Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_LOG.c
Go to the documentation of this file.
1 /*
2  * This is a module which is used for logging packets.
3  */
4 
5 /* (C) 1999-2001 Paul `Rusty' Russell
6  * (C) 2002-2004 Netfilter Core Team <[email protected]>
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License version 2 as
10  * published by the Free Software Foundation.
11  */
12 
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 #include <linux/module.h>
15 #include <linux/spinlock.h>
16 #include <linux/skbuff.h>
17 #include <linux/if_arp.h>
18 #include <linux/ip.h>
19 #include <net/ipv6.h>
20 #include <net/icmp.h>
21 #include <net/udp.h>
22 #include <net/tcp.h>
23 #include <net/route.h>
24 
25 #include <linux/netfilter.h>
26 #include <linux/netfilter/x_tables.h>
27 #include <linux/netfilter/xt_LOG.h>
28 #include <linux/netfilter_ipv6/ip6_tables.h>
29 #include <net/netfilter/nf_log.h>
30 #include <net/netfilter/xt_log.h>
31 
32 static struct nf_loginfo default_loginfo = {
33  .type = NF_LOG_TYPE_LOG,
34  .u = {
35  .log = {
36  .level = 5,
37  .logflags = NF_LOG_MASK,
38  },
39  },
40 };
41 
42 static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb,
43  u8 proto, int fragment, unsigned int offset)
44 {
45  struct udphdr _udph;
46  const struct udphdr *uh;
47 
48  if (proto == IPPROTO_UDP)
49  /* Max length: 10 "PROTO=UDP " */
50  sb_add(m, "PROTO=UDP ");
51  else /* Max length: 14 "PROTO=UDPLITE " */
52  sb_add(m, "PROTO=UDPLITE ");
53 
54  if (fragment)
55  goto out;
56 
57  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
58  uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
59  if (uh == NULL) {
60  sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
61 
62  return 1;
63  }
64 
65  /* Max length: 20 "SPT=65535 DPT=65535 " */
66  sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest),
67  ntohs(uh->len));
68 
69 out:
70  return 0;
71 }
72 
73 static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
74  u8 proto, int fragment, unsigned int offset,
75  unsigned int logflags)
76 {
77  struct tcphdr _tcph;
78  const struct tcphdr *th;
79 
80  /* Max length: 10 "PROTO=TCP " */
81  sb_add(m, "PROTO=TCP ");
82 
83  if (fragment)
84  return 0;
85 
86  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
87  th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
88  if (th == NULL) {
89  sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
90  return 1;
91  }
92 
93  /* Max length: 20 "SPT=65535 DPT=65535 " */
94  sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest));
95  /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
96  if (logflags & XT_LOG_TCPSEQ)
97  sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq));
98 
99  /* Max length: 13 "WINDOW=65535 " */
100  sb_add(m, "WINDOW=%u ", ntohs(th->window));
101  /* Max length: 9 "RES=0x3C " */
102  sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
103  TCP_RESERVED_BITS) >> 22));
104  /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
105  if (th->cwr)
106  sb_add(m, "CWR ");
107  if (th->ece)
108  sb_add(m, "ECE ");
109  if (th->urg)
110  sb_add(m, "URG ");
111  if (th->ack)
112  sb_add(m, "ACK ");
113  if (th->psh)
114  sb_add(m, "PSH ");
115  if (th->rst)
116  sb_add(m, "RST ");
117  if (th->syn)
118  sb_add(m, "SYN ");
119  if (th->fin)
120  sb_add(m, "FIN ");
