Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nfnetlink_log.c
Go to the documentation of this file.
1 /*
2  * This is a module which is used for logging packets to userspace via
3  * nfetlink.
4  *
5  * (C) 2005 by Harald Welte <[email protected]>
6  *
7  * Based on the old ipv4-only ipt_ULOG.c:
8  * (C) 2000-2004 by Harald Welte <[email protected]>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2 as
12  * published by the Free Software Foundation.
13  */
14 #include <linux/module.h>
15 #include <linux/skbuff.h>
16 #include <linux/init.h>
17 #include <linux/ip.h>
18 #include <linux/ipv6.h>
19 #include <linux/netdevice.h>
20 #include <linux/netfilter.h>
21 #include <linux/netlink.h>
22 #include <linux/netfilter/nfnetlink.h>
23 #include <linux/netfilter/nfnetlink_log.h>
24 #include <linux/spinlock.h>
25 #include <linux/sysctl.h>
26 #include <linux/proc_fs.h>
27 #include <linux/security.h>
28 #include <linux/list.h>
29 #include <linux/jhash.h>
30 #include <linux/random.h>
31 #include <linux/slab.h>
32 #include <net/sock.h>
33 #include <net/netfilter/nf_log.h>
34 #include <net/netfilter/nfnetlink_log.h>
35 
36 #include <linux/atomic.h>
37 
38 #ifdef CONFIG_BRIDGE_NETFILTER
39 #include "../bridge/br_private.h"
40 #endif
41 
42 #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
43 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
44 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
45 #define NFULNL_COPY_RANGE_MAX 0xFFFF /* max packet size is limited by 16-bit struct nfattr nfa_len field */
46 
47 #define PRINTR(x, args...) do { if (net_ratelimit()) \
48  printk(x, ## args); } while (0);
49 
50 struct nfulnl_instance {
51  struct hlist_node hlist; /* global list of instances */
52  spinlock_t lock;
53  atomic_t use; /* use count */
54 
55  unsigned int qlen; /* number of nlmsgs in skb */
56  struct sk_buff *skb; /* pre-allocatd skb */
57  struct timer_list timer;
58  struct user_namespace *peer_user_ns; /* User namespace of the peer process */
59  int peer_portid; /* PORTID of the peer process */
60 
61  /* configurable parameters */
62  unsigned int flushtimeout; /* timeout until queue flush */
63  unsigned int nlbufsiz; /* netlink buffer allocation size */
64  unsigned int qthreshold; /* threshold of the queue */
65  u_int32_t copy_range;
66  u_int32_t seq; /* instance-local sequential counter */
67  u_int16_t group_num; /* number of this queue */
68  u_int16_t flags;
69  u_int8_t copy_mode;
70  struct rcu_head rcu;
71 };
72 
73 static DEFINE_SPINLOCK(instances_lock);
74 static atomic_t global_seq;
75 
76 #define INSTANCE_BUCKETS 16
77 static struct hlist_head instance_table[INSTANCE_BUCKETS];
78 static unsigned int hash_init;
79 
80 static inline u_int8_t instance_hashfn(u_int16_t group_num)
81 {
82  return ((group_num & 0xff) % INSTANCE_BUCKETS);
83 }
84 
85 static struct nfulnl_instance *
86 __instance_lookup(u_int16_t group_num)
87 {
88  struct hlist_head *head;
89  struct hlist_node *pos;
90  struct nfulnl_instance *inst;
91 
92  head = &instance_table[instance_hashfn(group_num)];
93  hlist_for_each_entry_rcu(inst, pos, head, hlist) {
94  if (inst->group_num == group_num)
95  return inst;
96  }
97  return NULL;
98 }
99 
100 static inline void
101 instance_get(struct nfulnl_instance *inst)
102 {
103  atomic_inc(&inst->use);
104 }
105 
106 static struct nfulnl_instance *
107 instance_lookup_get(u_int16_t group_num)
108 {
109  struct nfulnl_instance *inst;
110 
111  rcu_read_lock_bh();
112  inst = __instance_lookup(group_num);
113  if (inst && !atomic_inc_not_zero(&inst->use))
114  inst = NULL;
115  rcu_read_unlock_bh();
116 
117  return inst;
118 }
119 
