netfilter: nfnetlink_log: allow to attach conntrack

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch enables to include the conntrack information together
with the packet that is sent to user-space via NFLOG, then a
user-space program can acquire NATed information by this NFULA_CT
attribute.

Including the conntrack information is optional, you can set it
via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute
like NFQUEUE.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Ken-ichirou MATSUZAWA and committed by

Pablo Neira Ayuso 10 years ago a29a9a58 224a0597

+40 -9

3 changed files

expand all

include

uapi

linux

netfilter

nfnetlink_log.h

net

netfilter

Kconfig

nfnetlink_log.c

include/uapi/linux/netfilter/nfnetlink_log.h

··· 51 51 NFULA_HWTYPE, /* hardware type */ 52 52 NFULA_HWHEADER, /* hardware header */ 53 53 NFULA_HWLEN, /* hardware header length */ 54 + NFULA_CT, /* nf_conntrack_netlink.h */ 55 + NFULA_CT_INFO, /* enum ip_conntrack_info */ 54 56 55 57 __NFULA_MAX 56 58 }; ··· 95 93 96 94 #define NFULNL_CFG_F_SEQ 0x0001 97 95 #define NFULNL_CFG_F_SEQ_GLOBAL 0x0002 96 + #define NFULNL_CFG_F_CONNTRACK 0x0004 98 97 99 98 #endif /* _NFNETLINK_LOG_H */

+5 -4

net/netfilter/Kconfig

··· 363 363 If unsure, say `N'. 364 364 365 365 config NETFILTER_NETLINK_GLUE_CT 366 - bool "NFQUEUE integration with Connection Tracking" 366 + bool "NFQUEUE and NFLOG integration with Connection Tracking" 367 367 default n 368 - depends on NETFILTER_NETLINK_QUEUE && NF_CT_NETLINK 368 + depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 369 369 help 370 - If this option is enabled, NFQUEUE can include Connection Tracking 371 - information together with the packet is the enqueued via NFNETLINK. 370 + If this option is enabled, NFQUEUE and NFLOG can include 371 + Connection Tracking information together with the packet is 372 + the enqueued via NFNETLINK. 372 373 373 374 config NF_NAT 374 375 tristate

+32 -5

net/netfilter/nfnetlink_log.c

··· 27 27 #include <net/netlink.h> 28 28 #include <linux/netfilter/nfnetlink.h> 29 29 #include <linux/netfilter/nfnetlink_log.h> 30 + #include <linux/netfilter/nf_conntrack_common.h> 30 31 #include <linux/spinlock.h> 31 32 #include <linux/sysctl.h> 32 33 #include <linux/proc_fs.h> ··· 402 401 unsigned int hooknum, 403 402 const struct net_device *indev, 404 403 const struct net_device *outdev, 405 - const char *prefix, unsigned int plen) 404 + const char *prefix, unsigned int plen, 405 + const struct nfnl_ct_hook *nfnl_ct, 406 + struct nf_conn *ct, enum ip_conntrack_info ctinfo) 406 407 { 407 408 struct nfulnl_msg_packet_hdr pmsg; 408 409 struct nlmsghdr *nlh; ··· 578 575 htonl(atomic_inc_return(&log->global_seq)))) 579 576 goto nla_put_failure; 580 577 578 + if (ct && nfnl_ct->build(inst->skb, ct, ctinfo, 579 + NFULA_CT, NFULA_CT_INFO) < 0) 580 + goto nla_put_failure; 581 + 581 582 if (data_len) { 582 583 struct nlattr *nla; 583 584 int size = nla_attr_size(data_len); ··· 627 620 const struct nf_loginfo *li_user, 628 621 const char *prefix) 629 622 { 630 - unsigned int size, data_len; 623 + size_t size; 624 + unsigned int data_len; 631 625 struct nfulnl_instance *inst; 632 626 const struct nf_loginfo *li; 633 627 unsigned int qthreshold; 634 628 unsigned int plen; 635 629 struct nfnl_log_net *log = nfnl_log_pernet(net); 630 + const struct nfnl_ct_hook *nfnl_ct = NULL; 631 + struct nf_conn *ct = NULL; 632 + enum ip_conntrack_info uninitialized_var(ctinfo); 636 633 637 634 if (li_user && li_user->type == NF_LOG_TYPE_ULOG) 638 635 li = li_user; ··· 682 671 size += nla_total_size(sizeof(u_int32_t)); 683 672 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) 684 673 size += nla_total_size(sizeof(u_int32_t)); 674 + if (inst->flags & NFULNL_CFG_F_CONNTRACK) { 675 + nfnl_ct = rcu_dereference(nfnl_ct_hook); 676 + if (nfnl_ct != NULL) { 677 + ct = nfnl_ct->get_ct(skb, &ctinfo); 678 + if (ct != NULL) 679 + size += nfnl_ct->build_size(ct); 680 + } 681 + } 685 682 686 683 qthreshold = inst->qthreshold; 687 684 /* per-rule qthreshold overrides per-instance */ ··· 734 715 inst->qlen++; 735 716 736 717 __build_packet_message(log, inst, skb, data_len, pf, 737 - hooknum, in, out, prefix, plen); 718 + hooknum, in, out, prefix, plen, 719 + nfnl_ct, ct, ctinfo); 738 720 739 721 if (inst->qlen >= qthreshold) 740 722 __nfulnl_flush(inst); ··· 919 899 } 920 900 921 901 if (nfula[NFULA_CFG_FLAGS]) { 922 - __be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]); 902 + u16 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS])); 923 903 924 904 if (!inst) { 925 905 ret = -ENODEV; 926 906 goto out; 927 907 } 928 - nfulnl_set_flags(inst, ntohs(flags)); 908 + 909 + if (flags & NFULNL_CFG_F_CONNTRACK && 910 + rcu_access_pointer(nfnl_ct_hook) == NULL) { 911 + ret = -EOPNOTSUPP; 912 + goto out; 913 + } 914 + 915 + nfulnl_set_flags(inst, flags); 929 916 } 930 917 931 918 out_put: