_id); 137 134 int err = 0; 138 135 139 136 might_sleep(); 140 137 141 - if (net->nf.defrag_ipv6) 138 + if (nf_frag->users) 142 139 return 0; 143 140 144 141 mutex_lock(&defrag6_mutex); 145 - if (net->nf.defrag_ipv6) 142 + if (nf_frag->users) 146 143 goto out_unlock; 147 144 148 145 err = nf_register_net_hooks(net, ipv6_defrag_ops, 149 146 ARRAY_SIZE(ipv6_defrag_ops)); 150 147 if (err == 0) 151 - net->nf.defrag_ipv6 = true; 148 + nf_frag->users = 1; 152 149 153 150 out_unlock: 154 151 mutex_unlock(&defrag6_mutex);
-427
net/ipv6/netfilter/nf_log_ipv6.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* (C) 1999-2001 Paul `Rusty' Russell 3 - * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 - */ 5 - 6 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 - 8 - #include <linux/kernel.h> 9 - #include <linux/module.h> 10 - #include <linux/spinlock.h> 11 - #include <linux/skbuff.h> 12 - #include <linux/if_arp.h> 13 - #include <linux/ip.h> 14 - #include <net/ipv6.h> 15 - #include <net/icmp.h> 16 - #include <net/udp.h> 17 - #include <net/tcp.h> 18 - #include <net/route.h> 19 - 20 - #include <linux/netfilter.h> 21 - #include <linux/netfilter_ipv6.h> 22 - #include <linux/netfilter/xt_LOG.h> 23 - #include <net/netfilter/nf_log.h> 24 - 25 - static const struct nf_loginfo default_loginfo = { 26 - .type = NF_LOG_TYPE_LOG, 27 - .u = { 28 - .log = { 29 - .level = LOGLEVEL_NOTICE, 30 - .logflags = NF_LOG_DEFAULT_MASK, 31 - }, 32 - }, 33 - }; 34 - 35 - /* One level of recursion won't kill us */ 36 - static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 37 - const struct nf_loginfo *info, 38 - const struct sk_buff *skb, unsigned int ip6hoff, 39 - int recurse) 40 - { 41 - u_int8_t currenthdr; 42 - int fragment; 43 - struct ipv6hdr _ip6h; 44 - const struct ipv6hdr *ih; 45 - unsigned int ptr; 46 - unsigned int hdrlen = 0; 47 - unsigned int logflags; 48 - 49 - if (info->type == NF_LOG_TYPE_LOG) 50 - logflags = info->u.log.logflags; 51 - else 52 - logflags = NF_LOG_DEFAULT_MASK; 53 - 54 - ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 55 - if (ih == NULL) { 56 - nf_log_buf_add(m, "TRUNCATED"); 57 - return; 58 - } 59 - 60 - /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 61 - nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 62 - 63 - /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 64 - nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 65 - ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 66 - (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 67 - ih->hop_limit, 68 - (ntohl(*(__be32 *)ih) & 0x000fffff)); 69 - 70 - fragment = 0; 71 - ptr = ip6hoff + sizeof(struct ipv6hdr); 72 - currenthdr = ih->nexthdr; 73 - while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) { 74 - struct ipv6_opt_hdr _hdr; 75 - const struct ipv6_opt_hdr *hp; 76 - 77 - hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 78 - if (hp == NULL) { 79 - nf_log_buf_add(m, "TRUNCATED"); 80 - return; 81 - } 82 - 83 - /* Max length: 48 "OPT (...) " */ 84 - if (logflags & NF_LOG_IPOPT) 85 - nf_log_buf_add(m, "OPT ( "); 86 - 87 - switch (currenthdr) { 88 - case IPPROTO_FRAGMENT: { 89 - struct frag_hdr _fhdr; 90 - const struct frag_hdr *fh; 91 - 92 - nf_log_buf_add(m, "FRAG:"); 93 - fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 94 - &_fhdr); 95 - if (fh == NULL) { 96 - nf_log_buf_add(m, "TRUNCATED "); 97 - return; 98 - } 99 - 100 - /* Max length: 6 "65535 " */ 101 - nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 102 - 103 - /* Max length: 11 "INCOMPLETE " */ 104 - if (fh->frag_off & htons(0x0001)) 105 - nf_log_buf_add(m, "INCOMPLETE "); 106 - 107 - nf_log_buf_add(m, "ID:%08x ", 108 - ntohl(fh->identification)); 109 - 110 - if (ntohs(fh->frag_off) & 0xFFF8) 111 - fragment = 1; 112 - 113 - hdrlen = 8; 114 - 115 - break; 116 - } 117 - case IPPROTO_DSTOPTS: 118 - case IPPROTO_ROUTING: 119 - case IPPROTO_HOPOPTS: 120 - if (fragment) { 121 - if (logflags & NF_LOG_IPOPT) 122 - nf_log_buf_add(m, ")"); 123 - return; 124 - } 125 - hdrlen = ipv6_optlen(hp); 126 - break; 127 - /* Max Length */ 128 - case IPPROTO_AH: 129 - if (logflags & NF_LOG_IPOPT) { 130 - struct ip_auth_hdr _ahdr; 131 - const struct ip_auth_hdr *ah; 132 - 133 - /* Max length: 3 "AH " */ 134 - nf_log_buf_add(m, "AH "); 135 - 136 - if (fragment) { 137 - nf_log_buf_add(m, ")"); 138 - return; 139 - } 140 - 141 - ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 142 - &_ahdr); 143 - if (ah == NULL) { 144 - /* 145 - * Max length: 26 "INCOMPLETE [65535 146 - * bytes] )" 147 - */ 148 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 149 - skb->len - ptr); 150 - return; 151 - } 152 - 153 - /* Length: 15 "SPI=0xF1234567 */ 154 - nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 155 - 156 - } 157 - 158 - hdrlen = ipv6_authlen(hp); 159 - break; 160 - case IPPROTO_ESP: 161 - if (logflags & NF_LOG_IPOPT) { 162 - struct ip_esp_hdr _esph; 163 - const struct ip_esp_hdr *eh; 164 - 165 - /* Max length: 4 "ESP " */ 166 - nf_log_buf_add(m, "ESP "); 167 - 168 - if (fragment) { 169 - nf_log_buf_add(m, ")"); 170 - return; 171 - } 172 - 173 - /* 174 - * Max length: 26 "INCOMPLETE [65535 bytes] )" 175 - */ 176 - eh = skb_header_pointer(skb, ptr, sizeof(_esph), 177 - &_esph); 178 - if (eh == NULL) { 179 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 180 - skb->len - ptr); 181 - return; 182 - } 183 - 184 - /* Length: 16 "SPI=0xF1234567 )" */ 185 - nf_log_buf_add(m, "SPI=0x%x )", 186 - ntohl(eh->spi)); 187 - } 188 - return; 189 - default: 190 - /* Max length: 20 "Unknown Ext Hdr 255" */ 191 - nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 192 - return; 193 - } 194 - if (logflags & NF_LOG_IPOPT) 195 - nf_log_buf_add(m, ") "); 196 - 197 - currenthdr = hp->nexthdr; 198 - ptr += hdrlen; 199 - } 200 - 201 - switch (currenthdr) { 202 - case IPPROTO_TCP: 203 - if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 204 - ptr, logflags)) 205 - return; 206 - break; 207 - case IPPROTO_UDP: 208 - case IPPROTO_UDPLITE: 209 - if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 210 - return; 211 - break; 212 - case IPPROTO_ICMPV6: { 213 - struct icmp6hdr _icmp6h; 214 - const struct icmp6hdr *ic; 215 - 216 - /* Max length: 13 "PROTO=ICMPv6 " */ 217 - nf_log_buf_add(m, "PROTO=ICMPv6 "); 218 - 219 - if (fragment) 220 - break; 221 - 222 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 223 - ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 224 - if (ic == NULL) { 225 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 226 - skb->len - ptr); 227 - return; 228 - } 229 - 230 - /* Max length: 18 "TYPE=255 CODE=255 " */ 231 - nf_log_buf_add(m, "TYPE=%u CODE=%u ", 232 - ic->icmp6_type, ic->icmp6_code); 233 - 234 - switch (ic->icmp6_type) { 235 - case ICMPV6_ECHO_REQUEST: 236 - case ICMPV6_ECHO_REPLY: 237 - /* Max length: 19 "ID=65535 SEQ=65535 " */ 238 - nf_log_buf_add(m, "ID=%u SEQ=%u ", 239 - ntohs(ic->icmp6_identifier), 240 - ntohs(ic->icmp6_sequence)); 241 - break; 242 - case ICMPV6_MGM_QUERY: 243 - case ICMPV6_MGM_REPORT: 244 - case ICMPV6_MGM_REDUCTION: 245 - break; 246 - 247 - case ICMPV6_PARAMPROB: 248 - /* Max length: 17 "POINTER=ffffffff " */ 249 - nf_log_buf_add(m, "POINTER=%08x ", 250 - ntohl(ic->icmp6_pointer)); 251 - fallthrough; 252 - case ICMPV6_DEST_UNREACH: 253 - case ICMPV6_PKT_TOOBIG: 254 - case ICMPV6_TIME_EXCEED: 255 - /* Max length: 3+maxlen */ 256 - if (recurse) { 257 - nf_log_buf_add(m, "["); 258 - dump_ipv6_packet(net, m, info, skb, 259 - ptr + sizeof(_icmp6h), 0); 260 - nf_log_buf_add(m, "] "); 261 - } 262 - 263 - /* Max length: 10 "MTU=65535 " */ 264 - if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 265 - nf_log_buf_add(m, "MTU=%u ", 266 - ntohl(ic->icmp6_mtu)); 267 - } 268 - } 269 - break; 270 - } 271 - /* Max length: 10 "PROTO=255 " */ 272 - default: 273 - nf_log_buf_add(m, "PROTO=%u ", currenthdr); 274 - } 275 - 276 - /* Max length: 15 "UID=4294967295 " */ 277 - if ((logflags & NF_LOG_UID) && recurse) 278 - nf_log_dump_sk_uid_gid(net, m, skb->sk); 279 - 280 - /* Max length: 16 "MARK=0xFFFFFFFF " */ 281 - if (recurse && skb->mark) 282 - nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 283 - } 284 - 285 - static void dump_ipv6_mac_header(struct nf_log_buf *m, 286 - const struct nf_loginfo *info, 287 - const struct sk_buff *skb) 288 - { 289 - struct net_device *dev = skb->dev; 290 - unsigned int logflags = 0; 291 - 292 - if (info->type == NF_LOG_TYPE_LOG) 293 - logflags = info->u.log.logflags; 294 - 295 - if (!(logflags & NF_LOG_MACDECODE)) 296 - goto fallback; 297 - 298 - switch (dev->type) { 299 - case ARPHRD_ETHER: 300 - nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 301 - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 302 - nf_log_dump_vlan(m, skb); 303 - nf_log_buf_add(m, "MACPROTO=%04x ", 304 - ntohs(eth_hdr(skb)->h_proto)); 305 - return; 306 - default: 307 - break; 308 - } 309 - 310 - fallback: 311 - nf_log_buf_add(m, "MAC="); 312 - if (dev->hard_header_len && 313 - skb->mac_header != skb->network_header) { 314 - const unsigned char *p = skb_mac_header(skb); 315 - unsigned int len = dev->hard_header_len; 316 - unsigned int i; 317 - 318 - if (dev->type == ARPHRD_SIT) { 319 - p -= ETH_HLEN; 320 - 321 - if (p < skb->head) 322 - p = NULL; 323 - } 324 - 325 - if (p != NULL) { 326 - nf_log_buf_add(m, "%02x", *p++); 327 - for (i = 1; i < len; i++) 328 - nf_log_buf_add(m, ":%02x", *p++); 329 - } 330 - nf_log_buf_add(m, " "); 331 - 332 - if (dev->type == ARPHRD_SIT) { 333 - const struct iphdr *iph = 334 - (struct iphdr *)skb_mac_header(skb); 335 - nf_log_buf_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 336 - &iph->daddr); 337 - } 338 - } else { 339 - nf_log_buf_add(m, " "); 340 - } 341 - } 342 - 343 - static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 344 - unsigned int hooknum, const struct sk_buff *skb, 345 - const struct net_device *in, 346 - const struct net_device *out, 347 - const struct nf_loginfo *loginfo, 348 - const char *prefix) 349 - { 350 - struct nf_log_buf *m; 351 - 352 - /* FIXME: Disabled from containers until syslog ns is supported */ 353 - if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 354 - return; 355 - 356 - m = nf_log_buf_open(); 357 - 358 - if (!loginfo) 359 - loginfo = &default_loginfo; 360 - 361 - nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 362 - loginfo, prefix); 363 - 364 - if (in != NULL) 365 - dump_ipv6_mac_header(m, loginfo, skb); 366 - 367 - dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 368 - 369 - nf_log_buf_close(m); 370 - } 371 - 372 - static struct nf_logger nf_ip6_logger __read_mostly = { 373 - .name = "nf_log_ipv6", 374 - .type = NF_LOG_TYPE_LOG, 375 - .logfn = nf_log_ip6_packet, 376 - .me = THIS_MODULE, 377 - }; 378 - 379 - static int __net_init nf_log_ipv6_net_init(struct net *net) 380 - { 381 - return nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 382 - } 383 - 384 - static void __net_exit nf_log_ipv6_net_exit(struct net *net) 385 - { 386 - nf_log_unset(net, &nf_ip6_logger); 387 - } 388 - 389 - static struct pernet_operations nf_log_ipv6_net_ops = { 390 - .init = nf_log_ipv6_net_init, 391 - .exit = nf_log_ipv6_net_exit, 392 - }; 393 - 394 - static int __init nf_log_ipv6_init(void) 395 - { 396 - int ret; 397 - 398 - ret = register_pernet_subsys(&nf_log_ipv6_net_ops); 399 - if (ret < 0) 400 - return ret; 401 - 402 - ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 403 - if (ret < 0) { 404 - pr_err("failed to register logger\n"); 405 - goto err1; 406 - } 407 - 408 - return 0; 409 - 410 - err1: 411 - unregister_pernet_subsys(&nf_log_ipv6_net_ops); 412 - return ret; 413 - } 414 - 415 - static void __exit nf_log_ipv6_exit(void) 416 - { 417 - unregister_pernet_subsys(&nf_log_ipv6_net_ops); 418 - nf_log_unregister(&nf_ip6_logger); 419 - } 420 - 421 - module_init(nf_log_ipv6_init); 422 - module_exit(nf_log_ipv6_exit); 423 - 424 - MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 425 - MODULE_DESCRIPTION("Netfilter IPv6 packet logging"); 426 - MODULE_LICENSE("GPL"); 427 - MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
+12 -8
net/netfilter/Kconfig
··· 71 71 72 72 To compile it as a module, choose M here. If unsure, say N. 73 73 74 - config NF_LOG_COMMON 75 - tristate 76 - 77 - config NF_LOG_NETDEV 78 - tristate "Netdev packet logging" 79 - select NF_LOG_COMMON 74 + config NF_LOG_SYSLOG 75 + tristate "Syslog packet logging" 76 + default m if NETFILTER_ADVANCED=n 77 + help 78 + This option enable support for packet logging via syslog. 79 + It supports IPv4, IPV6, ARP and common transport protocols such 80 + as TCP and UDP. 81 + This is a simpler but less flexible logging method compared to 82 + CONFIG_NETFILTER_NETLINK_LOG. 83 + If both are enabled the backend to use can be configured at run-time 84 + by means of per-address-family sysctl tunables. 80 85 81 86 if NF_CONNTRACK 82 87 config NETFILTER_CONNCOUNT ··· 927 922 928 923 config NETFILTER_XT_TARGET_LOG 929 924 tristate "LOG target support" 930 - select NF_LOG_COMMON 931 - select NF_LOG_IPV4 925 + select NF_LOG_SYSLOG 932 926 select NF_LOG_IPV6 if IP6_NF_IPTABLES 933 927 default m if NETFILTER_ADVANCED=n 934 928 help
+1 -5
net/netfilter/Makefile
··· 48 48 49 49 nf_nat-y := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o 50 50 51 - # generic transport layer logging 52 - obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o 53 - 54 - # packet logging for netdev family 55 - obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o 51 + obj-$(CONFIG_NF_LOG_SYSLOG) += nf_log_syslog.o 56 52 57 53 obj-$(CONFIG_NF_NAT) += nf_nat.o 58 54 nf_nat-$(CONFIG_NF_NAT_REDIRECT) += nf_nat_redirect.o
+3 -14
net/netfilter/ipset/ip_set_core.c
··· 963 963 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags, 964 964 enum ipset_cmd cmd) 965 965 { 966 - struct nlmsghdr *nlh; 967 - struct nfgenmsg *nfmsg; 968 - 969 - nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), 970 - sizeof(*nfmsg), flags); 971 - if (!nlh) 972 - return NULL; 973 - 974 - nfmsg = nlmsg_data(nlh); 975 - nfmsg->nfgen_family = NFPROTO_IPV4; 976 - nfmsg->version = NFNETLINK_V0; 977 - nfmsg->res_id = 0; 978 - 979 - return nlh; 966 + return nfnl_msg_put(skb, portid, seq, 967 + nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), flags, 968 + NFPROTO_IPV4, NFNETLINK_V0, 0); 980 969 } 981 970 982 971 /* Create a set */
-2
net/netfilter/ipvs/ip_vs_ftp.c
··· 591 591 ret = register_ip_vs_app_inc(ipvs, app, app->protocol, ports[i]); 592 592 if (ret) 593 593 goto err_unreg; 594 - pr_info("%s: loaded support on port[%d] = %u\n", 595 - app->name, i, ports[i]); 596 594 } 597 595 return 0; 598 596
+5 -2
net/netfilter/nf_conntrack_core.c
··· 656 656 bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report) 657 657 { 658 658 struct nf_conn_tstamp *tstamp; 659 + struct net *net; 659 660 660 661 if (test_and_set_bit(IPS_DYING_BIT, &ct->status)) 661 662 return false; ··· 671 670 * be done by event cache worker on redelivery. 672 671 */ 673 672 nf_ct_delete_from_lists(ct); 674 - nf_conntrack_ecache_delayed_work(nf_ct_net(ct)); 673 + nf_conntrack_ecache_work(nf_ct_net(ct), NFCT_ECACHE_DESTROY_FAIL); 675 674 return false; 676 675 } 677 676 678 - nf_conntrack_ecache_work(nf_ct_net(ct)); 677 + net = nf_ct_net(ct); 678 + if (nf_conntrack_ecache_dwork_pending(net)) 679 + nf_conntrack_ecache_work(net, NFCT_ECACHE_DESTROY_SENT); 679 680 nf_ct_delete_from_lists(ct); 680 681 nf_ct_put(ct); 681 682 return true;
+26 -5
net/netfilter/nf_conntrack_ecache.c
··· 27 27 #include <net/netfilter/nf_conntrack_ecache.h> 28 28 #include <net/netfilter/nf_conntrack_extend.h> 29 29 30 + extern unsigned int nf_conntrack_net_id; 31 + 30 32 static DEFINE_MUTEX(nf_ct_ecache_mutex); 31 33 32 34 #define ECACHE_RETRY_WAIT (HZ/10) ··· 98 96 99 97 static void ecache_work(struct work_struct *work) 100 98 { 101 - struct netns_ct *ctnet = 102 - container_of(work, struct netns_ct, ecache_dwork.work); 99 + struct nf_conntrack_net *cnet = container_of(work, struct nf_conntrack_net, ecache_dwork.work); 100 + struct netns_ct *ctnet = cnet->ct_net; 103 101 int cpu, delay = -1; 104 102 struct ct_pcpu *pcpu; 105 103 ··· 129 127 130 128 ctnet->ecache_dwork_pending = delay > 0; 131 129 if (delay >= 0) 132 - schedule_delayed_work(&ctnet->ecache_dwork, delay); 130 + schedule_delayed_work(&cnet->ecache_dwork, delay); 133 131 } 134 132 135 133 int nf_conntrack_eventmask_report(unsigned int eventmask, struct nf_conn *ct, ··· 346 344 } 347 345 EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); 348 346 347 + void nf_conntrack_ecache_work(struct net *net, enum nf_ct_ecache_state state) 348 + { 349 + struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); 350 + 351 + if (state == NFCT_ECACHE_DESTROY_FAIL && 352 + !delayed_work_pending(&cnet->ecache_dwork)) { 353 + schedule_delayed_work(&cnet->ecache_dwork, HZ); 354 + net->ct.ecache_dwork_pending = true; 355 + } else if (state == NFCT_ECACHE_DESTROY_SENT) { 356 + net->ct.ecache_dwork_pending = false; 357 + mod_delayed_work(system_wq, &cnet->ecache_dwork, 0); 358 + } 359 + } 360 + 349 361 #define NF_CT_EVENTS_DEFAULT 1 350 362 static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT; 351 363 ··· 371 355 372 356 void nf_conntrack_ecache_pernet_init(struct net *net) 373 357 { 358 + struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); 359 + 374 360 net->ct.sysctl_events = nf_ct_events; 375 - INIT_DELAYED_WORK(&net->ct.ecache_dwork, ecache_work); 361 + cnet->ct_net = &net->ct; 362 + INIT_DELAYED_WORK(&cnet->ecache_dwork, ecache_work); 376 363 } 377 364 378 365 void nf_conntrack_ecache_pernet_fini(struct net *net) 379 366 { 380 - cancel_delayed_work_sync(&net->ct.ecache_dwork); 367 + struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); 368 + 369 + cancel_delayed_work_sync(&cnet->ecache_dwork); 381 370 } 382 371 383 372 int nf_conntrack_ecache_init(void)
+21 -56
net/netfilter/nf_conntrack_netlink.c
··· 555 555 { 556 556 const struct nf_conntrack_zone *zone; 557 557 struct nlmsghdr *nlh; 558 - struct nfgenmsg *nfmsg; 559 558 struct nlattr *nest_parms; 560 559 unsigned int event; 561 560 562 561 if (portid) 563 562 flags |= NLM_F_MULTI; 564 563 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); 565 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 566 - if (nlh == NULL) 564 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), 565 + NFNETLINK_V0, 0); 566 + if (!nlh) 567 567 goto nlmsg_failure; 568 - 569 - nfmsg = nlmsg_data(nlh); 570 - nfmsg->nfgen_family = nf_ct_l3num(ct); 571 - nfmsg->version = NFNETLINK_V0; 572 - nfmsg->res_id = 0; 573 568 574 569 zone = nf_ct_zone(ct); 575 570 ··· 708 713 const struct nf_conntrack_zone *zone; 709 714 struct net *net; 710 715 struct nlmsghdr *nlh; 711 - struct nfgenmsg *nfmsg; 712 716 struct nlattr *nest_parms; 713 717 struct nf_conn *ct = item->ct; 714 718 struct sk_buff *skb; ··· 737 743 goto errout; 738 744 739 745 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); 740 - nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 741 - if (nlh == NULL) 746 + nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), 747 + NFNETLINK_V0, 0); 748 + if (!nlh) 742 749 goto nlmsg_failure; 743 - 744 - nfmsg = nlmsg_data(nlh); 745 - nfmsg->nfgen_family = nf_ct_l3num(ct); 746 - nfmsg->version = NFNETLINK_V0; 747 - nfmsg->res_id = 0; 748 750 749 751 zone = nf_ct_zone(ct); 750 752 ··· 2480 2490 __u16 cpu, const struct ip_conntrack_stat *st) 2481 2491 { 2482 2492 struct nlmsghdr *nlh; 2483 - struct nfgenmsg *nfmsg; 2484 2493 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2485 2494 2486 2495 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 2487 2496 IPCTNL_MSG_CT_GET_STATS_CPU); 2488 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2489 - if (nlh == NULL) 2497 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2498 + NFNETLINK_V0, htons(cpu)); 2499 + if (!nlh) 2490 2500 goto nlmsg_failure; 2491 - 2492 - nfmsg = nlmsg_data(nlh); 2493 - nfmsg->nfgen_family = AF_UNSPEC; 2494 - nfmsg->version = NFNETLINK_V0; 2495 - nfmsg->res_id = htons(cpu); 2496 2501 2497 2502 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || 2498 2503 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || ··· 2560 2575 struct net *net) 2561 2576 { 2562 2577 struct nlmsghdr *nlh; 2563 - struct nfgenmsg *nfmsg; 2564 2578 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2565 2579 unsigned int nr_conntracks = atomic_read(&net->ct.count); 2566 2580 2567 2581 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); 2568 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2569 - if (nlh == NULL) 2582 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2583 + NFNETLINK_V0, 0); 2584 + if (!nlh) 2570 2585 goto nlmsg_failure; 2571 - 2572 - nfmsg = nlmsg_data(nlh); 2573 - nfmsg->nfgen_family = AF_UNSPEC; 2574 - nfmsg->version = NFNETLINK_V0; 2575 - nfmsg->res_id = 0; 2576 2586 2577 2587 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) 2578 2588 goto nla_put_failure; ··· 3065 3085 int event, const struct nf_conntrack_expect *exp) 3066 3086 { 3067 3087 struct nlmsghdr *nlh; 3068 - struct nfgenmsg *nfmsg; 3069 3088 unsigned int flags = portid ? NLM_F_MULTI : 0; 3070 3089 3071 3090 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 3072 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 3073 - if (nlh == NULL) 3091 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, 3092 + exp->tuple.src.l3num, NFNETLINK_V0, 0); 3093 + if (!nlh) 3074 3094 goto nlmsg_failure; 3075 - 3076 - nfmsg = nlmsg_data(nlh); 3077 - nfmsg->nfgen_family = exp->tuple.src.l3num; 3078 - nfmsg->version = NFNETLINK_V0; 3079 - nfmsg->res_id = 0; 3080 3095 3081 3096 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3082 3097 goto nla_put_failure; ··· 3092 3117 struct nf_conntrack_expect *exp = item->exp; 3093 3118 struct net *net = nf_ct_exp_net(exp); 3094 3119 struct nlmsghdr *nlh; 3095 - struct nfgenmsg *nfmsg; 3096 3120 struct sk_buff *skb; 3097 3121 unsigned int type, group; 3098 3122 int flags = 0; ··· 3114 3140 goto errout; 3115 3141 3116 3142 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 3117 - nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 3118 - if (nlh == NULL) 3143 + nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, 3144 + exp->tuple.src.l3num, NFNETLINK_V0, 0); 3145 + if (!nlh) 3119 3146 goto nlmsg_failure; 3120 - 3121 - nfmsg = nlmsg_data(nlh); 3122 - nfmsg->nfgen_family = exp->tuple.src.l3num; 3123 - nfmsg->version = NFNETLINK_V0; 3124 - nfmsg->res_id = 0; 3125 3147 3126 3148 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3127 3149 goto nla_put_failure; ··· 3686 3716 const struct ip_conntrack_stat *st) 3687 3717 { 3688 3718 struct nlmsghdr *nlh; 3689 - struct nfgenmsg *nfmsg; 3690 3719 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 3691 3720 3692 3721 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 3693 3722 IPCTNL_MSG_EXP_GET_STATS_CPU); 3694 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 3695 - if (nlh == NULL) 3723 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 3724 + NFNETLINK_V0, htons(cpu)); 3725 + if (!nlh) 3696 3726 goto nlmsg_failure; 3697 - 3698 - nfmsg = nlmsg_data(nlh); 3699 - nfmsg->nfgen_family = AF_UNSPEC; 3700 - nfmsg->version = NFNETLINK_V0; 3701 - nfmsg->res_id = htons(cpu); 3702 3727 3703 3728 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 3704 3729 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
+6 -4
net/netfilter/nf_conntrack_standalone.c
··· 1027 1027 1028 1028 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1029 1029 { 1030 + struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); 1030 1031 struct nf_udp_net *un = nf_udp_pernet(net); 1031 1032 struct ctl_table *table; 1032 1033 ··· 1073 1072 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1074 1073 } 1075 1074 1076 - net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1077 - if (!net->ct.sysctl_header) 1075 + cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1076 + if (!cnet->sysctl_header) 1078 1077 goto out_unregister_netfilter; 1079 1078 1080 1079 return 0; ··· 1086 1085 1087 1086 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1088 1087 { 1088 + struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); 1089 1089 struct ctl_table *table; 1090 1090 1091 - table = net->ct.sysctl_header->ctl_table_arg; 1092 - unregister_net_sysctl_table(net->ct.sysctl_header); 1091 + table = cnet->sysctl_header->ctl_table_arg; 1092 + unregister_net_sysctl_table(cnet->sysctl_header); 1093 1093 kfree(table); 1094 1094 } 1095 1095 #else
+36 -1
net/netfilter/nf_flow_table_core.c
··· 74 74 } 75 75 EXPORT_SYMBOL_GPL(flow_offload_alloc); 76 76 77 + static u32 flow_offload_dst_cookie(struct flow_offload_tuple *flow_tuple) 78 + { 79 + const struct rt6_info *rt; 80 + 81 + if (flow_tuple->l3proto == NFPROTO_IPV6) { 82 + rt = (const struct rt6_info *)flow_tuple->dst_cache; 83 + return rt6_get_cookie(rt); 84 + } 85 + 86 + return 0; 87 + } 88 + 77 89 static int flow_offload_fill_route(struct flow_offload *flow, 78 90 const struct nf_flow_route *route, 79 91 enum flow_offload_tuple_dir dir) ··· 128 116 return -1; 129 117 130 118 flow_tuple->dst_cache = dst; 119 + flow_tuple->dst_cookie = flow_offload_dst_cookie(flow_tuple); 131 120 break; 132 121 } 133 122 flow_tuple->xmit_type = route->tuple[dir].xmit_type; ··· 403 390 return err; 404 391 } 405 392 393 + static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) 394 + { 395 + struct dst_entry *dst; 396 + 397 + if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || 398 + tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { 399 + dst = tuple->dst_cache; 400 + if (!dst_check(dst, tuple->dst_cookie)) 401 + return true; 402 + } 403 + 404 + return false; 405 + } 406 + 407 + static bool nf_flow_has_stale_dst(struct flow_offload *flow) 408 + { 409 + return flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple) || 410 + flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple); 411 + } 412 + 406 413 static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data) 407 414 { 408 415 struct nf_flowtable *flow_table = data; 409 416 410 - if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct)) 417 + if (nf_flow_has_expired(flow) || 418 + nf_ct_is_dying(flow->ct) || 419 + nf_flow_has_stale_dst(flow)) 411 420 set_bit(NF_FLOW_TEARDOWN, &flow->flags); 412 421 413 422 if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
+4 -18
net/netfilter/nf_flow_table_ip.c
··· 364 364 if (nf_flow_state_check(flow, iph->protocol, skb, thoff)) 365 365 return NF_ACCEPT; 366 366 367 - if (tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || 368 - tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { 369 - rt = (struct rtable *)tuplehash->tuple.dst_cache; 370 - if (!dst_check(&rt->dst, 0)) { 371 - flow_offload_teardown(flow); 372 - return NF_ACCEPT; 373 - } 374 - } 375 - 376 367 if (skb_try_make_writable(skb, thoff + hdrsize)) 377 368 return NF_DROP; 378 369 ··· 382 391 nf_ct_acct_update(flow->ct, tuplehash->tuple.dir, skb->len); 383 392 384 393 if (unlikely(tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM)) { 394 + rt = (struct rtable *)tuplehash->tuple.dst_cache; 385 395 memset(skb->cb, 0, sizeof(struct inet_skb_parm)); 386 396 IPCB(skb)->iif = skb->dev->ifindex; 387 397 IPCB(skb)->flags = IPSKB_FORWARDED; ··· 391 399 392 400 switch (tuplehash->tuple.xmit_type) { 393 401 case FLOW_OFFLOAD_XMIT_NEIGH: 402 + rt = (struct rtable *)tuplehash->tuple.dst_cache; 394 403 outdev = rt->dst.dev; 395 404 skb->dev = outdev; 396 405 nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr); ··· 600 607 if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff)) 601 608 return NF_ACCEPT; 602 609 603 - if (tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || 604 - tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { 605 - rt = (struct rt6_info *)tuplehash->tuple.dst_cache; 606 - if (!dst_check(&rt->dst, 0)) { 607 - flow_offload_teardown(flow); 608 - return NF_ACCEPT; 609 - } 610 - } 611 - 612 610 if (skb_try_make_writable(skb, thoff + hdrsize)) 613 611 return NF_DROP; 614 612 ··· 617 633 nf_ct_acct_update(flow->ct, tuplehash->tuple.dir, skb->len); 618 634 619 635 if (unlikely(tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM)) { 636 + rt = (struct rt6_info *)tuplehash->tuple.dst_cache; 620 637 memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); 621 638 IP6CB(skb)->iif = skb->dev->ifindex; 622 639 IP6CB(skb)->flags = IP6SKB_FORWARDED; ··· 626 641 627 642 switch (tuplehash->tuple.xmit_type) { 628 643 case FLOW_OFFLOAD_XMIT_NEIGH: 644 + rt = (struct rt6_info *)tuplehash->tuple.dst_cache; 629 645 outdev = rt->dst.dev; 630 646 skb->dev = outdev; 631 647 nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
-10
net/netfilter/nf_log.c
··· 151 151 } 152 152 EXPORT_SYMBOL(nf_log_unbind_pf); 153 153 154 - void nf_logger_request_module(int pf, enum nf_log_type type) 155 - { 156 - if (loggers[pf][type] == NULL) 157 - request_module("nf-logger-%u-%u", pf, type); 158 - } 159 - EXPORT_SYMBOL_GPL(nf_logger_request_module); 160 - 161 154 int nf_logger_find_get(int pf, enum nf_log_type type) 162 155 { 163 156 struct nf_logger *logger; ··· 169 176 170 177 return 0; 171 178 } 172 - 173 - if (rcu_access_pointer(loggers[pf][type]) == NULL) 174 - request_module("nf-logger-%u-%u", pf, type); 175 179 176 180 rcu_read_lock(); 177 181 logger = rcu_dereference(loggers[pf][type]);
-224
net/netfilter/nf_log_common.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* (C) 1999-2001 Paul `Rusty' Russell 3 - * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 - */ 5 - 6 - #include <linux/module.h> 7 - #include <linux/spinlock.h> 8 - #include <linux/skbuff.h> 9 - #include <linux/if_arp.h> 10 - #include <linux/ip.h> 11 - #include <net/icmp.h> 12 - #include <net/udp.h> 13 - #include <net/tcp.h> 14 - #include <net/route.h> 15 - 16 - #include <linux/netfilter.h> 17 - #include <linux/netfilter_bridge.h> 18 - #include <linux/netfilter/xt_LOG.h> 19 - #include <net/netfilter/nf_log.h> 20 - 21 - int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 22 - u8 proto, int fragment, unsigned int offset) 23 - { 24 - struct udphdr _udph; 25 - const struct udphdr *uh; 26 - 27 - if (proto == IPPROTO_UDP) 28 - /* Max length: 10 "PROTO=UDP " */ 29 - nf_log_buf_add(m, "PROTO=UDP "); 30 - else /* Max length: 14 "PROTO=UDPLITE " */ 31 - nf_log_buf_add(m, "PROTO=UDPLITE "); 32 - 33 - if (fragment) 34 - goto out; 35 - 36 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 37 - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 38 - if (uh == NULL) { 39 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 40 - 41 - return 1; 42 - } 43 - 44 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 45 - nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 46 - ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 47 - 48 - out: 49 - return 0; 50 - } 51 - EXPORT_SYMBOL_GPL(nf_log_dump_udp_header); 52 - 53 - int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 54 - u8 proto, int fragment, unsigned int offset, 55 - unsigned int logflags) 56 - { 57 - struct tcphdr _tcph; 58 - const struct tcphdr *th; 59 - 60 - /* Max length: 10 "PROTO=TCP " */ 61 - nf_log_buf_add(m, "PROTO=TCP "); 62 - 63 - if (fragment) 64 - return 0; 65 - 66 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 67 - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 68 - if (th == NULL) { 69 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 70 - return 1; 71 - } 72 - 73 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 74 - nf_log_buf_add(m, "SPT=%u DPT=%u ", 75 - ntohs(th->source), ntohs(th->dest)); 76 - /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 77 - if (logflags & NF_LOG_TCPSEQ) { 78 - nf_log_buf_add(m, "SEQ=%u ACK=%u ", 79 - ntohl(th->seq), ntohl(th->ack_seq)); 80 - } 81 - 82 - /* Max length: 13 "WINDOW=65535 " */ 83 - nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 84 - /* Max length: 9 "RES=0x3C " */ 85 - nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 86 - TCP_RESERVED_BITS) >> 22)); 87 - /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 88 - if (th->cwr) 89 - nf_log_buf_add(m, "CWR "); 90 - if (th->ece) 91 - nf_log_buf_add(m, "ECE "); 92 - if (th->urg) 93 - nf_log_buf_add(m, "URG "); 94 - if (th->ack) 95 - nf_log_buf_add(m, "ACK "); 96 - if (th->psh) 97 - nf_log_buf_add(m, "PSH "); 98 - if (th->rst) 99 - nf_log_buf_add(m, "RST "); 100 - if (th->syn) 101 - nf_log_buf_add(m, "SYN "); 102 - if (th->fin) 103 - nf_log_buf_add(m, "FIN "); 104 - /* Max length: 11 "URGP=65535 " */ 105 - nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 106 - 107 - if ((logflags & NF_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 108 - u_int8_t _opt[60 - sizeof(struct tcphdr)]; 109 - const u_int8_t *op; 110 - unsigned int i; 111 - unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 112 - 113 - op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 114 - optsize, _opt); 115 - if (op == NULL) { 116 - nf_log_buf_add(m, "OPT (TRUNCATED)"); 117 - return 1; 118 - } 119 - 120 - /* Max length: 127 "OPT (" 15*4*2chars ") " */ 121 - nf_log_buf_add(m, "OPT ("); 122 - for (i = 0; i < optsize; i++) 123 - nf_log_buf_add(m, "%02X", op[i]); 124 - 125 - nf_log_buf_add(m, ") "); 126 - } 127 - 128 - return 0; 129 - } 130 - EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header); 131 - 132 - void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 133 - struct sock *sk) 134 - { 135 - if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 136 - return; 137 - 138 - read_lock_bh(&sk->sk_callback_lock); 139 - if (sk->sk_socket && sk->sk_socket->file) { 140 - const struct cred *cred = sk->sk_socket->file->f_cred; 141 - nf_log_buf_add(m, "UID=%u GID=%u ", 142 - from_kuid_munged(&init_user_ns, cred->fsuid), 143 - from_kgid_munged(&init_user_ns, cred->fsgid)); 144 - } 145 - read_unlock_bh(&sk->sk_callback_lock); 146 - } 147 - EXPORT_SYMBOL_GPL(nf_log_dump_sk_uid_gid); 148 - 149 - void 150 - nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 151 - unsigned int hooknum, const struct sk_buff *skb, 152 - const struct net_device *in, 153 - const struct net_device *out, 154 - const struct nf_loginfo *loginfo, const char *prefix) 155 - { 156 - const struct net_device *physoutdev __maybe_unused; 157 - const struct net_device *physindev __maybe_unused; 158 - 159 - nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 160 - '0' + loginfo->u.log.level, prefix, 161 - in ? in->name : "", 162 - out ? out->name : ""); 163 - #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 164 - physindev = nf_bridge_get_physindev(skb); 165 - if (physindev && in != physindev) 166 - nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 167 - physoutdev = nf_bridge_get_physoutdev(skb); 168 - if (physoutdev && out != physoutdev) 169 - nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 170 - #endif 171 - } 172 - EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); 173 - 174 - void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 175 - { 176 - u16 vid; 177 - 178 - if (!skb_vlan_tag_present(skb)) 179 - return; 180 - 181 - vid = skb_vlan_tag_get(skb); 182 - nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 183 - } 184 - EXPORT_SYMBOL_GPL(nf_log_dump_vlan); 185 - 186 - /* bridge and netdev logging families share this code. */ 187 - void nf_log_l2packet(struct net *net, u_int8_t pf, 188 - __be16 protocol, 189 - unsigned int hooknum, 190 - const struct sk_buff *skb, 191 - const struct net_device *in, 192 - const struct net_device *out, 193 - const struct nf_loginfo *loginfo, 194 - const char *prefix) 195 - { 196 - switch (protocol) { 197 - case htons(ETH_P_IP): 198 - nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out, 199 - loginfo, "%s", prefix); 200 - break; 201 - case htons(ETH_P_IPV6): 202 - nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out, 203 - loginfo, "%s", prefix); 204 - break; 205 - case htons(ETH_P_ARP): 206 - case htons(ETH_P_RARP): 207 - nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out, 208 - loginfo, "%s", prefix); 209 - break; 210 - } 211 - } 212 - EXPORT_SYMBOL_GPL(nf_log_l2packet); 213 - 214 - static int __init nf_log_common_init(void) 215 - { 216 - return 0; 217 - } 218 - 219 - static void __exit nf_log_common_exit(void) {} 220 - 221 - module_init(nf_log_common_init); 222 - module_exit(nf_log_common_exit); 223 - 224 - MODULE_LICENSE("GPL");