120 static void nfulnl_instance_free_rcu(struct rcu_head *head)
121 {
122  kfree(container_of(head, struct nfulnl_instance, rcu));
123  module_put(THIS_MODULE);
124 }
125 
126 static void
127 instance_put(struct nfulnl_instance *inst)
128 {
129  if (inst && atomic_dec_and_test(&inst->use))
130  call_rcu_bh(&inst->rcu, nfulnl_instance_free_rcu);
131 }
132 
133 static void nfulnl_timer(unsigned long data);
134 
135 static struct nfulnl_instance *
136 instance_create(u_int16_t group_num, int portid, struct user_namespace *user_ns)
137 {
138  struct nfulnl_instance *inst;
139  int err;
140 
141  spin_lock_bh(&instances_lock);
142  if (__instance_lookup(group_num)) {
143  err = -EEXIST;
144  goto out_unlock;
145  }
146 
147  inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
148  if (!inst) {
149  err = -ENOMEM;
150  goto out_unlock;
151  }
152 
153  if (!try_module_get(THIS_MODULE)) {
154  kfree(inst);
155  err = -EAGAIN;
156  goto out_unlock;
157  }
158 
159  INIT_HLIST_NODE(&inst->hlist);
160  spin_lock_init(&inst->lock);
161  /* needs to be two, since we _put() after creation */
162  atomic_set(&inst->use, 2);
163 
164  setup_timer(&inst->timer, nfulnl_timer, (unsigned long)inst);
165 
166  inst->peer_user_ns = user_ns;
167  inst->peer_portid = portid;
168  inst->group_num = group_num;
169 
170  inst->qthreshold = NFULNL_QTHRESH_DEFAULT;
171  inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT;
172  inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT;
173  inst->copy_mode = NFULNL_COPY_PACKET;
174  inst->copy_range = NFULNL_COPY_RANGE_MAX;
175 
176  hlist_add_head_rcu(&inst->hlist,
177  &instance_table[instance_hashfn(group_num)]);
178 
179  spin_unlock_bh(&instances_lock);
180 
181  return inst;
182 
183 out_unlock:
184  spin_unlock_bh(&instances_lock);
185  return ERR_PTR(err);
186 }
187 
188 static void __nfulnl_flush(struct nfulnl_instance *inst);
189 
190 /* called with BH disabled */
191 static void
192 __instance_destroy(struct nfulnl_instance *inst)
193 {
194  /* first pull it out of the global list */
195  hlist_del_rcu(&inst->hlist);
196 
197  /* then flush all pending packets from skb */
198 
199  spin_lock(&inst->lock);
200 
201  /* lockless readers wont be able to use us */
202  inst->copy_mode = NFULNL_COPY_DISABLED;
203 
204  if (inst->skb)
205  __nfulnl_flush(inst);
206  spin_unlock(&inst->lock);
207 
208  /* and finally put the refcount */
209  instance_put(inst);
210 }
211 
212 static inline void
213 instance_destroy(struct nfulnl_instance *inst)
214 {
215  spin_lock_bh(&instances_lock);
216  __instance_destroy(inst);
217  spin_unlock_bh(&instances_lock);
218 }
219 
220 static int
221 nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
222  unsigned int range)
223 {
224  int status = 0;
225 
226  spin_lock_bh(&inst->lock);
227 
228  switch (mode) {
229  case NFULNL_COPY_NONE:
230  case NFULNL_COPY_META:
231  inst->copy_mode = mode;
232  inst->copy_range = 0;
233  break;
234 
235  case NFULNL_COPY_PACKET:
236  inst->copy_mode = mode;
237  inst->copy_range = min_t(unsigned int,
238  range, NFULNL_COPY_RANGE_MAX);
239  break;
240 
241  default:
242  status = -EINVAL;
243  break;
244  }
245 
246  spin_unlock_bh(&inst->lock);
247 
248  return status;
249 }
250 
251 static int
252 nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz)
253 {
254  int status;
255 
256  spin_lock_bh(&inst->lock);
257  if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT)
258  status = -ERANGE;
259  else if (nlbufsiz > 131072)
260  status = -ERANGE;
261  else {
262  inst->nlbufsiz = nlbufsiz;
263  status = 0;
264  }
265  spin_unlock_bh(&inst->lock);
266 
267  return status;