121  /* Max length: 11 "URGP=65535 " */
122  sb_add(m, "URGP=%u ", ntohs(th->urg_ptr));
123 
124  if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) {
125  u_int8_t _opt[60 - sizeof(struct tcphdr)];
126  const u_int8_t *op;
127  unsigned int i;
128  unsigned int optsize = th->doff*4 - sizeof(struct tcphdr);
129 
130  op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
131  optsize, _opt);
132  if (op == NULL) {
133  sb_add(m, "OPT (TRUNCATED)");
134  return 1;
135  }
136 
137  /* Max length: 127 "OPT (" 15*4*2chars ") " */
138  sb_add(m, "OPT (");
139  for (i = 0; i < optsize; i++)
140  sb_add(m, "%02X", op[i]);
141 
142  sb_add(m, ") ");
143  }
144 
145  return 0;
146 }
147 
148 static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
149 {
150  if (!sk || sk->sk_state == TCP_TIME_WAIT)
151  return;
152 
153  read_lock_bh(&sk->sk_callback_lock);
154  if (sk->sk_socket && sk->sk_socket->file) {
155  const struct cred *cred = sk->sk_socket->file->f_cred;
156  sb_add(m, "UID=%u GID=%u ",
157  from_kuid_munged(&init_user_ns, cred->fsuid),
158  from_kgid_munged(&init_user_ns, cred->fsgid));
159  }
160  read_unlock_bh(&sk->sk_callback_lock);
161 }
162 
163 /* One level of recursion won't kill us */
164 static void dump_ipv4_packet(struct sbuff *m,
165  const struct nf_loginfo *info,
166  const struct sk_buff *skb,
167  unsigned int iphoff)
168 {
169  struct iphdr _iph;
170  const struct iphdr *ih;
171  unsigned int logflags;
172 
173  if (info->type == NF_LOG_TYPE_LOG)
174  logflags = info->u.log.logflags;
175  else
176  logflags = NF_LOG_MASK;
177 
178  ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
179  if (ih == NULL) {
180  sb_add(m, "TRUNCATED");
181  return;
182  }
183 
184  /* Important fields:
185  * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
186  /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
187  sb_add(m, "SRC=%pI4 DST=%pI4 ",
188  &ih->saddr, &ih->daddr);
189 
190  /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
191  sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
192  ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
193  ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
194 
195  /* Max length: 6 "CE DF MF " */
196  if (ntohs(ih->frag_off) & IP_CE)
197  sb_add(m, "CE ");
198  if (ntohs(ih->frag_off) & IP_DF)
199  sb_add(m, "DF ");
200  if (ntohs(ih->frag_off) & IP_MF)
201  sb_add(m, "MF ");
202 
203  /* Max length: 11 "FRAG:65535 " */
204  if (ntohs(ih->frag_off) & IP_OFFSET)
205  sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
206 
207  if ((logflags & XT_LOG_IPOPT) &&
208  ih->ihl * 4 > sizeof(struct iphdr)) {
209  const unsigned char *op;
210  unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
211  unsigned int i, optsize;
212 
213  optsize = ih->ihl * 4 - sizeof(struct iphdr);
214  op = skb_header_pointer(skb, iphoff+sizeof(_iph),
215  optsize, _opt);
216  if (op == NULL) {
217  sb_add(m, "TRUNCATED");
218  return;
219  }
220 
221  /* Max length: 127 "OPT (" 15*4*2chars ") " */
222  sb_add(m, "OPT (");
223  for (i = 0; i < optsize; i++)
224  sb_add(m, "%02X", op[i]);
225  sb_add(m, ") ");
226  }
227 
228  switch (ih->protocol) {
229  case IPPROTO_TCP:
230  if (dump_tcp_header(m, skb, ih->protocol,
231  ntohs(ih->frag_off) & IP_OFFSET,
232  iphoff+ih->ihl*4, logflags))
233  return;
234  break;
235  case IPPROTO_UDP:
236  case IPPROTO_UDPLITE:
237  if (dump_udp_header(m, skb, ih->protocol,
238  ntohs(ih->frag_off) & IP_OFFSET,
239  iphoff+ih->ihl*4))
240  return;
241  break;
242  case IPPROTO_ICMP: {
243  struct icmphdr _icmph;
244  const struct icmphdr *ich;
245  static const size_t required_len[NR_ICMP_TYPES+1]
246  = { [ICMP_ECHOREPLY] = 4,
247  [ICMP_DEST_UNREACH]
248  = 8 + sizeof(struct iphdr),
249  [ICMP_SOURCE_QUENCH]
250  = 8 + sizeof(struct iphdr),
251  [ICMP_REDIRECT]
252  = 8 + sizeof(struct iphdr),
253  [ICMP_ECHO] = 4,
254  [ICMP_TIME_EXCEEDED]
255  = 8 + sizeof(struct iphdr),
256  [ICMP_PARAMETERPROB]
257  = 8 + sizeof(struct iphdr),
258  [ICMP_TIMESTAMP] = 20,
259  [ICMP_TIMESTAMPREPLY] = 20,
260  [ICMP_ADDRESS] = 12,
261  [ICMP_ADDRESSREPLY] = 12 };
262 
263  /* Max length: 11 "PROTO=ICMP " */
264  sb_add(m, "PROTO=ICMP ");
265 
266  if (ntohs(ih->frag_off) & IP_OFFSET)
267  break;
268 
269  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
270  ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
271  sizeof(_icmph), &_icmph);
272  if (ich == NULL) {
273  sb_add(m, "INCOMPLETE [%u bytes] ",
274  skb->len - iphoff - ih->ihl*4);
275  break;
276  }
277 
278  /* Max length: 18 "TYPE=255 CODE=255 " */
279  sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
280 
281  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
282  if (ich->type <= NR_ICMP_TYPES &&
283  required_len[ich->type] &&
284  skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
285  sb_add(m, "INCOMPLETE [%u bytes] ",
286  skb->len - iphoff - ih->ihl*4);
287  break;
288  }
289 
290  switch (ich->type) {
291  case ICMP_ECHOREPLY:
292  case ICMP_ECHO:
293  /* Max length: 19 "ID=65535 SEQ=65535 " */
294  sb_add(m, "ID=%u SEQ=%u ",
295  ntohs(ich->un.echo.id),
296  ntohs(ich->un.echo.sequence));
297  break;
298 
299  case ICMP_PARAMETERPROB:
300  /* Max length: 14 "PARAMETER=255 " */
301  sb_add(m, "PARAMETER=%u ",
302  ntohl(ich->un.gateway) >> 24);
303  break;
304  case ICMP_REDIRECT:
305  /* Max length: 24 "GATEWAY=255.255.255.255 " */
306  sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
307  /* Fall through */
308  case ICMP_DEST_UNREACH:
309  case ICMP_SOURCE_QUENCH:
310  case ICMP_TIME_EXCEEDED:
311  /* Max length: 3+maxlen */
312  if (!iphoff) { /* Only recurse once. */
313  sb_add(m, "[");
314  dump_ipv4_packet(m, info, skb,
315  iphoff + ih->ihl*4+sizeof(_icmph));
316  sb_add(m, "] ");
317  }
318 
319  /* Max length: 10 "MTU=65535 " */
320  if (ich->type == ICMP_DEST_UNREACH &&
321  ich->code == ICMP_FRAG_NEEDED)
322  sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu));
323  }
324  break;
325  }
326  /* Max Length */
327  case IPPROTO_AH: {
328  struct ip_auth_hdr _ahdr;
329  const struct ip_auth_hdr *ah;
330 
331  if (ntohs(ih->frag_off) & IP_OFFSET)
332  break;
333 
334  /* Max length: 9 "PROTO=AH " */
335  sb_add(m, "PROTO=AH ");
336 
337  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
338  ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
339  sizeof(_ahdr), &_ahdr);
340  if (ah == NULL) {
341  sb_add(m, "INCOMPLETE [%u bytes] ",
342  skb->len - iphoff - ih->ihl*4);
343  break;
344  }
345 
346  /* Length: 15 "SPI=0xF1234567 " */
347  sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
348  break;
349  }
350  case IPPROTO_ESP: {