-78
net/netfilter/nf_log_netdev.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org> 4 - */ 5 - 6 - #include <linux/module.h> 7 - #include <linux/spinlock.h> 8 - #include <linux/skbuff.h> 9 - #include <linux/ip.h> 10 - #include <net/route.h> 11 - 12 - #include <linux/netfilter.h> 13 - #include <net/netfilter/nf_log.h> 14 - 15 - static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 16 - unsigned int hooknum, 17 - const struct sk_buff *skb, 18 - const struct net_device *in, 19 - const struct net_device *out, 20 - const struct nf_loginfo *loginfo, 21 - const char *prefix) 22 - { 23 - nf_log_l2packet(net, pf, skb->protocol, hooknum, skb, in, out, 24 - loginfo, prefix); 25 - } 26 - 27 - static struct nf_logger nf_netdev_logger __read_mostly = { 28 - .name = "nf_log_netdev", 29 - .type = NF_LOG_TYPE_LOG, 30 - .logfn = nf_log_netdev_packet, 31 - .me = THIS_MODULE, 32 - }; 33 - 34 - static int __net_init nf_log_netdev_net_init(struct net *net) 35 - { 36 - return nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 37 - } 38 - 39 - static void __net_exit nf_log_netdev_net_exit(struct net *net) 40 - { 41 - nf_log_unset(net, &nf_netdev_logger); 42 - } 43 - 44 - static struct pernet_operations nf_log_netdev_net_ops = { 45 - .init = nf_log_netdev_net_init, 46 - .exit = nf_log_netdev_net_exit, 47 - }; 48 - 49 - static int __init nf_log_netdev_init(void) 50 - { 51 - int ret; 52 - 53 - /* Request to load the real packet loggers. */ 54 - nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG); 55 - nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG); 56 - nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG); 57 - 58 - ret = register_pernet_subsys(&nf_log_netdev_net_ops); 59 - if (ret < 0) 60 - return ret; 61 - 62 - nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 63 - return 0; 64 - } 65 - 66 - static void __exit nf_log_netdev_exit(void) 67 - { 68 - unregister_pernet_subsys(&nf_log_netdev_net_ops); 69 - nf_log_unregister(&nf_netdev_logger); 70 - } 71 - 72 - module_init(nf_log_netdev_init); 73 - module_exit(nf_log_netdev_exit); 74 - 75 - MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 76 - MODULE_DESCRIPTION("Netfilter netdev packet logging"); 77 - MODULE_LICENSE("GPL"); 78 - MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */
+1089
net/netfilter/nf_log_syslog.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-only 2 + /* (C) 1999-2001 Paul `Rusty' Russell 3 + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 + */ 5 + 6 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 + 8 + #include <linux/kernel.h> 9 + #include <linux/module.h> 10 + #include <linux/spinlock.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/if_arp.h> 13 + #include <linux/ip.h> 14 + #include <net/ipv6.h> 15 + #include <net/icmp.h> 16 + #include <net/udp.h> 17 + #include <net/tcp.h> 18 + #include <net/route.h> 19 + 20 + #include <linux/netfilter.h> 21 + #include <linux/netfilter_bridge.h> 22 + #include <linux/netfilter_ipv6.h> 23 + #include <linux/netfilter/xt_LOG.h> 24 + #include <net/netfilter/nf_log.h> 25 + 26 + static const struct nf_loginfo default_loginfo = { 27 + .type = NF_LOG_TYPE_LOG, 28 + .u = { 29 + .log = { 30 + .level = LOGLEVEL_NOTICE, 31 + .logflags = NF_LOG_DEFAULT_MASK, 32 + }, 33 + }, 34 + }; 35 + 36 + struct arppayload { 37 + unsigned char mac_src[ETH_ALEN]; 38 + unsigned char ip_src[4]; 39 + unsigned char mac_dst[ETH_ALEN]; 40 + unsigned char ip_dst[4]; 41 + }; 42 + 43 + static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 44 + { 45 + u16 vid; 46 + 47 + if (!skb_vlan_tag_present(skb)) 48 + return; 49 + 50 + vid = skb_vlan_tag_get(skb); 51 + nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 52 + } 53 + static void noinline_for_stack 54 + dump_arp_packet(struct nf_log_buf *m, 55 + const struct nf_loginfo *info, 56 + const struct sk_buff *skb, unsigned int nhoff) 57 + { 58 + const struct arppayload *ap; 59 + struct arppayload _arpp; 60 + const struct arphdr *ah; 61 + unsigned int logflags; 62 + struct arphdr _arph; 63 + 64 + ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); 65 + if (!ah) { 66 + nf_log_buf_add(m, "TRUNCATED"); 67 + return; 68 + } 69 + 70 + if (info->type == NF_LOG_TYPE_LOG) 71 + logflags = info->u.log.logflags; 72 + else 73 + logflags = NF_LOG_DEFAULT_MASK; 74 + 75 + if (logflags & NF_LOG_MACDECODE) { 76 + nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 77 + eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 78 + nf_log_dump_vlan(m, skb); 79 + nf_log_buf_add(m, "MACPROTO=%04x ", 80 + ntohs(eth_hdr(skb)->h_proto)); 81 + } 82 + 83 + nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 84 + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 85 + /* If it's for Ethernet and the lengths are OK, then log the ARP 86 + * payload. 87 + */ 88 + if (ah->ar_hrd != htons(ARPHRD_ETHER) || 89 + ah->ar_hln != ETH_ALEN || 90 + ah->ar_pln != sizeof(__be32)) 91 + return; 92 + 93 + ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp); 94 + if (!ap) { 95 + nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", 96 + skb->len - sizeof(_arph)); 97 + return; 98 + } 99 + nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 100 + ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 101 + } 102 + 103 + static void 104 + nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf, 105 + unsigned int hooknum, const struct sk_buff *skb, 106 + const struct net_device *in, 107 + const struct net_device *out, 108 + const struct nf_loginfo *loginfo, const char *prefix) 109 + { 110 + const struct net_device *physoutdev __maybe_unused; 111 + const struct net_device *physindev __maybe_unused; 112 + 113 + nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 114 + '0' + loginfo->u.log.level, prefix, 115 + in ? in->name : "", 116 + out ? out->name : ""); 117 + #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 118 + physindev = nf_bridge_get_physindev(skb); 119 + if (physindev && in != physindev) 120 + nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 121 + physoutdev = nf_bridge_get_physoutdev(skb); 122 + if (physoutdev && out != physoutdev) 123 + nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 124 + #endif 125 + } 126 + 127 + static void nf_log_arp_packet(struct net *net, u_int8_t pf, 128 + unsigned int hooknum, const struct sk_buff *skb, 129 + const struct net_device *in, 130 + const struct net_device *out, 131 + const struct nf_loginfo *loginfo, 132 + const char *prefix) 133 + { 134 + struct nf_log_buf *m; 135 + 136 + /* FIXME: Disabled from containers until syslog ns is supported */ 137 + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 138 + return; 139 + 140 + m = nf_log_buf_open(); 141 + 142 + if (!loginfo) 143 + loginfo = &default_loginfo; 144 + 145 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 146 + prefix); 147 + dump_arp_packet(m, loginfo, skb, 0); 148 + 149 + nf_log_buf_close(m); 150 + } 151 + 152 + static struct nf_logger nf_arp_logger __read_mostly = { 153 + .name = "nf_log_arp", 154 + .type = NF_LOG_TYPE_LOG, 155 + .logfn = nf_log_arp_packet, 156 + .me = THIS_MODULE, 157 + }; 158 + 159 + static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 160 + struct sock *sk) 161 + { 162 + if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 163 + return; 164 + 165 + read_lock_bh(&sk->sk_callback_lock); 166 + if (sk->sk_socket && sk->sk_socket->file) { 167 + const struct cred *cred = sk->sk_socket->file->f_cred; 168 + 169 + nf_log_buf_add(m, "UID=%u GID=%u ", 170 + from_kuid_munged(&init_user_ns, cred->fsuid), 171 + from_kgid_munged(&init_user_ns, cred->fsgid)); 172 + } 173 + read_unlock_bh(&sk->sk_callback_lock); 174 + } 175 + 176 + static noinline_for_stack int 177 + nf_log_dump_tcp_header(struct nf_log_buf *m, 178 + const struct sk_buff *skb, 179 + u8 proto, int fragment, 180 + unsigned int offset, 181 + unsigned int logflags) 182 + { 183 + struct tcphdr _tcph; 184 + const struct tcphdr *th; 185 + 186 + /* Max length: 10 "PROTO=TCP " */ 187 + nf_log_buf_add(m, "PROTO=TCP "); 188 + 189 + if (fragment) 190 + return 0; 191 + 192 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 193 + th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 194 + if (!th) { 195 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 196 + return 1; 197 + } 198 + 199 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 200 + nf_log_buf_add(m, "SPT=%u DPT=%u ", 201 + ntohs(th->source), ntohs(th->dest)); 202 + /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 203 + if (logflags & NF_LOG_TCPSEQ) { 204 + nf_log_buf_add(m, "SEQ=%u ACK=%u ", 205 + ntohl(th->seq), ntohl(th->ack_seq)); 206 + } 207 + 208 + /* Max length: 13 "WINDOW=65535 " */ 209 + nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 210 + /* Max length: 9 "RES=0x3C " */ 211 + nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 212 + TCP_RESERVED_BITS) >> 22)); 213 + /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 214 + if (th->cwr) 215 + nf_log_buf_add(m, "CWR "); 216 + if (th->ece) 217 + nf_log_buf_add(m, "ECE "); 218 + if (th->urg) 219 + nf_log_buf_add(m, "URG "); 220 + if (th->ack) 221 + nf_log_buf_add(m, "ACK "); 222 + if (th->psh) 223 + nf_log_buf_add(m, "PSH "); 224 + if (th->rst) 225 + nf_log_buf_add(m, "RST "); 226 + if (th->syn) 227 + nf_log_buf_add(m, "SYN "); 228 + if (th->fin) 229 + nf_log_buf_add(m, "FIN "); 230 + /* Max length: 11 "URGP=65535 " */ 231 + nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 232 + 233 + if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { 234 + unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); 235 + u8 _opt[60 - sizeof(struct tcphdr)]; 236 + unsigned int i; 237 + const u8 *op; 238 + 239 + op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 240 + optsize, _opt); 241 + if (!op) { 242 + nf_log_buf_add(m, "OPT (TRUNCATED)"); 243 + return 1; 244 + } 245 + 246 + /* Max length: 127 "OPT (" 15*4*2chars ") " */ 247 + nf_log_buf_add(m, "OPT ("); 248 + for (i = 0; i < optsize; i++) 249 + nf_log_buf_add(m, "%02X", op[i]); 250 + 251 + nf_log_buf_add(m, ") "); 252 + } 253 + 254 + return 0; 255 + } 256 + 257 + static noinline_for_stack int 258 + nf_log_dump_udp_header(struct nf_log_buf *m, 259 + const struct sk_buff *skb, 260 + u8 proto, int fragment, 261 + unsigned int offset) 262 + { 263 + struct udphdr _udph; 264 + const struct udphdr *uh; 265 + 266 + if (proto == IPPROTO_UDP) 267 + /* Max length: 10 "PROTO=UDP " */ 268 + nf_log_buf_add(m, "PROTO=UDP "); 269 + else /* Max length: 14 "PROTO=UDPLITE " */ 270 + nf_log_buf_add(m, "PROTO=UDPLITE "); 271 + 272 + if (fragment) 273 + goto out; 274 + 275 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 276 + uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 277 + if (!uh) { 278 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 279 + 280 + return 1; 281 + } 282 + 283 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 284 + nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 285 + ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 286 + 287 + out: 288 + return 0; 289 + } 290 + 291 + /* One level of recursion won't kill us */ 292 + static noinline_for_stack void 293 + dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 294 + const struct nf_loginfo *info, 295 + const struct sk_buff *skb, unsigned int iphoff) 296 + { 297 + const struct iphdr *ih; 298 + unsigned int logflags; 299 + struct iphdr _iph; 300 + 301 + if (info->type == NF_LOG_TYPE_LOG) 302 + logflags = info->u.log.logflags; 303 + else 304 + logflags = NF_LOG_DEFAULT_MASK; 305 + 306 + ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 307 + if (!ih) { 308 + nf_log_buf_add(m, "TRUNCATED"); 309 + return; 310 + } 311 + 312 + /* Important fields: 313 + * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. 314 + * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " 315 + */ 316 + nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 317 + 318 + /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 319 + nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 320 + ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 321 + ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 322 + 323 + /* Max length: 6 "CE DF MF " */ 324 + if (ntohs(ih->frag_off) & IP_CE) 325 + nf_log_buf_add(m, "CE "); 326 + if (ntohs(ih->frag_off) & IP_DF) 327 + nf_log_buf_add(m, "DF "); 328 + if (ntohs(ih->frag_off) & IP_MF) 329 + nf_log_buf_add(m, "MF "); 330 + 331 + /* Max length: 11 "FRAG:65535 " */ 332 + if (ntohs(ih->frag_off) & IP_OFFSET) 333 + nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 334 + 335 + if ((logflags & NF_LOG_IPOPT) && 336 + ih->ihl * 4 > sizeof(struct iphdr)) { 337 + unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 338 + const unsigned char *op; 339 + unsigned int i, optsize; 340 + 341 + optsize = ih->ihl * 4 - sizeof(struct iphdr); 342 + op = skb_header_pointer(skb, iphoff + sizeof(_iph), 343 + optsize, _opt); 344 + if (!op) { 345 + nf_log_buf_add(m, "TRUNCATED"); 346 + return; 347 + } 348 + 349 + /* Max length: 127 "OPT (" 15*4*2chars ") " */ 350 + nf_log_buf_add(m, "OPT ("); 351 + for (i = 0; i < optsize; i++) 352 + nf_log_buf_add(m, "%02X", op[i]); 353 + nf_log_buf_add(m, ") "); 354 + } 355 + 356 + switch (ih->protocol) { 357 + case IPPROTO_TCP: 358 + if (nf_log_dump_tcp_header(m, skb, ih->protocol, 359 + ntohs(ih->frag_off) & IP_OFFSET, 360 + iphoff + ih->ihl * 4, logflags)) 361 + return; 362 + break; 363 + case IPPROTO_UDP: 364 + case IPPROTO_UDPLITE: 365 + if (nf_log_dump_udp_header(m, skb, ih->protocol, 366 + ntohs(ih->frag_off) & IP_OFFSET, 367 + iphoff + ih->ihl * 4)) 368 + return; 369 + break; 370 + case IPPROTO_ICMP: { 371 + static const size_t required_len[NR_ICMP_TYPES + 1] = { 372 + [ICMP_ECHOREPLY] = 4, 373 + [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr), 374 + [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr), 375 + [ICMP_REDIRECT] = 8 + sizeof(struct iphdr), 376 + [ICMP_ECHO] = 4, 377 + [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr), 378 + [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr), 379 + [ICMP_TIMESTAMP] = 20, 380 + [ICMP_TIMESTAMPREPLY] = 20, 381 + [ICMP_ADDRESS] = 12, 382 + [ICMP_ADDRESSREPLY] = 12 }; 383 + const struct icmphdr *ich; 384 + struct icmphdr _icmph; 385 + 386 + /* Max length: 11 "PROTO=ICMP " */ 387 + nf_log_buf_add(m, "PROTO=ICMP "); 388 + 389 + if (ntohs(ih->frag_off) & IP_OFFSET) 390 + break; 391 + 392 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 393 + ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 394 + sizeof(_icmph), &_icmph); 395 + if (!ich) { 396 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 397 + skb->len - iphoff - ih->ihl * 4); 398 + break; 399 + } 400 + 401 + /* Max length: 18 "TYPE=255 CODE=255 " */ 402 + nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 403 + 404 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 405 + if (ich->type <= NR_ICMP_TYPES && 406 + required_len[ich->type] && 407 + skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) { 408 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 409 + skb->len - iphoff - ih->ihl * 4); 410 + break; 411 + } 412 + 413 + switch (ich->type) { 414 + case ICMP_ECHOREPLY: 415 + case ICMP_ECHO: 416 + /* Max length: 19 "ID=65535 SEQ=65535 " */ 417 + nf_log_buf_add(m, "ID=%u SEQ=%u ", 418 + ntohs(ich->un.echo.id), 419 + ntohs(ich->un.echo.sequence)); 420 + break; 421 + 422 + case ICMP_PARAMETERPROB: 423 + /* Max length: 14 "PARAMETER=255 " */ 424 + nf_log_buf_add(m, "PARAMETER=%u ", 425 + ntohl(ich->un.gateway) >> 24); 426 + break; 427 + case ICMP_REDIRECT: 428 + /* Max length: 24 "GATEWAY=255.255.255.255 " */ 429 + nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 430 + fallthrough; 431 + case ICMP_DEST_UNREACH: 432 + case ICMP_SOURCE_QUENCH: 433 + case ICMP_TIME_EXCEEDED: 434 + /* Max length: 3+maxlen */ 435 + if (!iphoff) { /* Only recurse once. */ 436 + nf_log_buf_add(m, "["); 437 + dump_ipv4_packet(net, m, info, skb, 438 + iphoff + ih->ihl * 4 + sizeof(_icmph)); 439 + nf_log_buf_add(m, "] "); 440 + } 441 + 442 + /* Max length: 10 "MTU=65535 " */ 443 + if (ich->type == ICMP_DEST_UNREACH && 444 + ich->code == ICMP_FRAG_NEEDED) { 445 + nf_log_buf_add(m, "MTU=%u ", 446 + ntohs(ich->un.frag.mtu)); 447 + } 448 + } 449 + break; 450 + } 451 + /* Max Length */ 452 + case IPPROTO_AH: { 453 + const struct ip_auth_hdr *ah; 454 + struct ip_auth_hdr _ahdr; 455 + 456 + if (ntohs(ih->frag_off) & IP_OFFSET) 457 + break; 458 + 459 + /* Max length: 9 "PROTO=AH " */ 460 + nf_log_buf_add(m, "PROTO=AH "); 461 + 462 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 463 + ah = skb_header_pointer(skb, iphoff + ih->ihl * 4, 464 + sizeof(_ahdr), &_ahdr); 465 + if (!ah) { 466 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 467 + skb->len - iphoff - ih->ihl * 4); 468 + break; 469 + } 470 + 471 + /* Length: 15 "SPI=0xF1234567 " */ 472 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 473 + break; 474 + } 475 + case IPPROTO_ESP: { 476 + const struct ip_esp_hdr *eh; 477 + struct ip_esp_hdr _esph; 478 + 479 + /* Max length: 10 "PROTO=ESP " */ 480 + nf_log_buf_add(m, "PROTO=ESP "); 481 + 482 + if (ntohs(ih->frag_off) & IP_OFFSET) 483 + break; 484 + 485 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 486 + eh = skb_header_pointer(skb, iphoff + ih->ihl * 4, 487 + sizeof(_esph), &_esph); 488 + if (!eh) { 489 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 490 + skb->len - iphoff - ih->ihl * 4); 491 + break; 492 + } 493 + 494 + /* Length: 15 "SPI=0xF1234567 " */ 495 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 496 + break; 497 + } 498 + /* Max length: 10 "PROTO 255 " */ 499 + default: 500 + nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 501 + } 502 + 503 + /* Max length: 15 "UID=4294967295 " */ 504 + if ((logflags & NF_LOG_UID) && !iphoff) 