-24

include/net/netfilter/nf_log.h

reviewed

··· 98 98 struct nf_log_buf *nf_log_buf_open(void); 99 99 __printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...); 100 100 void nf_log_buf_close(struct nf_log_buf *m); 101 101 - 102 102 - /* common logging functions */ 103 103 - int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 104 104 - u8 proto, int fragment, unsigned int offset); 105 105 - int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 106 106 - u8 proto, int fragment, unsigned int offset, 107 107 - unsigned int logflags); 108 108 - void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 109 109 - struct sock *sk); 110 110 - void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb); 111 111 - void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 112 112 - unsigned int hooknum, const struct sk_buff *skb, 113 113 - const struct net_device *in, 114 114 - const struct net_device *out, 115 115 - const struct nf_loginfo *loginfo, 116 116 - const char *prefix); 117 117 - void nf_log_l2packet(struct net *net, u_int8_t pf, 118 118 - __be16 protocol, 119 119 - unsigned int hooknum, 120 120 - const struct sk_buff *skb, 121 121 - const struct net_device *in, 122 122 - const struct net_device *out, 123 123 - const struct nf_loginfo *loginfo, const char *prefix); 124 124 - 125 101 #endif /* _NF_LOG_H */

+2 -6

net/netfilter/Kconfig

reviewed

··· 71 71 72 72 To compile it as a module, choose M here. If unsure, say N. 73 73 74 74 - config NF_LOG_COMMON 75 75 - tristate 76 76 - 77 74 config NF_LOG_SYSLOG 78 75 tristate "Syslog packet logging" 79 76 default m if NETFILTER_ADVANCED=n 80 80 - select NF_LOG_COMMON 81 77 help 82 78 This option enable support for packet logging via syslog. 83 83 - It supports IPv4 and common transport protocols such as TCP and UDP. 79 79 + It supports IPv4, IPV6, ARP and common transport protocols such 80 80 + as TCP and UDP. 84 81 This is a simpler but less flexible logging method compared to 85 82 CONFIG_NETFILTER_NETLINK_LOG. 86 83 If both are enabled the backend to use can be configured at run-time ··· 927 930 928 931 config NETFILTER_XT_TARGET_LOG 929 932 tristate "LOG target support" 930 930 - select NF_LOG_COMMON 931 933 select NF_LOG_SYSLOG 932 934 select NF_LOG_IPV6 if IP6_NF_IPTABLES 933 935 default m if NETFILTER_ADVANCED=n

-2

net/netfilter/Makefile

reviewed

··· 48 48 49 49 nf_nat-y := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o 50 50 51 51 - # generic transport layer logging 52 52 - obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o 53 51 obj-$(CONFIG_NF_LOG_SYSLOG) += nf_log_syslog.o 54 52 55 53 obj-$(CONFIG_NF_NAT) += nf_nat.o