268 }
269 
270 static int
271 nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout)
272 {
273  spin_lock_bh(&inst->lock);
274  inst->flushtimeout = timeout;
275  spin_unlock_bh(&inst->lock);
276 
277  return 0;
278 }
279 
280 static int
281 nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh)
282 {
283  spin_lock_bh(&inst->lock);
284  inst->qthreshold = qthresh;
285  spin_unlock_bh(&inst->lock);
286 
287  return 0;
288 }
289 
290 static int
291 nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
292 {
293  spin_lock_bh(&inst->lock);
294  inst->flags = flags;
295  spin_unlock_bh(&inst->lock);
296 
297  return 0;
298 }
299 
300 static struct sk_buff *
301 nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
302 {
303  struct sk_buff *skb;
304  unsigned int n;
305 
306  /* alloc skb which should be big enough for a whole multipart
307  * message. WARNING: has to be <= 128k due to slab restrictions */
308 
309  n = max(inst_size, pkt_size);
310  skb = alloc_skb(n, GFP_ATOMIC);
311  if (!skb) {
312  if (n > pkt_size) {
313  /* try to allocate only as much as we need for current
314  * packet */
315 
316  skb = alloc_skb(pkt_size, GFP_ATOMIC);
317  if (!skb)
318  pr_err("nfnetlink_log: can't even alloc %u bytes\n",
319  pkt_size);
320  }
321  }
322 
323  return skb;
324 }
325 
326 static int
327 __nfulnl_send(struct nfulnl_instance *inst)
328 {
329  int status = -1;
330 
331  if (inst->qlen > 1) {
332  struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
333  NLMSG_DONE,
334  sizeof(struct nfgenmsg),
335  0);
336  if (!nlh)
337  goto out;
338  }
339  status = nfnetlink_unicast(inst->skb, &init_net, inst->peer_portid,
340  MSG_DONTWAIT);
341 
342  inst->qlen = 0;
343  inst->skb = NULL;
344 out:
345  return status;
346 }
347 
348 static void
349 __nfulnl_flush(struct nfulnl_instance *inst)
350 {
351  /* timer holds a reference */
352  if (del_timer(&inst->timer))
353  instance_put(inst);
354  if (inst->skb)
355  __nfulnl_send(inst);
356 }
357 
358 static void
359 nfulnl_timer(unsigned long data)
360 {
361  struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
362 
363  spin_lock_bh(&inst->lock);
364  if (inst->skb)
365  __nfulnl_send(inst);
366  spin_unlock_bh(&inst->lock);
367  instance_put(inst);
368 }
369 
370 /* This is an inline function, we don't really care about a long
371  * list of arguments */
372 static inline int
373 __build_packet_message(struct nfulnl_instance *inst,
374  const struct sk_buff *skb,
375  unsigned int data_len,
376  u_int8_t pf,
377  unsigned int hooknum,
378  const struct net_device *indev,
379  const struct net_device *outdev,
380  const char *prefix, unsigned int plen)
381 {
382  struct nfulnl_msg_packet_hdr pmsg;
383  struct nlmsghdr *nlh;
384  struct nfgenmsg *nfmsg;
385  sk_buff_data_t old_tail = inst->skb->tail;
386  struct sock *sk;
387 
388  nlh = nlmsg_put(inst->skb, 0, 0,
389  NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
390  sizeof(struct nfgenmsg), 0);
391  if (!nlh)
392  return -1;
393  nfmsg = nlmsg_data(nlh);
394  nfmsg->nfgen_family = pf;
395  nfmsg->version = NFNETLINK_V0;
396  nfmsg->res_id = htons(inst->group_num);
397 
398  pmsg.hw_protocol = skb->protocol;
399  pmsg.hook = hooknum;
400 
401  if (nla_put(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg))
402  goto nla_put_failure;
403 
404  if (prefix &&
405  nla_put(inst->skb, NFULA_PREFIX, plen, prefix))
406  goto nla_put_failure;
407 
408  if (indev) {
409 #ifndef CONFIG_BRIDGE_NETFILTER
410  if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
411  htonl(indev->ifindex)))
412  goto nla_put_failure;
413 #else
414  if (pf == PF_BRIDGE) {