505 + nf_log_dump_sk_uid_gid(net, m, skb->sk); 506 + 507 + /* Max length: 16 "MARK=0xFFFFFFFF " */ 508 + if (!iphoff && skb->mark) 509 + nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 510 + 511 + /* Proto Max log string length */ 512 + /* IP: 40+46+6+11+127 = 230 */ 513 + /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 514 + /* UDP: 10+max(25,20) = 35 */ 515 + /* UDPLITE: 14+max(25,20) = 39 */ 516 + /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 517 + /* ESP: 10+max(25)+15 = 50 */ 518 + /* AH: 9+max(25)+15 = 49 */ 519 + /* unknown: 10 */ 520 + 521 + /* (ICMP allows recursion one level deep) */ 522 + /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 523 + /* maxlen = 230+ 91 + 230 + 252 = 803 */ 524 + } 525 + 526 + static noinline_for_stack void 527 + dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 528 + const struct nf_loginfo *info, 529 + const struct sk_buff *skb, unsigned int ip6hoff, 530 + int recurse) 531 + { 532 + const struct ipv6hdr *ih; 533 + unsigned int hdrlen = 0; 534 + unsigned int logflags; 535 + struct ipv6hdr _ip6h; 536 + unsigned int ptr; 537 + u8 currenthdr; 538 + int fragment; 539 + 540 + if (info->type == NF_LOG_TYPE_LOG) 541 + logflags = info->u.log.logflags; 542 + else 543 + logflags = NF_LOG_DEFAULT_MASK; 544 + 545 + ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 546 + if (!ih) { 547 + nf_log_buf_add(m, "TRUNCATED"); 548 + return; 549 + } 550 + 551 + /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 552 + nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 553 + 554 + /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 555 + nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 556 + ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 557 + (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 558 + ih->hop_limit, 559 + (ntohl(*(__be32 *)ih) & 0x000fffff)); 560 + 561 + fragment = 0; 562 + ptr = ip6hoff + sizeof(struct ipv6hdr); 563 + currenthdr = ih->nexthdr; 564 + while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) { 565 + struct ipv6_opt_hdr _hdr; 566 + const struct ipv6_opt_hdr *hp; 567 + 568 + hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 569 + if (!hp) { 570 + nf_log_buf_add(m, "TRUNCATED"); 571 + return; 572 + } 573 + 574 + /* Max length: 48 "OPT (...) " */ 575 + if (logflags & NF_LOG_IPOPT) 576 + nf_log_buf_add(m, "OPT ( "); 577 + 578 + switch (currenthdr) { 579 + case IPPROTO_FRAGMENT: { 580 + struct frag_hdr _fhdr; 581 + const struct frag_hdr *fh; 582 + 583 + nf_log_buf_add(m, "FRAG:"); 584 + fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 585 + &_fhdr); 586 + if (!fh) { 587 + nf_log_buf_add(m, "TRUNCATED "); 588 + return; 589 + } 590 + 591 + /* Max length: 6 "65535 " */ 592 + nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 593 + 594 + /* Max length: 11 "INCOMPLETE " */ 595 + if (fh->frag_off & htons(0x0001)) 596 + nf_log_buf_add(m, "INCOMPLETE "); 597 + 598 + nf_log_buf_add(m, "ID:%08x ", 599 + ntohl(fh->identification)); 600 + 601 + if (ntohs(fh->frag_off) & 0xFFF8) 602 + fragment = 1; 603 + 604 + hdrlen = 8; 605 + break; 606 + } 607 + case IPPROTO_DSTOPTS: 608 + case IPPROTO_ROUTING: 609 + case IPPROTO_HOPOPTS: 610 + if (fragment) { 611 + if (logflags & NF_LOG_IPOPT) 612 + nf_log_buf_add(m, ")"); 613 + return; 614 + } 615 + hdrlen = ipv6_optlen(hp); 616 + break; 617 + /* Max Length */ 618 + case IPPROTO_AH: 619 + if (logflags & NF_LOG_IPOPT) { 620 + struct ip_auth_hdr _ahdr; 621 + const struct ip_auth_hdr *ah; 622 + 623 + /* Max length: 3 "AH " */ 624 + nf_log_buf_add(m, "AH "); 625 + 626 + if (fragment) { 627 + nf_log_buf_add(m, ")"); 628 + return; 629 + } 630 + 631 + ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 632 + &_ahdr); 633 + if (!ah) { 634 + /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 635 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 636 + skb->len - ptr); 637 + return; 638 + } 639 + 640 + /* Length: 15 "SPI=0xF1234567 */ 641 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 642 + } 643 + 644 + hdrlen = ipv6_authlen(hp); 645 + break; 646 + case IPPROTO_ESP: 647 + if (logflags & NF_LOG_IPOPT) { 648 + struct ip_esp_hdr _esph; 649 + const struct ip_esp_hdr *eh; 650 + 651 + /* Max length: 4 "ESP " */ 652 + nf_log_buf_add(m, "ESP "); 653 + 654 + if (fragment) { 655 + nf_log_buf_add(m, ")"); 656 + return; 657 + } 658 + 659 + /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 660 + eh = skb_header_pointer(skb, ptr, sizeof(_esph), 661 + &_esph); 662 + if (!eh) { 663 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 664 + skb->len - ptr); 665 + return; 666 + } 667 + 668 + /* Length: 16 "SPI=0xF1234567 )" */ 669 + nf_log_buf_add(m, "SPI=0x%x )", 670 + ntohl(eh->spi)); 671 + } 672 + return; 673 + default: 674 + /* Max length: 20 "Unknown Ext Hdr 255" */ 675 + nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 676 + return; 677 + } 678 + if (logflags & NF_LOG_IPOPT) 679 + nf_log_buf_add(m, ") "); 680 + 681 + currenthdr = hp->nexthdr; 682 + ptr += hdrlen; 683 + } 684 + 685 + switch (currenthdr) { 686 + case IPPROTO_TCP: 687 + if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 688 + ptr, logflags)) 689 + return; 690 + break; 691 + case IPPROTO_UDP: 692 + case IPPROTO_UDPLITE: 693 + if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 694 + return; 695 + break; 696 + case IPPROTO_ICMPV6: { 697 + struct icmp6hdr _icmp6h; 698 + const struct icmp6hdr *ic; 699 + 700 + /* Max length: 13 "PROTO=ICMPv6 " */ 701 + nf_log_buf_add(m, "PROTO=ICMPv6 "); 702 + 703 + if (fragment) 704 + break; 705 + 706 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 707 + ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 708 + if (!ic) { 709 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 710 + skb->len - ptr); 711 + return; 712 + } 713 + 714 + /* Max length: 18 "TYPE=255 CODE=255 " */ 715 + nf_log_buf_add(m, "TYPE=%u CODE=%u ", 716 + ic->icmp6_type, ic->icmp6_code); 717 + 718 + switch (ic->icmp6_type) { 719 + case ICMPV6_ECHO_REQUEST: 720 + case ICMPV6_ECHO_REPLY: 721 + /* Max length: 19 "ID=65535 SEQ=65535 " */ 722 + nf_log_buf_add(m, "ID=%u SEQ=%u ", 723 + ntohs(ic->icmp6_identifier), 724 + ntohs(ic->icmp6_sequence)); 725 + break; 726 + case ICMPV6_MGM_QUERY: 727 + case ICMPV6_MGM_REPORT: 728 + case ICMPV6_MGM_REDUCTION: 729 + break; 730 + 731 + case ICMPV6_PARAMPROB: 732 + /* Max length: 17 "POINTER=ffffffff " */ 733 + nf_log_buf_add(m, "POINTER=%08x ", 734 + ntohl(ic->icmp6_pointer)); 735 + fallthrough; 736 + case ICMPV6_DEST_UNREACH: 737 + case ICMPV6_PKT_TOOBIG: 738 + case ICMPV6_TIME_EXCEED: 739 + /* Max length: 3+maxlen */ 740 + if (recurse) { 741 + nf_log_buf_add(m, "["); 742 + dump_ipv6_packet(net, m, info, skb, 743 + ptr + sizeof(_icmp6h), 0); 744 + nf_log_buf_add(m, "] "); 745 + } 746 + 747 + /* Max length: 10 "MTU=65535 " */ 748 + if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 749 + nf_log_buf_add(m, "MTU=%u ", 750 + ntohl(ic->icmp6_mtu)); 751 + } 752 + } 753 + break; 754 + } 755 + /* Max length: 10 "PROTO=255 " */ 756 + default: 757 + nf_log_buf_add(m, "PROTO=%u ", currenthdr); 758 + } 759 + 760 + /* Max length: 15 "UID=4294967295 " */ 761 + if ((logflags & NF_LOG_UID) && recurse) 762 + nf_log_dump_sk_uid_gid(net, m, skb->sk); 763 + 764 + /* Max length: 16 "MARK=0xFFFFFFFF " */ 765 + if (recurse && skb->mark) 766 + nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 767 + } 768 + 769 + static void dump_ipv4_mac_header(struct nf_log_buf *m, 770 + const struct nf_loginfo *info, 771 + const struct sk_buff *skb) 772 + { 773 + struct net_device *dev = skb->dev; 774 + unsigned int logflags = 0; 775 + 776 + if (info->type == NF_LOG_TYPE_LOG) 777 + logflags = info->u.log.logflags; 778 + 779 + if (!(logflags & NF_LOG_MACDECODE)) 780 + goto fallback; 781 + 782 + switch (dev->type) { 783 + case ARPHRD_ETHER: 784 + nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 785 + eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 786 + nf_log_dump_vlan(m, skb); 787 + nf_log_buf_add(m, "MACPROTO=%04x ", 788 + ntohs(eth_hdr(skb)->h_proto)); 789 + return; 790 + default: 791 + break; 792 + } 793 + 794 + fallback: 795 + nf_log_buf_add(m, "MAC="); 796 + if (dev->hard_header_len && 797 + skb->mac_header != skb->network_header) { 798 + const unsigned char *p = skb_mac_header(skb); 799 + unsigned int i; 800 + 801 + nf_log_buf_add(m, "%02x", *p++); 802 + for (i = 1; i < dev->hard_header_len; i++, p++) 803 + nf_log_buf_add(m, ":%02x", *p); 804 + } 805 + nf_log_buf_add(m, " "); 806 + } 807 + 808 + static void nf_log_ip_packet(struct net *net, u_int8_t pf, 809 + unsigned int hooknum, const struct sk_buff *skb, 810 + const struct net_device *in, 811 + const struct net_device *out, 812 + const struct nf_loginfo *loginfo, 813 + const char *prefix) 814 + { 815 + struct nf_log_buf *m; 816 + 817 + /* FIXME: Disabled from containers until syslog ns is supported */ 818 + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 819 + return; 820 + 821 + m = nf_log_buf_open(); 822 + 823 + if (!loginfo) 824 + loginfo = &default_loginfo; 825 + 826 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, 827 + out, loginfo, prefix); 828 + 829 + if (in) 830 + dump_ipv4_mac_header(m, loginfo, skb); 831 + 832 + dump_ipv4_packet(net, m, loginfo, skb, 0); 833 + 834 + nf_log_buf_close(m); 835 + } 836 + 837 + static struct nf_logger nf_ip_logger __read_mostly = { 838 + .name = "nf_log_ipv4", 839 + .type = NF_LOG_TYPE_LOG, 840 + .logfn = nf_log_ip_packet, 841 + .me = THIS_MODULE, 842 + }; 843 + 844 + static void dump_ipv6_mac_header(struct nf_log_buf *m, 845 + const struct nf_loginfo *info, 846 + const struct sk_buff *skb) 847 + { 848 + struct net_device *dev = skb->dev; 849 + unsigned int logflags = 0; 850 + 851 + if (info->type == NF_LOG_TYPE_LOG) 852 + logflags = info->u.log.logflags; 853 + 854 + if (!(logflags & NF_LOG_MACDECODE)) 855 + goto fallback; 856 + 857 + switch (dev->type) { 858 + case ARPHRD_ETHER: 859 + nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 860 + eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 861 + nf_log_dump_vlan(m, skb); 862 + nf_log_buf_add(m, "MACPROTO=%04x ", 863 + ntohs(eth_hdr(skb)->h_proto)); 864 + return; 865 + default: 866 + break; 867 + } 868 + 869 + fallback: 870 + nf_log_buf_add(m, "MAC="); 871 + if (dev->hard_header_len && 872 + skb->mac_header != skb->network_header) { 873 + const unsigned char *p = skb_mac_header(skb); 874 + unsigned int len = dev->hard_header_len; 875 + unsigned int i; 876 + 877 + if (dev->type == ARPHRD_SIT) { 878 + p -= ETH_HLEN; 879 + 880 + if (p < skb->head) 881 + p = NULL; 882 + } 883 + 884 + if (p) { 885 + nf_log_buf_add(m, "%02x", *p++); 886 + for (i = 1; i < len; i++) 887 + nf_log_buf_add(m, ":%02x", *p++); 888 + } 889 + nf_log_buf_add(m, " "); 890 + 891 + if (dev->type == ARPHRD_SIT) { 892 + const struct iphdr *iph = 893 + (struct iphdr *)skb_mac_header(skb); 894 + nf_log_buf_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 895 + &iph->daddr); 896 + } 897 + } else { 898 + nf_log_buf_add(m, " "); 899 + } 900 + } 901 + 902 + static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 903 + unsigned int hooknum, const struct sk_buff *skb, 904 + const struct net_device *in, 905 + const struct net_device *out, 906 + const struct nf_loginfo *loginfo, 907 + const char *prefix) 908 + { 909 + struct nf_log_buf *m; 910 + 911 + /* FIXME: Disabled from containers until syslog ns is supported */ 912 + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns) 913 + return; 914 + 915 + m = nf_log_buf_open(); 916 + 917 + if (!loginfo) 918 + loginfo = &default_loginfo; 919 + 920 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 921 + loginfo, prefix); 922 + 923 + if (in) 924 + dump_ipv6_mac_header(m, loginfo, skb); 925 + 926 + dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 927 + 928 + nf_log_buf_close(m); 929 + } 930 + 931 + static struct nf_logger nf_ip6_logger __read_mostly = { 932 + .name = "nf_log_ipv6", 933 + .type = NF_LOG_TYPE_LOG, 934 + .logfn = nf_log_ip6_packet, 935 + .me = THIS_MODULE, 936 + }; 937 + 938 + static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 939 + unsigned int hooknum, 940 + const struct sk_buff *skb, 941 + const struct net_device *in, 942 + const struct net_device *out, 943 + const struct nf_loginfo *loginfo, 944 + const char *prefix) 945 + { 946 + switch (skb->protocol) { 947 + case htons(ETH_P_IP): 948 + nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 949 + break; 950 + case htons(ETH_P_IPV6): 951 + nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 952 + break; 953 + case htons(ETH_P_ARP): 954 + case htons(ETH_P_RARP): 955 + nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 956 + break; 957 + } 958 + } 959 + 960 + static struct nf_logger nf_netdev_logger __read_mostly = { 961 + .name = "nf_log_netdev", 962 + .type = NF_LOG_TYPE_LOG, 963 + .logfn = nf_log_netdev_packet, 964 + .me = THIS_MODULE, 965 + }; 966 + 967 + static struct nf_logger nf_bridge_logger __read_mostly = { 968 + .name = "nf_log_bridge", 969 + .type = NF_LOG_TYPE_LOG, 970 + .logfn = nf_log_netdev_packet, 971 + .me = THIS_MODULE, 972 + }; 973 + 974 + static int __net_init nf_log_syslog_net_init(struct net *net) 975 + { 976 + int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 977 + 978 + if (ret) 979 + return ret; 980 + 981 + ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 982 + if (ret) 983 + goto err1; 984 + 985 + ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 986 + if (ret) 987 + goto err2; 988 + 989 + ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 990 + if (ret) 991 + goto err3; 992 + 993 + ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 994 + if (ret) 995 + goto err4; 996 + return 0; 997 + err4: 998 + nf_log_unset(net, &nf_netdev_logger); 999 + err3: 1000 + nf_log_unset(net, &nf_ip6_logger); 1001 + err2: 1002 + nf_log_unset(net, &nf_arp_logger); 1003 + err1: 1004 + nf_log_unset(net, &nf_ip_logger); 1005 + return ret; 1006 + } 1007 + 1008 + static void __net_exit nf_log_syslog_net_exit(struct net *net) 1009 + { 1010 + nf_log_unset(net, &nf_ip_logger); 1011 + nf_log_unset(net, &nf_arp_logger); 1012 + nf_log_unset(net, &nf_ip6_logger); 1013 + nf_log_unset(net, &nf_netdev_logger); 1014 + } 1015 + 1016 + static struct pernet_operations nf_log_syslog_net_ops = { 1017 + .init = nf_log_syslog_net_init, 1018 + .exit = nf_log_syslog_net_exit, 1019 + }; 1020 + 1021 + static int __init nf_log_syslog_init(void) 1022 + { 1023 + int ret; 1024 + 1025 + ret = register_pernet_subsys(&nf_log_syslog_net_ops); 1026 + if (ret < 0) 1027 + return ret; 1028 + 1029 + ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 1030 + if (ret < 0) 1031 + goto err1; 1032 + 1033 + ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger); 1034 + if (ret < 0) 1035 + goto err2; 1036 + 1037 + ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 1038 + if (ret < 0) 1039 + goto err3; 1040 + 1041 + ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 1042 + if (ret < 0) 1043 + goto err4; 1044 + 1045 + ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 1046 + if (ret < 0) 1047 + goto err5; 1048 + 1049 + return 0; 1050 + err5: 1051 + nf_log_unregister(&nf_netdev_logger); 1052 + err4: 1053 + nf_log_unregister(&nf_ip6_logger); 1054 + err3: 1055 + nf_log_unregister(&nf_arp_logger); 1056 + err2: 1057 + nf_log_unregister(&nf_ip_logger); 1058 + err1: 1059 + pr_err("failed to register logger\n"); 1060 + unregister_pernet_subsys(&nf_log_syslog_net_ops); 1061 + return ret; 1062 + } 1063 + 1064 + static void __exit nf_log_syslog_exit(void) 1065 + { 1066 + unregister_pernet_subsys(&nf_log_syslog_net_ops); 1067 + nf_log_unregister(&nf_ip_logger); 1068 + nf_log_unregister(&nf_arp_logger); 1069 + nf_log_unregister(&nf_ip6_logger); 1070 + nf_log_unregister(&nf_netdev_logger); 1071 + nf_log_unregister(&nf_bridge_logger); 1072 + } 1073 + 1074 + module_init(nf_log_syslog_init); 1075 + module_exit(nf_log_syslog_exit); 1076 + 1077 + MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 1078 + MODULE_DESCRIPTION("Netfilter syslog packet logging"); 1079 + MODULE_LICENSE("GPL"); 1080 + MODULE_ALIAS("nf_log_arp"); 1081 + MODULE_ALIAS("nf_log_bridge"); 1082 + MODULE_ALIAS("nf_log_ipv4"); 1083 + MODULE_ALIAS("nf_log_ipv6"); 1084 + MODULE_ALIAS("nf_log_netdev"); 1085 + MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0); 1086 + MODULE_ALIAS_NF_LOGGER(AF_INET, 0); 1087 + MODULE_ALIAS_NF_LOGGER(3, 0); 1088 + MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */ 1089 + MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
+332 -300
net/netfilter/nf_tables_api.c