-224

net/netfilter/nf_log_common.c

reviewed

··· 1 1 - // SPDX-License-Identifier: GPL-2.0-only 2 2 - /* (C) 1999-2001 Paul `Rusty' Russell 3 3 - * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 4 - */ 5 5 - 6 6 - #include <linux/module.h> 7 7 - #include <linux/spinlock.h> 8 8 - #include <linux/skbuff.h> 9 9 - #include <linux/if_arp.h> 10 10 - #include <linux/ip.h> 11 11 - #include <net/icmp.h> 12 12 - #include <net/udp.h> 13 13 - #include <net/tcp.h> 14 14 - #include <net/route.h> 15 15 - 16 16 - #include <linux/netfilter.h> 17 17 - #include <linux/netfilter_bridge.h> 18 18 - #include <linux/netfilter/xt_LOG.h> 19 19 - #include <net/netfilter/nf_log.h> 20 20 - 21 21 - int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 22 22 - u8 proto, int fragment, unsigned int offset) 23 23 - { 24 24 - struct udphdr _udph; 25 25 - const struct udphdr *uh; 26 26 - 27 27 - if (proto == IPPROTO_UDP) 28 28 - /* Max length: 10 "PROTO=UDP " */ 29 29 - nf_log_buf_add(m, "PROTO=UDP "); 30 30 - else /* Max length: 14 "PROTO=UDPLITE " */ 31 31 - nf_log_buf_add(m, "PROTO=UDPLITE "); 32 32 - 33 33 - if (fragment) 34 34 - goto out; 35 35 - 36 36 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 37 37 - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 38 38 - if (uh == NULL) { 39 39 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 40 40 - 41 41 - return 1; 42 42 - } 43 43 - 44 44 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 45 45 - nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 46 46 - ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 47 47 - 48 48 - out: 49 49 - return 0; 50 50 - } 51 51 - EXPORT_SYMBOL_GPL(nf_log_dump_udp_header); 52 52 - 53 53 - int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 54 54 - u8 proto, int fragment, unsigned int offset, 55 55 - unsigned int logflags) 56 56 - { 57 57 - struct tcphdr _tcph; 58 58 - const struct tcphdr *th; 59 59 - 60 60 - /* Max length: 10 "PROTO=TCP " */ 61 61 - nf_log_buf_add(m, "PROTO=TCP "); 62 62 - 63 63 - if (fragment) 64 64 - return 0; 65 65 - 66 66 - /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 67 67 - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 68 68 - if (th == NULL) { 69 69 - nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 70 70 - return 1; 71 71 - } 72 72 - 73 73 - /* Max length: 20 "SPT=65535 DPT=65535 " */ 74 74 - nf_log_buf_add(m, "SPT=%u DPT=%u ", 75 75 - ntohs(th->source), ntohs(th->dest)); 76 76 - /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 77 77 - if (logflags & NF_LOG_TCPSEQ) { 78 78 - nf_log_buf_add(m, "SEQ=%u ACK=%u ", 79 79 - ntohl(th->seq), ntohl(th->ack_seq)); 80 80 - } 81 81 - 82 82 - /* Max length: 13 "WINDOW=65535 " */ 83 83 - nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 84 84 - /* Max length: 9 "RES=0x3C " */ 85 85 - nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 86 86 - TCP_RESERVED_BITS) >> 22)); 87 87 - /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 88 88 - if (th->cwr) 89 89 - nf_log_buf_add(m, "CWR "); 90 90 - if (th->ece) 91 91 - nf_log_buf_add(m, "ECE "); 92 92 - if (th->urg) 93 93 - nf_log_buf_add(m, "URG "); 94 94 - if (th->ack) 95 95 - nf_log_buf_add(m, "ACK "); 96 96 - if (th->psh) 97 97 - nf_log_buf_add(m, "PSH "); 98 98 - if (th->rst) 99 99 - nf_log_buf_add(m, "RST "); 100 100 - if (th->syn) 101 101 - nf_log_buf_add(m, "SYN "); 102 102 - if (th->fin) 103 103 - nf_log_buf_add(m, "FIN "); 104 104 - /* Max length: 11 "URGP=65535 " */ 105 105 - nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 106 106 - 107 107 - if ((logflags & NF_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) { 108 108 - u_int8_t _opt[60 - sizeof(struct tcphdr)]; 109 109 - const u_int8_t *op; 110 110 - unsigned int i; 111 111 - unsigned int optsize = th->doff*4 - sizeof(struct tcphdr); 112 112 - 113 113 - op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 114 114 - optsize, _opt); 115 115 - if (op == NULL) { 116 116 - nf_log_buf_add(m, "OPT (TRUNCATED)"); 117 117 - return 1; 118 118 - } 119 119 - 120 120 - /* Max length: 127 "OPT (" 15*4*2chars ") " */ 121 121 - nf_log_buf_add(m, "OPT ("); 122 122 - for (i = 0; i < optsize; i++) 123 123 - nf_log_buf_add(m, "%02X", op[i]); 124 124 - 125 125 - nf_log_buf_add(m, ") "); 126 126 - } 127 127 - 128 128 - return 0; 129 129 - } 130 130 - EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header); 131 131 - 132 132 - void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 133 133 - struct sock *sk) 134 134 - { 135 135 - if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 136 136 - return; 137 137 - 138 138 - read_lock_bh(&sk->sk_callback_lock); 139 139 - if (sk->sk_socket && sk->sk_socket->file) { 140 140 - const struct cred *cred = sk->sk_socket->file->f_cred; 141 141 - nf_log_buf_add(m, "UID=%u GID=%u ", 142 142 - from_kuid_munged(&init_user_ns, cred->fsuid), 143 143 - from_kgid_munged(&init_user_ns, cred->fsgid)); 144 144 - } 145 145 - read_unlock_bh(&sk->sk_callback_lock); 146 146 - } 147 147 - EXPORT_SYMBOL_GPL(nf_log_dump_sk_uid_gid); 148 148 - 149 149 - void 150 150 - nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 151 151 - unsigned int hooknum, const struct sk_buff *skb, 152 152 - const struct net_device *in, 153 153 - const struct net_device *out, 154 154 - const struct nf_loginfo *loginfo, const char *prefix) 155 155 - { 156 156 - const struct net_device *physoutdev __maybe_unused; 157 157 - const struct net_device *physindev __maybe_unused; 158 158 - 159 159 - nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 160 160 - '0' + loginfo->u.log.level, prefix, 161 161 - in ? in->name : "", 162 162 - out ? out->name : ""); 163 163 - #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 164 164 - physindev = nf_bridge_get_physindev(skb); 165 165 - if (physindev && in != physindev) 166 166 - nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 167 167 - physoutdev = nf_bridge_get_physoutdev(skb); 168 168 - if (physoutdev && out != physoutdev) 169 169 - nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 170 170 - #endif 171 171 - } 172 172 - EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); 173 173 - 174 174 - void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 175 175 - { 176 176 - u16 vid; 177 177 - 178 178 - if (!skb_vlan_tag_present(skb)) 179 179 - return; 180 180 - 181 181 - vid = skb_vlan_tag_get(skb); 182 182 - nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 183 183 - } 184 184 - EXPORT_SYMBOL_GPL(nf_log_dump_vlan); 185 185 - 186 186 - /* bridge and netdev logging families share this code. */ 187 187 - void nf_log_l2packet(struct net *net, u_int8_t pf, 188 188 - __be16 protocol, 189 189 - unsigned int hooknum, 190 190 - const struct sk_buff *skb, 191 191 - const struct net_device *in, 192 192 - const struct net_device *out, 193 193 - const struct nf_loginfo *loginfo, 194 194 - const char *prefix) 195 195 - { 196 196 - switch (protocol) { 197 197 - case htons(ETH_P_IP): 198 198 - nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out, 199 199 - loginfo, "%s", prefix); 200 200 - break; 201 201 - case htons(ETH_P_IPV6): 202 202 - nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out, 203 203 - loginfo, "%s", prefix); 204 204 - break; 205 205 - case htons(ETH_P_ARP): 206 206 - case htons(ETH_P_RARP): 207 207 - nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out, 208 208 - loginfo, "%s", prefix); 209 209 - break; 210 210 - } 211 211 - } 212 212 - EXPORT_SYMBOL_GPL(nf_log_l2packet); 213 213 - 214 214 - static int __init nf_log_common_init(void) 215 215 - { 216 216 - return 0; 217 217 - } 218 218 - 219 219 - static void __exit nf_log_common_exit(void) {} 220 220 - 221 221 - module_init(nf_log_common_init); 222 222 - module_exit(nf_log_common_exit); 223 223 - 224 224 - MODULE_LICENSE("GPL");