415  /* Case 1: outdev is physical input device, we need to
416  * look for bridge group (when called from
417  * netfilter_bridge) */
418  if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
419  htonl(indev->ifindex)) ||
420  /* this is the bridge group "brX" */
421  /* rcu_read_lock()ed by nf_hook_slow or nf_log_packet */
422  nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
423  htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
424  goto nla_put_failure;
425  } else {
426  /* Case 2: indev is bridge group, we need to look for
427  * physical device (when called from ipv4) */
428  if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
429  htonl(indev->ifindex)))
430  goto nla_put_failure;
431  if (skb->nf_bridge && skb->nf_bridge->physindev &&
432  nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
433  htonl(skb->nf_bridge->physindev->ifindex)))
434  goto nla_put_failure;
435  }
436 #endif
437  }
438 
439  if (outdev) {
440 #ifndef CONFIG_BRIDGE_NETFILTER
441  if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
442  htonl(outdev->ifindex)))
443  goto nla_put_failure;
444 #else
445  if (pf == PF_BRIDGE) {
446  /* Case 1: outdev is physical output device, we need to
447  * look for bridge group (when called from
448  * netfilter_bridge) */
449  if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
450  htonl(outdev->ifindex)) ||
451  /* this is the bridge group "brX" */
452  /* rcu_read_lock()ed by nf_hook_slow or nf_log_packet */
453  nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
454  htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
455  goto nla_put_failure;
456  } else {
457  /* Case 2: indev is a bridge group, we need to look
458  * for physical device (when called from ipv4) */
459  if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
460  htonl(outdev->ifindex)))
461  goto nla_put_failure;
462  if (skb->nf_bridge && skb->nf_bridge->physoutdev &&
463  nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
464  htonl(skb->nf_bridge->physoutdev->ifindex)))
465  goto nla_put_failure;
466  }
467 #endif
468  }
469 
470  if (skb->mark &&
471  nla_put_be32(inst->skb, NFULA_MARK, htonl(skb->mark)))
472  goto nla_put_failure;
473 
474  if (indev && skb->dev &&
475  skb->mac_header != skb->network_header) {
476  struct nfulnl_msg_packet_hw phw;
477  int len = dev_parse_header(skb, phw.hw_addr);
478  if (len > 0) {
479  phw.hw_addrlen = htons(len);
480  if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
481  goto nla_put_failure;
482  }
483  }
484 
485  if (indev && skb_mac_header_was_set(skb)) {
486  if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
487  nla_put_be16(inst->skb, NFULA_HWLEN,
488  htons(skb->dev->hard_header_len)) ||
489  nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
490  skb_mac_header(skb)))
491  goto nla_put_failure;
492  }
493 
494  if (skb->tstamp.tv64) {
495  struct nfulnl_msg_packet_timestamp ts;
496  struct timeval tv = ktime_to_timeval(skb->tstamp);
497  ts.sec = cpu_to_be64(tv.tv_sec);
498  ts.usec = cpu_to_be64(tv.tv_usec);
499 
500  if (nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts))
501  goto nla_put_failure;
502  }
503 
504  /* UID */
505  sk = skb->sk;
506  if (sk && sk->sk_state != TCP_TIME_WAIT) {
507  read_lock_bh(&sk->sk_callback_lock);
508  if (sk->sk_socket && sk->sk_socket->file) {
509  struct file *file = sk->sk_socket->file;
510  const struct cred *cred = file->f_cred;
511  struct user_namespace *user_ns = inst->peer_user_ns;
512  __be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid));
513  __be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid));
