Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

+24 -2

include/net/netfilter/nf_conntrack_ecache.h

··· 18 18 u16 ctmask; /* bitmask of ct events to be delivered */ 19 19 u16 expmask; /* bitmask of expect events to be delivered */ 20 20 u32 portid; /* netlink portid of destroyer */ 21 - struct timer_list timeout; 22 21 }; 23 22 24 23 static inline struct nf_conntrack_ecache * ··· 215 216 216 217 int nf_conntrack_ecache_init(void); 217 218 void nf_conntrack_ecache_fini(void); 218 - #else /* CONFIG_NF_CONNTRACK_EVENTS */ 219 219 220 + static inline void nf_conntrack_ecache_delayed_work(struct net *net) 221 + { 222 + if (!delayed_work_pending(&net->ct.ecache_dwork)) { 223 + schedule_delayed_work(&net->ct.ecache_dwork, HZ); 224 + net->ct.ecache_dwork_pending = true; 225 + } 226 + } 227 + 228 + static inline void nf_conntrack_ecache_work(struct net *net) 229 + { 230 + if (net->ct.ecache_dwork_pending) { 231 + net->ct.ecache_dwork_pending = false; 232 + mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0); 233 + } 234 + } 235 + #else /* CONFIG_NF_CONNTRACK_EVENTS */ 220 236 static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, 221 237 struct nf_conn *ct) {} 222 238 static inline int nf_conntrack_eventmask_report(unsigned int eventmask, ··· 267 253 } 268 254 269 255 static inline void nf_conntrack_ecache_fini(void) 256 + { 257 + } 258 + 259 + static inline void nf_conntrack_ecache_delayed_work(struct net *net) 260 + { 261 + } 262 + 263 + static inline void nf_conntrack_ecache_work(struct net *net) 270 264 { 271 265 } 272 266 #endif /* CONFIG_NF_CONNTRACK_EVENTS */

+36 -6

include/net/netfilter/nf_log.h

··· 12 12 #define NF_LOG_UID 0x08 /* Log UID owning local socket */ 13 13 #define NF_LOG_MASK 0x0f 14 14 15 - #define NF_LOG_TYPE_LOG 0x01 16 - #define NF_LOG_TYPE_ULOG 0x02 15 + enum nf_log_type { 16 + NF_LOG_TYPE_LOG = 0, 17 + NF_LOG_TYPE_ULOG, 18 + NF_LOG_TYPE_MAX 19 + }; 17 20 18 21 struct nf_loginfo { 19 22 u_int8_t type; ··· 43 40 const char *prefix); 44 41 45 42 struct nf_logger { 46 - struct module *me; 47 - nf_logfn *logfn; 48 - char *name; 49 - struct list_head list[NFPROTO_NUMPROTO]; 43 + char *name; 44 + enum nf_log_type type; 45 + nf_logfn *logfn; 46 + struct module *me; 50 47 }; 51 48 52 49 /* Function to register/unregister log function. */ ··· 61 58 const struct nf_logger *logger); 62 59 void nf_log_unbind_pf(struct net *net, u_int8_t pf); 63 60 61 + int nf_logger_find_get(int pf, enum nf_log_type type); 62 + void nf_logger_put(int pf, enum nf_log_type type); 63 + void nf_logger_request_module(int pf, enum nf_log_type type); 64 + 65 + #define MODULE_ALIAS_NF_LOGGER(family, type) \ 66 + MODULE_ALIAS("nf-logger-" __stringify(family) "-" __stringify(type)) 67 + 64 68 /* Calls the registered backend logging function */ 65 69 __printf(8, 9) 66 70 void nf_log_packet(struct net *net, ··· 78 68 const struct net_device *out, 79 69 const struct nf_loginfo *li, 80 70 const char *fmt, ...); 71 + 72 + struct nf_log_buf; 73 + 74 + struct nf_log_buf *nf_log_buf_open(void); 75 + __printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...); 76 + void nf_log_buf_close(struct nf_log_buf *m); 77 + 78 + /* common logging functions */ 79 + int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 80 + u8 proto, int fragment, unsigned int offset); 81 + int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 82 + u8 proto, int fragment, unsigned int offset, 83 + unsigned int logflags); 84 + void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk); 85 + void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 86 + unsigned int hooknum, const struct sk_buff *skb, 87 + const struct net_device *in, 88 + const struct net_device *out, 89 + const struct nf_loginfo *loginfo, 90 + const char *prefix); 81 91 82 92 #endif /* _NF_LOG_H */

-54

include/net/netfilter/xt_log.h

··· 1 - #define S_SIZE (1024 - (sizeof(unsigned int) + 1)) 2 - 3 - struct sbuff { 4 - unsigned int count; 5 - char buf[S_SIZE + 1]; 6 - }; 7 - static struct sbuff emergency, *emergency_ptr = &emergency; 8 - 9 - static __printf(2, 3) int sb_add(struct sbuff *m, const char *f, ...) 10 - { 11 - va_list args; 12 - int len; 13 - 14 - if (likely(m->count < S_SIZE)) { 15 - va_start(args, f); 16 - len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args); 17 - va_end(args); 18 - if (likely(m->count + len < S_SIZE)) { 19 - m->count += len; 20 - return 0; 21 - } 22 - } 23 - m->count = S_SIZE; 24 - printk_once(KERN_ERR KBUILD_MODNAME " please increase S_SIZE\n"); 25 - return -1; 26 - } 27 - 28 - static struct sbuff *sb_open(void) 29 - { 30 - struct sbuff *m = kmalloc(sizeof(*m), GFP_ATOMIC); 31 - 32 - if (unlikely(!m)) { 33 - local_bh_disable(); 34 - do { 35 - m = xchg(&emergency_ptr, NULL); 36 - } while (!m); 37 - } 38 - m->count = 0; 39 - return m; 40 - } 41 - 42 - static void sb_close(struct sbuff *m) 43 - { 44 - m->buf[m->count] = 0; 45 - printk("%s\n", m->buf); 46 - 47 - if (likely(m != &emergency)) 48 - kfree(m); 49 - else { 50 - emergency_ptr = m; 51 - local_bh_enable(); 52 - } 53 - } 54 -

+5 -1

include/net/netns/conntrack.h

··· 4 4 #include <linux/list.h> 5 5 #include <linux/list_nulls.h> 6 6 #include <linux/atomic.h> 7 + #include <linux/workqueue.h> 7 8 #include <linux/netfilter/nf_conntrack_tcp.h> 8 9 #include <linux/seqlock.h> 9 10 ··· 74 73 struct netns_ct { 75 74 atomic_t count; 76 75 unsigned int expect_count; 76 + #ifdef CONFIG_NF_CONNTRACK_EVENTS 77 + struct delayed_work ecache_dwork; 78 + bool ecache_dwork_pending; 79 + #endif 77 80 #ifdef CONFIG_SYSCTL 78 81 struct ctl_table_header *sysctl_header; 79 82 struct ctl_table_header *acct_sysctl_header; ··· 87 82 #endif 88 83 char *slabname; 89 84 unsigned int sysctl_log_invalid; /* Log invalid packets */ 90 - unsigned int sysctl_events_retry_timeout; 91 85 int sysctl_events; 92 86 int sysctl_acct; 93 87 int sysctl_auto_assign_helper;

+4

include/uapi/linux/netfilter/nf_tables.h

··· 697 697 * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING) 698 698 * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32) 699 699 * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32) 700 + * @NFTA_LOG_LEVEL: log level (NLA_U32) 701 + * @NFTA_LOG_FLAGS: logging flags (NLA_U32) 700 702 */ 701 703 enum nft_log_attributes { 702 704 NFTA_LOG_UNSPEC, ··· 706 704 NFTA_LOG_PREFIX, 707 705 NFTA_LOG_SNAPLEN, 708 706 NFTA_LOG_QTHRESHOLD, 707 + NFTA_LOG_LEVEL, 708 + NFTA_LOG_FLAGS, 709 709 __NFTA_LOG_MAX 710 710 }; 711 711 #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)

-1

include/uapi/linux/netfilter_bridge/Kbuild

··· 14 14 header-y += ebt_pkttype.h 15 15 header-y += ebt_redirect.h 16 16 header-y += ebt_stp.h 17 - header-y += ebt_ulog.h 18 17 header-y += ebt_vlan.h 19 18 header-y += ebtables.h

-38

include/uapi/linux/netfilter_bridge/ebt_ulog.h

··· 1 - #ifndef _EBT_ULOG_H 2 - #define _EBT_ULOG_H 3 - 4 - #include <linux/types.h> 5 - 6 - #define EBT_ULOG_DEFAULT_NLGROUP 0 7 - #define EBT_ULOG_DEFAULT_QTHRESHOLD 1 8 - #define EBT_ULOG_MAXNLGROUPS 32 /* hardcoded netlink max */ 9 - #define EBT_ULOG_PREFIX_LEN 32 10 - #define EBT_ULOG_MAX_QLEN 50 11 - #define EBT_ULOG_WATCHER "ulog" 12 - #define EBT_ULOG_VERSION 1 13 - 14 - struct ebt_ulog_info { 15 - __u32 nlgroup; 16 - unsigned int cprange; 17 - unsigned int qthreshold; 18 - char prefix[EBT_ULOG_PREFIX_LEN]; 19 - }; 20 - 21 - typedef struct ebt_ulog_packet_msg { 22 - int version; 23 - char indev[IFNAMSIZ]; 24 - char outdev[IFNAMSIZ]; 25 - char physindev[IFNAMSIZ]; 26 - char physoutdev[IFNAMSIZ]; 27 - char prefix[EBT_ULOG_PREFIX_LEN]; 28 - struct timeval stamp; 29 - unsigned long mark; 30 - unsigned int hook; 31 - size_t data_len; 32 - /* The complete packet, including Ethernet header and perhaps 33 - * the VLAN header is appended */ 34 - unsigned char data[0] __attribute__ 35 - ((aligned (__alignof__(struct ebt_ulog_info)))); 36 - } ebt_ulog_packet_msg_t; 37 - 38 - #endif /* _EBT_ULOG_H */

-1

include/uapi/linux/netfilter_ipv4/Kbuild

··· 5 5 header-y += ipt_LOG.h 6 6 header-y += ipt_REJECT.h 7 7 header-y += ipt_TTL.h 8 - header-y += ipt_ULOG.h 9 8 header-y += ipt_ah.h 10 9 header-y += ipt_ecn.h 11 10 header-y += ipt_ttl.h

-49

include/uapi/linux/netfilter_ipv4/ipt_ULOG.h

··· 1 - /* Header file for IP tables userspace logging, Version 1.8 2 - * 3 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> 4 - * 5 - * Distributed under the terms of GNU GPL */ 6 - 7 - #ifndef _IPT_ULOG_H 8 - #define _IPT_ULOG_H 9 - 10 - #ifndef NETLINK_NFLOG 11 - #define NETLINK_NFLOG 5 12 - #endif 13 - 14 - #define ULOG_DEFAULT_NLGROUP 1 15 - #define ULOG_DEFAULT_QTHRESHOLD 1 16 - 17 - #define ULOG_MAC_LEN 80 18 - #define ULOG_PREFIX_LEN 32 19 - 20 - #define ULOG_MAX_QLEN 50 21 - /* Why 50? Well... there is a limit imposed by the slab cache 131000 22 - * bytes. So the multipart netlink-message has to be < 131000 bytes. 23 - * Assuming a standard ethernet-mtu of 1500, we could define this up 24 - * to 80... but even 50 seems to be big enough. */ 25 - 26 - /* private data structure for each rule with a ULOG target */ 27 - struct ipt_ulog_info { 28 - unsigned int nl_group; 29 - size_t copy_range; 30 - size_t qthreshold; 31 - char prefix[ULOG_PREFIX_LEN]; 32 - }; 33 - 34 - /* Format of the ULOG packets passed through netlink */ 35 - typedef struct ulog_packet_msg { 36 - unsigned long mark; 37 - long timestamp_sec; 38 - long timestamp_usec; 39 - unsigned int hook; 40 - char indev_name[IFNAMSIZ]; 41 - char outdev_name[IFNAMSIZ]; 42 - size_t data_len; 43 - char prefix[ULOG_PREFIX_LEN]; 44 - unsigned char mac_len; 45 - unsigned char mac[ULOG_MAC_LEN]; 46 - unsigned char payload[0]; 47 - } ulog_packet_msg_t; 48 - 49 - #endif /*_IPT_ULOG_H*/

+3 -16

net/bridge/netfilter/Kconfig

··· 14 14 help 15 15 Add support for bridge dedicated meta key. 16 16 17 + config NF_LOG_BRIDGE 18 + tristate "Bridge packet logging" 19 + 17 20 endif # NF_TABLES_BRIDGE 18 21 19 22 menuconfig BRIDGE_NF_EBTABLES ··· 202 199 This option adds the log watcher, that you can use in any rule 203 200 in any ebtables table. It records info about the frame header 204 201 to the syslog. 205 - 206 - To compile it as a module, choose M here. If unsure, say N. 207 - 208 - config BRIDGE_EBT_ULOG 209 - tristate "ebt: ulog support (OBSOLETE)" 210 - help 211 - This option enables the old bridge-specific "ebt_ulog" implementation 212 - which has been obsoleted by the new "nfnetlink_log" code (see 213 - CONFIG_NETFILTER_NETLINK_LOG). 214 - 215 - This option adds the ulog watcher, that you can use in any rule 216 - in any ebtables table. The packet is passed to a userspace 217 - logging daemon using netlink multicast sockets. This differs 218 - from the log watcher in the sense that the complete packet is 219 - sent to userspace instead of a descriptive text and that 220 - netlink multicast sockets are used instead of the syslog. 221 202 222 203 To compile it as a module, choose M here. If unsure, say N. 223 204

+3

net/bridge/netfilter/Makefile

··· 5 5 obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o 6 6 obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o 7 7 8 + # packet logging 9 + obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o 10 + 8 11 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o 9 12 10 13 # tables

+5 -42

net/bridge/netfilter/ebt_log.c

··· 186 186 li.u.log.level = info->loglevel; 187 187 li.u.log.logflags = info->bitmask; 188 188 189 + /* Remember that we have to use ebt_log_packet() not to break backward 190 + * compatibility. We cannot use the default bridge packet logger via 191 + * nf_log_packet() with NFT_LOG_TYPE_LOG here. --Pablo 192 + */ 189 193 if (info->bitmask & EBT_LOG_NFLOG) 190 194 nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, 191 195 par->in, par->out, &li, "%s", info->prefix); ··· 209 205 .me = THIS_MODULE, 210 206 }; 211 207 212 - static struct nf_logger ebt_log_logger __read_mostly = { 213 - .name = "ebt_log", 214 - .logfn = &ebt_log_packet, 215 - .me = THIS_MODULE, 216 - }; 217 - 218 - static int __net_init ebt_log_net_init(struct net *net) 219 - { 220 - nf_log_set(net, NFPROTO_BRIDGE, &ebt_log_logger); 221 - return 0; 222 - } 223 - 224 - static void __net_exit ebt_log_net_fini(struct net *net) 225 - { 226 - nf_log_unset(net, &ebt_log_logger); 227 - } 228 - 229 - static struct pernet_operations ebt_log_net_ops = { 230 - .init = ebt_log_net_init, 231 - .exit = ebt_log_net_fini, 232 - }; 233 - 234 208 static int __init ebt_log_init(void) 235 209 { 236 - int ret; 237 - 238 - ret = register_pernet_subsys(&ebt_log_net_ops); 239 - if (ret < 0) 240 - goto err_pernet; 241 - 242 - ret = xt_register_target(&ebt_log_tg_reg); 243 - if (ret < 0) 244 - goto err_target; 245 - 246 - nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger); 247 - 248 - return ret; 249 - 250 - err_target: 251 - unregister_pernet_subsys(&ebt_log_net_ops); 252 - err_pernet: 253 - return ret; 210 + return xt_register_target(&ebt_log_tg_reg); 254 211 } 255 212 256 213 static void __exit ebt_log_fini(void) 257 214 { 258 - unregister_pernet_subsys(&ebt_log_net_ops); 259 - nf_log_unregister(&ebt_log_logger); 260 215 xt_unregister_target(&ebt_log_tg_reg); 261 216 } 262 217