··· 21 21 #include <net/netfilter/nf_tables.h> 22 22 #include <net/netfilter/nf_tables_offload.h> 23 23 #include <net/net_namespace.h> 24 + #include <net/netns/generic.h> 24 25 #include <net/sock.h> 25 26 26 27 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 28 + 29 + unsigned int nf_tables_net_id __read_mostly; 27 30 28 31 static LIST_HEAD(nf_tables_expressions); 29 32 static LIST_HEAD(nf_tables_objects); ··· 69 66 .automatic_shrinking = true, 70 67 }; 71 68 69 + struct nft_audit_data { 70 + struct nft_table *table; 71 + int entries; 72 + int op; 73 + struct list_head list; 74 + }; 75 + 76 + static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 77 + [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 78 + [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 79 + [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 80 + [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 81 + [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 82 + [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 83 + [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 84 + [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 85 + [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 86 + [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 87 + [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 88 + [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 89 + [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 90 + [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 91 + [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 92 + [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 93 + [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 94 + [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 95 + [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 96 + [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 97 + [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 98 + [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 99 + [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 100 + [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 101 + [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 102 + }; 103 + 72 104 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 73 105 { 74 - switch (net->nft.validate_state) { 106 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 107 + 108 + switch (nft_net->validate_state) { 75 109 case NFT_VALIDATE_SKIP: 76 110 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 77 111 break; ··· 119 79 return; 120 80 } 121 81 122 - net->nft.validate_state = new_validate_state; 82 + nft_net->validate_state = new_validate_state; 123 83 } 124 84 static void nf_tables_trans_destroy_work(struct work_struct *w); 125 85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); ··· 174 134 175 135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 176 136 { 137 + struct nftables_pernet *nft_net; 177 138 struct net *net = ctx->net; 178 139 struct nft_trans *trans; 179 140 180 141 if (!nft_set_is_anonymous(set)) 181 142 return; 182 143 183 - list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { 144 + nft_net = net_generic(net, nf_tables_net_id); 145 + list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 184 146 switch (trans->msg_type) { 185 147 case NFT_MSG_NEWSET: 186 148 if (nft_trans_set(trans) == set) ··· 276 234 nf_unregister_net_hook(net, &basechain->ops); 277 235 } 278 236 237 + static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 238 + { 239 + struct nftables_pernet *nft_net; 240 + 241 + nft_net = net_generic(net, nf_tables_net_id); 242 + list_add_tail(&trans->list, &nft_net->commit_list); 243 + } 244 + 279 245 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 280 246 { 281 247 struct nft_trans *trans; ··· 295 245 if (msg_type == NFT_MSG_NEWTABLE) 296 246 nft_activate_next(ctx->net, ctx->table); 297 247 298 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 248 + nft_trans_commit_list_add_tail(ctx->net, trans); 299 249 return 0; 300 250 } 301 251 ··· 328 278 } 329 279 } 330 280 331 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 281 + nft_trans_commit_list_add_tail(ctx->net, trans); 332 282 return trans; 333 283 } 334 284 ··· 401 351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 402 352 } 403 353 nft_trans_rule(trans) = rule; 404 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 354 + nft_trans_commit_list_add_tail(ctx->net, trans); 405 355 406 356 return trans; 407 357 } ··· 467 417 nft_activate_next(ctx->net, set); 468 418 } 469 419 nft_trans_set(trans) = set; 470 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 420 + nft_trans_commit_list_add_tail(ctx->net, trans); 471 421 472 422 return 0; 473 423 } ··· 499 449 nft_activate_next(ctx->net, obj); 500 450 501 451 nft_trans_obj(trans) = obj; 502 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 452 + nft_trans_commit_list_add_tail(ctx->net, trans); 503 453 504 454 return 0; 505 455 } ··· 532 482 nft_activate_next(ctx->net, flowtable); 533 483 534 484 nft_trans_flowtable(trans) = flowtable; 535 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 485 + nft_trans_commit_list_add_tail(ctx->net, trans); 536 486 537 487 return 0; 538 488 } ··· 560 510 const struct nlattr *nla, 561 511 u8 family, u8 genmask, u32 nlpid) 562 512 { 513 + struct nftables_pernet *nft_net; 563 514 struct nft_table *table; 564 515 565 516 if (nla == NULL) 566 517 return ERR_PTR(-EINVAL); 567 518 568 - list_for_each_entry_rcu(table, &net->nft.tables, list, 569 - lockdep_is_held(&net->nft.commit_mutex)) { 519 + nft_net = net_generic(net, nf_tables_net_id); 520 + list_for_each_entry_rcu(table, &nft_net->tables, list, 521 + lockdep_is_held(&nft_net->commit_mutex)) { 570 522 if (!nla_strcmp(nla, table->name) && 571 523 table->family == family && 572 524 nft_active_genmask(table, genmask)) { ··· 587 535 const struct nlattr *nla, 588 536 u8 genmask) 589 537 { 538 + struct nftables_pernet *nft_net; 590 539 struct nft_table *table; 591 540 592 - list_for_each_entry(table, &net->nft.tables, list) { 541 + nft_net = net_generic(net, nf_tables_net_id); 542 + list_for_each_entry(table, &nft_net->tables, list) { 593 543 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 594 544 nft_active_genmask(table, genmask)) 595 545 return table; ··· 640 586 }; 641 587 642 588 #ifdef CONFIG_MODULES 643 - static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 644 - ...) 589 + __printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 590 + ...) 645 591 { 646 592 char module_name[MODULE_NAME_LEN]; 593 + struct nftables_pernet *nft_net; 647 594 struct nft_module_request *req; 648 595 va_list args; 649 596 int ret; ··· 655 600 if (ret >= MODULE_NAME_LEN) 656 601 return 0; 657 602 658 - list_for_each_entry(req, &net->nft.module_list, list) { 603 + nft_net = net_generic(net, nf_tables_net_id); 604 + list_for_each_entry(req, &nft_net->module_list, list) { 659 605 if (!strcmp(req->module, module_name)) { 660 606 if (req->done) 661 607 return 0; ··· 672 616 673 617 req->done = false; 674 618 strlcpy(req->module, module_name, MODULE_NAME_LEN); 675 - list_add_tail(&req->list, &net->nft.module_list); 619 + list_add_tail(&req->list, &nft_net->module_list); 676 620 677 621 return -EAGAIN; 678 622 } 623 + EXPORT_SYMBOL_GPL(nft_request_module); 679 624 #endif 680 625 681 626 static void lockdep_nfnl_nft_mutex_not_held(void) ··· 709 652 return ERR_PTR(-ENOENT); 710 653 } 711 654 655 + static __be16 nft_base_seq(const struct net *net) 656 + { 657 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 658 + 659 + return htons(nft_net->base_seq & 0xffff); 660 + } 661 + 712 662 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 713 663 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 714 664 .len = NFT_TABLE_MAXNAMELEN - 1 }, ··· 730 666 int family, const struct nft_table *table) 731 667 { 732 668 struct nlmsghdr *nlh; 733 - struct nfgenmsg *nfmsg; 734 669 735 670 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 736 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 737 - if (nlh == NULL) 671 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 672 + NFNETLINK_V0, nft_base_seq(net)); 673 + if (!nlh) 738 674 goto nla_put_failure; 739 - 740 - nfmsg = nlmsg_data(nlh); 741 - nfmsg->nfgen_family = family; 742 - nfmsg->version = NFNETLINK_V0; 743 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 744 675 745 676 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 746 677 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || ··· 774 715 775 716 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 776 717 { 718 + struct nftables_pernet *nft_net; 777 719 struct sk_buff *skb; 778 720 int err; 779 - char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0", 780 - ctx->table->name, ctx->table->handle); 781 - 782 - audit_log_nfcfg(buf, 783 - ctx->family, 784 - ctx->table->use, 785 - event == NFT_MSG_NEWTABLE ? 786 - AUDIT_NFT_OP_TABLE_REGISTER : 787 - AUDIT_NFT_OP_TABLE_UNREGISTER, 788 - GFP_KERNEL); 789 - kfree(buf); 790 721 791 722 if (!ctx->report && 792 723 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) ··· 793 744 goto err; 794 745 } 795 746 796 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 747 + nft_net = net_generic(ctx->net, nf_tables_net_id); 748 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 797 749 return; 798 750 err: 799 751 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 804 754 struct netlink_callback *cb) 805 755 { 806 756 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 757 + struct nftables_pernet *nft_net; 807 758 const struct nft_table *table; 808 759 unsigned int idx = 0, s_idx = cb->args[0]; 809 760 struct net *net = sock_net(skb->sk); 810 761 int family = nfmsg->nfgen_family; 811 762 812 763 rcu_read_lock(); 813 - cb->seq = net->nft.base_seq; 764 + nft_net = net_generic(net, nf_tables_net_id); 765 + cb->seq = nft_net->base_seq; 814 766 815 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 767 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 816 768 if (family != NFPROTO_UNSPEC && family != table->family) 817 769 continue; 818 770 ··· 999 947 1000 948 nft_trans_table_flags(trans) = flags; 1001 949 nft_trans_table_update(trans) = true; 1002 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 950 + nft_trans_commit_list_add_tail(ctx->net, trans); 1003 951 return 0; 1004 952 err: 1005 953 nft_trans_destroy(trans); ··· 1062 1010 const struct nlattr * const nla[], 1063 1011 struct netlink_ext_ack *extack) 1064 1012 { 1013 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 1065 1014 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1066 1015 u8 genmask = nft_genmask_next(net); 1067 1016 int family = nfmsg->nfgen_family; ··· 1072 1019 u32 flags = 0; 1073 1020 int err; 1074 1021 1075 - lockdep_assert_held(&net->nft.commit_mutex); 1022 + lockdep_assert_held(&nft_net->commit_mutex); 1076 1023 attr = nla[NFTA_TABLE_NAME]; 1077 1024 table = nft_table_lookup(net, attr, family, genmask, 1078 1025 NETLINK_CB(skb).portid); ··· 1133 1080 if (err < 0) 1134 1081 goto err_trans; 1135 1082 1136 - list_add_tail_rcu(&table->list, &net->nft.tables); 1083 + list_add_tail_rcu(&table->list, &nft_net->tables); 1137 1084 return 0; 1138 1085 err_trans: 1139 1086 rhltable_destroy(&table->chains_ht); ··· 1221 1168 1222 1169 static int nft_flush(struct nft_ctx *ctx, int family) 1223 1170 { 1171 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 1224 1172 struct nft_table *table, *nt; 1225 1173 const struct nlattr * const *nla = ctx->nla; 1226 1174 int err = 0; 1227 1175 1228 - list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { 1176 + list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1229 1177 if (family != AF_UNSPEC && table->family != family) 1230 1178 continue; 1231 1179 ··· 1345 1291 static bool lockdep_commit_lock_is_held(const struct net *net) 1346 1292 { 1347 1293 #ifdef CONFIG_PROVE_LOCKING 1348 - return lockdep_is_held(&net->nft.commit_mutex); 1294 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 1295 + 1296 + return lockdep_is_held(&nft_net->commit_mutex); 1349 1297 #else 1350 1298 return true; 1351 1299 #endif ··· 1494 1438 const struct nft_chain *chain) 1495 1439 { 1496 1440 struct nlmsghdr *nlh; 1497 - struct nfgenmsg *nfmsg; 1498 1441 1499 1442 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1500 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 1501 - if (nlh == NULL) 1443 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1444 + NFNETLINK_V0, nft_base_seq(net)); 1445 + if (!nlh) 1502 1446 goto nla_put_failure; 1503 - 1504 - nfmsg = nlmsg_data(nlh); 1505 - nfmsg->nfgen_family = family; 1506 - nfmsg->version = NFNETLINK_V0; 1507 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1508 1447 1509 1448 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1510 1449 goto nla_put_failure; ··· 1550 1499 1551 1500 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1552 1501 { 1502 + struct nftables_pernet *nft_net; 1553 1503 struct sk_buff *skb; 1554 1504 int err; 1555 - char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 1556 - ctx->table->name, ctx->table->handle, 1557 - ctx->chain->name, ctx->chain->handle); 1558 - 1559 - audit_log_nfcfg(buf, 1560 - ctx->family, 1561 - ctx->chain->use, 1562 - event == NFT_MSG_NEWCHAIN ? 1563 - AUDIT_NFT_OP_CHAIN_REGISTER : 1564 - AUDIT_NFT_OP_CHAIN_UNREGISTER, 1565 - GFP_KERNEL); 1566 - kfree(buf); 1567 1505 1568 1506 if (!ctx->report && 1569 1507 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) ··· 1570 1530 goto err; 1571 1531 } 1572 1532 1573 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 1533 + nft_net = net_generic(ctx->net, nf_tables_net_id); 1534 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1574 1535 return; 1575 1536 err: 1576 1537 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 1586 1545 unsigned int idx = 0, s_idx = cb->args[0]; 1587 1546 struct net *net = sock_net(skb->sk); 1588 1547 int family = nfmsg->nfgen_family; 1548 + struct nftables_pernet *nft_net; 1589 1549 1590 1550 rcu_read_lock(); 1591 - cb->seq = net->nft.base_seq; 1551 + nft_net = net_generic(net, nf_tables_net_id); 1552 + cb->seq = nft_net->base_seq; 1592 1553 1593 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 1554 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 1594 1555 if (family != NFPROTO_UNSPEC && family != table->family) 1595 1556 continue; 1596 1557 ··· 1908 1865 struct nft_chain_hook *hook, u8 family, 1909 1866 bool autoload) 1910 1867 { 1868 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 1911 1869 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1912 1870 const struct nft_chain_type *type; 1913 1871 int err; 1914 1872 1915 - lockdep_assert_held(&net->nft.commit_mutex); 1873 + lockdep_assert_held(&nft_net->commit_mutex); 1916 1874 lockdep_nfnl_nft_mutex_not_held(); 1917 1875 1918 1876 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, ··· 2302 2258 2303 2259 if (nla[NFTA_CHAIN_HANDLE] && 2304 2260 nla[NFTA_CHAIN_NAME]) { 2261 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 2305 2262 struct nft_trans *tmp; 2306 2263 char *name; 2307 2264 ··· 2312 2267 goto err; 2313 2268 2314 2269 err = -EEXIST; 2315 - list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { 2270 + list_for_each_entry(tmp, &nft_net->commit_list, list) { 2316 2271 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2317 2272 tmp->ctx.table == table && 2318 2273 nft_trans_chain_update(tmp) && ··· 2326 2281 2327 2282 nft_trans_chain_name(trans) = name; 2328 2283 } 2329 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 2284 + nft_trans_commit_list_add_tail(ctx->net, trans); 2330 2285 2331 2286 return 0; 2332 2287 err: ··· 2338 2293 static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2339 2294 const struct nlattr *nla) 2340 2295 { 2296 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 2341 2297 u32 id = ntohl(nla_get_be32(nla)); 2342 2298 struct nft_trans *trans; 2343 2299 2344 - list_for_each_entry(trans, &net->nft.commit_list, list) { 2300 + list_for_each_entry(trans, &nft_net->commit_list, list) { 2345 2301 struct nft_chain *chain = trans->ctx.chain; 2346 2302 2347 2303 if (trans->msg_type == NFT_MSG_NEWCHAIN && ··· 2357 2311 const struct nlattr * const nla[], 2358 2312 struct netlink_ext_ack *extack) 2359 2313 { 2314 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 2360 2315 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2361 2316 u8 genmask = nft_genmask_next(net); 2362 2317 int family = nfmsg->nfgen_family; ··· 2369 2322 u64 handle = 0; 2370 2323 u32 flags = 0; 2371 2324 2372 - lockdep_assert_held(&net->nft.commit_mutex); 2325 + lockdep_assert_held(&nft_net->commit_mutex); 2373 2326 2374 2327 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2375 2328 NETLINK_CB(skb).portid); ··· 2854 2807 const struct nft_rule *prule) 2855 2808 { 2856 2809 struct nlmsghdr *nlh; 2857 - struct nfgenmsg *nfmsg; 2858 2810 const struct nft_expr *expr, *next; 2859 2811 struct nlattr *list; 2860 2812 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2861 2813 2862 - nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 2863 - if (nlh == NULL) 2814 + nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 2815 + nft_base_seq(net)); 2816 + if (!nlh) 2864 2817 goto nla_put_failure; 2865 - 2866 - nfmsg = nlmsg_data(nlh); 2867 - nfmsg->nfgen_family = family; 2868 - nfmsg->version = NFNETLINK_V0; 2869 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 2870 2818 2871 2819 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2872 2820 goto nla_put_failure; ··· 2905 2863 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2906 2864 const struct nft_rule *rule, int event) 2907 2865 { 2866 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 2908 2867 struct sk_buff *skb; 2909 2868 int err; 2910 - char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 2911 - ctx->table->name, ctx->table->handle, 2912 - ctx->chain->name, ctx->chain->handle); 2913 - 2914 - audit_log_nfcfg(buf, 2915 - ctx->family, 2916 - rule->handle, 2917 - event == NFT_MSG_NEWRULE ? 