514  read_unlock_bh(&sk->sk_callback_lock);
515  if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
516  nla_put_be32(inst->skb, NFULA_GID, gid))
517  goto nla_put_failure;
518  } else
519  read_unlock_bh(&sk->sk_callback_lock);
520  }
521 
522  /* local sequence number */
523  if ((inst->flags & NFULNL_CFG_F_SEQ) &&
524  nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
525  goto nla_put_failure;
526 
527  /* global sequence number */
528  if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
529  nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
530  htonl(atomic_inc_return(&global_seq))))
531  goto nla_put_failure;
532 
533  if (data_len) {
534  struct nlattr *nla;
535  int size = nla_attr_size(data_len);
536 
537  if (skb_tailroom(inst->skb) < nla_total_size(data_len)) {
538  printk(KERN_WARNING "nfnetlink_log: no tailroom!\n");
539  return -1;
540  }
541 
542  nla = (struct nlattr *)skb_put(inst->skb, nla_total_size(data_len));
543  nla->nla_type = NFULA_PAYLOAD;
544  nla->nla_len = size;
545 
546  if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
547  BUG();
548  }
549 
550  nlh->nlmsg_len = inst->skb->tail - old_tail;
551  return 0;
552 
553 nla_put_failure:
554  PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n");
555  return -1;
556 }
557 
558 #define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
559 
560 static struct nf_loginfo default_loginfo = {
561  .type = NF_LOG_TYPE_ULOG,
562  .u = {
563  .ulog = {
564  .copy_len = 0xffff,
565  .group = 0,
566  .qthreshold = 1,
567  },
568  },
569 };
570 
571 /* log handler for internal netfilter logging api */
572 void
573 nfulnl_log_packet(u_int8_t pf,
574  unsigned int hooknum,
575  const struct sk_buff *skb,
576  const struct net_device *in,
577  const struct net_device *out,
578  const struct nf_loginfo *li_user,
579  const char *prefix)
580 {
581  unsigned int size, data_len;
582  struct nfulnl_instance *inst;
583  const struct nf_loginfo *li;
584  unsigned int qthreshold;
585  unsigned int plen;
586 
587  if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
588  li = li_user;
589  else
590  li = &default_loginfo;
591 
592  inst = instance_lookup_get(li->u.ulog.group);
593  if (!inst)
594  return;
595 
596  plen = 0;
597  if (prefix)
598  plen = strlen(prefix) + 1;
599 
600  /* FIXME: do we want to make the size calculation conditional based on
601  * what is actually present? way more branches and checks, but more
602  * memory efficient... */
603  size = NLMSG_SPACE(sizeof(struct nfgenmsg))
604  + nla_total_size(sizeof(struct nfulnl_msg_packet_hdr))
605  + nla_total_size(sizeof(u_int32_t)) /* ifindex */
606  + nla_total_size(sizeof(u_int32_t)) /* ifindex */
607 #ifdef CONFIG_BRIDGE_NETFILTER
608  + nla_total_size(sizeof(u_int32_t)) /* ifindex */
609  + nla_total_size(sizeof(u_int32_t)) /* ifindex */
610 #endif
611  + nla_total_size(sizeof(u_int32_t)) /* mark */
612  + nla_total_size(sizeof(u_int32_t)) /* uid */
613  + nla_total_size(sizeof(u_int32_t)) /* gid */
614  + nla_total_size(plen) /* prefix */
615  + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
616  + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
617 
618  if (in && skb_mac_header_was_set(skb)) {
619  size += nla_total_size(skb->dev->hard_header_len)
620  + nla_total_size(sizeof(u_int16_t)) /* hwtype */
621  + nla_total_size(sizeof(u_int16_t)); /* hwlen */
622  }
623 
624  spin_lock_bh(&inst->lock);
625 
626  if (inst->flags & NFULNL_CFG_F_SEQ)
627  size += nla_total_size(sizeof(u_int32_t));
628  if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
629  size += nla_total_size(sizeof(u_int32_t));
630 