-393

net/bridge/netfilter/ebt_ulog.c

··· 1 - /* 2 - * netfilter module for userspace bridged Ethernet frames logging daemons 3 - * 4 - * Authors: 5 - * Bart De Schuymer <bdschuym@pandora.be> 6 - * Harald Welte <laforge@netfilter.org> 7 - * 8 - * November, 2004 9 - * 10 - * Based on ipt_ULOG.c, which is 11 - * (C) 2000-2002 by Harald Welte <laforge@netfilter.org> 12 - * 13 - * This module accepts two parameters: 14 - * 15 - * nlbufsiz: 16 - * The parameter specifies how big the buffer for each netlink multicast 17 - * group is. e.g. If you say nlbufsiz=8192, up to eight kb of packets will 18 - * get accumulated in the kernel until they are sent to userspace. It is 19 - * NOT possible to allocate more than 128kB, and it is strongly discouraged, 20 - * because atomically allocating 128kB inside the network rx softirq is not 21 - * reliable. Please also keep in mind that this buffer size is allocated for 22 - * each nlgroup you are using, so the total kernel memory usage increases 23 - * by that factor. 24 - * 25 - * flushtimeout: 26 - * Specify, after how many hundredths of a second the queue should be 27 - * flushed even if it is not full yet. 28 - * 29 - */ 30 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 31 - #include <linux/module.h> 32 - #include <linux/slab.h> 33 - #include <linux/spinlock.h> 34 - #include <linux/socket.h> 35 - #include <linux/skbuff.h> 36 - #include <linux/kernel.h> 37 - #include <linux/timer.h> 38 - #include <net/netlink.h> 39 - #include <linux/netdevice.h> 40 - #include <linux/netfilter/x_tables.h> 41 - #include <linux/netfilter_bridge/ebtables.h> 42 - #include <linux/netfilter_bridge/ebt_ulog.h> 43 - #include <net/netfilter/nf_log.h> 44 - #include <net/netns/generic.h> 45 - #include <net/sock.h> 46 - #include "../br_private.h" 47 - 48 - static unsigned int nlbufsiz = NLMSG_GOODSIZE; 49 - module_param(nlbufsiz, uint, 0600); 50 - MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " 51 - "(defaults to 4096)"); 52 - 53 - static unsigned int flushtimeout = 10; 54 - module_param(flushtimeout, uint, 0600); 55 - MODULE_PARM_DESC(flushtimeout, "buffer flush timeout (hundredths ofa second) " 56 - "(defaults to 10)"); 57 - 58 - typedef struct { 59 - unsigned int qlen; /* number of nlmsgs' in the skb */ 60 - struct nlmsghdr *lastnlh; /* netlink header of last msg in skb */ 61 - struct sk_buff *skb; /* the pre-allocated skb */ 62 - struct timer_list timer; /* the timer function */ 63 - spinlock_t lock; /* the per-queue lock */ 64 - } ebt_ulog_buff_t; 65 - 66 - static int ebt_ulog_net_id __read_mostly; 67 - struct ebt_ulog_net { 68 - unsigned int nlgroup[EBT_ULOG_MAXNLGROUPS]; 69 - ebt_ulog_buff_t ulog_buffers[EBT_ULOG_MAXNLGROUPS]; 70 - struct sock *ebtulognl; 71 - }; 72 - 73 - static struct ebt_ulog_net *ebt_ulog_pernet(struct net *net) 74 - { 75 - return net_generic(net, ebt_ulog_net_id); 76 - } 77 - 78 - /* send one ulog_buff_t to userspace */ 79 - static void ulog_send(struct ebt_ulog_net *ebt, unsigned int nlgroup) 80 - { 81 - ebt_ulog_buff_t *ub = &ebt->ulog_buffers[nlgroup]; 82 - 83 - del_timer(&ub->timer); 84 - 85 - if (!ub->skb) 86 - return; 87 - 88 - /* last nlmsg needs NLMSG_DONE */ 89 - if (ub->qlen > 1) 90 - ub->lastnlh->nlmsg_type = NLMSG_DONE; 91 - 92 - NETLINK_CB(ub->skb).dst_group = nlgroup + 1; 93 - netlink_broadcast(ebt->ebtulognl, ub->skb, 0, nlgroup + 1, GFP_ATOMIC); 94 - 95 - ub->qlen = 0; 96 - ub->skb = NULL; 97 - } 98 - 99 - /* timer function to flush queue in flushtimeout time */ 100 - static void ulog_timer(unsigned long data) 101 - { 102 - struct ebt_ulog_net *ebt = container_of((void *)data, 103 - struct ebt_ulog_net, 104 - nlgroup[*(unsigned int *)data]); 105 - 106 - ebt_ulog_buff_t *ub = &ebt->ulog_buffers[*(unsigned int *)data]; 107 - spin_lock_bh(&ub->lock); 108 - if (ub->skb) 109 - ulog_send(ebt, *(unsigned int *)data); 110 - spin_unlock_bh(&ub->lock); 111 - } 112 - 113 - static struct sk_buff *ulog_alloc_skb(unsigned int size) 114 - { 115 - struct sk_buff *skb; 116 - unsigned int n; 117 - 118 - n = max(size, nlbufsiz); 119 - skb = alloc_skb(n, GFP_ATOMIC | __GFP_NOWARN); 120 - if (!skb) { 121 - if (n > size) { 122 - /* try to allocate only as much as we need for 123 - * current packet */ 124 - skb = alloc_skb(size, GFP_ATOMIC); 125 - if (!skb) 126 - pr_debug("cannot even allocate buffer of size %ub\n", 127 - size); 128 - } 129 - } 130 - 131 - return skb; 132 - } 133 - 134 - static void ebt_ulog_packet(struct net *net, unsigned int hooknr, 135 - const struct sk_buff *skb, 136 - const struct net_device *in, 137 - const struct net_device *out, 138 - const struct ebt_ulog_info *uloginfo, 139 - const char *prefix) 140 - { 141 - ebt_ulog_packet_msg_t *pm; 142 - size_t size, copy_len; 143 - struct nlmsghdr *nlh; 144 - struct ebt_ulog_net *ebt = ebt_ulog_pernet(net); 145 - unsigned int group = uloginfo->nlgroup; 146 - ebt_ulog_buff_t *ub = &ebt->ulog_buffers[group]; 147 - spinlock_t *lock = &ub->lock; 148 - ktime_t kt; 149 - 150 - if ((uloginfo->cprange == 0) || 151 - (uloginfo->cprange > skb->len + ETH_HLEN)) 152 - copy_len = skb->len + ETH_HLEN; 153 - else 154 - copy_len = uloginfo->cprange; 155 - 156 - size = nlmsg_total_size(sizeof(*pm) + copy_len); 157 - if (size > nlbufsiz) { 158 - pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz); 159 - return; 160 - } 161 - 162 - spin_lock_bh(lock); 163 - 164 - if (!ub->skb) { 165 - if (!(ub->skb = ulog_alloc_skb(size))) 166 - goto unlock; 167 - } else if (size > skb_tailroom(ub->skb)) { 168 - ulog_send(ebt, group); 169 - 170 - if (!(ub->skb = ulog_alloc_skb(size))) 171 - goto unlock; 172 - } 173 - 174 - nlh = nlmsg_put(ub->skb, 0, ub->qlen, 0, 175 - size - NLMSG_ALIGN(sizeof(*nlh)), 0); 176 - if (!nlh) { 177 - kfree_skb(ub->skb); 178 - ub->skb = NULL; 179 - goto unlock; 180 - } 181 - ub->qlen++; 182 - 183 - pm = nlmsg_data(nlh); 184 - memset(pm, 0, sizeof(*pm)); 185 - 186 - /* Fill in the ulog data */ 187 - pm->version = EBT_ULOG_VERSION; 188 - kt = ktime_get_real(); 189 - pm->stamp = ktime_to_timeval(kt); 190 - if (ub->qlen == 1) 191 - ub->skb->tstamp = kt; 192 - pm->data_len = copy_len; 193 - pm->mark = skb->mark; 194 - pm->hook = hooknr; 195 - if (uloginfo->prefix != NULL) 196 - strcpy(pm->prefix, uloginfo->prefix); 197 - 198 - if (in) { 199 - strcpy(pm->physindev, in->name); 200 - /* If in isn't a bridge, then physindev==indev */ 201 - if (br_port_exists(in)) 202 - /* rcu_read_lock()ed by nf_hook_slow */ 203 - strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name); 204 - else 205 - strcpy(pm->indev, in->name); 206 - } 207 - 208 - if (out) { 209 - /* If out exists, then out is a bridge port */ 210 - strcpy(pm->physoutdev, out->name); 211 - /* rcu_read_lock()ed by nf_hook_slow */ 212 - strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name); 213 - } 214 - 215 - if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0) 216 - BUG(); 217 - 218 - if (ub->qlen > 1) 219 - ub->lastnlh->nlmsg_flags |= NLM_F_MULTI; 220 - 221 - ub->lastnlh = nlh; 222 - 223 - if (ub->qlen >= uloginfo->qthreshold) 224 - ulog_send(ebt, group); 225 - else if (!timer_pending(&ub->timer)) { 226 - ub->timer.expires = jiffies + flushtimeout * HZ / 100; 227 - add_timer(&ub->timer); 228 - } 229 - 230 - unlock: 231 - spin_unlock_bh(lock); 232 - } 233 - 234 - /* this function is registered with the netfilter core */ 235 - static void ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum, 236 - const struct sk_buff *skb, const struct net_device *in, 237 - const struct net_device *out, const struct nf_loginfo *li, 238 - const char *prefix) 239 - { 240 - struct ebt_ulog_info loginfo; 241 - 242 - if (!li || li->type != NF_LOG_TYPE_ULOG) { 243 - loginfo.nlgroup = EBT_ULOG_DEFAULT_NLGROUP; 244 - loginfo.cprange = 0; 245 - loginfo.qthreshold = EBT_ULOG_DEFAULT_QTHRESHOLD; 246 - loginfo.prefix[0] = '\0'; 247 - } else { 248 - loginfo.nlgroup = li->u.ulog.group; 249 - loginfo.cprange = li->u.ulog.copy_len; 250 - loginfo.qthreshold = li->u.ulog.qthreshold; 251 - strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix)); 252 - } 253 - 254 - ebt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix); 255 - } 256 - 257 - static unsigned int 258 - ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par) 259 - { 260 - struct net *net = dev_net(par->in ? par->in : par->out); 261 - 262 - ebt_ulog_packet(net, par->hooknum, skb, par->in, par->out, 263 - par->targinfo, NULL); 264 - return EBT_CONTINUE; 265 - } 266 - 267 - static int ebt_ulog_tg_check(const struct xt_tgchk_param *par) 268 - { 269 - struct ebt_ulog_info *uloginfo = par->targinfo; 270 - 271 - if (!par->net->xt.ebt_ulog_warn_deprecated) { 272 - pr_info("ebt_ulog is deprecated and it will be removed soon, " 273 - "use ebt_nflog instead\n"); 274 - par->net->xt.ebt_ulog_warn_deprecated = true; 275 - } 276 - 277 - if (uloginfo->nlgroup > 31) 278 - return -EINVAL; 279 - 280 - uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; 281 - 282 - if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) 283 - uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; 284 - 285 - return 0; 286 - } 287 - 288 - static struct xt_target ebt_ulog_tg_reg __read_mostly = { 289 - .name = "ulog", 290 - .revision = 0, 291 - .family = NFPROTO_BRIDGE, 292 - .target = ebt_ulog_tg, 293 - .checkentry = ebt_ulog_tg_check, 294 - .targetsize = sizeof(struct ebt_ulog_info), 295 - .me = THIS_MODULE, 296 - }; 297 - 298 - static struct nf_logger ebt_ulog_logger __read_mostly = { 299 - .name = "ebt_ulog", 300 - .logfn = &ebt_log_packet, 301 - .me = THIS_MODULE, 302 - }; 303 - 304 - static int __net_init ebt_ulog_net_init(struct net *net) 305 - { 306 - int i; 307 - struct ebt_ulog_net *ebt = ebt_ulog_pernet(net); 308 - 309 - struct netlink_kernel_cfg cfg = { 310 - .groups = EBT_ULOG_MAXNLGROUPS, 311 - }; 312 - 313 - /* initialize ulog_buffers */ 314 - for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) { 315 - ebt->nlgroup[i] = i; 316 - setup_timer(&ebt->ulog_buffers[i].timer, ulog_timer, 317 - (unsigned long)&ebt->nlgroup[i]); 318 - spin_lock_init(&ebt->ulog_buffers[i].lock); 319 - } 320 - 321 - ebt->ebtulognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg); 322 - if (!ebt->ebtulognl) 323 - return -ENOMEM; 324 - 325 - nf_log_set(net, NFPROTO_BRIDGE, &ebt_ulog_logger); 326 - return 0; 327 - } 328 - 329 - static void __net_exit ebt_ulog_net_fini(struct net *net) 330 - { 331 - int i; 332 - struct ebt_ulog_net *ebt = ebt_ulog_pernet(net); 333 - 334 - nf_log_unset(net, &ebt_ulog_logger); 335 - for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) { 336 - ebt_ulog_buff_t *ub = &ebt->ulog_buffers[i]; 337 - del_timer(&ub->timer); 338 - 339 - if (ub->skb) { 340 - kfree_skb(ub->skb); 341 - ub->skb = NULL; 342 - } 343 - } 344 - netlink_kernel_release(ebt->ebtulognl); 345 - } 346 - 347 - static struct pernet_operations ebt_ulog_net_ops = { 348 - .init = ebt_ulog_net_init, 349 - .exit = ebt_ulog_net_fini, 350 - .id = &ebt_ulog_net_id, 351 - .size = sizeof(struct ebt_ulog_net), 352 - }; 353 - 354 - static int __init ebt_ulog_init(void) 355 - { 356 - int ret; 357 - 358 - if (nlbufsiz >= 128*1024) { 359 - pr_warn("Netlink buffer has to be <= 128kB," 360 - "please try a smaller nlbufsiz parameter.\n"); 361 - return -EINVAL; 362 - } 363 - 364 - ret = register_pernet_subsys(&ebt_ulog_net_ops); 365 - if (ret) 366 - goto out_pernet; 367 - 368 - ret = xt_register_target(&ebt_ulog_tg_reg); 369 - if (ret) 370 - goto out_target; 371 - 372 - nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); 373 - 374 - return 0; 375 - 376 - out_target: 377 - unregister_pernet_subsys(&ebt_ulog_net_ops); 378 - out_pernet: 379 - return ret; 380 - } 381 - 382 - static void __exit ebt_ulog_fini(void) 383 - { 384 - nf_log_unregister(&ebt_ulog_logger); 385 - xt_unregister_target(&ebt_ulog_tg_reg); 386 - unregister_pernet_subsys(&ebt_ulog_net_ops); 387 - } 388 - 389 - module_init(ebt_ulog_init); 390 - module_exit(ebt_ulog_fini); 391 - MODULE_LICENSE("GPL"); 392 - MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>"); 393 - MODULE_DESCRIPTION("Ebtables: Packet logging to netlink using ULOG");

+96

net/bridge/netfilter/nf_log_bridge.c

··· 1 + /* 2 + * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org> 3 + * 4 + * This program is free software; you can redistribute it and/or modify 5 + * it under the terms of the GNU General Public License version 2 as 6 + * published by the Free Software Foundation. 7 + */ 8 + 9 + #include <linux/module.h> 10 + #include <linux/spinlock.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/if_bridge.h> 13 + #include <linux/ip.h> 14 + #include <net/route.h> 15 + 16 + #include <linux/netfilter.h> 17 + #include <net/netfilter/nf_log.h> 18 + 19 + static void nf_log_bridge_packet(struct net *net, u_int8_t pf, 20 + unsigned int hooknum, 21 + const struct sk_buff *skb, 22 + const struct net_device *in, 23 + const struct net_device *out, 24 + const struct nf_loginfo *loginfo, 25 + const char *prefix) 26 + { 27 + switch (eth_hdr(skb)->h_proto) { 28 + case htons(ETH_P_IP): 29 + nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out, 30 + loginfo, "%s", prefix); 31 + break; 32 + case htons(ETH_P_IPV6): 33 + nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out, 34 + loginfo, "%s", prefix); 35 + break; 36 + case htons(ETH_P_ARP): 37 + case htons(ETH_P_RARP): 38 + nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out, 39 + loginfo, "%s", prefix); 40 + break; 41 + } 42 + } 43 + 44 + static struct nf_logger nf_bridge_logger __read_mostly = { 45 + .name = "nf_log_bridge", 46 + .type = NF_LOG_TYPE_LOG, 47 + .logfn = nf_log_bridge_packet, 48 + .me = THIS_MODULE, 49 + }; 50 + 51 + static int __net_init nf_log_bridge_net_init(struct net *net) 52 + { 53 + nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 54 + return 0; 55 + } 56 + 57 + static void __net_exit nf_log_bridge_net_exit(struct net *net) 58 + { 59 + nf_log_unset(net, &nf_bridge_logger); 60 + } 61 + 62 + static struct pernet_operations nf_log_bridge_net_ops = { 63 + .init = nf_log_bridge_net_init, 64 + .exit = nf_log_bridge_net_exit, 65 + }; 66 + 67 + static int __init nf_log_bridge_init(void) 68 + { 69 + int ret; 70 + 71 + /* Request to load the real packet loggers. */ 72 + nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG); 73 + nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG); 74 + nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG); 75 + 76 + ret = register_pernet_subsys(&nf_log_bridge_net_ops); 77 + if (ret < 0) 78 + return ret; 79 + 80 + nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 81 + return 0; 82 + } 83 + 84 + static void __exit nf_log_bridge_exit(void) 85 + { 86 + unregister_pernet_subsys(&nf_log_bridge_net_ops); 87 + nf_log_unregister(&nf_bridge_logger); 88 + } 89 + 90 + module_init(nf_log_bridge_init); 91 + module_exit(nf_log_bridge_exit); 92 + 93 + MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 94 + MODULE_DESCRIPTION("Netfilter bridge packet logging"); 95 + MODULE_LICENSE("GPL"); 96 + MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);

+10 -19

net/ipv4/netfilter/Kconfig

··· 36 36 37 37 If unsure, say Y. 38 38 39 + config NF_LOG_ARP 40 + tristate "ARP packet logging" 41 + default m if NETFILTER_ADVANCED=n 42 + select NF_LOG_COMMON 43 + 44 + config NF_LOG_IPV4 45 + tristate "IPv4 packet logging" 46 + default m if NETFILTER_ADVANCED=n 47 + select NF_LOG_COMMON 48 + 39 49 config NF_TABLES_IPV4 40 50 depends on NF_TABLES 41 51 tristate "IPv4 nf_tables support" ··· 168 158 during SYN-flood attacks. 169 159 170 160 To compile it as a module, choose M here. If unsure, say N. 171 - 172 - config IP_NF_TARGET_ULOG 173 - tristate "ULOG target support (obsolete)" 174 - default m if NETFILTER_ADVANCED=n 175 - ---help--- 176 - 177 - This option enables the old IPv4-only "ipt_ULOG" implementation 178 - which has been obsoleted by the new "nfnetlink_log" code (see 179 - CONFIG_NETFILTER_NETLINK_LOG). 180 - 181 - This option adds a `ULOG' target, which allows you to create rules in 182 - any iptables table. The packet is passed to a userspace logging 183 - daemon using netlink multicast sockets; unlike the LOG target 184 - which can only be viewed through syslog. 185 - 186 - The appropriate userspace logging daemon (ulogd) may be obtained from 187 - <http://www.netfilter.org/projects/ulogd/index.html> 188 - 189 - To compile it as a module, choose M here. If unsure, say N. 190 161 191 162 # NAT + specific targets: nf_conntrack 192 163 config NF_NAT_IPV4

+4

net/ipv4/netfilter/Makefile

··· 19 19 # defrag 20 20 obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o 21 21 22 + # logging 23 + obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o 24 + obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o 25 + 22 26 # NAT helpers (nf_conntrack) 23 27 obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o 24 28 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o

-498

net/ipv4/netfilter/ipt_ULOG.c

··· 1 - /* 2 - * netfilter module for userspace packet logging daemons 3 - * 4 - * (C) 2000-2004 by Harald Welte <laforge@netfilter.org> 5 - * (C) 1999-2001 Paul `Rusty' Russell 6 - * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 7 - * (C) 2005-2007 Patrick McHardy <kaber@trash.net> 8 - * 9 - * This program is free software; you can redistribute it and/or modify 10 - * it under the terms of the GNU General Public License version 2 as 11 - * published by the Free Software Foundation. 12 - * 13 - * This module accepts two parameters: 14 - * 15 - * nlbufsiz: 16 - * The parameter specifies how big the buffer for each netlink multicast 17 - * group is. e.g. If you say nlbufsiz=8192, up to eight kb of packets will 18 - * get accumulated in the kernel until they are sent to userspace. It is 19 - * NOT possible to allocate more than 128kB, and it is strongly discouraged, 20 - * because atomically allocating 128kB inside the network rx softirq is not 21 - * reliable. Please also keep in mind that this buffer size is allocated for 22 - * each nlgroup you are using, so the total kernel memory usage increases 23 - * by that factor. 24 - * 25 - * Actually you should use nlbufsiz a bit smaller than PAGE_SIZE, since 26 - * nlbufsiz is used with alloc_skb, which adds another 27 - * sizeof(struct skb_shared_info). Use NLMSG_GOODSIZE instead. 28 - * 29 - * flushtimeout: 30 - * Specify, after how many hundredths of a second the queue should be 31 - * flushed even if it is not full yet. 32 - */ 33 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 34 - #include <linux/module.h> 35 - #include <linux/spinlock.h> 36 - #include <linux/socket.h> 37 - #include <linux/slab.h> 38 - #include <linux/skbuff.h> 39 - #include <linux/kernel.h> 40 - #include <linux/timer.h> 41 - #include <net/netlink.h> 42 - #include <linux/netdevice.h> 43 - #include <linux/mm.h> 44 - #include <linux/moduleparam.h> 45 - #include <linux/netfilter.h> 46 - #include <linux/netfilter/x_tables.h> 47 - #include <linux/netfilter_ipv4/ipt_ULOG.h> 48 - #include <net/netfilter/nf_log.h> 49 - #include <net/netns/generic.h> 50 - #include <net/sock.h> 51 - #include <linux/bitops.h> 52 - #include <asm/unaligned.h> 53 - 54 - MODULE_LICENSE("GPL"); 55 - MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); 56 - MODULE_DESCRIPTION("Xtables: packet logging to netlink using ULOG"); 57 - MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG); 58 - 59 - #define ULOG_NL_EVENT 111 /* Harald's favorite number */ 60 - #define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */ 61 - 62 - static unsigned int nlbufsiz = NLMSG_GOODSIZE; 63 - module_param(nlbufsiz, uint, 0400); 64 - MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); 65 - 66 - static unsigned int flushtimeout = 10; 67 - module_param(flushtimeout, uint, 0600); 68 - MODULE_PARM_DESC(flushtimeout, "buffer flush timeout (hundredths of a second)"); 69 - 70 - static bool nflog = true; 71 - module_param(nflog, bool, 0400); 72 - MODULE_PARM_DESC(nflog, "register as internal netfilter logging module"); 73 - 74 - /* global data structures */ 75 - 76 - typedef struct { 77 - unsigned int qlen; /* number of nlmsgs' in the skb */ 78 - struct nlmsghdr *lastnlh; /* netlink header of last msg in skb */ 79 - struct sk_buff *skb; /* the pre-allocated skb */ 80 - struct timer_list timer; /* the timer function */ 81 - } ulog_buff_t; 82 - 83 - static int ulog_net_id __read_mostly; 84 - struct ulog_net { 85 - unsigned int nlgroup[ULOG_MAXNLGROUPS]; 86 - ulog_buff_t ulog_buffers[ULOG_MAXNLGROUPS]; 87 - struct sock *nflognl; 88 - spinlock_t lock; 89 - }; 90 - 91 - static struct ulog_net *ulog_pernet(struct net *net) 92 - { 93 - return net_generic(net, ulog_net_id); 94 - } 95 - 96 - /* send one ulog_buff_t to userspace */ 97 - static void ulog_send(struct ulog_net *ulog, unsigned int nlgroupnum) 98 - { 99 - ulog_buff_t *ub = &ulog->ulog_buffers[nlgroupnum]; 100 - 101 - pr_debug("ulog_send: timer is deleting\n"); 102 - del_timer(&ub->timer); 103 - 104 - if (!ub->skb) { 105 - pr_debug("ulog_send: nothing to send\n"); 106 - return; 107 - } 108 - 109 - /* last nlmsg needs NLMSG_DONE */ 110 - if (ub->qlen > 1) 111 - ub->lastnlh->nlmsg_type = NLMSG_DONE; 112 - 113 - NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1; 114 - pr_debug("throwing %d packets to netlink group %u\n", 115 - ub->qlen, nlgroupnum + 1); 116 - netlink_broadcast(ulog->nflognl, ub->skb, 0, nlgroupnum + 1, 117 - GFP_ATOMIC); 118 - 119 - ub->qlen = 0; 120 - ub->skb = NULL; 121 - ub->lastnlh = NULL; 122 - } 123 - 124 - 125 - /* timer function to flush queue in flushtimeout time */ 126 - static void ulog_timer(unsigned long data) 127 - { 128 - unsigned int groupnum = *((unsigned int *)data); 129 - struct ulog_net *ulog = container_of((void *)data, 130 - struct ulog_net, 131 - nlgroup[groupnum]); 132 - pr_debug("timer function called, calling ulog_send\n"); 133 - 134 - /* lock to protect against somebody modifying our structure 135 - * from ipt_ulog_target at the same time */ 136 - spin_lock_bh(&ulog->lock); 137 - ulog_send(ulog, groupnum); 138 - spin_unlock_bh(&ulog->lock); 139 - } 140 - 141 - static struct sk_buff *ulog_alloc_skb(unsigned int size) 142 - { 143 - struct sk_buff *skb; 144 - unsigned int n; 145 - 146 - /* alloc skb which should be big enough for a whole 147 - * multipart message. WARNING: has to be <= 131000 148 - * due to slab allocator restrictions */ 149 - 150 - n = max(size, nlbufsiz); 151 - skb = alloc_skb(n, GFP_ATOMIC | __GFP_NOWARN); 152 - if (!skb) { 153 - if (n > size) { 154 - /* try to allocate only as much as we need for 155 - * current packet */ 156 - 157 - skb = alloc_skb(size, GFP_ATOMIC); 158 - if (!skb) 159 - pr_debug("cannot even allocate %ub\n", size); 160 - } 161 - } 162 - 163 - return skb; 164 - } 165 - 166 - static void ipt_ulog_packet(struct net *net, 167 - unsigned int hooknum, 168 - const struct sk_buff *skb, 169 - const struct net_device *in, 170 - const struct net_device *out, 171 - const struct ipt_ulog_info *loginfo, 172 - const char *prefix) 173 - { 174 - ulog_buff_t *ub; 175 - ulog_packet_msg_t *pm; 176 - size_t size, copy_len; 177 - struct nlmsghdr *nlh; 178 - struct timeval tv; 179 - struct ulog_net *ulog = ulog_pernet(net); 180 - 181 - /* ffs == find first bit set, necessary because userspace 182 - * is already shifting groupnumber, but we need unshifted. 183 - * ffs() returns [1..32], we need [0..31] */ 184 - unsigned int groupnum = ffs(loginfo->nl_group) - 1; 185 - 186 - /* calculate the size of the skb needed */ 187 - if (loginfo->copy_range == 0 || loginfo->copy_range > skb->len) 188 - copy_len = skb->len; 189 - else 190 - copy_len = loginfo->copy_range; 191 - 192 - size = nlmsg_total_size(sizeof(*pm) + copy_len); 193 - 194 - ub = &ulog->ulog_buffers[groupnum]; 195 - 196 - spin_lock_bh(&ulog->lock); 197 - 198 - if (!ub->skb) { 199 - if (!(ub->skb = ulog_alloc_skb(size))) 200 - goto alloc_failure; 201 - } else if (ub->qlen >= loginfo->qthreshold || 202 - size > skb_tailroom(ub->skb)) { 203 - /* either the queue len is too high or we don't have 204 - * enough room in nlskb left. send it to userspace. */ 205 - 206 - ulog_send(ulog, groupnum); 207 - 208 - if (!(ub->skb = ulog_alloc_skb(size))) 209 - goto alloc_failure; 210 - } 211 - 212 - pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold); 213 - 214 - nlh = nlmsg_put(ub->skb, 0, ub->qlen, ULOG_NL_EVENT, 215 - sizeof(*pm)+copy_len, 0); 216 - if (!nlh) { 217 - pr_debug("error during nlmsg_put\n"); 218 - goto out_unlock; 219 - } 220 - ub->qlen++; 221 - 222 - pm = nlmsg_data(nlh); 223 - memset(pm, 0, sizeof(*pm)); 224 - 225 - /* We might not have a timestamp, get one */ 226 - if (skb->tstamp.tv64 == 0) 227 - __net_timestamp((struct sk_buff *)skb); 228 - 229 - /* copy hook, prefix, timestamp, payload, etc. */ 230 - pm->data_len = copy_len; 231 - tv = ktime_to_timeval(skb->tstamp); 232 - put_unaligned(tv.tv_sec, &pm->timestamp_sec); 233 - put_unaligned(tv.tv_usec, &pm->timestamp_usec); 234 - put_unaligned(skb->mark, &pm->mark); 235 - pm->hook = hooknum; 236 - if (prefix != NULL) { 237 - strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1); 238 - pm->prefix[sizeof(pm->prefix) - 1] = '\0'; 239 - } 240 - else if (loginfo->prefix[0] != '\0') 241 - strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); 242 - 243 - if (in && in->hard_header_len > 0 && 244 - skb->mac_header != skb->network_header && 245 - in->hard_header_len <= ULOG_MAC_LEN) { 246 - memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len); 247 - pm->mac_len = in->hard_header_len; 248 - } else 249 - pm->mac_len = 0; 250 - 251 - if (in) 252 - strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); 253 - 254 - if (out) 255 - strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); 256 - 257 - /* copy_len <= skb->len, so can't fail. */ 258 - if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) 259 - BUG(); 260 - 261 - /* check if we are building multi-part messages */ 262 - if (ub->qlen > 1) 263 - ub->lastnlh->nlmsg_flags |= NLM_F_MULTI; 264 - 265 - ub->lastnlh = nlh; 266 - 267 - /* if timer isn't already running, start it */ 268 - if (!timer_pending(&ub->timer)) { 269 - ub->timer.expires = jiffies + flushtimeout * HZ / 100; 270 - add_timer(&ub->timer); 271 - } 272 - 273 - /* if threshold is reached, send message to userspace */ 274 - if (ub->qlen >= loginfo->qthreshold) { 275 - if (loginfo->qthreshold > 1) 276 - nlh->nlmsg_type = NLMSG_DONE; 277 - ulog_send(ulog, groupnum); 278 - } 279 - out_unlock: 280 - spin_unlock_bh(&ulog->lock); 281 - 282 - return; 283 - 284 - alloc_failure: 285 - pr_debug("Error building netlink message\n"); 286 - spin_unlock_bh(&ulog->lock); 287 - } 288 - 289 - static unsigned int 290 - ulog_tg(struct sk_buff *skb, const struct xt_action_param *par) 291 - { 292 - struct net *net = dev_net(par->in ? par->in : par->out); 293 - 294 - ipt_ulog_packet(net, par->hooknum, skb, par->in, par->out, 295 - par->targinfo, NULL); 296 - return XT_CONTINUE; 297 - } 298 - 299 - static void ipt_logfn(struct net *net, 300 - u_int8_t pf, 301 - unsigned int hooknum, 302 - const struct sk_buff *skb, 303 - const struct net_device *in, 304 - const struct net_device *out, 305 - const struct nf_loginfo *li, 306 - const char *prefix) 307 - { 308 - struct ipt_ulog_info loginfo; 309 - 310 - if (!li || li->type != NF_LOG_TYPE_ULOG) { 311 - loginfo.nl_group = ULOG_DEFAULT_NLGROUP; 312 - loginfo.copy_range = 0; 313 - loginfo.qthreshold = ULOG_DEFAULT_QTHRESHOLD; 314 - loginfo.prefix[0] = '\0'; 315 - } else { 316 - loginfo.nl_group = li->u.ulog.group; 317 - loginfo.copy_range = li->u.ulog.copy_len; 318 - loginfo.qthreshold = li->u.ulog.qthreshold; 319 - strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix)); 320 - } 321 - 322 - ipt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix); 323 - } 324 - 325 - static int ulog_tg_check(const struct xt_tgchk_param *par) 326 - { 327 - const struct ipt_ulog_info *loginfo = par->targinfo; 328 - 329 - if (!par->net->xt.ulog_warn_deprecated) { 330 - pr_info("ULOG is deprecated and it will be removed soon, " 331 - "use NFLOG instead\n"); 332 - par->net->xt.ulog_warn_deprecated = true; 333 - } 334 - 335 - if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { 336 - pr_debug("prefix not null-terminated\n"); 337 - return -EINVAL; 338 - } 339 - if (loginfo->qthreshold > ULOG_MAX_QLEN) { 340 - pr_debug("queue threshold %Zu > MAX_QLEN\n", 341 - loginfo->qthreshold); 342 - return -EINVAL; 343 - } 344 - return 0; 345 - } 346 - 347 - #ifdef CONFIG_COMPAT 348 - struct compat_ipt_ulog_info { 349 - compat_uint_t nl_group; 350 - compat_size_t copy_range; 351 - compat_size_t qthreshold; 352 - char prefix[ULOG_PREFIX_LEN]; 353 - }; 354 - 355 - static void ulog_tg_compat_from_user(void *dst, const void *src) 356 - { 357 - const struct compat_ipt_ulog_info *cl = src; 358 - struct ipt_ulog_info l = { 359 - .nl_group = cl->nl_group, 360 - .copy_range = cl->copy_range, 361 - .qthreshold = cl->qthreshold, 362 - }; 363 - 364 - memcpy(l.prefix, cl->prefix, sizeof(l.prefix)); 365 - memcpy(dst, &l, sizeof(l)); 366 - } 367 - 368 - static int ulog_tg_compat_to_user(void __user *dst, const void *src) 369 - { 370 - const struct ipt_ulog_info *l = src; 371 - struct compat_ipt_ulog_info cl = { 372 - .nl_group = l->nl_group, 373 - .copy_range = l->copy_range, 374 - .qthreshold = l->qthreshold, 375 - }; 376 - 377 - memcpy(cl.prefix, l->prefix, sizeof(cl.prefix)); 378 - return copy_to_user(dst, &cl, sizeof(cl)) ? -EFAULT : 0; 379 - } 380 - #endif /* CONFIG_COMPAT */ 381 - 382 - static struct xt_target ulog_tg_reg __read_mostly = { 383 - .name = "ULOG", 384 - .family = NFPROTO_IPV4, 385 - .target = ulog_tg, 386 - .targetsize = sizeof(struct ipt_ulog_info), 387 - .checkentry = ulog_tg_check, 388 - #ifdef CONFIG_COMPAT 389 - .compatsize = sizeof(struct compat_ipt_ulog_info), 390 - .compat_from_user = ulog_tg_compat_from_user, 391 - .compat_to_user = ulog_tg_compat_to_user, 392 - #endif 393 - .me = THIS_MODULE, 394 - }; 395 - 396 - static struct nf_logger ipt_ulog_logger __read_mostly = { 397 - .name = "ipt_ULOG", 398 - .logfn = ipt_logfn, 399 - .me = THIS_MODULE, 400 - }; 401 - 402 - static int __net_init ulog_tg_net_init(struct net *net) 403 - { 404 - int i; 405 - struct ulog_net *ulog = ulog_pernet(net); 406 - struct netlink_kernel_cfg cfg = { 407 - .groups = ULOG_MAXNLGROUPS, 408 - }; 409 - 410 - spin_lock_init(&ulog->lock); 411 - /* initialize ulog_buffers */ 412 - for (i = 0; i < ULOG_MAXNLGROUPS; i++) { 413 - ulog->nlgroup[i] = i; 414 - setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, 415 - (unsigned long)&ulog->nlgroup[i]); 416 - } 417 - 418 - ulog->nflognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg); 419 - if (!ulog->nflognl) 420 - return -ENOMEM; 421 - 422 - if (nflog) 423 - nf_log_set(net, NFPROTO_IPV4, &ipt_ulog_logger); 424 - 425 - return 0; 426 - } 427 - 428 - static void __net_exit ulog_tg_net_exit(struct net *net) 429 - { 430 - ulog_buff_t *ub; 431 - int i; 432 - struct ulog_net *ulog = ulog_pernet(net); 433 - 434 - if (nflog) 435 - nf_log_unset(net, &ipt_ulog_logger); 436 - 437 - netlink_kernel_release(ulog->nflognl); 438 - 439 - /* remove pending timers and free allocated skb's */ 440 - for (i = 0; i < ULOG_MAXNLGROUPS; i++) { 441 - ub = &ulog->ulog_buffers[i]; 442 - pr_debug("timer is deleting\n"); 443 - del_timer(&ub->timer); 444 - 445 - if (ub->skb) { 446 - kfree_skb(ub->skb); 447 - ub->skb = NULL; 448 - } 449 - } 450 - } 451 - 452 - static struct pernet_operations ulog_tg_net_ops = { 453 - .init = ulog_tg_net_init, 454 - .exit = ulog_tg_net_exit, 455 - .id = &ulog_net_id, 456 - .size = sizeof(struct ulog_net), 457 - }; 458 - 459 - static int __init ulog_tg_init(void) 460 - { 461 - int ret; 462 - pr_debug("init module\n"); 463 - 464 - if (nlbufsiz > 128*1024) { 465 - pr_warn("Netlink buffer has to be <= 128kB\n"); 466 - return -EINVAL; 467 - } 468 - 469 - ret = register_pernet_subsys(&ulog_tg_net_ops); 470 - if (ret) 471 - goto out_pernet; 472 - 473 - ret = xt_register_target(&ulog_tg_reg); 474 - if (ret < 0) 475 - goto out_target; 476 - 477 - if (nflog) 478 - nf_log_register(NFPROTO_IPV4, &ipt_ulog_logger); 479 - 480 - return 0; 481 - 482 - out_target: 483 - unregister_pernet_subsys(&ulog_tg_net_ops); 484 - out_pernet: 485 - return ret; 486 - } 487 - 488 - static void __exit ulog_tg_exit(void) 489 - { 490 - pr_debug("cleanup_module\n"); 491 - if (nflog) 492 - nf_log_unregister(&ipt_ulog_logger); 493 - xt_unregister_target(&ulog_tg_reg); 494 - unregister_pernet_subsys(&ulog_tg_net_ops); 495 - } 496 - 497 - module_init(ulog_tg_init); 498 - module_exit(ulog_tg_exit);

+2 -2

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

··· 314 314 return -ENOENT; 315 315 } 316 316 317 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 317 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 318 318 319 319 #include <linux/netfilter/nfnetlink.h> 320 320 #include <linux/netfilter/nfnetlink_conntrack.h> ··· 388 388 .invert_tuple = ipv4_invert_tuple, 389 389 .print_tuple = ipv4_print_tuple, 390 390 .get_l4proto = ipv4_get_l4proto, 391 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 391 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 392 392 .tuple_to_nlattr = ipv4_tuple_to_nlattr, 393 393 .nlattr_tuple_size = ipv4_nlattr_tuple_size, 394 394 .nlattr_to_tuple = ipv4_nlattr_to_tuple,

+2 -2

net/ipv4/netfilter/nf_conntrack_proto_icmp.c

··· 226 226 return icmp_error_message(net, tmpl, skb, ctinfo, hooknum); 227 227 } 228 228 229 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 229 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 230 230 231 231 #include <linux/netfilter/nfnetlink.h> 232 232 #include <linux/netfilter/nfnetlink_conntrack.h> ··· 408 408 .error = icmp_error, 409 409 .destroy = NULL, 410 410 .me = NULL, 411 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 411 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 412 412 .tuple_to_nlattr = icmp_tuple_to_nlattr, 413 413 .nlattr_tuple_size = icmp_nlattr_tuple_size, 414 414 .nlattr_to_tuple = icmp_nlattr_to_tuple,

+4 -4

net/ipv4/netfilter/nf_defrag_ipv4.c

··· 17 17 #include <linux/netfilter_bridge.h> 18 18 #include <linux/netfilter_ipv4.h> 19 19 #include <net/netfilter/ipv4/nf_defrag_ipv4.h> 20 - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 20 + #if IS_ENABLED(CONFIG_NF_CONNTRACK) 21 21 #include <net/netfilter/nf_conntrack.h> 22 22 #endif 23 23 #include <net/netfilter/nf_conntrack_zones.h> ··· 45 45 { 46 46 u16 zone = NF_CT_DEFAULT_ZONE; 47 47 48 - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 48 + #if IS_ENABLED(CONFIG_NF_CONNTRACK) 49 49 if (skb->nfct) 50 50 zone = nf_ct_zone((struct nf_conn *)skb->nfct); 51 51 #endif ··· 74 74 inet->nodefrag) 75 75 return NF_ACCEPT; 76 76 77 - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 78 - #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE) 77 + #if IS_ENABLED(CONFIG_NF_CONNTRACK) 78 + #if !IS_ENABLED(CONFIG_NF_NAT) 79 79 /* Previously seen (loopback)? Ignore. Do this before 80 80 fragment check. */ 81 81 if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))

+149

net/ipv4/netfilter/nf_log_arp.c

··· 1 + /* 2 + * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org> 3 + * 4 + * Based on code from ebt_log from: 5 + * 6 + * Bart De Schuymer <bdschuym@pandora.be> 7 + * Harald Welte <laforge@netfilter.org> 8 + * 9 + * This program is free software; you can redistribute it and/or modify 10 + * it under the terms of the GNU General Public License version 2 as 11 + * published by the Free Software Foundation. 12 + */ 13 + 14 + #include <linux/module.h> 15 + #include <linux/spinlock.h> 16 + #include <linux/skbuff.h> 17 + #include <linux/if_arp.h> 18 + #include <linux/ip.h> 19 + #include <net/route.h> 20 + 21 + #include <linux/netfilter.h> 22 + #include <linux/netfilter/xt_LOG.h> 23 + #include <net/netfilter/nf_log.h> 24 + 25 + static struct nf_loginfo default_loginfo = { 26 + .type = NF_LOG_TYPE_LOG, 27 + .u = { 28 + .log = { 29 + .level = 5, 30 + .logflags = NF_LOG_MASK, 31 + }, 32 + }, 33 + }; 34 + 35 + struct arppayload { 36 + unsigned char mac_src[ETH_ALEN]; 37 + unsigned char ip_src[4]; 38 + unsigned char mac_dst[ETH_ALEN]; 39 + unsigned char ip_dst[4]; 40 + }; 41 + 42 + static void dump_arp_packet(struct nf_log_buf *m, 43 + const struct nf_loginfo *info, 44 + const struct sk_buff *skb, unsigned int nhoff) 45 + { 46 + const struct arphdr *ah; 47 + struct arphdr _arph; 48 + const struct arppayload *ap; 49 + struct arppayload _arpp; 50 + 51 + ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); 52 + if (ah == NULL) { 53 + nf_log_buf_add(m, "TRUNCATED"); 54 + return; 55 + } 56 + nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 57 + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 58 + 59 + /* If it's for Ethernet and the lengths are OK, then log the ARP 60 + * payload. 61 + */ 62 + if (ah->ar_hrd != htons(1) || 63 + ah->ar_hln != ETH_ALEN || 64 + ah->ar_pln != sizeof(__be32)) 65 + return; 66 + 67 + ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp); 68 + if (ap == NULL) { 69 + nf_log_buf_add(m, " INCOMPLETE [%Zu bytes]", 70 + skb->len - sizeof(_arph)); 71 + return; 72 + } 73 + nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 74 + ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 75 + } 76 + 77 + void nf_log_arp_packet(struct net *net, u_int8_t pf, 78 + unsigned int hooknum, const struct sk_buff *skb, 79 + const struct net_device *in, 80 + const struct net_device *out, 81 + const struct nf_loginfo *loginfo, 82 + const char *prefix) 83 + { 84 + struct nf_log_buf *m; 85 + 86 + /* FIXME: Disabled from containers until syslog ns is supported */ 87 + if (!net_eq(net, &init_net)) 88 + return; 89 + 90 + m = nf_log_buf_open(); 91 + 92 + if (!loginfo) 93 + loginfo = &default_loginfo; 94 + 95 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 96 + prefix); 97 + dump_arp_packet(m, loginfo, skb, 0); 98 + 99 + nf_log_buf_close(m); 100 + } 101 + 102 + static struct nf_logger nf_arp_logger __read_mostly = { 103 + .name = "nf_log_arp", 104 + .type = NF_LOG_TYPE_LOG, 105 + .logfn = nf_log_arp_packet, 106 + .me = THIS_MODULE, 107 + }; 108 + 109 + static int __net_init nf_log_arp_net_init(struct net *net) 110 + { 111 + nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 112 + return 0; 113 + } 114 + 115 + static void __net_exit nf_log_arp_net_exit(struct net *net) 116 + { 117 + nf_log_unset(net, &nf_arp_logger); 118 + } 119 + 120 + static struct pernet_operations nf_log_arp_net_ops = { 121 + .init = nf_log_arp_net_init, 122 + .exit = nf_log_arp_net_exit, 123 + }; 124 + 125 + static int __init nf_log_arp_init(void) 126 + { 127 + int ret; 128 + 129 + ret = register_pernet_subsys(&nf_log_arp_net_ops); 130 + if (ret < 0) 131 + return ret; 132 + 133 + nf_log_register(NFPROTO_ARP, &nf_arp_logger); 134 + return 0; 135 + } 136 + 137 + static void __exit nf_log_arp_exit(void) 138 + { 139 + unregister_pernet_subsys(&nf_log_arp_net_ops); 140 + nf_log_unregister(&nf_arp_logger); 141 + } 142 + 143 + module_init(nf_log_arp_init); 144 + module_exit(nf_log_arp_exit); 145 + 146 + MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 147 + MODULE_DESCRIPTION("Netfilter ARP packet logging"); 148 + MODULE_LICENSE("GPL"); 149 + MODULE_ALIAS_NF_LOGGER(3, 0);

+385

net/ipv4/netfilter/nf_log_ipv4.c

··· 1 + /* (C) 1999-2001 Paul `Rusty' Russell 2 + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 3 + * 4 + * This program is free software; you can redistribute it and/or modify 5 + * it under the terms of the GNU General Public License version 2 as 6 + * published by the Free Software Foundation. 7 + */ 8 + 9 + #include <linux/module.h> 10 + #include <linux/spinlock.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/if_arp.h> 13 + #include <linux/ip.h> 14 + #include <net/ipv6.h> 15 + #include <net/icmp.h> 16 + #include <net/udp.h> 17 + #include <net/tcp.h> 18 + #include <net/route.h> 19 + 20 + #include <linux/netfilter.h> 21 + #include <linux/netfilter/xt_LOG.h> 22 + #include <net/netfilter/nf_log.h> 23 + 24 + static struct nf_loginfo default_loginfo = { 25 + .type = NF_LOG_TYPE_LOG, 26 + .u = { 27 + .log = { 28 + .level = 5, 29 + .logflags = NF_LOG_MASK, 30 + }, 31 + }, 32 + }; 33 + 34 + /* One level of recursion won't kill us */ 35 + static void dump_ipv4_packet(struct nf_log_buf *m, 36 + const struct nf_loginfo *info, 37 + const struct sk_buff *skb, unsigned int iphoff) 38 + { 39 + struct iphdr _iph; 40 + const struct iphdr *ih; 41 + unsigned int logflags; 42 + 43 + if (info->type == NF_LOG_TYPE_LOG) 44 + logflags = info->u.log.logflags; 45 + else 46 + logflags = NF_LOG_MASK; 47 + 48 + ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 49 + if (ih == NULL) { 50 + nf_log_buf_add(m, "TRUNCATED"); 51 + return; 52 + } 53 + 54 + /* Important fields: 55 + * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 56 + /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 57 + nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 58 + 59 + /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 60 + nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 61 + ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 62 + ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 63 + 64 + /* Max length: 6 "CE DF MF " */ 65 + if (ntohs(ih->frag_off) & IP_CE) 66 + nf_log_buf_add(m, "CE "); 67 + if (ntohs(ih->frag_off) & IP_DF) 68 + nf_log_buf_add(m, "DF "); 69 + if (ntohs(ih->frag_off) & IP_MF) 70 + nf_log_buf_add(m, "MF "); 71 + 72 + /* Max length: 11 "FRAG:65535 " */ 73 + if (ntohs(ih->frag_off) & IP_OFFSET) 74 + nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 75 + 76 + if ((logflags & XT_LOG_IPOPT) && 77 + ih->ihl * 4 > sizeof(struct iphdr)) { 78 + const unsigned char *op; 79 + unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 80 + unsigned int i, optsize; 81 + 82 + optsize = ih->ihl * 4 - sizeof(struct iphdr); 83 + op = skb_header_pointer(skb, iphoff+sizeof(_iph), 84 + optsize, _opt); 85 + if (op == NULL) { 86 + nf_log_buf_add(m, "TRUNCATED"); 87 + return; 88 + } 89 + 90 + /* Max length: 127 "OPT (" 15*4*2chars ") " */ 91 + nf_log_buf_add(m, "OPT ("); 92 + for (i = 0; i < optsize; i++) 93 + nf_log_buf_add(m, "%02X", op[i]); 94 + nf_log_buf_add(m, ") "); 95 + } 96 + 97 + switch (ih->protocol) { 98 + case IPPROTO_TCP: 99 + if (nf_log_dump_tcp_header(m, skb, ih->protocol, 100 + ntohs(ih->frag_off) & IP_OFFSET, 101 + iphoff+ih->ihl*4, logflags)) 102 + return; 103 + break; 104 + case IPPROTO_UDP: 105 + case IPPROTO_UDPLITE: 106 + if (nf_log_dump_udp_header(m, skb, ih->protocol, 107 + ntohs(ih->frag_off) & IP_OFFSET, 108 + iphoff+ih->ihl*4)) 109 + return; 110 + break; 111 + case IPPROTO_ICMP: { 112 + struct icmphdr _icmph; 113 + const struct icmphdr *ich; 114 + static const size_t required_len[NR_ICMP_TYPES+1] 115 + = { [ICMP_ECHOREPLY] = 4, 116 + [ICMP_DEST_UNREACH] 117 + = 8 + sizeof(struct iphdr), 118 + [ICMP_SOURCE_QUENCH] 119 + = 8 + sizeof(struct iphdr), 120 + [ICMP_REDIRECT] 121 + = 8 + sizeof(struct iphdr), 122 + [ICMP_ECHO] = 4, 123 + [ICMP_TIME_EXCEEDED] 124 + = 8 + sizeof(struct iphdr), 125 + [ICMP_PARAMETERPROB] 126 + = 8 + sizeof(struct iphdr), 127 + [ICMP_TIMESTAMP] = 20, 128 + [ICMP_TIMESTAMPREPLY] = 20, 129 + [ICMP_ADDRESS] = 12, 130 + [ICMP_ADDRESSREPLY] = 12 }; 131 + 132 + /* Max length: 11 "PROTO=ICMP " */ 133 + nf_log_buf_add(m, "PROTO=ICMP "); 134 + 135 + if (ntohs(ih->frag_off) & IP_OFFSET) 136 + break; 137 + 138 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 139 + ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 140 + sizeof(_icmph), &_icmph); 141 + if (ich == NULL) { 142 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 143 + skb->len - iphoff - ih->ihl*4); 144 + break; 145 + } 146 + 147 + /* Max length: 18 "TYPE=255 CODE=255 " */ 148 + nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 149 + 150 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 151 + if (ich->type <= NR_ICMP_TYPES && 152 + required_len[ich->type] && 153 + skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 154 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 155 + skb->len - iphoff - ih->ihl*4); 156 + break; 157 + } 158 + 159 + switch (ich->type) { 160 + case ICMP_ECHOREPLY: 161 + case ICMP_ECHO: 162 + /* Max length: 19 "ID=65535 SEQ=65535 " */ 163 + nf_log_buf_add(m, "ID=%u SEQ=%u ", 164 + ntohs(ich->un.echo.id), 165 + ntohs(ich->un.echo.sequence)); 166 + break; 167 + 168 + case ICMP_PARAMETERPROB: 169 + /* Max length: 14 "PARAMETER=255 " */ 170 + nf_log_buf_add(m, "PARAMETER=%u ", 171 + ntohl(ich->un.gateway) >> 24); 172 + break; 173 + case ICMP_REDIRECT: 174 + /* Max length: 24 "GATEWAY=255.255.255.255 " */ 175 + nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 176 + /* Fall through */ 177 + case ICMP_DEST_UNREACH: 178 + case ICMP_SOURCE_QUENCH: 179 + case ICMP_TIME_EXCEEDED: 180 + /* Max length: 3+maxlen */ 181 + if (!iphoff) { /* Only recurse once. */ 182 + nf_log_buf_add(m, "["); 183 + dump_ipv4_packet(m, info, skb, 184 + iphoff + ih->ihl*4+sizeof(_icmph)); 185 + nf_log_buf_add(m, "] "); 186 + } 187 + 188 + /* Max length: 10 "MTU=65535 " */ 189 + if (ich->type == ICMP_DEST_UNREACH && 190 + ich->code == ICMP_FRAG_NEEDED) { 191 + nf_log_buf_add(m, "MTU=%u ", 192 + ntohs(ich->un.frag.mtu)); 193 + } 194 + } 195 + break; 196 + } 197 + /* Max Length */ 198 + case IPPROTO_AH: { 199 + struct ip_auth_hdr _ahdr; 200 + const struct ip_auth_hdr *ah; 201 + 202 + if (ntohs(ih->frag_off) & IP_OFFSET) 203 + break; 204 + 205 + /* Max length: 9 "PROTO=AH " */ 206 + nf_log_buf_add(m, "PROTO=AH "); 207 + 208 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 209 + ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 210 + sizeof(_ahdr), &_ahdr); 211 + if (ah == NULL) { 212 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 213 + skb->len - iphoff - ih->ihl*4); 214 + break; 215 + } 216 + 217 + /* Length: 15 "SPI=0xF1234567 " */ 218 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 219 + break; 220 + } 221 + case IPPROTO_ESP: { 222 + struct ip_esp_hdr _esph; 223 + const struct ip_esp_hdr *eh; 224 + 225 + /* Max length: 10 "PROTO=ESP " */ 226 + nf_log_buf_add(m, "PROTO=ESP "); 227 + 228 + if (ntohs(ih->frag_off) & IP_OFFSET) 229 + break; 230 + 231 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 232 + eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 233 + sizeof(_esph), &_esph); 234 + if (eh == NULL) { 235 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 236 + skb->len - iphoff - ih->ihl*4); 237 + break; 238 + } 239 + 240 + /* Length: 15 "SPI=0xF1234567 " */ 241 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 242 + break; 243 + } 244 + /* Max length: 10 "PROTO 255 " */ 245 + default: 246 + nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 247 + } 248 + 249 + /* Max length: 15 "UID=4294967295 " */ 250 + if ((logflags & XT_LOG_UID) && !iphoff) 251 + nf_log_dump_sk_uid_gid(m, skb->sk); 252 + 253 + /* Max length: 16 "MARK=0xFFFFFFFF " */ 254 + if (!iphoff && skb->mark) 255 + nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 256 + 257 + /* Proto Max log string length */ 258 + /* IP: 40+46+6+11+127 = 230 */ 259 + /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 260 + /* UDP: 10+max(25,20) = 35 */ 261 + /* UDPLITE: 14+max(25,20) = 39 */ 262 + /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 263 + /* ESP: 10+max(25)+15 = 50 */ 264 + /* AH: 9+max(25)+15 = 49 */ 265 + /* unknown: 10 */ 266 + 267 + /* (ICMP allows recursion one level deep) */ 268 + /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 269 + /* maxlen = 230+ 91 + 230 + 252 = 803 */ 270 + } 271 + 272 + static void dump_ipv4_mac_header(struct nf_log_buf *m, 273 + const struct nf_loginfo *info, 274 + const struct sk_buff *skb) 275 + { 276 + struct net_device *dev = skb->dev; 277 + unsigned int logflags = 0; 278 + 279 + if (info->type == NF_LOG_TYPE_LOG) 280 + logflags = info->u.log.logflags; 281 + 282 + if (!(logflags & XT_LOG_MACDECODE)) 283 + goto fallback; 284 + 285 + switch (dev->type) { 286 + case ARPHRD_ETHER: 287 + nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 288 + eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 289 + ntohs(eth_hdr(skb)->h_proto)); 290 + return; 291 + default: 292 + break; 293 + } 294 + 295 + fallback: 296 + nf_log_buf_add(m, "MAC="); 297 + if (dev->hard_header_len && 298 + skb->mac_header != skb->network_header) { 299 + const unsigned char *p = skb_mac_header(skb); 300 + unsigned int i; 301 + 302 + nf_log_buf_add(m, "%02x", *p++); 303 + for (i = 1; i < dev->hard_header_len; i++, p++) 304 + nf_log_buf_add(m, ":%02x", *p); 305 + } 306 + nf_log_buf_add(m, " "); 307 + } 308 + 309 + static void nf_log_ip_packet(struct net *net, u_int8_t pf, 310 + unsigned int hooknum, const struct sk_buff *skb, 311 + const struct net_device *in, 312 + const struct net_device *out, 313 + const struct nf_loginfo *loginfo, 314 + const char *prefix) 315 + { 316 + struct nf_log_buf *m; 317 + 318 + /* FIXME: Disabled from containers until syslog ns is supported */ 319 + if (!net_eq(net, &init_net)) 320 + return; 321 + 322 + m = nf_log_buf_open(); 323 + 324 + if (!loginfo) 325 + loginfo = &default_loginfo; 326 + 327 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, 328 + out, loginfo, prefix); 329 + 330 + if (in != NULL) 331 + dump_ipv4_mac_header(m, loginfo, skb); 332 + 333 + dump_ipv4_packet(m, loginfo, skb, 0); 334 + 335 + nf_log_buf_close(m); 336 + } 337 + 338 + static struct nf_logger nf_ip_logger __read_mostly = { 339 + .name = "nf_log_ipv4", 340 + .type = NF_LOG_TYPE_LOG, 341 + .logfn = nf_log_ip_packet, 342 + .me = THIS_MODULE, 343 + }; 344 + 345 + static int __net_init nf_log_ipv4_net_init(struct net *net) 346 + { 347 + nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 348 + return 0; 349 + } 350 + 351 + static void __net_exit nf_log_ipv4_net_exit(struct net *net) 352 + { 353 + nf_log_unset(net, &nf_ip_logger); 354 + } 355 + 356 + static struct pernet_operations nf_log_ipv4_net_ops = { 357 + .init = nf_log_ipv4_net_init, 358 + .exit = nf_log_ipv4_net_exit, 359 + }; 360 + 361 + static int __init nf_log_ipv4_init(void) 362 + { 363 + int ret; 364 + 365 + ret = register_pernet_subsys(&nf_log_ipv4_net_ops); 366 + if (ret < 0) 367 + return ret; 368 + 369 + nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 370 + return 0; 371 + } 372 + 373 + static void __exit nf_log_ipv4_exit(void) 374 + { 375 + unregister_pernet_subsys(&nf_log_ipv4_net_ops); 376 + nf_log_unregister(&nf_ip_logger); 377 + } 378 + 379 + module_init(nf_log_ipv4_init); 380 + module_exit(nf_log_ipv4_exit); 381 + 382 + MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 383 + MODULE_DESCRIPTION("Netfilter IPv4 packet logging"); 384 + MODULE_LICENSE("GPL"); 385 + MODULE_ALIAS_NF_LOGGER(AF_INET, 0);

+4

net/ipv4/netfilter/nf_nat_l3proto_ipv4.c

··· 154 154 htons(oldlen), htons(datalen), 1); 155 155 } 156 156 157 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 157 158 static int nf_nat_ipv4_nlattr_to_range(struct nlattr *tb[], 158 159 struct nf_nat_range *range) 159 160 { ··· 170 169 171 170 return 0; 172 171 } 172 + #endif 173 173 174 174 static const struct nf_nat_l3proto nf_nat_l3proto_ipv4 = { 175 175 .l3proto = NFPROTO_IPV4, ··· 179 177 .manip_pkt = nf_nat_ipv4_manip_pkt, 180 178 .csum_update = nf_nat_ipv4_csum_update, 181 179 .csum_recalc = nf_nat_ipv4_csum_recalc, 180 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 182 181 .nlattr_to_range = nf_nat_ipv4_nlattr_to_range, 182 + #endif 183 183 #ifdef CONFIG_XFRM 184 184 .decode_session = nf_nat_ipv4_decode_session, 185 185 #endif

+1 -1

net/ipv4/netfilter/nf_nat_proto_gre.c

··· 124 124 .manip_pkt = gre_manip_pkt, 125 125 .in_range = nf_nat_l4proto_in_range, 126 126 .unique_tuple = gre_unique_tuple, 127 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 127 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 128 128 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 129 129 #endif 130 130 };

+1 -1

net/ipv4/netfilter/nf_nat_proto_icmp.c

··· 77 77 .manip_pkt = icmp_manip_pkt, 78 78 .in_range = icmp_in_range, 79 79 .unique_tuple = icmp_unique_tuple, 80 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 80 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 81 81 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 82 82 #endif 83 83 };

+5

net/ipv6/netfilter/Kconfig

··· 55 55 default NFT_REJECT 56 56 tristate 57 57 58 + config NF_LOG_IPV6 59 + tristate "IPv6 packet logging" 60 + depends on NETFILTER_ADVANCED 61 + select NF_LOG_COMMON 62 + 58 63 config IP6_NF_IPTABLES 59 64 tristate "IP6 tables support (required for filtering)" 60 65 depends on INET && IPV6

+3

net/ipv6/netfilter/Makefile

··· 23 23 nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o 24 24 obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o 25 25 26 + # logging 27 + obj-$(CONFIG_NF_LOG_IPV6) += nf_log_ipv6.o 28 + 26 29 # nf_tables 27 30 obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o 28 31 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o

+417

net/ipv6/netfilter/nf_log_ipv6.c

··· 1 + /* (C) 1999-2001 Paul `Rusty' Russell 2 + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 3 + * 4 + * This program is free software; you can redistribute it and/or modify 5 + * it under the terms of the GNU General Public License version 2 as 6 + * published by the Free Software Foundation. 7 + */ 8 + 9 + #include <linux/module.h> 10 + #include <linux/spinlock.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/if_arp.h> 13 + #include <linux/ip.h> 14 + #include <net/ipv6.h> 15 + #include <net/icmp.h> 16 + #include <net/udp.h> 17 + #include <net/tcp.h> 18 + #include <net/route.h> 19 + 20 + #include <linux/netfilter.h> 21 + #include <linux/netfilter_ipv6/ip6_tables.h> 22 + #include <linux/netfilter/xt_LOG.h> 23 + #include <net/netfilter/nf_log.h> 24 + 25 + static struct nf_loginfo default_loginfo = { 26 + .type = NF_LOG_TYPE_LOG, 27 + .u = { 28 + .log = { 29 + .level = 5, 30 + .logflags = NF_LOG_MASK, 31 + }, 32 + }, 33 + }; 34 + 35 + /* One level of recursion won't kill us */ 36 + static void dump_ipv6_packet(struct nf_log_buf *m, 37 + const struct nf_loginfo *info, 38 + const struct sk_buff *skb, unsigned int ip6hoff, 39 + int recurse) 40 + { 41 + u_int8_t currenthdr; 42 + int fragment; 43 + struct ipv6hdr _ip6h; 44 + const struct ipv6hdr *ih; 45 + unsigned int ptr; 46 + unsigned int hdrlen = 0; 47 + unsigned int logflags; 48 + 49 + if (info->type == NF_LOG_TYPE_LOG) 50 + logflags = info->u.log.logflags; 51 + else 52 + logflags = NF_LOG_MASK; 53 + 54 + ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 55 + if (ih == NULL) { 56 + nf_log_buf_add(m, "TRUNCATED"); 57 + return; 58 + } 59 + 60 + /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 61 + nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 62 + 63 + /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 64 + nf_log_buf_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 65 + ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 66 + (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 67 + ih->hop_limit, 68 + (ntohl(*(__be32 *)ih) & 0x000fffff)); 69 + 70 + fragment = 0; 71 + ptr = ip6hoff + sizeof(struct ipv6hdr); 72 + currenthdr = ih->nexthdr; 73 + while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { 74 + struct ipv6_opt_hdr _hdr; 75 + const struct ipv6_opt_hdr *hp; 76 + 77 + hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 78 + if (hp == NULL) { 79 + nf_log_buf_add(m, "TRUNCATED"); 80 + return; 81 + } 82 + 83 + /* Max length: 48 "OPT (...) " */ 84 + if (logflags & XT_LOG_IPOPT) 85 + nf_log_buf_add(m, "OPT ( "); 86 + 87 + switch (currenthdr) { 88 + case IPPROTO_FRAGMENT: { 89 + struct frag_hdr _fhdr; 90 + const struct frag_hdr *fh; 91 + 92 + nf_log_buf_add(m, "FRAG:"); 93 + fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 94 + &_fhdr); 95 + if (fh == NULL) { 96 + nf_log_buf_add(m, "TRUNCATED "); 97 + return; 98 + } 99 + 100 + /* Max length: 6 "65535 " */ 101 + nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 102 + 103 + /* Max length: 11 "INCOMPLETE " */ 104 + if (fh->frag_off & htons(0x0001)) 105 + nf_log_buf_add(m, "INCOMPLETE "); 106 + 107 + nf_log_buf_add(m, "ID:%08x ", 108 + ntohl(fh->identification)); 109 + 110 + if (ntohs(fh->frag_off) & 0xFFF8) 111 + fragment = 1; 112 + 113 + hdrlen = 8; 114 + 115 + break; 116 + } 117 + case IPPROTO_DSTOPTS: 118 + case IPPROTO_ROUTING: 119 + case IPPROTO_HOPOPTS: 120 + if (fragment) { 121 + if (logflags & XT_LOG_IPOPT) 122 + nf_log_buf_add(m, ")"); 123 + return; 124 + } 125 + hdrlen = ipv6_optlen(hp); 126 + break; 127 + /* Max Length */ 128 + case IPPROTO_AH: 129 + if (logflags & XT_LOG_IPOPT) { 130 + struct ip_auth_hdr _ahdr; 131 + const struct ip_auth_hdr *ah; 132 + 133 + /* Max length: 3 "AH " */ 134 + nf_log_buf_add(m, "AH "); 135 + 136 + if (fragment) { 137 + nf_log_buf_add(m, ")"); 138 + return; 139 + } 140 + 141 + ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 142 + &_ahdr); 143 + if (ah == NULL) { 144 + /* 145 + * Max length: 26 "INCOMPLETE [65535 146 + * bytes] )" 147 + */ 148 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 149 + skb->len - ptr); 150 + return; 151 + } 152 + 153 + /* Length: 15 "SPI=0xF1234567 */ 154 + nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 155 + 156 + } 157 + 158 + hdrlen = (hp->hdrlen+2)<<2; 159 + break; 160 + case IPPROTO_ESP: 161 + if (logflags & XT_LOG_IPOPT) { 162 + struct ip_esp_hdr _esph; 163 + const struct ip_esp_hdr *eh; 164 + 165 + /* Max length: 4 "ESP " */ 166 + nf_log_buf_add(m, "ESP "); 167 + 168 + if (fragment) { 169 + nf_log_buf_add(m, ")"); 170 + return; 171 + } 172 + 173 + /* 174 + * Max length: 26 "INCOMPLETE [65535 bytes] )" 175 + */ 176 + eh = skb_header_pointer(skb, ptr, sizeof(_esph), 177 + &_esph); 178 + if (eh == NULL) { 179 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 180 + skb->len - ptr); 181 + return; 182 + } 183 + 184 + /* Length: 16 "SPI=0xF1234567 )" */ 185 + nf_log_buf_add(m, "SPI=0x%x )", 186 + ntohl(eh->spi)); 187 + } 188 + return; 189 + default: 190 + /* Max length: 20 "Unknown Ext Hdr 255" */ 191 + nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 192 + return; 193 + } 194 + if (logflags & XT_LOG_IPOPT) 195 + nf_log_buf_add(m, ") "); 196 + 197 + currenthdr = hp->nexthdr; 198 + ptr += hdrlen; 199 + } 200 + 201 + switch (currenthdr) { 202 + case IPPROTO_TCP: 203 + if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 204 + ptr, logflags)) 205 + return; 206 + break; 207 + case IPPROTO_UDP: 208 + case IPPROTO_UDPLITE: 209 + if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 210 + return; 211 + break; 212 + case IPPROTO_ICMPV6: { 213 + struct icmp6hdr _icmp6h; 214 + const struct icmp6hdr *ic; 215 + 216 + /* Max length: 13 "PROTO=ICMPv6 " */ 217 + nf_log_buf_add(m, "PROTO=ICMPv6 "); 218 + 219 + if (fragment) 220 + break; 221 + 222 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 223 + ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 224 + if (ic == NULL) { 225 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 226 + skb->len - ptr); 227 + return; 228 + } 229 + 230 + /* Max length: 18 "TYPE=255 CODE=255 " */ 231 + nf_log_buf_add(m, "TYPE=%u CODE=%u ", 232 + ic->icmp6_type, ic->icmp6_code); 233 + 234 + switch (ic->icmp6_type) { 235 + case ICMPV6_ECHO_REQUEST: 236 + case ICMPV6_ECHO_REPLY: 237 + /* Max length: 19 "ID=65535 SEQ=65535 " */ 238 + nf_log_buf_add(m, "ID=%u SEQ=%u ", 239 + ntohs(ic->icmp6_identifier), 240 + ntohs(ic->icmp6_sequence)); 241 + break; 242 + case ICMPV6_MGM_QUERY: 243 + case ICMPV6_MGM_REPORT: 244 + case ICMPV6_MGM_REDUCTION: 245 + break; 246 + 247 + case ICMPV6_PARAMPROB: 248 + /* Max length: 17 "POINTER=ffffffff " */ 249 + nf_log_buf_add(m, "POINTER=%08x ", 250 + ntohl(ic->icmp6_pointer)); 251 + /* Fall through */ 252 + case ICMPV6_DEST_UNREACH: 253 + case ICMPV6_PKT_TOOBIG: 254 + case ICMPV6_TIME_EXCEED: 255 + /* Max length: 3+maxlen */ 256 + if (recurse) { 257 + nf_log_buf_add(m, "["); 258 + dump_ipv6_packet(m, info, skb, 259 + ptr + sizeof(_icmp6h), 0); 260 + nf_log_buf_add(m, "] "); 261 + } 262 + 263 + /* Max length: 10 "MTU=65535 " */ 264 + if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 265 + nf_log_buf_add(m, "MTU=%u ", 266 + ntohl(ic->icmp6_mtu)); 267 + } 268 + } 269 + break; 270 + } 271 + /* Max length: 10 "PROTO=255 " */ 272 + default: 273 + nf_log_buf_add(m, "PROTO=%u ", currenthdr); 274 + } 275 + 276 + /* Max length: 15 "UID=4294967295 " */ 277 + if ((logflags & XT_LOG_UID) && recurse) 278 + nf_log_dump_sk_uid_gid(m, skb->sk); 279 + 280 + /* Max length: 16 "MARK=0xFFFFFFFF " */ 281 + if (recurse && skb->mark) 282 + nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 283 + } 284 + 285 + static void dump_ipv6_mac_header(struct nf_log_buf *m, 286 + const struct nf_loginfo *info, 287 + const struct sk_buff *skb) 288 + { 289 + struct net_device *dev = skb->dev; 290 + unsigned int logflags = 0; 291 + 292 + if (info->type == NF_LOG_TYPE_LOG) 293 + logflags = info->u.log.logflags; 294 + 295 + if (!(logflags & XT_LOG_MACDECODE)) 296 + goto fallback; 297 + 298 + switch (dev->type) { 299 + case ARPHRD_ETHER: 300 + nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 301 + eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 302 + ntohs(eth_hdr(skb)->h_proto)); 303 + return; 304 + default: 305 + break; 306 + } 307 + 308 + fallback: 309 + nf_log_buf_add(m, "MAC="); 310 + if (dev->hard_header_len && 311 + skb->mac_header != skb->network_header) { 312 + const unsigned char *p = skb_mac_header(skb); 313 + unsigned int len = dev->hard_header_len; 314 + unsigned int i; 315 + 316 + if (dev->type == ARPHRD_SIT) { 317 + p -= ETH_HLEN; 318 + 319 + if (p < skb->head) 320 + p = NULL; 321 + } 322 + 323 + if (p != NULL) { 324 + nf_log_buf_add(m, "%02x", *p++); 325 + for (i = 1; i < len; i++) 326 + nf_log_buf_add(m, ":%02x", *p++); 327 + } 328 + nf_log_buf_add(m, " "); 329 + 330 + if (dev->type == ARPHRD_SIT) { 331 + const struct iphdr *iph = 332 + (struct iphdr *)skb_mac_header(skb); 333 + nf_log_buf_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 334 + &iph->daddr); 335 + } 336 + } else { 337 + nf_log_buf_add(m, " "); 338 + } 339 + } 340 + 341 + static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 342 + unsigned int hooknum, const struct sk_buff *skb, 343 + const struct net_device *in, 344 + const struct net_device *out, 345 + const struct nf_loginfo *loginfo, 346 + const char *prefix) 347 + { 348 + struct nf_log_buf *m; 349 + 350 + /* FIXME: Disabled from containers until syslog ns is supported */ 351 + if (!net_eq(net, &init_net)) 352 + return; 353 + 354 + m = nf_log_buf_open(); 355 + 356 + if (!loginfo) 357 + loginfo = &default_loginfo; 358 + 359 + nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 360 + loginfo, prefix); 361 + 362 + if (in != NULL) 363 + dump_ipv6_mac_header(m, loginfo, skb); 364 + 365 + dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1); 366 + 367 + nf_log_buf_close(m); 368 + } 369 + 370 + static struct nf_logger nf_ip6_logger __read_mostly = { 371 + .name = "nf_log_ipv6", 372 + .type = NF_LOG_TYPE_LOG, 373 + .logfn = nf_log_ip6_packet, 374 + .me = THIS_MODULE, 375 + }; 376 + 377 + static int __net_init nf_log_ipv6_net_init(struct net *net) 378 + { 379 + nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 380 + return 0; 381 + } 382 + 383 + static void __net_exit nf_log_ipv6_net_exit(struct net *net) 384 + { 385 + nf_log_unset(net, &nf_ip6_logger); 386 + } 387 + 388 + static struct pernet_operations nf_log_ipv6_net_ops = { 389 + .init = nf_log_ipv6_net_init, 390 + .exit = nf_log_ipv6_net_exit, 391 + }; 392 + 393 + static int __init nf_log_ipv6_init(void) 394 + { 395 + int ret; 396 + 397 + ret = register_pernet_subsys(&nf_log_ipv6_net_ops); 398 + if (ret < 0) 399 + return ret; 400 + 401 + nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 402 + return 0; 403 + } 404 + 405 + static void __exit nf_log_ipv6_exit(void) 406 + { 407 + unregister_pernet_subsys(&nf_log_ipv6_net_ops); 408 + nf_log_unregister(&nf_ip6_logger); 409 + } 410 + 411 + module_init(nf_log_ipv6_init); 412 + module_exit(nf_log_ipv6_exit); 413 + 414 + MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 415 + MODULE_DESCRIPTION("Netfilter IPv4 packet logging"); 416 + MODULE_LICENSE("GPL"); 417 + MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);

+4

net/ipv6/netfilter/nf_nat_l3proto_ipv6.c

··· 158 158 htons(oldlen), htons(datalen), 1); 159 159 } 160 160 161 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 161 162 static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[], 162 163 struct nf_nat_range *range) 163 164 { ··· 176 175 177 176 return 0; 178 177 } 178 + #endif 179 179 180 180 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6 = { 181 181 .l3proto = NFPROTO_IPV6, ··· 185 183 .manip_pkt = nf_nat_ipv6_manip_pkt, 186 184 .csum_update = nf_nat_ipv6_csum_update, 187 185 .csum_recalc = nf_nat_ipv6_csum_recalc, 186 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 188 187 .nlattr_to_range = nf_nat_ipv6_nlattr_to_range, 188 + #endif 189 189 #ifdef CONFIG_XFRM 190 190 .decode_session = nf_nat_ipv6_decode_session, 191 191 #endif

+4

net/netfilter/Kconfig

··· 46 46 47 47 To compile it as a module, choose M here. If unsure, say N. 48 48 49 + config NF_LOG_COMMON 50 + tristate 51 + 49 52 if NF_CONNTRACK 50 53 51 54 config NF_CONNTRACK_MARK ··· 747 744 748 745 config NETFILTER_XT_TARGET_LOG 749 746 tristate "LOG target support" 747 + depends on NF_LOG_IPV4 && NF_LOG_IPV6 750 748 default m if NETFILTER_ADVANCED=n 751 749 help 752 750 This option adds a `LOG' target, which allows you to create rules in

+3

net/netfilter/Makefile

··· 47 47 nf_nat-y := nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \ 48 48 nf_nat_proto_udp.o nf_nat_proto_tcp.o nf_nat_helper.o 49 49 50 + # generic transport layer logging 51 + obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o 52 + 50 53 obj-$(CONFIG_NF_NAT) += nf_nat.o 51 54 52 55 # NAT protocols (nf_nat)

-86

net/netfilter/ipvs/ip_vs_ctl.c

··· 1807 1807 .proc_handler = proc_dointvec, 1808 1808 }, 1809 1809 #endif 1810 - #if 0 1811 - { 1812 - .procname = "timeout_established", 1813 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED], 1814 - .maxlen = sizeof(int), 1815 - .mode = 0644, 1816 - .proc_handler = proc_dointvec_jiffies, 1817 - }, 1818 - { 1819 - .procname = "timeout_synsent", 1820 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT], 1821 - .maxlen = sizeof(int), 1822 - .mode = 0644, 1823 - .proc_handler = proc_dointvec_jiffies, 1824 - }, 1825 - { 1826 - .procname = "timeout_synrecv", 1827 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV], 1828 - .maxlen = sizeof(int), 1829 - .mode = 0644, 1830 - .proc_handler = proc_dointvec_jiffies, 1831 - }, 1832 - { 1833 - .procname = "timeout_finwait", 1834 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT], 1835 - .maxlen = sizeof(int), 1836 - .mode = 0644, 1837 - .proc_handler = proc_dointvec_jiffies, 1838 - }, 1839 - { 1840 - .procname = "timeout_timewait", 1841 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT], 1842 - .maxlen = sizeof(int), 1843 - .mode = 0644, 1844 - .proc_handler = proc_dointvec_jiffies, 1845 - }, 1846 - { 1847 - .procname = "timeout_close", 1848 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE], 1849 - .maxlen = sizeof(int), 1850 - .mode = 0644, 1851 - .proc_handler = proc_dointvec_jiffies, 1852 - }, 1853 - { 1854 - .procname = "timeout_closewait", 1855 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT], 1856 - .maxlen = sizeof(int), 1857 - .mode = 0644, 1858 - .proc_handler = proc_dointvec_jiffies, 1859 - }, 1860 - { 1861 - .procname = "timeout_lastack", 1862 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK], 1863 - .maxlen = sizeof(int), 1864 - .mode = 0644, 1865 - .proc_handler = proc_dointvec_jiffies, 1866 - }, 1867 - { 1868 - .procname = "timeout_listen", 1869 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN], 1870 - .maxlen = sizeof(int), 1871 - .mode = 0644, 1872 - .proc_handler = proc_dointvec_jiffies, 1873 - }, 1874 - { 1875 - .procname = "timeout_synack", 1876 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK], 1877 - .maxlen = sizeof(int), 1878 - .mode = 0644, 1879 - .proc_handler = proc_dointvec_jiffies, 1880 - }, 1881 - { 1882 - .procname = "timeout_udp", 1883 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_UDP], 1884 - .maxlen = sizeof(int), 1885 - .mode = 0644, 1886 - .proc_handler = proc_dointvec_jiffies, 1887 - }, 1888 - { 1889 - .procname = "timeout_icmp", 1890 - .data = &vs_timeout_table_dos.timeout[IP_VS_S_ICMP], 1891 - .maxlen = sizeof(int), 1892 - .mode = 0644, 1893 - .proc_handler = proc_dointvec_jiffies, 1894 - }, 1895 - #endif 1896 1810 { } 1897 1811 }; 1898 1812

+1 -2

net/netfilter/ipvs/ip_vs_sync.c

··· 886 886 cp = ip_vs_conn_new(param, daddr, dport, flags, dest, fwmark); 887 887 rcu_read_unlock(); 888 888 if (!cp) { 889 - if (param->pe_data) 890 - kfree(param->pe_data); 889 + kfree(param->pe_data); 891 890 IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); 892 891 return; 893 892 }

+9 -59

net/netfilter/nf_conntrack_core.c

··· 352 352 local_bh_enable(); 353 353 } 354 354 355 - static void death_by_event(unsigned long ul_conntrack) 356 - { 357 - struct nf_conn *ct = (void *)ul_conntrack; 358 - struct net *net = nf_ct_net(ct); 359 - struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct); 360 - 361 - BUG_ON(ecache == NULL); 362 - 363 - if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) { 364 - /* bad luck, let's retry again */ 365 - ecache->timeout.expires = jiffies + 366 - (prandom_u32() % net->ct.sysctl_events_retry_timeout); 367 - add_timer(&ecache->timeout); 368 - return; 369 - } 370 - /* we've got the event delivered, now it's dying */ 371 - set_bit(IPS_DYING_BIT, &ct->status); 372 - nf_ct_put(ct); 373 - } 374 - 375 - static void nf_ct_dying_timeout(struct nf_conn *ct) 376 - { 377 - struct net *net = nf_ct_net(ct); 378 - struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct); 379 - 380 - BUG_ON(ecache == NULL); 381 - 382 - /* set a new timer to retry event delivery */ 383 - setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct); 384 - ecache->timeout.expires = jiffies + 385 - (prandom_u32() % net->ct.sysctl_events_retry_timeout); 386 - add_timer(&ecache->timeout); 387 - } 388 - 389 355 bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report) 390 356 { 391 357 struct nf_conn_tstamp *tstamp; ··· 360 394 if (tstamp && tstamp->stop == 0) 361 395 tstamp->stop = ktime_to_ns(ktime_get_real()); 362 396 363 - if (!nf_ct_is_dying(ct) && 364 - unlikely(nf_conntrack_event_report(IPCT_DESTROY, ct, 365 - portid, report) < 0)) { 397 + if (nf_ct_is_dying(ct)) 398 + goto delete; 399 + 400 + if (nf_conntrack_event_report(IPCT_DESTROY, ct, 401 + portid, report) < 0) { 366 402 /* destroy event was not delivered */ 367 403 nf_ct_delete_from_lists(ct); 368 - nf_ct_dying_timeout(ct); 404 + nf_conntrack_ecache_delayed_work(nf_ct_net(ct)); 369 405 return false; 370 406 } 407 + 408 + nf_conntrack_ecache_work(nf_ct_net(ct)); 371 409 set_bit(IPS_DYING_BIT, &ct->status); 410 + delete: 372 411 nf_ct_delete_from_lists(ct); 373 412 nf_ct_put(ct); 374 413 return true; ··· 1435 1464 } 1436 1465 EXPORT_SYMBOL_GPL(nf_conntrack_flush_report); 1437 1466 1438 - static void nf_ct_release_dying_list(struct net *net) 1439 - { 1440 - struct nf_conntrack_tuple_hash *h; 1441 - struct nf_conn *ct; 1442 - struct hlist_nulls_node *n; 1443 - int cpu; 1444 - 1445 - for_each_possible_cpu(cpu) { 1446 - struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1447 - 1448 - spin_lock_bh(&pcpu->lock); 1449 - hlist_nulls_for_each_entry(h, n, &pcpu->dying, hnnode) { 1450 - ct = nf_ct_tuplehash_to_ctrack(h); 1451 - /* never fails to remove them, no listeners at this point */ 1452 - nf_ct_kill(ct); 1453 - } 1454 - spin_unlock_bh(&pcpu->lock); 1455 - } 1456 - } 1457 - 1458 1467 static int untrack_refs(void) 1459 1468 { 1460 1469 int cnt = 0, cpu; ··· 1499 1548 busy = 0; 1500 1549 list_for_each_entry(net, net_exit_list, exit_list) { 1501 1550 nf_ct_iterate_cleanup(net, kill_all, NULL, 0, 0); 1502 - nf_ct_release_dying_list(net); 1503 1551 if (atomic_read(&net->ct.count) != 0) 1504 1552 busy = 1; 1505 1553 }

+86 -10

net/netfilter/nf_conntrack_ecache.c

··· 29 29 30 30 static DEFINE_MUTEX(nf_ct_ecache_mutex); 31 31 32 + #define ECACHE_RETRY_WAIT (HZ/10) 33 + 34 + enum retry_state { 35 + STATE_CONGESTED, 36 + STATE_RESTART, 37 + STATE_DONE, 38 + }; 39 + 40 + static enum retry_state ecache_work_evict_list(struct ct_pcpu *pcpu) 41 + { 42 + struct nf_conn *refs[16]; 43 + struct nf_conntrack_tuple_hash *h; 44 + struct hlist_nulls_node *n; 45 + unsigned int evicted = 0; 46 + enum retry_state ret = STATE_DONE; 47 + 48 + spin_lock(&pcpu->lock); 49 + 50 + hlist_nulls_for_each_entry(h, n, &pcpu->dying, hnnode) { 51 + struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); 52 + 53 + if (nf_ct_is_dying(ct)) 54 + continue; 55 + 56 + if (nf_conntrack_event(IPCT_DESTROY, ct)) { 57 + ret = STATE_CONGESTED; 58 + break; 59 + } 60 + 61 + /* we've got the event delivered, now it's dying */ 62 + set_bit(IPS_DYING_BIT, &ct->status); 63 + refs[evicted] = ct; 64 + 65 + if (++evicted >= ARRAY_SIZE(refs)) { 66 + ret = STATE_RESTART; 67 + break; 68 + } 69 + } 70 + 71 + spin_unlock(&pcpu->lock); 72 + 73 + /* can't _put while holding lock */ 74 + while (evicted) 75 + nf_ct_put(refs[--evicted]); 76 + 77 + return ret; 78 + } 79 + 80 + static void ecache_work(struct work_struct *work) 81 + { 82 + struct netns_ct *ctnet = 83 + container_of(work, struct netns_ct, ecache_dwork.work); 84 + int cpu, delay = -1; 85 + struct ct_pcpu *pcpu; 86 + 87 + local_bh_disable(); 88 + 89 + for_each_possible_cpu(cpu) { 90 + enum retry_state ret; 91 + 92 + pcpu = per_cpu_ptr(ctnet->pcpu_lists, cpu); 93 + 94 + ret = ecache_work_evict_list(pcpu); 95 + 96 + switch (ret) { 97 + case STATE_CONGESTED: 98 + delay = ECACHE_RETRY_WAIT; 99 + goto out; 100 + case STATE_RESTART: 101 + delay = 0; 102 + break; 103 + case STATE_DONE: 104 + break; 105 + } 106 + } 107 + 108 + out: 109 + local_bh_enable(); 110 + 111 + ctnet->ecache_dwork_pending = delay > 0; 112 + if (delay >= 0) 113 + schedule_delayed_work(&ctnet->ecache_dwork, delay); 114 + } 115 + 32 116 /* deliver cached events and clear cache entry - must be called with locally 33 117 * disabled softirqs */ 34 118 void nf_ct_deliver_cached_events(struct nf_conn *ct) ··· 241 157 242 158 #define NF_CT_EVENTS_DEFAULT 1 243 159 static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT; 244 - static int nf_ct_events_retry_timeout __read_mostly = 15*HZ; 245 160 246 161 #ifdef CONFIG_SYSCTL 247 162 static struct ctl_table event_sysctl_table[] = { ··· 250 167 .maxlen = sizeof(unsigned int), 251 168 .mode = 0644, 252 169 .proc_handler = proc_dointvec, 253 - }, 254 - { 255 - .procname = "nf_conntrack_events_retry_timeout", 256 - .data = &init_net.ct.sysctl_events_retry_timeout, 257 - .maxlen = sizeof(unsigned int), 258 - .mode = 0644, 259 - .proc_handler = proc_dointvec_jiffies, 260 170 }, 261 171 {} 262 172 }; ··· 272 196 goto out; 273 197 274 198 table[0].data = &net->ct.sysctl_events; 275 - table[1].data = &net->ct.sysctl_events_retry_timeout; 276 199 277 200 /* Don't export sysctls to unprivileged users */ 278 201 if (net->user_ns != &init_user_ns) ··· 313 238 int nf_conntrack_ecache_pernet_init(struct net *net) 314 239 { 315 240 net->ct.sysctl_events = nf_ct_events; 316 - net->ct.sysctl_events_retry_timeout = nf_ct_events_retry_timeout; 241 + INIT_DELAYED_WORK(&net->ct.ecache_dwork, ecache_work); 317 242 return nf_conntrack_event_init_sysctl(net); 318 243 } 319 244 320 245 void nf_conntrack_ecache_pernet_fini(struct net *net) 321 246 { 247 + cancel_delayed_work_sync(&net->ct.ecache_dwork); 322 248 nf_conntrack_event_fini_sysctl(net); 323 249 } 324 250

+1 -2

net/netfilter/nf_conntrack_netlink.c

··· 745 745 { 746 746 if (cb->args[1]) 747 747 nf_ct_put((struct nf_conn *)cb->args[1]); 748 - if (cb->data) 749 - kfree(cb->data); 748 + kfree(cb->data); 750 749 return 0; 751 750 } 752 751

+128 -27

net/netfilter/nf_log.c

··· 16 16 #define NF_LOG_PREFIXLEN 128 17 17 #define NFLOGGER_NAME_LEN 64 18 18 19 - static struct list_head nf_loggers_l[NFPROTO_NUMPROTO] __read_mostly; 19 + static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly; 20 20 static DEFINE_MUTEX(nf_log_mutex); 21 21 22 22 static struct nf_logger *__find_logger(int pf, const char *str_logger) 23 23 { 24 - struct nf_logger *t; 24 + struct nf_logger *log; 25 + int i; 25 26 26 - list_for_each_entry(t, &nf_loggers_l[pf], list[pf]) { 27 - if (!strnicmp(str_logger, t->name, strlen(t->name))) 28 - return t; 27 + for (i = 0; i < NF_LOG_TYPE_MAX; i++) { 28 + if (loggers[pf][i] == NULL) 29 + continue; 30 + 31 + log = rcu_dereference_protected(loggers[pf][i], 32 + lockdep_is_held(&nf_log_mutex)); 33 + if (!strnicmp(str_logger, log->name, strlen(log->name))) 34 + return log; 29 35 } 30 36 31 37 return NULL; ··· 79 73 if (pf >= ARRAY_SIZE(init_net.nf.nf_loggers)) 80 74 return -EINVAL; 81 75 82 - for (i = 0; i < ARRAY_SIZE(logger->list); i++) 83 - INIT_LIST_HEAD(&logger->list[i]); 84 - 85 76 mutex_lock(&nf_log_mutex); 86 77 87 78 if (pf == NFPROTO_UNSPEC) { 88 79 for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) 89 - list_add_tail(&(logger->list[i]), &(nf_loggers_l[i])); 80 + rcu_assign_pointer(loggers[i][logger->type], logger); 90 81 } else { 91 82 /* register at end of list to honor first register win */ 92 - list_add_tail(&logger->list[pf], &nf_loggers_l[pf]); 83 + rcu_assign_pointer(loggers[pf][logger->type], logger); 93 84 } 94 85 95 86 mutex_unlock(&nf_log_mutex); ··· 101 98 102 99 mutex_lock(&nf_log_mutex); 103 100 for (i = 0; i < NFPROTO_NUMPROTO; i++) 104 - list_del(&logger->list[i]); 101 + RCU_INIT_POINTER(loggers[i][logger->type], NULL); 105 102 mutex_unlock(&nf_log_mutex); 106 103 } 107 104 EXPORT_SYMBOL(nf_log_unregister); ··· 132 129 } 133 130 EXPORT_SYMBOL(nf_log_unbind_pf); 134 131 132 + void nf_logger_request_module(int pf, enum nf_log_type type) 133 + { 134 + if (loggers[pf][type] == NULL) 135 + request_module("nf-logger-%u-%u", pf, type); 136 + } 137 + EXPORT_SYMBOL_GPL(nf_logger_request_module); 138 + 139 + int nf_logger_find_get(int pf, enum nf_log_type type) 140 + { 141 + struct nf_logger *logger; 142 + int ret = -ENOENT; 143 + 144 + logger = loggers[pf][type]; 145 + if (logger == NULL) 146 + request_module("nf-logger-%u-%u", pf, type); 147 + 148 + rcu_read_lock(); 149 + logger = rcu_dereference(loggers[pf][type]); 150 + if (logger == NULL) 151 + goto out; 152 + 153 + if (logger && try_module_get(logger->me)) 154 + ret = 0; 155 + out: 156 + rcu_read_unlock(); 157 + return ret; 158 + } 159 + EXPORT_SYMBOL_GPL(nf_logger_find_get); 160 + 161 + void nf_logger_put(int pf, enum nf_log_type type) 162 + { 163 + struct nf_logger *logger; 164 + 165 + BUG_ON(loggers[pf][type] == NULL); 166 + 167 + rcu_read_lock(); 168 + logger = rcu_dereference(loggers[pf][type]); 169 + module_put(logger->me); 170 + rcu_read_unlock(); 171 + } 172 + EXPORT_SYMBOL_GPL(nf_logger_put); 173 + 135 174 void nf_log_packet(struct net *net, 136 175 u_int8_t pf, 137 176 unsigned int hooknum, ··· 188 143 const struct nf_logger *logger; 189 144 190 145 rcu_read_lock(); 191 - logger = rcu_dereference(net->nf.nf_loggers[pf]); 146 + if (loginfo != NULL) 147 + logger = rcu_dereference(loggers[pf][loginfo->type]); 148 + else 149 + logger = rcu_dereference(net->nf.nf_loggers[pf]); 150 + 192 151 if (logger) { 193 152 va_start(args, fmt); 194 153 vsnprintf(prefix, sizeof(prefix), fmt, args); ··· 202 153 rcu_read_unlock(); 203 154 } 204 155 EXPORT_SYMBOL(nf_log_packet); 156 + 157 + #define S_SIZE (1024 - (sizeof(unsigned int) + 1)) 158 + 159 + struct nf_log_buf { 160 + unsigned int count; 161 + char buf[S_SIZE + 1]; 162 + }; 163 + static struct nf_log_buf emergency, *emergency_ptr = &emergency; 164 + 165 + __printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...) 166 + { 167 + va_list args; 168 + int len; 169 + 170 + if (likely(m->count < S_SIZE)) { 171 + va_start(args, f); 172 + len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args); 173 + va_end(args); 174 + if (likely(m->count + len < S_SIZE)) { 175 + m->count += len; 176 + return 0; 177 + } 178 + } 179 + m->count = S_SIZE; 180 + printk_once(KERN_ERR KBUILD_MODNAME " please increase S_SIZE\n"); 181 + return -1; 182 + } 183 + EXPORT_SYMBOL_GPL(nf_log_buf_add); 184 + 185 + struct nf_log_buf *nf_log_buf_open(void) 186 + { 187 + struct nf_log_buf *m = kmalloc(sizeof(*m), GFP_ATOMIC); 188 + 189 + if (unlikely(!m)) { 190 + local_bh_disable(); 191 + do { 192 + m = xchg(&emergency_ptr, NULL); 193 + } while (!m); 194 + } 195 + m->count = 0; 196 + return m; 197 + } 198 + EXPORT_SYMBOL_GPL(nf_log_buf_open); 199 + 200 + void nf_log_buf_close(struct nf_log_buf *m) 201 + { 202 + m->buf[m->count] = 0; 203 + printk("%s\n", m->buf); 204 + 205 + if (likely(m != &emergency)) 206 + kfree(m); 207 + else { 208 + emergency_ptr = m; 209 + local_bh_enable(); 210 + } 211 + } 212 + EXPORT_SYMBOL_GPL(nf_log_buf_close); 205 213 206 214 #ifdef CONFIG_PROC_FS 207 215 static void *seq_start(struct seq_file *seq, loff_t *pos) ··· 294 188 { 295 189 loff_t *pos = v; 296 190 const struct nf_logger *logger; 297 - struct nf_logger *t; 298 - int ret; 191 + int i, ret; 299 192 struct net *net = seq_file_net(s); 300 193 301 194 logger = rcu_dereference_protected(net->nf.nf_loggers[*pos], ··· 308 203 if (ret < 0) 309 204 return ret; 310 205 311 - list_for_each_entry(t, &nf_loggers_l[*pos], list[*pos]) { 312 - ret = seq_printf(s, "%s", t->name); 206 + for (i = 0; i < NF_LOG_TYPE_MAX; i++) { 207 + if (loggers[*pos][i] == NULL) 208 + continue; 209 + 210 + logger = rcu_dereference_protected(loggers[*pos][i], 211 + lockdep_is_held(&nf_log_mutex)); 212 + ret = seq_printf(s, "%s", logger->name); 313 213 if (ret < 0) 314 214 return ret; 315 - if (&t->list[*pos] != nf_loggers_l[*pos].prev) { 215 + if (i == 0 && loggers[*pos][i + 1] != NULL) { 316 216 ret = seq_printf(s, ","); 317 217 if (ret < 0) 318 218 return ret; ··· 499 389 500 390 int __init netfilter_log_init(void) 501 391 { 502 - int i, ret; 503 - 504 - ret = register_pernet_subsys(&nf_log_net_ops); 505 - if (ret < 0) 506 - return ret; 507 - 508 - for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) 509 - INIT_LIST_HEAD(&(nf_loggers_l[i])); 510 - 511 - return 0; 392 + return register_pernet_subsys(&nf_log_net_ops); 512 393 }

+187

net/netfilter/nf_log_common.c

··· 1 + /* (C) 1999-2001 Paul `Rusty' Russell 2 + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 3 + * 4 + * This program is free software; you can redistribute it and/or modify 5 + * it under the terms of the GNU General Public License version 2 as 6 + * published by the Free Software Foundation. 7 + */ 8 + 9 + #include <linux/module.h> 10 + #include <linux/spinlock.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/if_arp.h> 13 + #include <linux/ip.h> 14 + #include <net/icmp.h> 15 + #include <net/udp.h> 16 + #include <net/tcp.h> 17 + #include <net/route.h> 18 + 19 + #include <linux/netfilter.h> 20 + #include <linux/netfilter/xt_LOG.h> 21 + #include <net/netfilter/nf_log.h> 22 + 23 + int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 24 + u8 proto, int fragment, unsigned int offset) 25 + { 26 + struct udphdr _udph; 27 + const struct udphdr *uh; 28 + 29 + if (proto == IPPROTO_UDP) 30 + /* Max length: 10 "PROTO=UDP " */ 31 + nf_log_buf_add(m, "PROTO=UDP "); 32 + else /* Max length: 14 "PROTO=UDPLITE " */ 33 + nf_log_buf_add(m, "PROTO=UDPLITE "); 34 + 35 + if (fragment) 36 + goto out; 37 + 38 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 39 + uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 40 + if (uh == NULL) { 41 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 42 + 43 + return 1; 44 + } 45 + 46 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 47 + nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 48 + ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 49 + 50 + out: 51 + return 0; 52 + } 53 + EXPORT_SYMBOL_GPL(nf_log_dump_udp_header); 54 + 55 + int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 56 + u8 proto, int fragment, unsigned int offset, 57 + unsigned int logflags) 58 + { 59 + struct tcphdr _tcph; 60 + const struct tcphdr *th; 61 + 62 + /* Max length: 10 "PROTO=TCP " */ 63 + nf_log_buf_add(m, "PROTO=TCP "); 64 + 65 + if (fragment) 66 + return 0; 67 + 68 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 69 + th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 70 + if (th == NULL) { 71 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 72 + return 1; 73 + } 74 + 75 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 76 + nf_log_buf_add(m, "SPT=%u DPT=%u ", 77 + ntohs(th->source), ntohs(th->dest)); 78 + /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 79 + if (logflags & XT_LOG_TCPSEQ) { 80 + nf_log_buf_add(m, "SEQ=%u ACK=%u ", 81 + ntohl(th->seq), ntohl(th->ack_seq)); 82 + } 83 + 84 + /* Max length: 13 "WINDOW=65535 " */ 85 + nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 86 + /* Max length: 9 "RES=0x3C " */ 87 + nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 88 + TCP_RESERVED_BITS) >> 22)); 89 + /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 90 + if (th->cwr) 91 + nf_log_buf_add(m, "CWR "); 92 + if (th->ece) 93 + nf_log_buf_add(m, "ECE "); 94 + if (th->urg) 95 + nf_log_buf_add(m, "URG "); 96 + if (th->ack) 97 + nf_log_buf_add(m, "ACK "); 98 + if (th->psh) 99 + nf_log_buf_add(m, "PSH "); 100 + if (th->rst) 101 + nf_log_buf_add(m, "RST "); 102 + if (th->syn) 103 + nf_log_buf_add(m, "SYN "); 104 + if (th->fin) 105 + nf_log_buf_add(m, "FIN "); 106 + /* Max length: 11 "URGP=65535 " */ 107 + nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 108 + 109 + if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 110 + u_int8_t _opt[60 - sizeof(struct tcphdr)]; 111 + const u_int8_t *op; 112 + unsigned int i; 113 + unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 114 + 115 + op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 116 + optsize, _opt); 117 + if (op == NULL) { 118 + nf_log_buf_add(m, "OPT (TRUNCATED)"); 119 + return 1; 120 + } 121 + 122 + /* Max length: 127 "OPT (" 15*4*2chars ") " */ 123 + nf_log_buf_add(m, "OPT ("); 124 + for (i = 0; i < optsize; i++) 125 + nf_log_buf_add(m, "%02X", op[i]); 126 + 127 + nf_log_buf_add(m, ") "); 128 + } 129 + 130 + return 0; 131 + } 132 + EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header); 133 + 134 + void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk) 135 + { 136 + if (!sk || sk->sk_state == TCP_TIME_WAIT) 137 + return; 138 + 139 + read_lock_bh(&sk->sk_callback_lock); 140 + if (sk->sk_socket && sk->sk_socket->file) { 141 + const struct cred *cred = sk->sk_socket->file->f_cred; 142 + nf_log_buf_add(m, "UID=%u GID=%u ", 143 + from_kuid_munged(&init_user_ns, cred->fsuid), 144 + from_kgid_munged(&init_user_ns, cred->fsgid)); 145 + } 146 + read_unlock_bh(&sk->sk_callback_lock); 147 + } 148 + EXPORT_SYMBOL_GPL(nf_log_dump_sk_uid_gid); 149 + 150 + void 151 + nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 152 + unsigned int hooknum, const struct sk_buff *skb, 153 + const struct net_device *in, 154 + const struct net_device *out, 155 + const struct nf_loginfo *loginfo, const char *prefix) 156 + { 157 + nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 158 + '0' + loginfo->u.log.level, prefix, 159 + in ? in->name : "", 160 + out ? out->name : ""); 161 + #ifdef CONFIG_BRIDGE_NETFILTER 162 + if (skb->nf_bridge) { 163 + const struct net_device *physindev; 164 + const struct net_device *physoutdev; 165 + 166 + physindev = skb->nf_bridge->physindev; 167 + if (physindev && in != physindev) 168 + nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 169 + physoutdev = skb->nf_bridge->physoutdev; 170 + if (physoutdev && out != physoutdev) 171 + nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 172 + } 173 + #endif 174 + } 175 + EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); 176 + 177 + static int __init nf_log_common_init(void) 178 + { 179 + return 0; 180 + } 181 + 182 + static void __exit nf_log_common_exit(void) {} 183 + 184 + module_init(nf_log_common_init); 185 + module_exit(nf_log_common_exit); 186 + 187 + MODULE_LICENSE("GPL");

+1 -1

net/netfilter/nf_nat_core.c

··· 710 710 .flags = NF_CT_EXT_F_PREALLOC, 711 711 }; 712 712 713 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 713 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 714 714 715 715 #include <linux/netfilter/nfnetlink.h> 716 716 #include <linux/netfilter/nfnetlink_conntrack.h>

+1 -1

net/netfilter/nf_nat_proto_common.c

··· 95 95 } 96 96 EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple); 97 97 98 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 98 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 99 99 int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], 100 100 struct nf_nat_range *range) 101 101 {

+1 -1

net/netfilter/nf_nat_proto_dccp.c

··· 78 78 .manip_pkt = dccp_manip_pkt, 79 79 .in_range = nf_nat_l4proto_in_range, 80 80 .unique_tuple = dccp_unique_tuple, 81 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 81 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 82 82 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 83 83 #endif 84 84 };

+1 -1

net/netfilter/nf_nat_proto_sctp.c

··· 59 59 .manip_pkt = sctp_manip_pkt, 60 60 .in_range = nf_nat_l4proto_in_range, 61 61 .unique_tuple = sctp_unique_tuple, 62 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 62 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 63 63 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 64 64 #endif 65 65 };

+1 -1

net/netfilter/nf_nat_proto_tcp.c

··· 79 79 .manip_pkt = tcp_manip_pkt, 80 80 .in_range = nf_nat_l4proto_in_range, 81 81 .unique_tuple = tcp_unique_tuple, 82 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 82 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 83 83 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 84 84 #endif 85 85 };

+1 -1

net/netfilter/nf_nat_proto_udp.c

··· 70 70 .manip_pkt = udp_manip_pkt, 71 71 .in_range = nf_nat_l4proto_in_range, 72 72 .unique_tuple = udp_unique_tuple, 73 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 73 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 74 74 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 75 75 #endif 76 76 };

+1 -1

net/netfilter/nf_nat_proto_udplite.c

··· 69 69 .manip_pkt = udplite_manip_pkt, 70 70 .in_range = nf_nat_l4proto_in_range, 71 71 .unique_tuple = udplite_unique_tuple, 72 - #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 72 + #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 73 73 .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 74 74 #endif 75 75 };

+4

net/netfilter/nfnetlink_log.c

··· 773 773 774 774 static struct nf_logger nfulnl_logger __read_mostly = { 775 775 .name = "nfnetlink_log", 776 + .type = NF_LOG_TYPE_ULOG, 776 777 .logfn = &nfulnl_log_packet, 777 778 .me = THIS_MODULE, 778 779 }; ··· 1106 1105 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 1107 1106 MODULE_LICENSE("GPL"); 1108 1107 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG); 1108 + MODULE_ALIAS_NF_LOGGER(AF_INET, 1); 1109 + MODULE_ALIAS_NF_LOGGER(AF_INET6, 1); 1110 + MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 1); 1109 1111 1110 1112 module_init(nfnetlink_log_init); 1111 1113 module_exit(nfnetlink_log_fini);

+85 -21

net/netfilter/nft_log.c

··· 1 1 /* 2 2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net> 3 + * Copyright (c) 2012-2014 Pablo Neira Ayuso <pablo@netfilter.org> 3 4 * 4 5 * This program is free software; you can redistribute it and/or modify 5 6 * it under the terms of the GNU General Public License version 2 as ··· 42 41 [NFTA_LOG_PREFIX] = { .type = NLA_STRING }, 43 42 [NFTA_LOG_SNAPLEN] = { .type = NLA_U32 }, 44 43 [NFTA_LOG_QTHRESHOLD] = { .type = NLA_U16 }, 44 + [NFTA_LOG_LEVEL] = { .type = NLA_U32 }, 45 + [NFTA_LOG_FLAGS] = { .type = NLA_U32 }, 45 46 }; 46 47 47 48 static int nft_log_init(const struct nft_ctx *ctx, ··· 53 50 struct nft_log *priv = nft_expr_priv(expr); 54 51 struct nf_loginfo *li = &priv->loginfo; 55 52 const struct nlattr *nla; 53 + int ret; 56 54 57 55 nla = tb[NFTA_LOG_PREFIX]; 58 56 if (nla != NULL) { ··· 61 57 if (priv->prefix == NULL) 62 58 return -ENOMEM; 63 59 nla_strlcpy(priv->prefix, nla, nla_len(nla) + 1); 64 - } else 60 + } else { 65 61 priv->prefix = (char *)nft_log_null_prefix; 66 - 67 - li->type = NF_LOG_TYPE_ULOG; 68 - if (tb[NFTA_LOG_GROUP] != NULL) 69 - li->u.ulog.group = ntohs(nla_get_be16(tb[NFTA_LOG_GROUP])); 70 - 71 - if (tb[NFTA_LOG_SNAPLEN] != NULL) 72 - li->u.ulog.copy_len = ntohl(nla_get_be32(tb[NFTA_LOG_SNAPLEN])); 73 - if (tb[NFTA_LOG_QTHRESHOLD] != NULL) { 74 - li->u.ulog.qthreshold = 75 - ntohs(nla_get_be16(tb[NFTA_LOG_QTHRESHOLD])); 76 62 } 77 63 78 - return 0; 64 + li->type = NF_LOG_TYPE_LOG; 65 + if (tb[NFTA_LOG_LEVEL] != NULL && 66 + tb[NFTA_LOG_GROUP] != NULL) 67 + return -EINVAL; 68 + if (tb[NFTA_LOG_GROUP] != NULL) 69 + li->type = NF_LOG_TYPE_ULOG; 70 + 71 + switch (li->type) { 72 + case NF_LOG_TYPE_LOG: 73 + if (tb[NFTA_LOG_LEVEL] != NULL) { 74 + li->u.log.level = 75 + ntohl(nla_get_be32(tb[NFTA_LOG_LEVEL])); 76 + } else { 77 + li->u.log.level = 4; 78 + } 79 + if (tb[NFTA_LOG_FLAGS] != NULL) { 80 + li->u.log.logflags = 81 + ntohl(nla_get_be32(tb[NFTA_LOG_FLAGS])); 82 + } 83 + break; 84 + case NF_LOG_TYPE_ULOG: 85 + li->u.ulog.group = ntohs(nla_get_be16(tb[NFTA_LOG_GROUP])); 86 + if (tb[NFTA_LOG_SNAPLEN] != NULL) { 87 + li->u.ulog.copy_len = 88 + ntohl(nla_get_be32(tb[NFTA_LOG_SNAPLEN])); 89 + } 90 + if (tb[NFTA_LOG_QTHRESHOLD] != NULL) { 91 + li->u.ulog.qthreshold = 92 + ntohs(nla_get_be16(tb[NFTA_LOG_QTHRESHOLD])); 93 + } 94 + break; 95 + } 96 + 97 + if (ctx->afi->family == NFPROTO_INET) { 98 + ret = nf_logger_find_get(NFPROTO_IPV4, li->type); 99 + if (ret < 0) 100 + return ret; 101 + 102 + ret = nf_logger_find_get(NFPROTO_IPV6, li->type); 103 + if (ret < 0) { 104 + nf_logger_put(NFPROTO_IPV4, li->type); 105 + return ret; 106 + } 107 + return 0; 108 + } 109 + 110 + return nf_logger_find_get(ctx->afi->family, li->type); 79 111 } 80 112 81 113 static void nft_log_destroy(const struct nft_ctx *ctx, 82 114 const struct nft_expr *expr) 83 115 { 84 116 struct nft_log *priv = nft_expr_priv(expr); 117 + struct nf_loginfo *li = &priv->loginfo; 85 118 86 119 if (priv->prefix != nft_log_null_prefix) 87 120 kfree(priv->prefix); 121 + 122 + if (ctx->afi->family == NFPROTO_INET) { 123 + nf_logger_put(NFPROTO_IPV4, li->type); 124 + nf_logger_put(NFPROTO_IPV6, li->type); 125 + } else { 126 + nf_logger_put(ctx->afi->family, li->type); 127 + } 88 128 } 89 129 90 130 static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr) ··· 139 91 if (priv->prefix != nft_log_null_prefix) 140 92 if (nla_put_string(skb, NFTA_LOG_PREFIX, priv->prefix)) 141 93 goto nla_put_failure; 142 - if (li->u.ulog.group) 94 + switch (li->type) { 95 + case NF_LOG_TYPE_LOG: 96 + if (nla_put_be32(skb, NFTA_LOG_LEVEL, htonl(li->u.log.level))) 97 + goto nla_put_failure; 98 + 99 + if (li->u.log.logflags) { 100 + if (nla_put_be32(skb, NFTA_LOG_FLAGS, 101 + htonl(li->u.log.logflags))) 102 + goto nla_put_failure; 103 + } 104 + break; 105 + case NF_LOG_TYPE_ULOG: 143 106 if (nla_put_be16(skb, NFTA_LOG_GROUP, htons(li->u.ulog.group))) 144 107 goto nla_put_failure; 145 - if (li->u.ulog.copy_len) 146 - if (nla_put_be32(skb, NFTA_LOG_SNAPLEN, 147 - htonl(li->u.ulog.copy_len))) 148 - goto nla_put_failure; 149 - if (li->u.ulog.qthreshold) 150 - if (nla_put_be16(skb, NFTA_LOG_QTHRESHOLD, 151 - htons(li->u.ulog.qthreshold))) 152 - goto nla_put_failure; 108 + 109 + if (li->u.ulog.copy_len) { 110 + if (nla_put_be32(skb, NFTA_LOG_SNAPLEN, 111 + htonl(li->u.ulog.copy_len))) 112 + goto nla_put_failure; 113 + } 114 + if (li->u.ulog.qthreshold) { 115 + if (nla_put_be16(skb, NFTA_LOG_QTHRESHOLD, 116 + htons(li->u.ulog.qthreshold))) 117 + goto nla_put_failure; 118 + } 119 + break; 120 + } 153 121 return 0; 154 122 155 123 nla_put_failure:

+5 -18

net/netfilter/x_tables.c

··· 711 711 { 712 712 int cpu; 713 713 714 - for_each_possible_cpu(cpu) { 715 - if (info->size <= PAGE_SIZE) 716 - kfree(info->entries[cpu]); 717 - else 718 - vfree(info->entries[cpu]); 719 - } 714 + for_each_possible_cpu(cpu) 715 + kvfree(info->entries[cpu]); 720 716 721 717 if (info->jumpstack != NULL) { 722 - if (sizeof(void *) * info->stacksize > PAGE_SIZE) { 723 - for_each_possible_cpu(cpu) 724 - vfree(info->jumpstack[cpu]); 725 - } else { 726 - for_each_possible_cpu(cpu) 727 - kfree(info->jumpstack[cpu]); 728 - } 718 + for_each_possible_cpu(cpu) 719 + kvfree(info->jumpstack[cpu]); 720 + kvfree(info->jumpstack); 729 721 } 730 - 731 - if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE) 732 - vfree(info->jumpstack); 733 - else 734 - kfree(info->jumpstack); 735 722 736 723 free_percpu(info->stackptr); 737 724