+179 -2

net/netfilter/nf_log_syslog.c

reviewed

··· 18 18 #include <net/route.h> 19 19 20 20 #include <linux/netfilter.h> 21 21 + #include <linux/netfilter_bridge.h> 21 22 #include <linux/netfilter_ipv6.h> 22 23 #include <linux/netfilter/xt_LOG.h> 23 24 #include <net/netfilter/nf_log.h> ··· 40 39 unsigned char ip_dst[4]; 41 40 }; 42 41 42 42 + static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 43 43 + { 44 44 + u16 vid; 45 45 + 46 46 + if (!skb_vlan_tag_present(skb)) 47 47 + return; 48 48 + 49 49 + vid = skb_vlan_tag_get(skb); 50 50 + nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 51 51 + } 43 52 static void noinline_for_stack 44 53 dump_arp_packet(struct nf_log_buf *m, 45 54 const struct nf_loginfo *info, ··· 100 89 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 101 90 } 102 91 92 92 + static void 93 93 + nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf, 94 94 + unsigned int hooknum, const struct sk_buff *skb, 95 95 + const struct net_device *in, 96 96 + const struct net_device *out, 97 97 + const struct nf_loginfo *loginfo, const char *prefix) 98 98 + { 99 99 + const struct net_device *physoutdev __maybe_unused; 100 100 + const struct net_device *physindev __maybe_unused; 101 101 + 102 102 + nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 103 103 + '0' + loginfo->u.log.level, prefix, 104 104 + in ? in->name : "", 105 105 + out ? out->name : ""); 106 106 + #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 107 107 + physindev = nf_bridge_get_physindev(skb); 108 108 + if (physindev && in != physindev) 109 109 + nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 110 110 + physoutdev = nf_bridge_get_physoutdev(skb); 111 111 + if (physoutdev && out != physoutdev) 112 112 + nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 113 113 + #endif 114 114 + } 115 115 + 103 116 static void nf_log_arp_packet(struct net *net, u_int8_t pf, 104 117 unsigned int hooknum, const struct sk_buff *skb, 105 118 const struct net_device *in, ··· 155 120 .logfn = nf_log_arp_packet, 156 121 .me = THIS_MODULE, 157 122 }; 123 123 + 124 124 + static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 125 125 + struct sock *sk) 126 126 + { 127 127 + if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 128 128 + return; 129 129 + 130 130 + read_lock_bh(&sk->sk_callback_lock); 131 131 + if (sk->sk_socket && sk->sk_socket->file) { 132 132 + const struct cred *cred = sk->sk_socket->file->f_cred; 133 133 + 134 134 + nf_log_buf_add(m, "UID=%u GID=%u ", 135 135 + from_kuid_munged(&init_user_ns, cred->fsuid), 136 136 + from_kgid_munged(&init_user_ns, cred->fsgid)); 137 137 + } 138 138 + read_unlock_bh(&sk->sk_callback_lock); 139 139 + } 140 140 + 141 141 + static noinline_for_stack int 142 142 + nf_log_dump_tcp_header(struct nf_log_buf *m, 143 143 + const struct sk_buff *skb, 144 144 + u8 proto, int fragment, 145 145 + unsigned int offset, 146 146 + unsigned int logflags) 147 147 + { 148 148 + struct tcphdr _tcph; 149 149 + const struct tcphdr *th; 150 150 + 151 151 + /* Max length: 10 "PROTO=TCP " */ 152 152 + nf_log_buf_add(m, "PROTO=TCP "); 153 153 + 154 154 + if (fragment) 155 155 + return 0; 156 156 + 157 157 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 158 158 + th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 159 159 + if (!th) { 160 160 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 161 161 + return 1; 162 162 + } 163 163 + 164 164 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 165 165 + nf_log_buf_add(m, "SPT=%u DPT=%u ", 166 166 + ntohs(th->source), ntohs(th->dest)); 167 167 + /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 168 168 + if (logflags & NF_LOG_TCPSEQ) { 169 169 + nf_log_buf_add(m, "SEQ=%u ACK=%u ", 170 170 + ntohl(th->seq), ntohl(th->ack_seq)); 171 171 + } 172 172 + 173 173 + /* Max length: 13 "WINDOW=65535 " */ 174 174 + nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 175 175 + /* Max length: 9 "RES=0x3C " */ 176 176 + nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 177 177 + TCP_RESERVED_BITS) >> 22)); 178 178 + /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 179 179 + if (th->cwr) 180 180 + nf_log_buf_add(m, "CWR "); 181 181 + if (th->ece) 182 182 + nf_log_buf_add(m, "ECE "); 183 183 + if (th->urg) 184 184 + nf_log_buf_add(m, "URG "); 185 185 + if (th->ack) 186 186 + nf_log_buf_add(m, "ACK "); 187 187 + if (th->psh) 188 188 + nf_log_buf_add(m, "PSH "); 189 189 + if (th->rst) 190 190 + nf_log_buf_add(m, "RST "); 191 191 + if (th->syn) 192 192 + nf_log_buf_add(m, "SYN "); 193 193 + if (th->fin) 194 194 + nf_log_buf_add(m, "FIN "); 195 195 + /* Max length: 11 "URGP=65535 " */ 196 196 + nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 197 197 + 198 198 + if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { 199 199 + unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); 200 200 + u8 _opt[60 - sizeof(struct tcphdr)]; 201 201 + unsigned int i; 202 202 + const u8 *op; 203 203 + 204 204 + op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 205 205 + optsize, _opt); 206 206 + if (!op) { 207 207 + nf_log_buf_add(m, "OPT (TRUNCATED)"); 208 208 + return 1; 209 209 + } 210 210 + 211 211 + /* Max length: 127 "OPT (" 15*4*2chars ") " */ 212 212 + nf_log_buf_add(m, "OPT ("); 213 213 + for (i = 0; i < optsize; i++) 214 214 + nf_log_buf_add(m, "%02X", op[i]); 215 215 + 216 216 + nf_log_buf_add(m, ") "); 217 217 + } 218 218 + 219 219 + return 0; 220 220 + } 221 221 + 222 222 + static noinline_for_stack int 223 223 + nf_log_dump_udp_header(struct nf_log_buf *m, 224 224 + const struct sk_buff *skb, 225 225 + u8 proto, int fragment, 226 226 + unsigned int offset) 227 227 + { 228 228 + struct udphdr _udph; 229 229 + const struct udphdr *uh; 230 230 + 231 231 + if (proto == IPPROTO_UDP) 232 232 + /* Max length: 10 "PROTO=UDP " */ 233 233 + nf_log_buf_add(m, "PROTO=UDP "); 234 234 + else /* Max length: 14 "PROTO=UDPLITE " */ 235 235 + nf_log_buf_add(m, "PROTO=UDPLITE "); 236 236 + 237 237 + if (fragment) 238 238 + goto out; 239 239 + 240 240 + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 241 241 + uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 242 242 + if (!uh) { 243 243 + nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 244 244 + 245 245 + return 1; 246 246 + } 247 247 + 248 248 + /* Max length: 20 "SPT=65535 DPT=65535 " */ 249 249 + nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 250 250 + ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 251 251 + 252 252 + out: 253 253 + return 0; 254 254 + } 158 255 159 256 /* One level of recursion won't kill us */ 160 257 static noinline_for_stack void ··· 943 776 const struct nf_loginfo *loginfo, 944 777 const char *prefix) 945 778 { 946 946 - nf_log_l2packet(net, pf, skb->protocol, hooknum, skb, in, out, 947 947 - loginfo, prefix); 779 779 + switch (skb->protocol) { 780 780 + case htons(ETH_P_IP): 781 781 + nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 782 782 + break; 783 783 + case htons(ETH_P_IPV6): 784 784 + nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 785 785 + break; 786 786 + case htons(ETH_P_ARP): 787 787 + case htons(ETH_P_RARP): 788 788 + nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 789 789 + break; 790 790 + } 948 791 } 949 792 950 793 static struct nf_logger nf_netdev_logger __read_mostly = {