2918 - AUDIT_NFT_OP_RULE_REGISTER : 2919 - AUDIT_NFT_OP_RULE_UNREGISTER, 2920 - GFP_KERNEL); 2921 - kfree(buf); 2922 2869 2923 2870 if (!ctx->report && 2924 2871 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) ··· 2925 2894 goto err; 2926 2895 } 2927 2896 2928 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 2897 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 2929 2898 return; 2930 2899 err: 2931 2900 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 2983 2952 unsigned int idx = 0; 2984 2953 struct net *net = sock_net(skb->sk); 2985 2954 int family = nfmsg->nfgen_family; 2955 + struct nftables_pernet *nft_net; 2986 2956 2987 2957 rcu_read_lock(); 2988 - cb->seq = net->nft.base_seq; 2958 + nft_net = net_generic(net, nf_tables_net_id); 2959 + cb->seq = nft_net->base_seq; 2989 2960 2990 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 2961 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 2991 2962 if (family != NFPROTO_UNSPEC && family != table->family) 2992 2963 continue; 2993 2964 ··· 3220 3187 const struct nlattr * const nla[], 3221 3188 struct netlink_ext_ack *extack) 3222 3189 { 3190 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 3223 3191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3224 3192 u8 genmask = nft_genmask_next(net); 3225 3193 struct nft_expr_info *info = NULL; ··· 3238 3204 int err, rem; 3239 3205 u64 handle, pos_handle; 3240 3206 3241 - lockdep_assert_held(&net->nft.commit_mutex); 3207 + lockdep_assert_held(&nft_net->commit_mutex); 3242 3208 3243 3209 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3244 3210 NETLINK_CB(skb).portid); ··· 3410 3376 kvfree(info); 3411 3377 chain->use++; 3412 3378 3413 - if (net->nft.validate_state == NFT_VALIDATE_DO) 3379 + if (nft_net->validate_state == NFT_VALIDATE_DO) 3414 3380 return nft_table_validate(net, table); 3415 3381 3416 3382 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { ··· 3439 3405 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3440 3406 const struct nlattr *nla) 3441 3407 { 3408 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 3442 3409 u32 id = ntohl(nla_get_be32(nla)); 3443 3410 struct nft_trans *trans; 3444 3411 3445 - list_for_each_entry(trans, &net->nft.commit_list, list) { 3412 + list_for_each_entry(trans, &nft_net->commit_list, list) { 3446 3413 struct nft_rule *rule = nft_trans_rule(trans); 3447 3414 3448 3415 if (trans->msg_type == NFT_MSG_NEWRULE && ··· 3556 3521 const struct nft_set_desc *desc, 3557 3522 enum nft_set_policies policy) 3558 3523 { 3524 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 3559 3525 const struct nft_set_ops *ops, *bops; 3560 3526 struct nft_set_estimate est, best; 3561 3527 const struct nft_set_type *type; 3562 3528 u32 flags = 0; 3563 3529 int i; 3564 3530 3565 - lockdep_assert_held(&ctx->net->nft.commit_mutex); 3531 + lockdep_assert_held(&nft_net->commit_mutex); 3566 3532 lockdep_nfnl_nft_mutex_not_held(); 3567 3533 3568 3534 if (nla[NFTA_SET_FLAGS] != NULL) ··· 3701 3665 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3702 3666 const struct nlattr *nla, u8 genmask) 3703 3667 { 3668 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 3704 3669 struct nft_trans *trans; 3705 3670 u32 id = ntohl(nla_get_be32(nla)); 3706 3671 3707 - list_for_each_entry(trans, &net->nft.commit_list, list) { 3672 + list_for_each_entry(trans, &nft_net->commit_list, list) { 3708 3673 if (trans->msg_type == NFT_MSG_NEWSET) { 3709 3674 struct nft_set *set = nft_trans_set(trans); 3710 3675 ··· 3840 3803 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3841 3804 const struct nft_set *set, u16 event, u16 flags) 3842 3805 { 3843 - struct nfgenmsg *nfmsg; 3844 3806 struct nlmsghdr *nlh; 3845 3807 u32 portid = ctx->portid; 3846 3808 struct nlattr *nest; ··· 3847 3811 int i; 3848 3812 3849 3813 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3850 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3851 - flags); 3852 - if (nlh == NULL) 3814 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 3815 + NFNETLINK_V0, nft_base_seq(ctx->net)); 3816 + if (!nlh) 3853 3817 goto nla_put_failure; 3854 - 3855 - nfmsg = nlmsg_data(nlh); 3856 - nfmsg->nfgen_family = ctx->family; 3857 - nfmsg->version = NFNETLINK_V0; 3858 - nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3859 3818 3860 3819 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3861 3820 goto nla_put_failure; ··· 3939 3908 const struct nft_set *set, int event, 3940 3909 gfp_t gfp_flags) 3941 3910 { 3911 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 3942 3912 struct sk_buff *skb; 3943 3913 u32 portid = ctx->portid; 3944 3914 int err; 3945 - char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu", 3946 - ctx->table->name, ctx->table->handle, 3947 - set->name, set->handle); 3948 - 3949 - audit_log_nfcfg(buf, 3950 - ctx->family, 3951 - set->field_count, 3952 - event == NFT_MSG_NEWSET ? 3953 - AUDIT_NFT_OP_SET_REGISTER : 3954 - AUDIT_NFT_OP_SET_UNREGISTER, 3955 - gfp_flags); 3956 - kfree(buf); 3957 3915 3958 3916 if (!ctx->report && 3959 3917 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) ··· 3958 3938 goto err; 3959 3939 } 3960 3940 3961 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 3941 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3962 3942 return; 3963 3943 err: 3964 3944 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 3971 3951 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 3972 3952 struct net *net = sock_net(skb->sk); 3973 3953 struct nft_ctx *ctx = cb->data, ctx_set; 3954 + struct nftables_pernet *nft_net; 3974 3955 3975 3956 if (cb->args[1]) 3976 3957 return skb->len; 3977 3958 3978 3959 rcu_read_lock(); 3979 - cb->seq = net->nft.base_seq; 3960 + nft_net = net_generic(net, nf_tables_net_id); 3961 + cb->seq = nft_net->base_seq; 3980 3962 3981 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 3963 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 3982 3964 if (ctx->family != NFPROTO_UNSPEC && 3983 3965 ctx->family != table->family) 3984 3966 continue; ··· 4819 4797 { 4820 4798 struct nft_set_dump_ctx *dump_ctx = cb->data; 4821 4799 struct net *net = sock_net(skb->sk); 4800 + struct nftables_pernet *nft_net; 4822 4801 struct nft_table *table; 4823 4802 struct nft_set *set; 4824 4803 struct nft_set_dump_args args; 4825 4804 bool set_found = false; 4826 - struct nfgenmsg *nfmsg; 4827 4805 struct nlmsghdr *nlh; 4828 4806 struct nlattr *nest; 4829 4807 u32 portid, seq; 4830 4808 int event; 4831 4809 4832 4810 rcu_read_lock(); 4833 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 4811 + nft_net = net_generic(net, nf_tables_net_id); 4812 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 4834 4813 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4835 4814 dump_ctx->ctx.family != table->family) 4836 4815 continue; ··· 4857 4834 portid = NETLINK_CB(cb->skb).portid; 4858 4835 seq = cb->nlh->nlmsg_seq; 4859 4836 4860 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4861 - NLM_F_MULTI); 4862 - if (nlh == NULL) 4837 + nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 4838 + table->family, NFNETLINK_V0, nft_base_seq(net)); 4839 + if (!nlh) 4863 4840 goto nla_put_failure; 4864 - 4865 - nfmsg = nlmsg_data(nlh); 4866 - nfmsg->nfgen_family = table->family; 4867 - nfmsg->version = NFNETLINK_V0; 4868 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4869 4841 4870 4842 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4871 4843 goto nla_put_failure; ··· 4918 4900 const struct nft_set *set, 4919 4901 const struct nft_set_elem *elem) 4920 4902 { 4921 - struct nfgenmsg *nfmsg; 4922 4903 struct nlmsghdr *nlh; 4923 4904 struct nlattr *nest; 4924 4905 int err; 4925 4906 4926 4907 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4927 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4928 - flags); 4929 - if (nlh == NULL) 4908 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 4909 + NFNETLINK_V0, nft_base_seq(ctx->net)); 4910 + if (!nlh) 4930 4911 goto nla_put_failure; 4931 - 4932 - nfmsg = nlmsg_data(nlh); 4933 - nfmsg->nfgen_family = ctx->family; 4934 - nfmsg->version = NFNETLINK_V0; 4935 - nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 4936 4912 4937 4913 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4938 4914 goto nla_put_failure; ··· 5115 5103 const struct nft_set_elem *elem, 5116 5104 int event, u16 flags) 5117 5105 { 5106 + struct nftables_pernet *nft_net; 5118 5107 struct net *net = ctx->net; 5119 5108 u32 portid = ctx->portid; 5120 5109 struct sk_buff *skb; 5121 5110 int err; 5122 - char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 5123 - ctx->table->name, ctx->table->handle, 5124 - set->name, set->handle); 5125 - 5126 - audit_log_nfcfg(buf, 5127 - ctx->family, 5128 - set->handle, 5129 - event == NFT_MSG_NEWSETELEM ? 5130 - AUDIT_NFT_OP_SETELEM_REGISTER : 5131 - AUDIT_NFT_OP_SETELEM_UNREGISTER, 5132 - GFP_KERNEL); 5133 - kfree(buf); 5134 5111 5135 5112 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5136 5113 return; ··· 5135 5134 goto err; 5136 5135 } 5137 5136 5138 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 5137 + nft_net = net_generic(net, nf_tables_net_id); 5138 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5139 5139 return; 5140 5140 err: 5141 5141 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 5604 5602 } 5605 5603 5606 5604 nft_trans_elem(trans) = elem; 5607 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5605 + nft_trans_commit_list_add_tail(ctx->net, trans); 5608 5606 return 0; 5609 5607 5610 5608 err_set_full: ··· 5635 5633 const struct nlattr * const nla[], 5636 5634 struct netlink_ext_ack *extack) 5637 5635 { 5636 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 5638 5637 u8 genmask = nft_genmask_next(net); 5639 5638 const struct nlattr *attr; 5640 5639 struct nft_set *set; ··· 5664 5661 return err; 5665 5662 } 5666 5663 5667 - if (net->nft.validate_state == NFT_VALIDATE_DO) 5664 + if (nft_net->validate_state == NFT_VALIDATE_DO) 5668 5665 return nft_table_validate(net, ctx.table); 5669 5666 5670 5667 return 0; ··· 5800 5797 nft_set_elem_deactivate(ctx->net, set, &elem); 5801 5798 5802 5799 nft_trans_elem(trans) = elem; 5803 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5800 + nft_trans_commit_list_add_tail(ctx->net, trans); 5804 5801 return 0; 5805 5802 5806 5803 fail_ops: ··· 5834 5831 nft_set_elem_deactivate(ctx->net, set, elem); 5835 5832 nft_trans_elem_set(trans) = set; 5836 5833 nft_trans_elem(trans) = *elem; 5837 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5834 + nft_trans_commit_list_add_tail(ctx->net, trans); 5838 5835 5839 5836 return 0; 5840 5837 err1: ··· 6128 6125 nft_trans_obj(trans) = obj; 6129 6126 nft_trans_obj_update(trans) = true; 6130 6127 nft_trans_obj_newobj(trans) = newobj; 6131 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6128 + nft_trans_commit_list_add_tail(ctx->net, trans); 6132 6129 6133 6130 return 0; 6134 6131 ··· 6248 6245 int family, const struct nft_table *table, 6249 6246 struct nft_object *obj, bool reset) 6250 6247 { 6251 - struct nfgenmsg *nfmsg; 6252 6248 struct nlmsghdr *nlh; 6253 6249 6254 6250 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6255 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 6256 - if (nlh == NULL) 6251 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 6252 + NFNETLINK_V0, nft_base_seq(net)); 6253 + if (!nlh) 6257 6254 goto nla_put_failure; 6258 - 6259 - nfmsg = nlmsg_data(nlh); 6260 - nfmsg->nfgen_family = family; 6261 - nfmsg->version = NFNETLINK_V0; 6262 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6263 6255 6264 6256 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6265 6257 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || ··· 6290 6292 struct nft_obj_filter *filter = cb->data; 6291 6293 struct net *net = sock_net(skb->sk); 6292 6294 int family = nfmsg->nfgen_family; 6295 + struct nftables_pernet *nft_net; 6293 6296 struct nft_object *obj; 6294 6297 bool reset = false; 6295 6298 ··· 6298 6299 reset = true; 6299 6300 6300 6301 rcu_read_lock(); 6301 - cb->seq = net->nft.base_seq; 6302 + nft_net = net_generic(net, nf_tables_net_id); 6303 + cb->seq = nft_net->base_seq; 6302 6304 6303 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 6305 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 6304 6306 if (family != NFPROTO_UNSPEC && family != table->family) 6305 6307 continue; 6306 6308 ··· 6320 6320 filter->type != NFT_OBJECT_UNSPEC && 6321 6321 obj->ops->type->type != filter->type) 6322 6322 goto cont; 6323 - 6324 6323 if (reset) { 6325 6324 char *buf = kasprintf(GFP_ATOMIC, 6326 - "%s:%llu;?:0", 6325 + "%s:%u", 6327 6326 table->name, 6328 - table->handle); 6327 + nft_net->base_seq); 6329 6328 6330 6329 audit_log_nfcfg(buf, 6331 6330 family, ··· 6445 6446 reset = true; 6446 6447 6447 6448 if (reset) { 6448 - char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0", 6449 - table->name, table->handle); 6449 + const struct nftables_pernet *nft_net; 6450 + char *buf; 6451 + 6452 + nft_net = net_generic(net, nf_tables_net_id); 6453 + buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 6450 6454 6451 6455 audit_log_nfcfg(buf, 6452 6456 family, ··· 6535 6533 struct nft_object *obj, u32 portid, u32 seq, int event, 6536 6534 int family, int report, gfp_t gfp) 6537 6535 { 6536 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 6538 6537 struct sk_buff *skb; 6539 6538 int err; 6540 - char *buf = kasprintf(gfp, "%s:%llu;?:0", 6541 - table->name, table->handle); 6539 + char *buf = kasprintf(gfp, "%s:%u", 6540 + table->name, nft_net->base_seq); 6542 6541 6543 6542 audit_log_nfcfg(buf, 6544 6543 family, 6545 6544 obj->handle, 6546 6545 event == NFT_MSG_NEWOBJ ? 6547 - AUDIT_NFT_OP_OBJ_REGISTER : 6548 - AUDIT_NFT_OP_OBJ_UNREGISTER, 6546 + AUDIT_NFT_OP_OBJ_REGISTER : 6547 + AUDIT_NFT_OP_OBJ_UNREGISTER, 6549 6548 gfp); 6550 6549 kfree(buf); 6551 6550 ··· 6565 6562 goto err; 6566 6563 } 6567 6564 6568 - nft_notify_enqueue(skb, report, &net->nft.notify_list); 6565 + nft_notify_enqueue(skb, report, &nft_net->notify_list); 6569 6566 return; 6570 6567 err: 6571 6568 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 6897 6894 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 6898 6895 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 6899 6896 6900 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 6897 + nft_trans_commit_list_add_tail(ctx->net, trans); 6901 6898 6902 6899 return 0; 6903 6900 ··· 7085 7082 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7086 7083 nft_flowtable_hook_release(&flowtable_hook); 7087 7084 7088 - list_add_tail(&trans->list, &ctx->net->nft.commit_list); 7085 + nft_trans_commit_list_add_tail(ctx->net, trans); 7089 7086 7090 7087 return 0; 7091 7088 ··· 7161 7158 struct list_head *hook_list) 7162 7159 { 7163 7160 struct nlattr *nest, *nest_devs; 7164 - struct nfgenmsg *nfmsg; 7165 7161 struct nft_hook *hook; 7166 7162 struct nlmsghdr *nlh; 7167 7163 7168 7164 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7169 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 7170 - if (nlh == NULL) 7165 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7166 + NFNETLINK_V0, nft_base_seq(net)); 7167 + if (!nlh) 7171 7168 goto nla_put_failure; 7172 - 7173 - nfmsg = nlmsg_data(nlh); 7174 - nfmsg->nfgen_family = family; 7175 - nfmsg->version = NFNETLINK_V0; 7176 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 7177 7169 7178 7170 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7179 7171 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || ··· 7217 7219 struct net *net = sock_net(skb->sk); 7218 7220 int family = nfmsg->nfgen_family; 7219 7221 struct nft_flowtable *flowtable; 7222 + struct nftables_pernet *nft_net; 7220 7223 const struct nft_table *table; 7221 7224 7222 7225 rcu_read_lock(); 7223 - cb->seq = net->nft.base_seq; 7226 + nft_net = net_generic(net, nf_tables_net_id); 7227 + cb->seq = nft_net->base_seq; 7224 7228 7225 - list_for_each_entry_rcu(table, &net->nft.tables, list) { 7229 + list_for_each_entry_rcu(table, &nft_net->tables, list) { 7226 7230 if (family != NFPROTO_UNSPEC && family != table->family) 7227 7231 continue; 7228 7232 ··· 7359 7359 struct list_head *hook_list, 7360 7360 int event) 7361 7361 { 7362 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 7362 7363 struct sk_buff *skb; 7363 7364 int err; 7364 - char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu", 7365 - flowtable->table->name, flowtable->table->handle, 7366 - flowtable->name, flowtable->handle); 7367 - 7368 - audit_log_nfcfg(buf, 7369 - ctx->family, 7370 - flowtable->hooknum, 7371 - event == NFT_MSG_NEWFLOWTABLE ? 7372 - AUDIT_NFT_OP_FLOWTABLE_REGISTER : 7373 - AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 7374 - GFP_KERNEL); 7375 - kfree(buf); 7376 7365 7377 7366 if (!ctx->report && 7378 7367 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) ··· 7379 7390 goto err; 7380 7391 } 7381 7392 7382 - nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); 7393 + nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 7383 7394 return; 7384 7395 err: 7385 7396 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); ··· 7404 7415 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7405 7416 u32 portid, u32 seq) 7406 7417 { 7418 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7407 7419 struct nlmsghdr *nlh; 7408 - struct nfgenmsg *nfmsg; 7409 7420 char buf[TASK_COMM_LEN]; 7410 7421 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7411 7422 7412 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 7413 - if (nlh == NULL) 7423 + nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 7424 + NFNETLINK_V0, nft_base_seq(net)); 7425 + if (!nlh) 7414 7426 goto nla_put_failure; 7415 7427 7416 - nfmsg = nlmsg_data(nlh); 7417 - nfmsg->nfgen_family = AF_UNSPEC; 7418 - nfmsg->version = NFNETLINK_V0; 7419 - nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 7420 - 7421 - if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 7428 + if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 7422 7429 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7423 7430 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7424 7431 goto nla_put_failure; ··· 7449 7464 { 7450 7465 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 7451 7466 struct nft_flowtable *flowtable; 7467 + struct nftables_pernet *nft_net; 7452 7468 struct nft_table *table; 7453 7469 struct net *net; 7454 7470 ··· 7457 7471 return 0; 7458 7472 7459 7473 net = dev_net(dev); 7460 - mutex_lock(&net->nft.commit_mutex); 7461 - list_for_each_entry(table, &net->nft.tables, list) { 7474 + nft_net = net_generic(net, nf_tables_net_id); 7475 + mutex_lock(&nft_net->commit_mutex); 7476 + list_for_each_entry(table, &nft_net->tables, list) { 7462 7477 list_for_each_entry(flowtable, &table->flowtables, list) { 7463 7478 nft_flowtable_event(event, dev, flowtable); 7464 7479 } 7465 7480 } 7466 - mutex_unlock(&net->nft.commit_mutex); 7481 + mutex_unlock(&nft_net->commit_mutex); 7467 7482 7468 7483 return NOTIFY_DONE; 7469 7484 } ··· 7479 7492 struct nlmsghdr *nlh = nlmsg_hdr(skb); 7480 7493 struct sk_buff *skb2; 7481 7494 int err; 7482 - 7483 - audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq, 7484 - AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL); 7485 7495 7486 7496 if (!nlmsg_report(nlh) && 7487 7497 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) ··· 7645 7661 7646 7662 static int nf_tables_validate(struct net *net) 7647 7663 { 7664 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7648 7665 struct nft_table *table; 7649 7666 7650 - switch (net->nft.validate_state) { 7667 + switch (nft_net->validate_state) { 7651 7668 case NFT_VALIDATE_SKIP: 7652 7669 break; 7653 7670 case NFT_VALIDATE_NEED: 7654 7671 nft_validate_state_update(net, NFT_VALIDATE_DO); 7655 7672 fallthrough; 7656 7673 case NFT_VALIDATE_DO: 7657 - list_for_each_entry(table, &net->nft.tables, list) { 7674 + list_for_each_entry(table, &nft_net->tables, list) { 7658 7675 if (nft_table_validate(net, table) < 0) 7659 7676 return -EAGAIN; 7660 7677 } ··· 7830 7845 7831 7846 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 7832 7847 { 7848 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7833 7849 struct nft_trans *trans, *next; 7834 7850 7835 - list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7851 + list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 7836 7852 struct nft_chain *chain = trans->ctx.chain; 7837 7853 7838 7854 if (trans->msg_type == NFT_MSG_NEWRULE || ··· 7942 7956 7943 7957 static void nf_tables_module_autoload_cleanup(struct net *net) 7944 7958 { 7959 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7945 7960 struct nft_module_request *req, *next; 7946 7961 7947 - WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); 7948 - list_for_each_entry_safe(req, next, &net->nft.module_list, list) { 7962 + WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 7963 + list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 7949 7964 WARN_ON_ONCE(!req->done); 7950 7965 list_del(&req->list); 7951 7966 kfree(req); ··· 7955 7968 7956 7969 static void nf_tables_commit_release(struct net *net) 7957 7970 { 7971 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7958 7972 struct nft_trans *trans; 7959 7973 7960 7974 /* all side effects have to be made visible. ··· 7965 7977 * Memory reclaim happens asynchronously from work queue 7966 7978 * to prevent expensive synchronize_rcu() in commit phase. 