+11 -873

net/netfilter/xt_LOG.c

··· 27 27 #include <linux/netfilter/xt_LOG.h> 28 28 #include <linux/netfilter_ipv6/ip6_tables.h> 29 29 #include <net/netfilter/nf_log.h> 30 - #include <net/netfilter/xt_log.h> 31 - 32 - static struct nf_loginfo default_loginfo = { 33 - .type = NF_LOG_TYPE_LOG, 34 - .u = { 35 - .log = { 36 - .level = 5, 37 - .logflags = NF_LOG_MASK, 38 - }, 39 - }, 40 - }; 41 - 42 - static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb, 43 - u8 proto, int fragment, unsigned int offset) 44 - { 45 - struct udphdr _udph; 46 - const struct udphdr *uh; 47 - 48 - if (proto == IPPROTO_UDP) 49 - /* Max length: 10 "PROTO=UDP " */ 50 - sb_add(m, "PROTO=UDP "); 51 - else /* Max length: 14 "PROTO=UDPLITE " */ 52 - sb_add(m, "PROTO=UDPLITE "); 53 - 54 - if (fragment) 55 - goto out; 56 - 57 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 58 - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 59 - if (uh == NULL) { 60 - sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 61 - 62 - return 1; 63 - } 64 - 65 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 66 - sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest), 67 - ntohs(uh->len)); 68 - 69 - out: 70 - return 0; 71 - } 72 - 73 - static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb, 74 - u8 proto, int fragment, unsigned int offset, 75 - unsigned int logflags) 76 - { 77 - struct tcphdr _tcph; 78 - const struct tcphdr *th; 79 - 80 - /* Max length: 10 "PROTO=TCP " */ 81 - sb_add(m, "PROTO=TCP "); 82 - 83 - if (fragment) 84 - return 0; 85 - 86 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 87 - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 88 - if (th == NULL) { 89 - sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 90 - return 1; 91 - } 92 - 93 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 94 - sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest)); 95 - /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 96 - if (logflags & XT_LOG_TCPSEQ) 97 - sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq)); 98 - 99 - /* Max length: 13 "WINDOW=65535 " */ 100 - sb_add(m, "WINDOW=%u ", ntohs(th->window)); 101 - /* Max length: 9 "RES=0x3C " */ 102 - sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 103 - TCP_RESERVED_BITS) >> 22)); 104 - /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 105 - if (th->cwr) 106 - sb_add(m, "CWR "); 107 - if (th->ece) 108 - sb_add(m, "ECE "); 109 - if (th->urg) 110 - sb_add(m, "URG "); 111 - if (th->ack) 112 - sb_add(m, "ACK "); 113 - if (th->psh) 114 - sb_add(m, "PSH "); 115 - if (th->rst) 116 - sb_add(m, "RST "); 117 - if (th->syn) 118 - sb_add(m, "SYN "); 119 - if (th->fin) 120 - sb_add(m, "FIN "); 121 - /* Max length: 11 "URGP=65535 " */ 122 - sb_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 123 - 124 - if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 125 - u_int8_t _opt[60 - sizeof(struct tcphdr)]; 126 - const u_int8_t *op; 127 - unsigned int i; 128 - unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 129 - 130 - op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 131 - optsize, _opt); 132 - if (op == NULL) { 133 - sb_add(m, "OPT (TRUNCATED)"); 134 - return 1; 135 - } 136 - 137 - /* Max length: 127 "OPT (" 15*4*2chars ") " */ 138 - sb_add(m, "OPT ("); 139 - for (i = 0; i < optsize; i++) 140 - sb_add(m, "%02X", op[i]); 141 - 142 - sb_add(m, ") "); 143 - } 144 - 145 - return 0; 146 - } 147 - 148 - static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk) 149 - { 150 - if (!sk || sk->sk_state == TCP_TIME_WAIT) 151 - return; 152 - 153 - read_lock_bh(&sk->sk_callback_lock); 154 - if (sk->sk_socket && sk->sk_socket->file) { 155 - const struct cred *cred = sk->sk_socket->file->f_cred; 156 - sb_add(m, "UID=%u GID=%u ", 157 - from_kuid_munged(&init_user_ns, cred->fsuid), 158 - from_kgid_munged(&init_user_ns, cred->fsgid)); 159 - } 160 - read_unlock_bh(&sk->sk_callback_lock); 161 - } 162 - 163 - /* One level of recursion won't kill us */ 164 - static void dump_ipv4_packet(struct sbuff *m, 165 - const struct nf_loginfo *info, 166 - const struct sk_buff *skb, 167 - unsigned int iphoff) 168 - { 169 - struct iphdr _iph; 170 - const struct iphdr *ih; 171 - unsigned int logflags; 172 - 173 - if (info->type == NF_LOG_TYPE_LOG) 174 - logflags = info->u.log.logflags; 175 - else 176 - logflags = NF_LOG_MASK; 177 - 178 - ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 179 - if (ih == NULL) { 180 - sb_add(m, "TRUNCATED"); 181 - return; 182 - } 183 - 184 - /* Important fields: 185 - * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 186 - /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 187 - sb_add(m, "SRC=%pI4 DST=%pI4 ", 188 - &ih->saddr, &ih->daddr); 189 - 190 - /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 191 - sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 192 - ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 193 - ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 194 - 195 - /* Max length: 6 "CE DF MF " */ 196 - if (ntohs(ih->frag_off) & IP_CE) 197 - sb_add(m, "CE "); 198 - if (ntohs(ih->frag_off) & IP_DF) 199 - sb_add(m, "DF "); 200 - if (ntohs(ih->frag_off) & IP_MF) 201 - sb_add(m, "MF "); 202 - 203 - /* Max length: 11 "FRAG:65535 " */ 204 - if (ntohs(ih->frag_off) & IP_OFFSET) 205 - sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 206 - 207 - if ((logflags & XT_LOG_IPOPT) && 208 - ih->ihl * 4 > sizeof(struct iphdr)) { 209 - const unsigned char *op; 210 - unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 211 - unsigned int i, optsize; 212 - 213 - optsize = ih->ihl * 4 - sizeof(struct iphdr); 214 - op = skb_header_pointer(skb, iphoff+sizeof(_iph), 215 - optsize, _opt); 216 - if (op == NULL) { 217 - sb_add(m, "TRUNCATED"); 218 - return; 219 - } 220 - 221 - /* Max length: 127 "OPT (" 15*4*2chars ") " */ 222 - sb_add(m, "OPT ("); 223 - for (i = 0; i < optsize; i++) 224 - sb_add(m, "%02X", op[i]); 225 - sb_add(m, ") "); 226 - } 227 - 228 - switch (ih->protocol) { 229 - case IPPROTO_TCP: 230 - if (dump_tcp_header(m, skb, ih->protocol, 231 - ntohs(ih->frag_off) & IP_OFFSET, 232 - iphoff+ih->ihl*4, logflags)) 233 - return; 234 - break; 235 - case IPPROTO_UDP: 236 - case IPPROTO_UDPLITE: 237 - if (dump_udp_header(m, skb, ih->protocol, 238 - ntohs(ih->frag_off) & IP_OFFSET, 239 - iphoff+ih->ihl*4)) 240 - return; 241 - break; 242 - case IPPROTO_ICMP: { 243 - struct icmphdr _icmph; 244 - const struct icmphdr *ich; 245 - static const size_t required_len[NR_ICMP_TYPES+1] 246 - = { [ICMP_ECHOREPLY] = 4, 247 - [ICMP_DEST_UNREACH] 248 - = 8 + sizeof(struct iphdr), 249 - [ICMP_SOURCE_QUENCH] 250 - = 8 + sizeof(struct iphdr), 251 - [ICMP_REDIRECT] 252 - = 8 + sizeof(struct iphdr), 253 - [ICMP_ECHO] = 4, 254 - [ICMP_TIME_EXCEEDED] 255 - = 8 + sizeof(struct iphdr), 256 - [ICMP_PARAMETERPROB] 257 - = 8 + sizeof(struct iphdr), 258 - [ICMP_TIMESTAMP] = 20, 259 - [ICMP_TIMESTAMPREPLY] = 20, 260 - [ICMP_ADDRESS] = 12, 261 - [ICMP_ADDRESSREPLY] = 12 }; 262 - 263 - /* Max length: 11 "PROTO=ICMP " */ 264 - sb_add(m, "PROTO=ICMP "); 265 - 266 - if (ntohs(ih->frag_off) & IP_OFFSET) 267 - break; 268 - 269 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 270 - ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 271 - sizeof(_icmph), &_icmph); 272 - if (ich == NULL) { 273 - sb_add(m, "INCOMPLETE [%u bytes] ", 274 - skb->len - iphoff - ih->ihl*4); 275 - break; 276 - } 277 - 278 - /* Max length: 18 "TYPE=255 CODE=255 " */ 279 - sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 280 - 281 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 282 - if (ich->type <= NR_ICMP_TYPES && 283 - required_len[ich->type] && 284 - skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 285 - sb_add(m, "INCOMPLETE [%u bytes] ", 286 - skb->len - iphoff - ih->ihl*4); 287 - break; 288 - } 289 - 290 - switch (ich->type) { 291 - case ICMP_ECHOREPLY: 292 - case ICMP_ECHO: 293 - /* Max length: 19 "ID=65535 SEQ=65535 " */ 294 - sb_add(m, "ID=%u SEQ=%u ", 295 - ntohs(ich->un.echo.id), 296 - ntohs(ich->un.echo.sequence)); 297 - break; 298 - 299 - case ICMP_PARAMETERPROB: 300 - /* Max length: 14 "PARAMETER=255 " */ 301 - sb_add(m, "PARAMETER=%u ", 302 - ntohl(ich->un.gateway) >> 24); 303 - break; 304 - case ICMP_REDIRECT: 305 - /* Max length: 24 "GATEWAY=255.255.255.255 " */ 306 - sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 307 - /* Fall through */ 308 - case ICMP_DEST_UNREACH: 309 - case ICMP_SOURCE_QUENCH: 310 - case ICMP_TIME_EXCEEDED: 311 - /* Max length: 3+maxlen */ 312 - if (!iphoff) { /* Only recurse once. */ 313 - sb_add(m, "["); 314 - dump_ipv4_packet(m, info, skb, 315 - iphoff + ih->ihl*4+sizeof(_icmph)); 316 - sb_add(m, "] "); 317 - } 318 - 319 - /* Max length: 10 "MTU=65535 " */ 320 - if (ich->type == ICMP_DEST_UNREACH && 321 - ich->code == ICMP_FRAG_NEEDED) 322 - sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu)); 323 - } 324 - break; 325 - } 326 - /* Max Length */ 327 - case IPPROTO_AH: { 328 - struct ip_auth_hdr _ahdr; 329 - const struct ip_auth_hdr *ah; 330 - 331 - if (ntohs(ih->frag_off) & IP_OFFSET) 332 - break; 333 - 334 - /* Max length: 9 "PROTO=AH " */ 335 - sb_add(m, "PROTO=AH "); 336 - 337 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 338 - ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 339 - sizeof(_ahdr), &_ahdr); 340 - if (ah == NULL) { 341 - sb_add(m, "INCOMPLETE [%u bytes] ", 342 - skb->len - iphoff - ih->ihl*4); 343 - break; 344 - } 345 - 346 - /* Length: 15 "SPI=0xF1234567 " */ 347 - sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 348 - break; 349 - } 350 - case IPPROTO_ESP: { 351 - struct ip_esp_hdr _esph; 352 - const struct ip_esp_hdr *eh; 353 - 354 - /* Max length: 10 "PROTO=ESP " */ 355 - sb_add(m, "PROTO=ESP "); 356 - 357 - if (ntohs(ih->frag_off) & IP_OFFSET) 358 - break; 359 - 360 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 361 - eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 362 - sizeof(_esph), &_esph); 363 - if (eh == NULL) { 364 - sb_add(m, "INCOMPLETE [%u bytes] ", 365 - skb->len - iphoff - ih->ihl*4); 366 - break; 367 - } 368 - 369 - /* Length: 15 "SPI=0xF1234567 " */ 370 - sb_add(m, "SPI=0x%x ", ntohl(eh->spi)); 371 - break; 372 - } 373 - /* Max length: 10 "PROTO 255 " */ 374 - default: 375 - sb_add(m, "PROTO=%u ", ih->protocol); 376 - } 377 - 378 - /* Max length: 15 "UID=4294967295 " */ 379 - if ((logflags & XT_LOG_UID) && !iphoff) 380 - dump_sk_uid_gid(m, skb->sk); 381 - 382 - /* Max length: 16 "MARK=0xFFFFFFFF " */ 383 - if (!iphoff && skb->mark) 384 - sb_add(m, "MARK=0x%x ", skb->mark); 385 - 386 - /* Proto Max log string length */ 387 - /* IP: 40+46+6+11+127 = 230 */ 388 - /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 389 - /* UDP: 10+max(25,20) = 35 */ 390 - /* UDPLITE: 14+max(25,20) = 39 */ 391 - /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 392 - /* ESP: 10+max(25)+15 = 50 */ 393 - /* AH: 9+max(25)+15 = 49 */ 394 - /* unknown: 10 */ 395 - 396 - /* (ICMP allows recursion one level deep) */ 397 - /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 398 - /* maxlen = 230+ 91 + 230 + 252 = 803 */ 399 - } 400 - 401 - static void dump_ipv4_mac_header(struct sbuff *m, 402 - const struct nf_loginfo *info, 403 - const struct sk_buff *skb) 404 - { 405 - struct net_device *dev = skb->dev; 406 - unsigned int logflags = 0; 407 - 408 - if (info->type == NF_LOG_TYPE_LOG) 409 - logflags = info->u.log.logflags; 410 - 411 - if (!(logflags & XT_LOG_MACDECODE)) 412 - goto fallback; 413 - 414 - switch (dev->type) { 415 - case ARPHRD_ETHER: 416 - sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 417 - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 418 - ntohs(eth_hdr(skb)->h_proto)); 419 - return; 420 - default: 421 - break; 422 - } 423 - 424 - fallback: 425 - sb_add(m, "MAC="); 426 - if (dev->hard_header_len && 427 - skb->mac_header != skb->network_header) { 428 - const unsigned char *p = skb_mac_header(skb); 429 - unsigned int i; 430 - 431 - sb_add(m, "%02x", *p++); 432 - for (i = 1; i < dev->hard_header_len; i++, p++) 433 - sb_add(m, ":%02x", *p); 434 - } 435 - sb_add(m, " "); 436 - } 437 - 438 - static void 439 - log_packet_common(struct sbuff *m, 440 - u_int8_t pf, 441 - unsigned int hooknum, 442 - const struct sk_buff *skb, 443 - const struct net_device *in, 444 - const struct net_device *out, 445 - const struct nf_loginfo *loginfo, 446 - const char *prefix) 447 - { 448 - sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 449 - '0' + loginfo->u.log.level, prefix, 450 - in ? in->name : "", 451 - out ? out->name : ""); 452 - #ifdef CONFIG_BRIDGE_NETFILTER 453 - if (skb->nf_bridge) { 454 - const struct net_device *physindev; 455 - const struct net_device *physoutdev; 456 - 457 - physindev = skb->nf_bridge->physindev; 458 - if (physindev && in != physindev) 459 - sb_add(m, "PHYSIN=%s ", physindev->name); 460 - physoutdev = skb->nf_bridge->physoutdev; 461 - if (physoutdev && out != physoutdev) 462 - sb_add(m, "PHYSOUT=%s ", physoutdev->name); 463 - } 464 - #endif 465 - } 466 - 467 - 468 - static void 469 - ipt_log_packet(struct net *net, 470 - u_int8_t pf, 471 - unsigned int hooknum, 472 - const struct sk_buff *skb, 473 - const struct net_device *in, 474 - const struct net_device *out, 475 - const struct nf_loginfo *loginfo, 476 - const char *prefix) 477 - { 478 - struct sbuff *m; 479 - 480 - /* FIXME: Disabled from containers until syslog ns is supported */ 481 - if (!net_eq(net, &init_net)) 482 - return; 483 - 484 - m = sb_open(); 485 - 486 - if (!loginfo) 487 - loginfo = &default_loginfo; 488 - 489 - log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 490 - 491 - if (in != NULL) 492 - dump_ipv4_mac_header(m, loginfo, skb); 493 - 494 - dump_ipv4_packet(m, loginfo, skb, 0); 495 - 496 - sb_close(m); 497 - } 498 - 499 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 500 - /* One level of recursion won't kill us */ 501 - static void dump_ipv6_packet(struct sbuff *m, 502 - const struct nf_loginfo *info, 503 - const struct sk_buff *skb, unsigned int ip6hoff, 504 - int recurse) 505 - { 506 - u_int8_t currenthdr; 507 - int fragment; 508 - struct ipv6hdr _ip6h; 509 - const struct ipv6hdr *ih; 510 - unsigned int ptr; 511 - unsigned int hdrlen = 0; 512 - unsigned int logflags; 513 - 514 - if (info->type == NF_LOG_TYPE_LOG) 515 - logflags = info->u.log.logflags; 516 - else 517 - logflags = NF_LOG_MASK; 518 - 519 - ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 520 - if (ih == NULL) { 521 - sb_add(m, "TRUNCATED"); 522 - return; 523 - } 524 - 525 - /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 526 - sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 527 - 528 - /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 529 - sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 530 - ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 531 - (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 532 - ih->hop_limit, 533 - (ntohl(*(__be32 *)ih) & 0x000fffff)); 534 - 535 - fragment = 0; 536 - ptr = ip6hoff + sizeof(struct ipv6hdr); 537 - currenthdr = ih->nexthdr; 538 - while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { 539 - struct ipv6_opt_hdr _hdr; 540 - const struct ipv6_opt_hdr *hp; 541 - 542 - hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 543 - if (hp == NULL) { 544 - sb_add(m, "TRUNCATED"); 545 - return; 546 - } 547 - 548 - /* Max length: 48 "OPT (...) " */ 549 - if (logflags & XT_LOG_IPOPT) 550 - sb_add(m, "OPT ( "); 551 - 552 - switch (currenthdr) { 553 - case IPPROTO_FRAGMENT: { 554 - struct frag_hdr _fhdr; 555 - const struct frag_hdr *fh; 556 - 557 - sb_add(m, "FRAG:"); 558 - fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 559 - &_fhdr); 560 - if (fh == NULL) { 561 - sb_add(m, "TRUNCATED "); 562 - return; 563 - } 564 - 565 - /* Max length: 6 "65535 " */ 566 - sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 567 - 568 - /* Max length: 11 "INCOMPLETE " */ 569 - if (fh->frag_off & htons(0x0001)) 570 - sb_add(m, "INCOMPLETE "); 571 - 572 - sb_add(m, "ID:%08x ", ntohl(fh->identification)); 573 - 574 - if (ntohs(fh->frag_off) & 0xFFF8) 575 - fragment = 1; 576 - 577 - hdrlen = 8; 578 - 579 - break; 580 - } 581 - case IPPROTO_DSTOPTS: 582 - case IPPROTO_ROUTING: 583 - case IPPROTO_HOPOPTS: 584 - if (fragment) { 585 - if (logflags & XT_LOG_IPOPT) 586 - sb_add(m, ")"); 587 - return; 588 - } 589 - hdrlen = ipv6_optlen(hp); 590 - break; 591 - /* Max Length */ 592 - case IPPROTO_AH: 593 - if (logflags & XT_LOG_IPOPT) { 594 - struct ip_auth_hdr _ahdr; 595 - const struct ip_auth_hdr *ah; 596 - 597 - /* Max length: 3 "AH " */ 598 - sb_add(m, "AH "); 599 - 600 - if (fragment) { 601 - sb_add(m, ")"); 602 - return; 603 - } 604 - 605 - ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 606 - &_ahdr); 607 - if (ah == NULL) { 608 - /* 609 - * Max length: 26 "INCOMPLETE [65535 610 - * bytes] )" 611 - */ 612 - sb_add(m, "INCOMPLETE [%u bytes] )", 613 - skb->len - ptr); 614 - return; 615 - } 616 - 617 - /* Length: 15 "SPI=0xF1234567 */ 618 - sb_add(m, "SPI=0x%x ", ntohl(ah->spi)); 619 - 620 - } 621 - 622 - hdrlen = (hp->hdrlen+2)<<2; 623 - break; 624 - case IPPROTO_ESP: 625 - if (logflags & XT_LOG_IPOPT) { 626 - struct ip_esp_hdr _esph; 627 - const struct ip_esp_hdr *eh; 628 - 629 - /* Max length: 4 "ESP " */ 630 - sb_add(m, "ESP "); 631 - 632 - if (fragment) { 633 - sb_add(m, ")"); 634 - return; 635 - } 636 - 637 - /* 638 - * Max length: 26 "INCOMPLETE [65535 bytes] )" 639 - */ 640 - eh = skb_header_pointer(skb, ptr, sizeof(_esph), 641 - &_esph); 642 - if (eh == NULL) { 643 - sb_add(m, "INCOMPLETE [%u bytes] )", 644 - skb->len - ptr); 645 - return; 646 - } 647 - 648 - /* Length: 16 "SPI=0xF1234567 )" */ 649 - sb_add(m, "SPI=0x%x )", ntohl(eh->spi)); 650 - 651 - } 652 - return; 653 - default: 654 - /* Max length: 20 "Unknown Ext Hdr 255" */ 655 - sb_add(m, "Unknown Ext Hdr %u", currenthdr); 656 - return; 657 - } 658 - if (logflags & XT_LOG_IPOPT) 659 - sb_add(m, ") "); 660 - 661 - currenthdr = hp->nexthdr; 662 - ptr += hdrlen; 663 - } 664 - 665 - switch (currenthdr) { 666 - case IPPROTO_TCP: 667 - if (dump_tcp_header(m, skb, currenthdr, fragment, ptr, 668 - logflags)) 669 - return; 670 - break; 671 - case IPPROTO_UDP: 672 - case IPPROTO_UDPLITE: 673 - if (dump_udp_header(m, skb, currenthdr, fragment, ptr)) 674 - return; 675 - break; 676 - case IPPROTO_ICMPV6: { 677 - struct icmp6hdr _icmp6h; 678 - const struct icmp6hdr *ic; 679 - 680 - /* Max length: 13 "PROTO=ICMPv6 " */ 681 - sb_add(m, "PROTO=ICMPv6 "); 682 - 683 - if (fragment) 684 - break; 685 - 686 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 687 - ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 688 - if (ic == NULL) { 689 - sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr); 690 - return; 691 - } 692 - 693 - /* Max length: 18 "TYPE=255 CODE=255 " */ 694 - sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code); 695 - 696 - switch (ic->icmp6_type) { 697 - case ICMPV6_ECHO_REQUEST: 698 - case ICMPV6_ECHO_REPLY: 699 - /* Max length: 19 "ID=65535 SEQ=65535 " */ 700 - sb_add(m, "ID=%u SEQ=%u ", 701 - ntohs(ic->icmp6_identifier), 702 - ntohs(ic->icmp6_sequence)); 703 - break; 704 - case ICMPV6_MGM_QUERY: 705 - case ICMPV6_MGM_REPORT: 706 - case ICMPV6_MGM_REDUCTION: 707 - break; 708 - 709 - case ICMPV6_PARAMPROB: 710 - /* Max length: 17 "POINTER=ffffffff " */ 711 - sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer)); 712 - /* Fall through */ 713 - case ICMPV6_DEST_UNREACH: 714 - case ICMPV6_PKT_TOOBIG: 715 - case ICMPV6_TIME_EXCEED: 716 - /* Max length: 3+maxlen */ 717 - if (recurse) { 718 - sb_add(m, "["); 719 - dump_ipv6_packet(m, info, skb, 720 - ptr + sizeof(_icmp6h), 0); 721 - sb_add(m, "] "); 722 - } 723 - 724 - /* Max length: 10 "MTU=65535 " */ 725 - if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) 726 - sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu)); 727 - } 728 - break; 729 - } 730 - /* Max length: 10 "PROTO=255 " */ 731 - default: 732 - sb_add(m, "PROTO=%u ", currenthdr); 733 - } 734 - 735 - /* Max length: 15 "UID=4294967295 " */ 736 - if ((logflags & XT_LOG_UID) && recurse) 737 - dump_sk_uid_gid(m, skb->sk); 738 - 739 - /* Max length: 16 "MARK=0xFFFFFFFF " */ 740 - if (recurse && skb->mark) 741 - sb_add(m, "MARK=0x%x ", skb->mark); 742 - } 743 - 744 - static void dump_ipv6_mac_header(struct sbuff *m, 745 - const struct nf_loginfo *info, 746 - const struct sk_buff *skb) 747 - { 748 - struct net_device *dev = skb->dev; 749 - unsigned int logflags = 0; 750 - 751 - if (info->type == NF_LOG_TYPE_LOG) 752 - logflags = info->u.log.logflags; 753 - 754 - if (!(logflags & XT_LOG_MACDECODE)) 755 - goto fallback; 756 - 757 - switch (dev->type) { 758 - case ARPHRD_ETHER: 759 - sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 760 - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 761 - ntohs(eth_hdr(skb)->h_proto)); 762 - return; 763 - default: 764 - break; 765 - } 766 - 767 - fallback: 768 - sb_add(m, "MAC="); 769 - if (dev->hard_header_len && 770 - skb->mac_header != skb->network_header) { 771 - const unsigned char *p = skb_mac_header(skb); 772 - unsigned int len = dev->hard_header_len; 773 - unsigned int i; 774 - 775 - if (dev->type == ARPHRD_SIT) { 776 - p -= ETH_HLEN; 777 - 778 - if (p < skb->head) 779 - p = NULL; 780 - } 781 - 782 - if (p != NULL) { 783 - sb_add(m, "%02x", *p++); 784 - for (i = 1; i < len; i++) 785 - sb_add(m, ":%02x", *p++); 786 - } 787 - sb_add(m, " "); 788 - 789 - if (dev->type == ARPHRD_SIT) { 790 - const struct iphdr *iph = 791 - (struct iphdr *)skb_mac_header(skb); 792 - sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, 793 - &iph->daddr); 794 - } 795 - } else 796 - sb_add(m, " "); 797 - } 798 - 799 - static void 800 - ip6t_log_packet(struct net *net, 801 - u_int8_t pf, 802 - unsigned int hooknum, 803 - const struct sk_buff *skb, 804 - const struct net_device *in, 805 - const struct net_device *out, 806 - const struct nf_loginfo *loginfo, 807 - const char *prefix) 808 - { 809 - struct sbuff *m; 810 - 811 - /* FIXME: Disabled from containers until syslog ns is supported */ 812 - if (!net_eq(net, &init_net)) 813 - return; 814 - 815 - m = sb_open(); 816 - 817 - if (!loginfo) 818 - loginfo = &default_loginfo; 819 - 820 - log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix); 821 - 822 - if (in != NULL) 823 - dump_ipv6_mac_header(m, loginfo, skb); 824 - 825 - dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1); 826 - 827 - sb_close(m); 828 - } 829 - #endif 830 30 831 31 static unsigned int 832 32 log_tg(struct sk_buff *skb, const struct xt_action_param *par) ··· 39 839 li.u.log.level = loginfo->level; 40 840 li.u.log.logflags = loginfo->logflags; 41 841 42 - if (par->family == NFPROTO_IPV4) 43 - ipt_log_packet(net, NFPROTO_IPV4, par->hooknum, skb, par->in, 44 - par->out, &li, loginfo->prefix); 45 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 46 - else if (par->family == NFPROTO_IPV6) 47 - ip6t_log_packet(net, NFPROTO_IPV6, par->hooknum, skb, par->in, 48 - par->out, &li, loginfo->prefix); 49 - #endif 50 - else 51 - WARN_ON_ONCE(1); 52 - 842 + nf_log_packet(net, par->family, par->hooknum, skb, par->in, par->out, 843 + &li, "%s", loginfo->prefix); 53 844 return XT_CONTINUE; 54 845 } 55 846 ··· 61 870 return -EINVAL; 62 871 } 63 872 64 - return 0; 873 + return nf_logger_find_get(par->family, NF_LOG_TYPE_LOG); 874 + } 875 + 876 + static void log_tg_destroy(const struct xt_tgdtor_param *par) 877 + { 878 + nf_logger_put(par->family, NF_LOG_TYPE_LOG); 65 879 } 66 880 67 881 static struct xt_target log_tg_regs[] __read_mostly = { ··· 76 880 .target = log_tg, 77 881 .targetsize = sizeof(struct xt_log_info), 78 882 .checkentry = log_tg_check, 883 + .destroy = log_tg_destroy, 79 884 .me = THIS_MODULE, 80 885 }, 81 886 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) ··· 86 889 .target = log_tg, 87 890 .targetsize = sizeof(struct xt_log_info), 88 891 .checkentry = log_tg_check, 892 + .destroy = log_tg_destroy, 89 893 .me = THIS_MODULE, 90 894 }, 91 895 #endif 92 896 }; 93 897 94 - static struct nf_logger ipt_log_logger __read_mostly = { 95 - .name = "ipt_LOG", 96 - .logfn = &ipt_log_packet, 97 - .me = THIS_MODULE, 98 - }; 99 - 100 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 101 - static struct nf_logger ip6t_log_logger __read_mostly = { 102 - .name = "ip6t_LOG", 103 - .logfn = &ip6t_log_packet, 104 - .me = THIS_MODULE, 105 - }; 106 - #endif 107 - 108 - static int __net_init log_net_init(struct net *net) 109 - { 110 - nf_log_set(net, NFPROTO_IPV4, &ipt_log_logger); 111 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 112 - nf_log_set(net, NFPROTO_IPV6, &ip6t_log_logger); 113 - #endif 114 - return 0; 115 - } 116 - 117 - static void __net_exit log_net_exit(struct net *net) 118 - { 119 - nf_log_unset(net, &ipt_log_logger); 120 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 121 - nf_log_unset(net, &ip6t_log_logger); 122 - #endif 123 - } 124 - 125 - static struct pernet_operations log_net_ops = { 126 - .init = log_net_init, 127 - .exit = log_net_exit, 128 - }; 129 - 130 898 static int __init log_tg_init(void) 131 899 { 132 - int ret; 133 - 134 - ret = register_pernet_subsys(&log_net_ops); 135 - if (ret < 0) 136 - goto err_pernet; 137 - 138 - ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 139 - if (ret < 0) 140 - goto err_target; 141 - 142 - nf_log_register(NFPROTO_IPV4, &ipt_log_logger); 143 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 144 - nf_log_register(NFPROTO_IPV6, &ip6t_log_logger); 145 - #endif 146 - return 0; 147 - 148 - err_target: 149 - unregister_pernet_subsys(&log_net_ops); 150 - err_pernet: 151 - return ret; 900 + return xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 152 901 } 153 902 154 903 static void __exit log_tg_exit(void) 155 904 { 156 - unregister_pernet_subsys(&log_net_ops); 157 - nf_log_unregister(&ipt_log_logger); 158 - #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) 159 - nf_log_unregister(&ip6t_log_logger); 160 - #endif 161 905 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs)); 162 906 } 163 907