351  struct ip_esp_hdr _esph;
352  const struct ip_esp_hdr *eh;
353 
354  /* Max length: 10 "PROTO=ESP " */
355  sb_add(m, "PROTO=ESP ");
356 
357  if (ntohs(ih->frag_off) & IP_OFFSET)
358  break;
359 
360  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
361  eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
362  sizeof(_esph), &_esph);
363  if (eh == NULL) {
364  sb_add(m, "INCOMPLETE [%u bytes] ",
365  skb->len - iphoff - ih->ihl*4);
366  break;
367  }
368 
369  /* Length: 15 "SPI=0xF1234567 " */
370  sb_add(m, "SPI=0x%x ", ntohl(eh->spi));
371  break;
372  }
373  /* Max length: 10 "PROTO 255 " */
374  default:
375  sb_add(m, "PROTO=%u ", ih->protocol);
376  }
377 
378  /* Max length: 15 "UID=4294967295 " */
379  if ((logflags & XT_LOG_UID) && !iphoff)
380  dump_sk_uid_gid(m, skb->sk);
381 
382  /* Max length: 16 "MARK=0xFFFFFFFF " */
383  if (!iphoff && skb->mark)
384  sb_add(m, "MARK=0x%x ", skb->mark);
385 
386  /* Proto Max log string length */
387  /* IP: 40+46+6+11+127 = 230 */
388  /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
389  /* UDP: 10+max(25,20) = 35 */
390  /* UDPLITE: 14+max(25,20) = 39 */
391  /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
392  /* ESP: 10+max(25)+15 = 50 */
393  /* AH: 9+max(25)+15 = 49 */
394  /* unknown: 10 */
395 
396  /* (ICMP allows recursion one level deep) */
397  /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */
398  /* maxlen = 230+ 91 + 230 + 252 = 803 */
399 }
400 
401 static void dump_ipv4_mac_header(struct sbuff *m,
402  const struct nf_loginfo *info,
403  const struct sk_buff *skb)
404 {
405  struct net_device *dev = skb->dev;
406  unsigned int logflags = 0;
407 
408  if (info->type == NF_LOG_TYPE_LOG)
409  logflags = info->u.log.logflags;
410 
411  if (!(logflags & XT_LOG_MACDECODE))
412  goto fallback;
413 
414  switch (dev->type) {
415  case ARPHRD_ETHER:
416  sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
417  eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
418  ntohs(eth_hdr(skb)->h_proto));
419  return;
420  default:
421  break;
422  }
423 
424 fallback:
425  sb_add(m, "MAC=");
426  if (dev->hard_header_len &&
427  skb->mac_header != skb->network_header) {
428  const unsigned char *p = skb_mac_header(skb);
429  unsigned int i;
430 
431  sb_add(m, "%02x", *p++);
432  for (i = 1; i < dev->hard_header_len; i++, p++)
433  sb_add(m, ":%02x", *p);
434  }
435  sb_add(m, " ");
436 }
437 
438 static void
439 log_packet_common(struct sbuff *m,
440  u_int8_t pf,
441  unsigned int hooknum,
442  const struct sk_buff *skb,
443  const struct net_device *in,
444  const struct net_device *out,
445  const struct nf_loginfo *loginfo,
446  const char *prefix)
447 {
448  sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
449  '0' + loginfo->u.log.level, prefix,
450  in ? in->name : "",
451  out ? out->name : "");
452 #ifdef CONFIG_BRIDGE_NETFILTER
453  if (skb->nf_bridge) {
454  const struct net_device *physindev;
455  const struct net_device *physoutdev;
456 
457  physindev = skb->nf_bridge->physindev;
458  if (physindev && in != physindev)
459  sb_add(m, "PHYSIN=%s ", physindev->name);
460  physoutdev = skb->nf_bridge->physoutdev;
461  if (physoutdev && out != physoutdev)
462  sb_add(m, "PHYSOUT=%s ", physoutdev->name);
463  }
464 #endif
465 }
466 
467 
468 static void
469 ipt_log_packet(u_int8_t pf,