7967 7979 */ 7968 - if (list_empty(&net->nft.commit_list)) { 7980 + if (list_empty(&nft_net->commit_list)) { 7969 7981 nf_tables_module_autoload_cleanup(net); 7970 - mutex_unlock(&net->nft.commit_mutex); 7982 + mutex_unlock(&nft_net->commit_mutex); 7971 7983 return; 7972 7984 } 7973 7985 7974 - trans = list_last_entry(&net->nft.commit_list, 7986 + trans = list_last_entry(&nft_net->commit_list, 7975 7987 struct nft_trans, list); 7976 7988 get_net(trans->ctx.net); 7977 7989 WARN_ON_ONCE(trans->put_net); 7978 7990 7979 7991 trans->put_net = true; 7980 7992 spin_lock(&nf_tables_destroy_list_lock); 7981 - list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); 7993 + list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 7982 7994 spin_unlock(&nf_tables_destroy_list_lock); 7983 7995 7984 7996 nf_tables_module_autoload_cleanup(net); 7985 7997 schedule_work(&trans_destroy_work); 7986 7998 7987 - mutex_unlock(&net->nft.commit_mutex); 7999 + mutex_unlock(&nft_net->commit_mutex); 7988 8000 } 7989 8001 7990 8002 static void nft_commit_notify(struct net *net, u32 portid) 7991 8003 { 8004 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 7992 8005 struct sk_buff *batch_skb = NULL, *nskb, *skb; 7993 8006 unsigned char *data; 7994 8007 int len; 7995 8008 7996 - list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) { 8009 + list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 7997 8010 if (!batch_skb) { 7998 8011 new_batch: 7999 8012 batch_skb = skb; ··· 8020 8031 NFT_CB(batch_skb).report, GFP_KERNEL); 8021 8032 } 8022 8033 8023 - WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); 8034 + WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 8035 + } 8036 + 8037 + static int nf_tables_commit_audit_alloc(struct list_head *adl, 8038 + struct nft_table *table) 8039 + { 8040 + struct nft_audit_data *adp; 8041 + 8042 + list_for_each_entry(adp, adl, list) { 8043 + if (adp->table == table) 8044 + return 0; 8045 + } 8046 + adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8047 + if (!adp) 8048 + return -ENOMEM; 8049 + adp->table = table; 8050 + list_add(&adp->list, adl); 8051 + return 0; 8052 + } 8053 + 8054 + static void nf_tables_commit_audit_collect(struct list_head *adl, 8055 + struct nft_table *table, u32 op) 8056 + { 8057 + struct nft_audit_data *adp; 8058 + 8059 + list_for_each_entry(adp, adl, list) { 8060 + if (adp->table == table) 8061 + goto found; 8062 + } 8063 + WARN_ONCE(1, "table=%s not expected in commit list", table->name); 8064 + return; 8065 + found: 8066 + adp->entries++; 8067 + if (!adp->op || adp->op > op) 8068 + adp->op = op; 8069 + } 8070 + 8071 + #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8072 + 8073 + static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8074 + { 8075 + struct nft_audit_data *adp, *adn; 8076 + char aubuf[AUNFTABLENAMELEN]; 8077 + 8078 + list_for_each_entry_safe(adp, adn, adl, list) { 8079 + snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8080 + generation); 8081 + audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8082 + nft2audit_op[adp->op], GFP_KERNEL); 8083 + list_del(&adp->list); 8084 + kfree(adp); 8085 + } 8024 8086 } 8025 8087 8026 8088 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8027 8089 { 8090 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 8028 8091 struct nft_trans *trans, *next; 8029 8092 struct nft_trans_elem *te; 8030 8093 struct nft_chain *chain; 8031 8094 struct nft_table *table; 8095 + LIST_HEAD(adl); 8032 8096 int err; 8033 8097 8034 - if (list_empty(&net->nft.commit_list)) { 8035 - mutex_unlock(&net->nft.commit_mutex); 8098 + if (list_empty(&nft_net->commit_list)) { 8099 + mutex_unlock(&nft_net->commit_mutex); 8036 8100 return 0; 8037 8101 } 8038 8102 ··· 8098 8056 return err; 8099 8057 8100 8058 /* 1. Allocate space for next generation rules_gen_X[] */ 8101 - list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 8059 + list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8102 8060 int ret; 8103 8061 8062 + ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 8063 + if (ret) { 8064 + nf_tables_commit_chain_prepare_cancel(net); 8065 + return ret; 8066 + } 8104 8067 if (trans->msg_type == NFT_MSG_NEWRULE || 8105 8068 trans->msg_type == NFT_MSG_DELRULE) { 8106 8069 chain = trans->ctx.chain; ··· 8119 8072 } 8120 8073 8121 8074 /* step 2. Make rules_gen_X visible to packet path */ 8122 - list_for_each_entry(table, &net->nft.tables, list) { 8075 + list_for_each_entry(table, &nft_net->tables, list) { 8123 8076 list_for_each_entry(chain, &table->chains, list) 8124 8077 nf_tables_commit_chain(net, chain); 8125 8078 } ··· 8128 8081 * Bump generation counter, invalidate any dump in progress. 8129 8082 * Cannot fail after this point. 8130 8083 */ 8131 - while (++net->nft.base_seq == 0); 8084 + while (++nft_net->base_seq == 0) 8085 + ; 8132 8086 8133 8087 /* step 3. Start new generation, rules_gen_X now in use. */ 8134 8088 net->nft.gencursor = nft_gencursor_next(net); 8135 8089 8136 - list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 8090 + list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8091 + nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8092 + trans->msg_type); 8137 8093 switch (trans->msg_type) { 8138 8094 case NFT_MSG_NEWTABLE: 8139 8095 if (nft_trans_table_update(trans)) { ··· 8289 8239 8290 8240 nft_commit_notify(net, NETLINK_CB(skb).portid); 8291 8241 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8242 + nf_tables_commit_audit_log(&adl, nft_net->base_seq); 8292 8243 nf_tables_commit_release(net); 8293 8244 8294 8245 return 0; ··· 8297 8246 8298 8247 static void nf_tables_module_autoload(struct net *net) 8299 8248 { 8249 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 8300 8250 struct nft_module_request *req, *next; 8301 8251 LIST_HEAD(module_list); 8302 8252 8303 - list_splice_init(&net->nft.module_list, &module_list); 8304 - mutex_unlock(&net->nft.commit_mutex); 8253 + list_splice_init(&nft_net->module_list, &module_list); 8254 + mutex_unlock(&nft_net->commit_mutex); 8305 8255 list_for_each_entry_safe(req, next, &module_list, list) { 8306 8256 request_module("%s", req->module); 8307 8257 req->done = true; 8308 8258 } 8309 - mutex_lock(&net->nft.commit_mutex); 8310 - list_splice(&module_list, &net->nft.module_list); 8259 + mutex_lock(&nft_net->commit_mutex); 8260 + list_splice(&module_list, &nft_net->module_list); 8311 8261 } 8312 8262 8313 8263 static void nf_tables_abort_release(struct nft_trans *trans) ··· 8345 8293 8346 8294 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8347 8295 { 8296 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 8348 8297 struct nft_trans *trans, *next; 8349 8298 struct nft_trans_elem *te; 8350 8299 struct nft_hook *hook; ··· 8354 8301 nf_tables_validate(net) < 0) 8355 8302 return -EAGAIN; 8356 8303 8357 - list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, 8304 + list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 8358 8305 list) { 8359 8306 switch (trans->msg_type) { 8360 8307 case NFT_MSG_NEWTABLE: ··· 8478 8425 synchronize_rcu(); 8479 8426 8480 8427 list_for_each_entry_safe_reverse(trans, next, 8481 - &net->nft.commit_list, list) { 8428 + &nft_net->commit_list, list) { 8482 8429 list_del(&trans->list); 8483 8430 nf_tables_abort_release(trans); 8484 8431 } ··· 8499 8446 static int nf_tables_abort(struct net *net, struct sk_buff *skb, 8500 8447 enum nfnl_abort_action action) 8501 8448 { 8449 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 8502 8450 int ret = __nf_tables_abort(net, action); 8503 8451 8504 - mutex_unlock(&net->nft.commit_mutex); 8452 + mutex_unlock(&nft_net->commit_mutex); 8505 8453 8506 8454 return ret; 8507 8455 } 8508 8456 8509 8457 static bool nf_tables_valid_genid(struct net *net, u32 genid) 8510 8458 { 8459 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 8511 8460 bool genid_ok; 8512 8461 8513 - mutex_lock(&net->nft.commit_mutex); 8462 + mutex_lock(&nft_net->commit_mutex); 8514 8463 8515 - genid_ok = genid == 0 || net->nft.base_seq == genid; 8464 + genid_ok = genid == 0 || nft_net->base_seq == genid; 8516 8465 if (!genid_ok) 8517 - mutex_unlock(&net->nft.commit_mutex); 8466 + mutex_unlock(&nft_net->commit_mutex); 8518 8467 8519 8468 /* else, commit mutex has to be released by commit or abort function */ 8520 8469 return genid_ok; ··· 8692 8637 } 8693 8638 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 8694 8639 8695 - /** 8696 - * nft_parse_register - parse a register value from a netlink attribute 8697 - * 8698 - * @attr: netlink attribute 8699 - * 8700 - * Parse and translate a register value from a netlink attribute. 8701 - * Registers used to be 128 bit wide, these register numbers will be 8702 - * mapped to the corresponding 32 bit register numbers. 8703 - */ 8704 8640 static unsigned int nft_parse_register(const struct nlattr *attr) 8705 8641 { 8706 8642 unsigned int reg; ··· 8727 8681 } 8728 8682 EXPORT_SYMBOL_GPL(nft_dump_register); 8729 8683 8730 - /** 8731 - * nft_validate_register_load - validate a load from a register 8732 - * 8733 - * @reg: the register number 8734 - * @len: the length of the data 8735 - * 8736 - * Validate that the input register is one of the general purpose 8737 - * registers and that the length of the load is within the bounds. 8738 - */ 8739 8684 static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 8740 8685 { 8741 8686 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) ··· 8754 8717 } 8755 8718 EXPORT_SYMBOL_GPL(nft_parse_register_load); 8756 8719 8757 - /** 8758 - * nft_validate_register_store - validate an expressions' register store 8759 - * 8760 - * @ctx: context of the expression performing the load 8761 - * @reg: the destination register number 8762 - * @data: the data to load 8763 - * @type: the data type 8764 - * @len: the length of the data 8765 - * 8766 - * Validate that a data load uses the appropriate data type for 8767 - * the destination register and the length is within the bounds. 8768 - * A value of NULL for the data means that its runtime gathered 8769 - * data. 8770 - */ 8771 8720 static int nft_validate_register_store(const struct nft_ctx *ctx, 8772 8721 enum nft_registers reg, 8773 8722 const struct nft_data *data, ··· 9071 9048 9072 9049 static void __nft_release_hooks(struct net *net) 9073 9050 { 9051 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 9074 9052 struct nft_table *table; 9075 9053 9076 - list_for_each_entry(table, &net->nft.tables, list) { 9054 + list_for_each_entry(table, &nft_net->tables, list) { 9077 9055 if (nft_table_has_owner(table)) 9078 9056 continue; 9079 9057 ··· 9131 9107 9132 9108 static void __nft_release_tables(struct net *net) 9133 9109 { 9110 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 9134 9111 struct nft_table *table, *nt; 9135 9112 9136 - list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 9113 + list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9137 9114 if (nft_table_has_owner(table)) 9138 9115 continue; 9139 9116 ··· 9145 9120 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9146 9121 void *ptr) 9147 9122 { 9123 + struct nftables_pernet *nft_net; 9148 9124 struct netlink_notify *n = ptr; 9149 9125 struct nft_table *table, *nt; 9150 9126 struct net *net = n->net; ··· 9154 9128 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9155 9129 return NOTIFY_DONE; 9156 9130 9157 - mutex_lock(&net->nft.commit_mutex); 9158 - list_for_each_entry(table, &net->nft.tables, list) { 9131 + nft_net = net_generic(net, nf_tables_net_id); 9132 + mutex_lock(&nft_net->commit_mutex); 9133 + list_for_each_entry(table, &nft_net->tables, list) { 9159 9134 if (nft_table_has_owner(table) && 9160 9135 n->portid == table->nlpid) { 9161 9136 __nft_release_hook(net, table); ··· 9165 9138 } 9166 9139 if (release) { 9167 9140 synchronize_rcu(); 9168 - list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 9141 + list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9169 9142 if (nft_table_has_owner(table) && 9170 9143 n->portid == table->nlpid) 9171 9144 __nft_release_table(net, table); 9172 9145 } 9173 9146 } 9174 - mutex_unlock(&net->nft.commit_mutex); 9147 + mutex_unlock(&nft_net->commit_mutex); 9175 9148 9176 9149 return NOTIFY_DONE; 9177 9150 } ··· 9182 9155 9183 9156 static int __net_init nf_tables_init_net(struct net *net) 9184 9157 { 9185 - INIT_LIST_HEAD(&net->nft.tables); 9186 - INIT_LIST_HEAD(&net->nft.commit_list); 9187 - INIT_LIST_HEAD(&net->nft.module_list); 9188 - INIT_LIST_HEAD(&net->nft.notify_list); 9189 - mutex_init(&net->nft.commit_mutex); 9190 - net->nft.base_seq = 1; 9191 - net->nft.validate_state = NFT_VALIDATE_SKIP; 9158 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 9159 + 9160 + INIT_LIST_HEAD(&nft_net->tables); 9161 + INIT_LIST_HEAD(&nft_net->commit_list); 9162 + INIT_LIST_HEAD(&nft_net->module_list); 9163 + INIT_LIST_HEAD(&nft_net->notify_list); 9164 + mutex_init(&nft_net->commit_mutex); 9165 + nft_net->base_seq = 1; 9166 + nft_net->validate_state = NFT_VALIDATE_SKIP; 9192 9167 9193 9168 return 0; 9194 9169 } ··· 9202 9173 9203 9174 static void __net_exit nf_tables_exit_net(struct net *net) 9204 9175 { 9205 - mutex_lock(&net->nft.commit_mutex); 9206 - if (!list_empty(&net->nft.commit_list)) 9176 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 9177 + 9178 + mutex_lock(&nft_net->commit_mutex); 9179 + if (!list_empty(&nft_net->commit_list)) 9207 9180 __nf_tables_abort(net, NFNL_ABORT_NONE); 9208 9181 __nft_release_tables(net); 9209 - mutex_unlock(&net->nft.commit_mutex); 9210 - WARN_ON_ONCE(!list_empty(&net->nft.tables)); 9211 - WARN_ON_ONCE(!list_empty(&net->nft.module_list)); 9212 - WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); 9182 + mutex_unlock(&nft_net->commit_mutex); 9183 + WARN_ON_ONCE(!list_empty(&nft_net->tables)); 9184 + WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 9185 + WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9213 9186 } 9214 9187 9215 9188 static struct pernet_operations nf_tables_net_ops = { 9216 9189 .init = nf_tables_init_net, 9217 9190 .pre_exit = nf_tables_pre_exit_net, 9218 9191 .exit = nf_tables_exit_net, 9192 + .id = &nf_tables_net_id, 9193 + .size = sizeof(struct nftables_pernet), 9219 9194 }; 9220 9195 9221 9196 static int __init nf_tables_module_init(void) 9222 9197 { 9223 9198 int err; 9224 9199 9225 - spin_lock_init(&nf_tables_destroy_list_lock); 9226 9200 err = register_pernet_subsys(&nf_tables_net_ops); 9227 9201 if (err < 0) 9228 9202 return err;
+19 -11
net/netfilter/nf_tables_offload.c