631  qthreshold = inst->qthreshold;
632  /* per-rule qthreshold overrides per-instance */
633  if (li->u.ulog.qthreshold)
634  if (qthreshold > li->u.ulog.qthreshold)
635  qthreshold = li->u.ulog.qthreshold;
636 
637 
638  switch (inst->copy_mode) {
639  case NFULNL_COPY_META:
640  case NFULNL_COPY_NONE:
641  data_len = 0;
642  break;
643 
644  case NFULNL_COPY_PACKET:
645  if (inst->copy_range == 0
646  || inst->copy_range > skb->len)
647  data_len = skb->len;
648  else
649  data_len = inst->copy_range;
650 
651  size += nla_total_size(data_len);
652  break;
653 
654  case NFULNL_COPY_DISABLED:
655  default:
656  goto unlock_and_release;
657  }
658 
659  if (inst->skb &&
660  size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
661  /* either the queue len is too high or we don't have
662  * enough room in the skb left. flush to userspace. */
663  __nfulnl_flush(inst);
664  }
665 
666  if (!inst->skb) {
667  inst->skb = nfulnl_alloc_skb(inst->nlbufsiz, size);
668  if (!inst->skb)
669  goto alloc_failure;
670  }
671 
672  inst->qlen++;
673 
674  __build_packet_message(inst, skb, data_len, pf,
675  hooknum, in, out, prefix, plen);
676 
677  if (inst->qlen >= qthreshold)
678  __nfulnl_flush(inst);
679  /* timer_pending always called within inst->lock, so there
680  * is no chance of a race here */
681  else if (!timer_pending(&inst->timer)) {
682  instance_get(inst);
683  inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100);
684  add_timer(&inst->timer);
685  }
686 
687 unlock_and_release:
688  spin_unlock_bh(&inst->lock);
689  instance_put(inst);
690  return;
691 
692 alloc_failure:
693  /* FIXME: statistics */
694  goto unlock_and_release;
695 }
696 EXPORT_SYMBOL_GPL(nfulnl_log_packet);
697 
698 static int
699 nfulnl_rcv_nl_event(struct notifier_block *this,
700  unsigned long event, void *ptr)
701 {
702  struct netlink_notify *n = ptr;
703 
704  if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
705  int i;
706 
707  /* destroy all instances for this portid */
708  spin_lock_bh(&instances_lock);
709  for (i = 0; i < INSTANCE_BUCKETS; i++) {
710  struct hlist_node *tmp, *t2;
711  struct nfulnl_instance *inst;
712  struct hlist_head *head = &instance_table[i];
713 
714  hlist_for_each_entry_safe(inst, tmp, t2, head, hlist) {
715  if ((net_eq(n->net, &init_net)) &&
716  (n->portid == inst->peer_portid))
717  __instance_destroy(inst);
718  }
719  }
720  spin_unlock_bh(&instances_lock);
721  }
722  return NOTIFY_DONE;
723 }
724 
725 static struct notifier_block nfulnl_rtnl_notifier = {
726  .notifier_call = nfulnl_rcv_nl_event,
727 };
728 
729 static int
730 nfulnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
731  const struct nlmsghdr *nlh,
732  const struct nlattr * const nfqa[])
733 {
734  return -ENOTSUPP;
735 }
736 
737 static struct nf_logger nfulnl_logger __read_mostly = {
738  .name = "nfnetlink_log",
739  .logfn = &nfulnl_log_packet,
740  .me = THIS_MODULE,
741 };
742 
743 static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
744  [NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) },
745  [NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) },
746  [NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
747  [NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
748  [NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
749  [NFULA_CFG_FLAGS] = { .type = NLA_U16 },
750 };
751 
752 static int
753 nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
754  const struct nlmsghdr *nlh,
755  const struct nlattr * const nfula[])
756 {
757  struct nfgenmsg *nfmsg = nlmsg_data(nlh);
758  u_int16_t group_num = ntohs(nfmsg->res_id);
759  struct nfulnl_instance *inst;