470  unsigned int hooknum,
471  const struct sk_buff *skb,
472  const struct net_device *in,
473  const struct net_device *out,
474  const struct nf_loginfo *loginfo,
475  const char *prefix)
476 {
477  struct sbuff *m = sb_open();
478 
479  if (!loginfo)
480  loginfo = &default_loginfo;
481 
482  log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
483 
484  if (in != NULL)
485  dump_ipv4_mac_header(m, loginfo, skb);
486 
487  dump_ipv4_packet(m, loginfo, skb, 0);
488 
489  sb_close(m);
490 }
491 
492 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
493 /* One level of recursion won't kill us */
494 static void dump_ipv6_packet(struct sbuff *m,
495  const struct nf_loginfo *info,
496  const struct sk_buff *skb, unsigned int ip6hoff,
497  int recurse)
498 {
499  u_int8_t currenthdr;
500  int fragment;
501  struct ipv6hdr _ip6h;
502  const struct ipv6hdr *ih;
503  unsigned int ptr;
504  unsigned int hdrlen = 0;
505  unsigned int logflags;
506 
507  if (info->type == NF_LOG_TYPE_LOG)
508  logflags = info->u.log.logflags;
509  else
510  logflags = NF_LOG_MASK;
511 
512  ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
513  if (ih == NULL) {
514  sb_add(m, "TRUNCATED");
515  return;
516  }
517 
518  /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
519  sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
520 
521  /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
522  sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
523  ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
524  (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
525  ih->hop_limit,
526  (ntohl(*(__be32 *)ih) & 0x000fffff));
527 
528  fragment = 0;
529  ptr = ip6hoff + sizeof(struct ipv6hdr);
530  currenthdr = ih->nexthdr;
531  while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
532  struct ipv6_opt_hdr _hdr;
533  const struct ipv6_opt_hdr *hp;
534 
535  hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
536  if (hp == NULL) {
537  sb_add(m, "TRUNCATED");
538  return;
539  }
540 
541  /* Max length: 48 "OPT (...) " */
542  if (logflags & XT_LOG_IPOPT)
543  sb_add(m, "OPT ( ");
544 
545  switch (currenthdr) {
546  case IPPROTO_FRAGMENT: {
547  struct frag_hdr _fhdr;
548  const struct frag_hdr *fh;
549 
550  sb_add(m, "FRAG:");
551  fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
552  &_fhdr);
553  if (fh == NULL) {
554  sb_add(m, "TRUNCATED ");
555  return;
556  }
557 
558  /* Max length: 6 "65535 " */
559  sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
560 
561  /* Max length: 11 "INCOMPLETE " */
562  if (fh->frag_off & htons(0x0001))
563  sb_add(m, "INCOMPLETE ");
564 
565  sb_add(m, "ID:%08x ", ntohl(fh->identification));
566 
567  if (ntohs(fh->frag_off) & 0xFFF8)
568  fragment = 1;
569 
570  hdrlen = 8;
571 
572  break;
573  }
574  case IPPROTO_DSTOPTS:
575  case IPPROTO_ROUTING:
576  case IPPROTO_HOPOPTS:
577  if (fragment) {
578  if (logflags & XT_LOG_IPOPT)
579  sb_add(m, ")");
580  return;
581  }
582  hdrlen = ipv6_optlen(hp);
583  break;
584  /* Max Length */
585  case IPPROTO_AH:
586  if (logflags & XT_LOG_IPOPT) {
587  struct ip_auth_hdr _ahdr;
588  const struct ip_auth_hdr *ah;
589 
590  /* Max length: 3 "AH " */
591  sb_add(m, "AH ");
592 
593  if (fragment) {
594  sb_add(m, ")");
595  return;
596  }
597 
598  ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