··· 7 7 #include <net/netfilter/nf_tables_offload.h> 8 8 #include <net/pkt_cls.h> 9 9 10 + extern unsigned int nf_tables_net_id; 11 + 10 12 static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions) 11 13 { 12 14 struct nft_flow_rule *flow; ··· 309 307 struct nft_base_chain *basechain = block_cb->indr.data; 310 308 struct net_device *dev = block_cb->indr.dev; 311 309 struct netlink_ext_ack extack = {}; 310 + struct nftables_pernet *nft_net; 312 311 struct net *net = dev_net(dev); 313 312 struct flow_block_offload bo; 314 313 315 314 nft_flow_block_offload_init(&bo, dev_net(dev), FLOW_BLOCK_UNBIND, 316 315 basechain, &extack); 317 - mutex_lock(&net->nft.commit_mutex); 316 + nft_net = net_generic(net, nf_tables_net_id); 317 + mutex_lock(&nft_net->commit_mutex); 318 318 list_del(&block_cb->driver_list); 319 319 list_move(&block_cb->list, &bo.cb_list); 320 320 nft_flow_offload_unbind(&bo, basechain); 321 - mutex_unlock(&net->nft.commit_mutex); 321 + mutex_unlock(&nft_net->commit_mutex); 322 322 } 323 323 324 324 static int nft_indr_block_offload_cmd(struct nft_base_chain *basechain, ··· 416 412 static void nft_flow_rule_offload_abort(struct net *net, 417 413 struct nft_trans *trans) 418 414 { 415 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 419 416 int err = 0; 420 417 421 - list_for_each_entry_continue_reverse(trans, &net->nft.commit_list, list) { 418 + list_for_each_entry_continue_reverse(trans, &nft_net->commit_list, list) { 422 419 if (trans->ctx.family != NFPROTO_NETDEV) 423 420 continue; 424 421 ··· 465 460 466 461 int nft_flow_rule_offload_commit(struct net *net) 467 462 { 463 + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); 468 464 struct nft_trans *trans; 469 465 int err = 0; 470 466 u8 policy; 471 467 472 - list_for_each_entry(trans, &net->nft.commit_list, list) { 468 + list_for_each_entry(trans, &nft_net->commit_list, list) { 473 469 if (trans->ctx.family != NFPROTO_NETDEV) 474 470 continue; 475 471 ··· 522 516 } 523 517 } 524 518 525 - list_for_each_entry(trans, &net->nft.commit_list, list) { 519 + list_for_each_entry(trans, &nft_net->commit_list, list) { 526 520 if (trans->ctx.family != NFPROTO_NETDEV) 527 521 continue; 528 522 ··· 542 536 return err; 543 537 } 544 538 545 - static struct nft_chain *__nft_offload_get_chain(struct net_device *dev) 539 + static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *nft_net, 540 + struct net_device *dev) 546 541 { 547 542 struct nft_base_chain *basechain; 548 - struct net *net = dev_net(dev); 549 543 struct nft_hook *hook, *found; 550 544 const struct nft_table *table; 551 545 struct nft_chain *chain; 552 546 553 - list_for_each_entry(table, &net->nft.tables, list) { 547 + list_for_each_entry(table, &nft_net->tables, list) { 554 548 if (table->family != NFPROTO_NETDEV) 555 549 continue; 556 550 ··· 582 576 unsigned long event, void *ptr) 583 577 { 584 578 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 579 + struct nftables_pernet *nft_net; 585 580 struct net *net = dev_net(dev); 586 581 struct nft_chain *chain; 587 582 588 583 if (event != NETDEV_UNREGISTER) 589 584 return NOTIFY_DONE; 590 585 591 - mutex_lock(&net->nft.commit_mutex); 592 - chain = __nft_offload_get_chain(dev); 586 + nft_net = net_generic(net, nf_tables_net_id); 587 + mutex_lock(&nft_net->commit_mutex); 588 + chain = __nft_offload_get_chain(nft_net, dev); 593 589 if (chain) 594 590 nft_flow_block_chain(nft_base_chain(chain), dev, 595 591 FLOW_BLOCK_UNBIND); 596 592 597 - mutex_unlock(&net->nft.commit_mutex); 593 + mutex_unlock(&nft_net->commit_mutex); 598 594 599 595 return NOTIFY_DONE; 600 596 }
+2 -7
net/netfilter/nf_tables_trace.c
··· 183 183 void nft_trace_notify(struct nft_traceinfo *info) 184 184 { 185 185 const struct nft_pktinfo *pkt = info->pkt; 186 - struct nfgenmsg *nfmsg; 187 186 struct nlmsghdr *nlh; 188 187 struct sk_buff *skb; 189 188 unsigned int size; ··· 218 219 return; 219 220 220 221 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_TRACE); 221 - nlh = nlmsg_put(skb, 0, 0, event, sizeof(struct nfgenmsg), 0); 222 + nlh = nfnl_msg_put(skb, 0, 0, event, 0, info->basechain->type->family, 223 + NFNETLINK_V0, 0); 222 224 if (!nlh) 223 225 goto nla_put_failure; 224 - 225 - nfmsg = nlmsg_data(nlh); 226 - nfmsg->nfgen_family = info->basechain->type->family; 227 - nfmsg->version = NFNETLINK_V0; 228 - nfmsg->res_id = 0; 229 226 230 227 if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt)))) 231 228 goto nla_put_failure;
+50 -17
net/netfilter/nfnetlink.c
··· 28 28 #include <linux/sched/signal.h> 29 29 30 30 #include <net/netlink.h> 31 + #include <net/netns/generic.h> 31 32 #include <linux/netfilter/nfnetlink.h> 32 33 33 34 MODULE_LICENSE("GPL"); ··· 41 40 lockdep_nfnl_is_held((id))) 42 41 43 42 #define NFNL_MAX_ATTR_COUNT 32 43 + 44 + static unsigned int nfnetlink_pernet_id __read_mostly; 45 + 46 + struct nfnl_net { 47 + struct sock *nfnl; 48 + }; 44 49 45 50 static struct { 46 51 struct mutex mutex; ··· 81 74 [NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT, 82 75 [NFNLGRP_NFTRACE] = NFNL_SUBSYS_NFTABLES, 83 76 }; 77 + 78 + static struct nfnl_net *nfnl_pernet(struct net *net) 79 + { 80 + return net_generic(net, nfnetlink_pernet_id); 81 + } 84 82 85 83 void nfnl_lock(__u8 subsys_id) 86 84 { ··· 161 149 162 150 int nfnetlink_has_listeners(struct net *net, unsigned int group) 163 151 { 164 - return netlink_has_listeners(net->nfnl, group); 152 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 153 + 154 + return netlink_has_listeners(nfnlnet->nfnl, group); 165 155 } 166 156 EXPORT_SYMBOL_GPL(nfnetlink_has_listeners); 167 157 168 158 int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid, 169 159 unsigned int group, int echo, gfp_t flags) 170 160 { 171 - return nlmsg_notify(net->nfnl, skb, portid, group, echo, flags); 161 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 162 + 163 + return nlmsg_notify(nfnlnet->nfnl, skb, portid, group, echo, flags); 172 164 } 173 165 EXPORT_SYMBOL_GPL(nfnetlink_send); 174 166 175 167 int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error) 176 168 { 177 - return netlink_set_err(net->nfnl, portid, group, error); 169 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 170 + 171 + return netlink_set_err(nfnlnet->nfnl, portid, group, error); 178 172 } 179 173 EXPORT_SYMBOL_GPL(nfnetlink_set_err); 180 174 181 175 int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid) 182 176 { 177 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 183 178 int err; 184 179 185 - err = nlmsg_unicast(net->nfnl, skb, portid); 180 + err = nlmsg_unicast(nfnlnet->nfnl, skb, portid); 186 181 if (err == -EAGAIN) 187 182 err = -ENOBUFS; 188 183 189 184 return err; 190 185 } 191 186 EXPORT_SYMBOL_GPL(nfnetlink_unicast); 187 + 188 + void nfnetlink_broadcast(struct net *net, struct sk_buff *skb, __u32 portid, 189 + __u32 group, gfp_t allocation) 190 + { 191 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 192 + 193 + netlink_broadcast(nfnlnet->nfnl, skb, portid, group, allocation); 194 + } 195 + EXPORT_SYMBOL_GPL(nfnetlink_broadcast); 192 196 193 197 /* Process one complete nfnetlink message. */ 194 198 static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, ··· 222 194 type = nlh->nlmsg_type; 223 195 replay: 224 196 rcu_read_lock(); 197 + 225 198 ss = nfnetlink_get_subsys(type); 226 199 if (!ss) { 227 200 #ifdef CONFIG_MODULES ··· 246 217 247 218 { 248 219 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg)); 220 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 249 221 u8 cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type); 250 222 struct nlattr *cda[NFNL_MAX_ATTR_COUNT + 1]; 251 223 struct nlattr *attr = (void *)nlh + min_len; ··· 268 238 } 269 239 270 240 if (nc->call_rcu) { 271 - err = nc->call_rcu(net, net->nfnl, skb, nlh, 241 + err = nc->call_rcu(net, nfnlnet->nfnl, skb, nlh, 272 242 (const struct nlattr **)cda, 273 243 extack); 274 244 rcu_read_unlock(); ··· 279 249 nfnetlink_find_client(type, ss) != nc) 280 250 err = -EAGAIN; 281 251 else if (nc->call) 282 - err = nc->call(net, net->nfnl, skb, nlh, 252 + err = nc->call(net, nfnlnet->nfnl, skb, nlh, 283 253 (const struct nlattr **)cda, 284 254 extack); 285 255 else ··· 483 453 goto ack; 484 454 485 455 if (nc->call_batch) { 486 - err = nc->call_batch(net, net->nfnl, skb, nlh, 456 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 457 + 458 + err = nc->call_batch(net, nfnlnet->nfnl, skb, nlh, 487 459 (const struct nlattr **)cda, 488 460 &extack); 489 461 } ··· 654 622 655 623 static int __net_init nfnetlink_net_init(struct net *net) 656 624 { 657 - struct sock *nfnl; 625 + struct nfnl_net *nfnlnet = nfnl_pernet(net); 658 626 struct netlink_kernel_cfg cfg = { 659 627 .groups = NFNLGRP_MAX, 660 628 .input = nfnetlink_rcv, ··· 663 631 #endif 664 632 }; 665 633 666 - nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, &cfg); 667 - if (!nfnl) 634 + nfnlnet->nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, &cfg); 635 + if (!nfnlnet->nfnl) 668 636 return -ENOMEM; 669 - net->nfnl_stash = nfnl; 670 - rcu_assign_pointer(net->nfnl, nfnl); 671 637 return 0; 672 638 } 673 639 674 640 static void __net_exit nfnetlink_net_exit_batch(struct list_head *net_exit_list) 675 641 { 642 + struct nfnl_net *nfnlnet; 676 643 struct net *net; 677 644 678 - list_for_each_entry(net, net_exit_list, exit_list) 679 - RCU_INIT_POINTER(net->nfnl, NULL); 680 - synchronize_net(); 681 - list_for_each_entry(net, net_exit_list, exit_list) 682 - netlink_kernel_release(net->nfnl_stash); 645 + list_for_each_entry(net, net_exit_list, exit_list) { 646 + nfnlnet = nfnl_pernet(net); 647 + 648 + netlink_kernel_release(nfnlnet->nfnl); 649 + } 683 650 } 684 651 685 652 static struct pernet_operations nfnetlink_net_ops = { 686 653 .init = nfnetlink_net_init, 687 654 .exit_batch = nfnetlink_net_exit_batch, 655 + .id = &nfnetlink_pernet_id, 656 + .size = sizeof(struct nfnl_net), 688 657 }; 689 658 690 659 static int __init nfnetlink_init(void)
+8 -3
net/netfilter/nft_chain_filter.c
··· 2 2 #include <linux/kernel.h> 3 3 #include <linux/netdevice.h> 4 4 #include <net/net_namespace.h> 5 + #include <net/netns/generic.h> 5 6 #include <net/netfilter/nf_tables.h> 6 7 #include <linux/netfilter_ipv4.h> 7 8 #include <linux/netfilter_ipv6.h> ··· 10 9 #include <linux/netfilter_arp.h> 11 10 #include <net/netfilter/nf_tables_ipv4.h> 12 11 #include <net/netfilter/nf_tables_ipv6.h> 12 + 13 + extern unsigned int nf_tables_net_id; 13 14 14 15 #ifdef CONFIG_NF_TABLES_IPV4 15 16 static unsigned int nft_do_chain_ipv4(void *priv, ··· 358 355 unsigned long event, void *ptr) 359 356 { 360 357 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 358 + struct nftables_pernet *nft_net; 361 359 struct nft_table *table; 362 360 struct nft_chain *chain, *nr; 363 361 struct nft_ctx ctx = { ··· 369 365 event != NETDEV_CHANGENAME) 370 366 return NOTIFY_DONE; 371 367 372 - mutex_lock(&ctx.net->nft.commit_mutex); 373 - list_for_each_entry(table, &ctx.net->nft.tables, list) { 368 + nft_net = net_generic(ctx.net, nf_tables_net_id); 369 + mutex_lock(&nft_net->commit_mutex); 370 + list_for_each_entry(table, &nft_net->tables, list) { 374 371 if (table->family != NFPROTO_NETDEV) 375 372 continue; 376 373 ··· 385 380 nft_netdev_event(event, dev, &ctx); 386 381 } 387 382 } 388 - mutex_unlock(&ctx.net->nft.commit_mutex); 383 + mutex_unlock(&nft_net->commit_mutex); 389 384 390 385 return NOTIFY_DONE; 391 386 }
+3 -8
net/netfilter/nft_compat.c
··· 591 591 int rev, int target) 592 592 { 593 593 struct nlmsghdr *nlh; 594 - struct nfgenmsg *nfmsg; 595 594 unsigned int flags = portid ? NLM_F_MULTI : 0; 596 595 597 596 event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event); 598 - nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 599 - if (nlh == NULL) 597 + nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 598 + NFNETLINK_V0, 0); 599 + if (!nlh) 600 600 goto nlmsg_failure; 601 - 602 - nfmsg = nlmsg_data(nlh); 603 - nfmsg->nfgen_family = family; 604 - nfmsg->version = NFNETLINK_V0; 605 - nfmsg->res_id = 0; 606 601 607 602 if (nla_put_string(skb, NFTA_COMPAT_NAME, name) || 608 603 nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
+5 -1
net/netfilter/nft_dynset.c
··· 11 11 #include <linux/netfilter/nf_tables.h> 12 12 #include <net/netfilter/nf_tables.h> 13 13 #include <net/netfilter/nf_tables_core.h> 14 + #include <net/netns/generic.h> 15 + 16 + extern unsigned int nf_tables_net_id; 14 17 15 18 struct nft_dynset { 16 19 struct nft_set *set; ··· 164 161 const struct nft_expr *expr, 165 162 const struct nlattr * const tb[]) 166 163 { 164 + struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); 167 165 struct nft_dynset *priv = nft_expr_priv(expr); 168 166 u8 genmask = nft_genmask_next(ctx->net); 169 167 struct nft_set *set; 170 168 u64 timeout; 171 169 int err, i; 172 170 173 - lockdep_assert_held(&ctx->net->nft.commit_mutex); 171 + lockdep_assert_held(&nft_net->commit_mutex); 174 172 175 173 if (tb[NFTA_DYNSET_SET_NAME] == NULL || 176 174 tb[NFTA_DYNSET_OP] == NULL ||
+19 -1
net/netfilter/nft_log.c
··· 128 128 [NFTA_LOG_FLAGS] = { .type = NLA_U32 }, 129 129 }; 130 130 131 + static int nft_log_modprobe(struct net *net, enum nf_log_type t) 132 + { 133 + switch (t) { 134 + case NF_LOG_TYPE_LOG: 135 + return nft_request_module(net, "%s", "nf_log_syslog"); 136 + case NF_LOG_TYPE_ULOG: 137 + return nft_request_module(net, "%s", "nfnetlink_log"); 138 + case NF_LOG_TYPE_MAX: 139 + break; 140 + } 141 + 142 + return -ENOENT; 143 + } 144 + 131 145 static int nft_log_init(const struct nft_ctx *ctx, 132 146 const struct nft_expr *expr, 133 147 const struct nlattr * const tb[]) ··· 211 197 return 0; 212 198 213 199 err = nf_logger_find_get(ctx->family, li->type); 214 - if (err < 0) 200 + if (err < 0) { 201 + if (nft_log_modprobe(ctx->net, li->type) == -EAGAIN) 202 + err = -EAGAIN; 203 + 215 204 goto err1; 205 + } 216 206 217 207 return 0; 218 208
+33 -13
net/netfilter/x_tables.c
··· 24 24 #include <linux/audit.h> 25 25 #include <linux/user_namespace.h> 26 26 #include <net/net_namespace.h> 27 + #include <net/netns/generic.h> 27 28 28 29 #include <linux/netfilter/x_tables.h> 29 30 #include <linux/netfilter_arp.h> ··· 38 37 39 38 #define XT_PCPU_BLOCK_SIZE 4096 40 39 #define XT_MAX_TABLE_SIZE (512 * 1024 * 1024) 40 + 41 + struct xt_pernet { 42 + struct list_head tables[NFPROTO_NUMPROTO]; 43 + }; 41 44 42 45 struct compat_delta { 43 46 unsigned int offset; /* offset in kernel */ ··· 60 55 #endif 61 56 }; 62 57 63 - static struct xt_af *xt; 58 + static unsigned int xt_pernet_id __read_mostly; 59 + static struct xt_af *xt __read_mostly; 64 60 65 61 static const char *const xt_prefix[NFPROTO_NUMPROTO] = { 66 62 [NFPROTO_UNSPEC] = "x", ··· 1209 1203 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, 1210 1204 const char *name) 1211 1205 { 1206 + struct xt_pernet *xt_net = net_generic(net, xt_pernet_id); 1212 1207 struct xt_table *t, *found = NULL; 1213 1208 1214 1209 mutex_lock(&xt[af].mutex); 1215 - list_for_each_entry(t, &net->xt.tables[af], list) 1210 + list_for_each_entry(t, &xt_net->tables[af], list) 1216 1211 if (strcmp(t->name, name) == 0 && try_module_get(t->me)) 1217 1212 return t; 1218 1213 ··· 1221 1214 goto out; 1222 1215 1223 1216 /* Table doesn't exist in this netns, re-try init */ 1224 - list_for_each_entry(t, &init_net.xt.tables[af], list) { 1217 + xt_net = net_generic(&init_net, xt_pernet_id); 1218 + list_for_each_entry(t, &xt_net->tables[af], list) { 1225 1219 int err; 1226 1220 1227 1221 if (strcmp(t->name, name)) ··· 1245 1237 if (!found) 1246 1238 goto out; 1247 1239 1240 + xt_net = net_generic(net, xt_pernet_id); 1248 1241 /* and once again: */ 1249 - list_for_each_entry(t, &net->xt.tables[af], list) 1242 + list_for_each_entry(t, &xt_net->tables[af], list) 1250 1243 if (strcmp(t->name, name) == 0) 1251 1244 return t; 1252 1245 ··· 1432 1423 struct xt_table_info *bootstrap, 1433 1424 struct xt_table_info *newinfo) 1434 1425 { 1435 - int ret; 1426 + struct xt_pernet *xt_net = net_generic(net, xt_pernet_id); 1436 1427 struct xt_table_info *private; 1437 1428 struct xt_table *t, *table; 1429 + int ret; 1438 1430 1439 1431 /* Don't add one object to multiple lists. */ 1440 1432 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); ··· 1446 1436 1447 1437 mutex_lock(&xt[table->af].mutex); 1448 1438 /* Don't autoload: we'd eat our tail... */ 1449 - list_for_each_entry(t, &net->xt.tables[table->af], list) { 1439 + list_for_each_entry(t, &xt_net->tables[table->af], list) { 1450 1440 if (strcmp(t->name, table->name) == 0) { 1451 1441 ret = -EEXIST; 1452 1442 goto unlock; ··· 1465 1455 /* save number of initial entries */ 1466 1456 private->initial_entries = private->number; 1467 1457 1468 - list_add(&table->list, &net->xt.tables[table->af]); 1458 + list_add(&table->list, &xt_net->tables[table->af]); 1469 1459 mutex_unlock(&xt[table->af].mutex); 1470 1460 return table; 1471 1461 ··· 1496 1486 #ifdef CONFIG_PROC_FS 1497 1487 static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos) 1498 1488 { 1489 + u8 af = (unsigned long)PDE_DATA(file_inode(seq->file)); 1499 1490 struct net *net = seq_file_net(seq); 1500 - u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file)); 1491 + struct xt_pernet *xt_net; 1492 + 1493 + xt_net = net_generic(net, xt_pernet_id); 1501 1494 1502 1495 mutex_lock(&xt[af].mutex); 1503 - return seq_list_start(&net->xt.tables[af], *pos); 1496 + return seq_list_start(&xt_net->tables[af], *pos); 1504 1497 } 1505 1498 1506 1499 static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos) 1507 1500 { 1501 + u8 af = (unsigned long)PDE_DATA(file_inode(seq->file)); 1508 1502 struct net *net = seq_file_net(seq); 1509 - u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file)); 1503 + struct xt_pernet *xt_net; 1510 1504 1511 - return seq_list_next(v, &net->xt.tables[af], pos); 1505 + xt_net = net_generic(net, xt_pernet_id); 1506 + 1507 + return seq_list_next(v, &xt_net->tables[af], pos); 1512 1508 } 1513 1509 1514 1510 static void xt_table_seq_stop(struct seq_file *seq, void *v) ··· 1880 1864 1881 1865 static int __net_init xt_net_init(struct net *net) 1882 1866 { 1867 + struct xt_pernet *xt_net = net_generic(net, xt_pernet_id); 1883 1868 int i; 1884 1869 1885 1870 for (i = 0; i < NFPROTO_NUMPROTO; i++) 1886 - INIT_LIST_HEAD(&net->xt.tables[i]); 1871 + INIT_LIST_HEAD(&xt_net->tables[i]); 1887 1872 return 0; 1888 1873 } 1889 1874 1890 1875 static void __net_exit xt_net_exit(struct net *net) 1891 1876 { 1877 + struct xt_pernet *xt_net = net_generic(net, xt_pernet_id); 1892 1878 int i; 1893 1879 1894 1880 for (i = 0; i < NFPROTO_NUMPROTO; i++) 1895 - WARN_ON_ONCE(!list_empty(&net->xt.tables[i])); 1881 + WARN_ON_ONCE(!list_empty(&xt_net->tables[i])); 1896 1882 } 1897 1883 1898 1884 static struct pernet_operations xt_net_ops = { 1899 1885 .init = xt_net_init, 1900 1886 .exit = xt_net_exit, 1887 + .id = &xt_pernet_id, 1888 + .size = sizeof(struct xt_pernet), 1901 1889 }; 1902 1890 1903 1891 static int __init xt_init(void)
+1
net/netfilter/xt_LOG.c
··· 108 108 MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging"); 109 109 MODULE_ALIAS("ipt_LOG"); 110 110 MODULE_ALIAS("ip6t_LOG"); 111 + MODULE_SOFTDEP("pre: nf_log_syslog");
+1
net/netfilter/xt_NFLOG.c
··· 79 79 80 80 module_init(nflog_tg_init); 81 81 module_exit(nflog_tg_exit); 82 + MODULE_SOFTDEP("pre: nfnetlink_log");
+1
net/netfilter/xt_TRACE.c
··· 52 52 53 53 module_init(trace_tg_init); 54 54 module_exit(trace_tg_exit); 55 + MODULE_SOFTDEP("pre: nf_log_syslog");