760  struct nfulnl_msg_config_cmd *cmd = NULL;
761  int ret = 0;
762 
763  if (nfula[NFULA_CFG_CMD]) {
764  u_int8_t pf = nfmsg->nfgen_family;
765  cmd = nla_data(nfula[NFULA_CFG_CMD]);
766 
767  /* Commands without queue context */
768  switch (cmd->command) {
769  case NFULNL_CFG_CMD_PF_BIND:
770  return nf_log_bind_pf(pf, &nfulnl_logger);
771  case NFULNL_CFG_CMD_PF_UNBIND:
772  nf_log_unbind_pf(pf);
773  return 0;
774  }
775  }
776 
777  inst = instance_lookup_get(group_num);
778  if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
779  ret = -EPERM;
780  goto out_put;
781  }
782 
783  if (cmd != NULL) {
784  switch (cmd->command) {
785  case NFULNL_CFG_CMD_BIND:
786  if (inst) {
787  ret = -EBUSY;
788  goto out_put;
789  }
790 
791  inst = instance_create(group_num,
792  NETLINK_CB(skb).portid,
793  sk_user_ns(NETLINK_CB(skb).ssk));
794  if (IS_ERR(inst)) {
795  ret = PTR_ERR(inst);
796  goto out;
797  }
798  break;
799  case NFULNL_CFG_CMD_UNBIND:
800  if (!inst) {
801  ret = -ENODEV;
802  goto out;
803  }
804 
805  instance_destroy(inst);
806  goto out_put;
807  default:
808  ret = -ENOTSUPP;
809  break;
810  }
811  }
812 
813  if (nfula[NFULA_CFG_MODE]) {
814  struct nfulnl_msg_config_mode *params;
815  params = nla_data(nfula[NFULA_CFG_MODE]);
816 
817  if (!inst) {
818  ret = -ENODEV;
819  goto out;
820  }
821  nfulnl_set_mode(inst, params->copy_mode,
822  ntohl(params->copy_range));
823  }
824 
825  if (nfula[NFULA_CFG_TIMEOUT]) {
826  __be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]);
827 
828  if (!inst) {
829  ret = -ENODEV;
830  goto out;
831  }
832  nfulnl_set_timeout(inst, ntohl(timeout));
833  }
834 
835  if (nfula[NFULA_CFG_NLBUFSIZ]) {
836  __be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]);
837 
838  if (!inst) {
839  ret = -ENODEV;
840  goto out;
841  }
842  nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
843  }
844 
845  if (nfula[NFULA_CFG_QTHRESH]) {
846  __be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]);
847 
848  if (!inst) {
849  ret = -ENODEV;
850  goto out;
851  }
852  nfulnl_set_qthresh(inst, ntohl(qthresh));
853  }
854 
855  if (nfula[NFULA_CFG_FLAGS]) {
856  __be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
857 
858  if (!inst) {
859  ret = -ENODEV;
860  goto out;
861  }
862  nfulnl_set_flags(inst, ntohs(flags));
863  }
864 
865 out_put:
866  instance_put(inst);
867 out:
868  return ret;
869 }
870 
871 static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
872  [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
873  .attr_count = NFULA_MAX, },
874  [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
875  .attr_count = NFULA_CFG_MAX,
876  .policy = nfula_cfg_policy },
877 };
878 
879 static const struct nfnetlink_subsystem nfulnl_subsys = {
880  .name = "log",
881  .subsys_id = NFNL_SUBSYS_ULOG,
882  .cb_count = NFULNL_MSG_MAX,
883  .cb = nfulnl_cb,
884 };
885 
886 #ifdef CONFIG_PROC_FS
887 struct iter_state {
888  unsigned int bucket;
889 };
890 
891 static struct hlist_node *get_first(struct iter_state *st)
892 {
893  if (!st)
894  return NULL;
895 
896  for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
897  if (!hlist_empty(&instance_table[st->bucket]))
898  return rcu_dereference_bh(hlist_first_rcu(&instance_table[st->bucket]));
899  }
900  return NULL;
901 }
902 
903 static struct hlist_node *get_next(struct iter_state *st, struct hlist_node *h)
904 {
905  h = rcu_dereference_bh(hlist_next_rcu(h));
906  while (!h) {
907  if (++st->bucket >= INSTANCE_BUCKETS)
908  return NULL;
909 
910  h = rcu_dereference_bh(hlist_first_rcu(&instance_table[st->bucket]));
911  }
912  return h;
913 }
914 
915 static struct hlist_node *get_idx(struct iter_state *st, loff_t pos)
916 {
917  struct hlist_node *head;
918  head = get_first(st);
919 
920  if (head)
921  while (pos && (head = get_next(st, head)))
922  pos--;
923  return pos ? NULL : head;
924 }
925 
926 static void *seq_start(struct seq_file *seq, loff_t *pos)
927  __acquires(rcu_bh)
928 {
929  rcu_read_lock_bh();
930  return get_idx(seq->private, *pos);
931 }
932 
933 static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
934 {
935  (*pos)++;
936  return get_next(s->private, v);
937 }
938 
939 static void seq_stop(struct seq_file *s, void *v)
940  __releases(rcu_bh)
941 {
942  rcu_read_unlock_bh();
943 }
944 
945 static int seq_show(struct seq_file *s, void *v)
946 {
947  const struct nfulnl_instance *inst = v;
948 
949  return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
950  inst->group_num,
951  inst->peer_portid, inst->qlen,
952  inst->copy_mode, inst->copy_range,
953  inst->flushtimeout, atomic_read(&inst->use));
954 }
955 
956 static const struct seq_operations nful_seq_ops = {
957  .start = seq_start,
958  .next = seq_next,
959  .stop = seq_stop,
960  .show = seq_show,
961 };
962 
963 static int nful_open(struct inode *inode, struct file *file)
964 {
965  return seq_open_private(file, &nful_seq_ops,
966  sizeof(struct iter_state));
967 }
968 
969 static const struct file_operations nful_file_ops = {
970  .owner = THIS_MODULE,
971  .open = nful_open,
972  .read = seq_read,
973  .llseek = seq_lseek,
974  .release = seq_release_private,
975 };
976 
977 #endif /* PROC_FS */
978 
979 static int __init nfnetlink_log_init(void)
980 {
981  int i, status = -ENOMEM;
982 
983  for (i = 0; i < INSTANCE_BUCKETS; i++)
984  INIT_HLIST_HEAD(&instance_table[i]);
985 
986  /* it's not really all that important to have a random value, so
987  * we can do this from the init function, even if there hasn't
988  * been that much entropy yet */
989  get_random_bytes(&hash_init, sizeof(hash_init));
990 
991  netlink_register_notifier(&nfulnl_rtnl_notifier);
992  status = nfnetlink_subsys_register(&nfulnl_subsys);
993  if (status < 0) {
994  printk(KERN_ERR "log: failed to create netlink socket\n");
995  goto cleanup_netlink_notifier;
996  }
997 
998  status = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger);
999  if (status < 0) {
1000  printk(KERN_ERR "log: failed to register logger\n");
1001  goto cleanup_subsys;
1002  }
1003 
1004 #ifdef CONFIG_PROC_FS
1005  if (!proc_create("nfnetlink_log", 0440,
1006  proc_net_netfilter, &nful_file_ops)) {
1007  status = -ENOMEM;
1008  goto cleanup_logger;
1009  }
1010 #endif
1011  return status;
1012 
1013 #ifdef CONFIG_PROC_FS
1014 cleanup_logger:
1015  nf_log_unregister(&nfulnl_logger);
1016 #endif
1017 cleanup_subsys:
1018  nfnetlink_subsys_unregister(&nfulnl_subsys);
1019 cleanup_netlink_notifier:
1020  netlink_unregister_notifier(&nfulnl_rtnl_notifier);
1021  return status;
1022 }
1023 
1024 static void __exit nfnetlink_log_fini(void)
1025 {
1026  nf_log_unregister(&nfulnl_logger);
1027 #ifdef CONFIG_PROC_FS
1028  remove_proc_entry("nfnetlink_log", proc_net_netfilter);
1029 #endif
1030  nfnetlink_subsys_unregister(&nfulnl_subsys);
1031  netlink_unregister_notifier(&nfulnl_rtnl_notifier);
1032 }
1033 
1034 MODULE_DESCRIPTION("netfilter userspace logging");
1035 MODULE_AUTHOR("Harald Welte <[email protected]>");
1036 MODULE_LICENSE("GPL");
1037 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG);
1038 
1039 module_init(nfnetlink_log_init);
1040 module_exit(nfnetlink_log_fini);
Generated on Thu Jan 10 2013 15:00:48 for Linux Kernel by   doxygen 1.8.2