599  &_ahdr);
600  if (ah == NULL) {
601  /*
602  * Max length: 26 "INCOMPLETE [65535
603  * bytes] )"
604  */
605  sb_add(m, "INCOMPLETE [%u bytes] )",
606  skb->len - ptr);
607  return;
608  }
609 
610  /* Length: 15 "SPI=0xF1234567 */
611  sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
612 
613  }
614 
615  hdrlen = (hp->hdrlen+2)<<2;
616  break;
617  case IPPROTO_ESP:
618  if (logflags & XT_LOG_IPOPT) {
619  struct ip_esp_hdr _esph;
620  const struct ip_esp_hdr *eh;
621 
622  /* Max length: 4 "ESP " */
623  sb_add(m, "ESP ");
624 
625  if (fragment) {
626  sb_add(m, ")");
627  return;
628  }
629 
630  /*
631  * Max length: 26 "INCOMPLETE [65535 bytes] )"
632  */
633  eh = skb_header_pointer(skb, ptr, sizeof(_esph),
634  &_esph);
635  if (eh == NULL) {
636  sb_add(m, "INCOMPLETE [%u bytes] )",
637  skb->len - ptr);
638  return;
639  }
640 
641  /* Length: 16 "SPI=0xF1234567 )" */
642  sb_add(m, "SPI=0x%x )", ntohl(eh->spi));
643 
644  }
645  return;
646  default:
647  /* Max length: 20 "Unknown Ext Hdr 255" */
648  sb_add(m, "Unknown Ext Hdr %u", currenthdr);
649  return;
650  }
651  if (logflags & XT_LOG_IPOPT)
652  sb_add(m, ") ");
653 
654  currenthdr = hp->nexthdr;
655  ptr += hdrlen;
656  }
657 
658  switch (currenthdr) {
659  case IPPROTO_TCP:
660  if (dump_tcp_header(m, skb, currenthdr, fragment, ptr,
661  logflags))
662  return;
663  break;
664  case IPPROTO_UDP:
665  case IPPROTO_UDPLITE:
666  if (dump_udp_header(m, skb, currenthdr, fragment, ptr))
667  return;
668  break;
669  case IPPROTO_ICMPV6: {
670  struct icmp6hdr _icmp6h;
671  const struct icmp6hdr *ic;
672 
673  /* Max length: 13 "PROTO=ICMPv6 " */
674  sb_add(m, "PROTO=ICMPv6 ");
675 
676  if (fragment)
677  break;
678 
679  /* Max length: 25 "INCOMPLETE [65535 bytes] " */
680  ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
681  if (ic == NULL) {
682  sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
683  return;
684  }
685 
686  /* Max length: 18 "TYPE=255 CODE=255 " */
687  sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code);
688 
689  switch (ic->icmp6_type) {
690  case ICMPV6_ECHO_REQUEST:
691  case ICMPV6_ECHO_REPLY:
692  /* Max length: 19 "ID=65535 SEQ=65535 " */
693  sb_add(m, "ID=%u SEQ=%u ",
694  ntohs(ic->icmp6_identifier),
695  ntohs(ic->icmp6_sequence));
696  break;
697  case ICMPV6_MGM_QUERY:
698  case ICMPV6_MGM_REPORT:
699  case ICMPV6_MGM_REDUCTION:
700  break;
701 
702  case ICMPV6_PARAMPROB:
703  /* Max length: 17 "POINTER=ffffffff " */
704  sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer));
705  /* Fall through */
706  case ICMPV6_DEST_UNREACH:
707  case ICMPV6_PKT_TOOBIG:
708  case ICMPV6_TIME_EXCEED:
709  /* Max length: 3+maxlen */
710  if (recurse) {
711  sb_add(m, "[");
712  dump_ipv6_packet(m, info, skb,
713  ptr + sizeof(_icmp6h), 0);
714  sb_add(m, "] ");
715  }
716 
717  /* Max length: 10 "MTU=65535 " */
718  if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
719  sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu));
720  }
721  break;
722  }
723  /* Max length: 10 "PROTO=255 " */
724  default:
725  sb_add(m, "PROTO=%u ", currenthdr);
726  }
727 
728  /* Max length: 15 "UID=4294967295 " */
729  if ((logflags & XT_LOG_UID) && recurse)
730  dump_sk_uid_gid(m, skb->sk);
731 
732  /* Max length: 16 "MARK=0xFFFFFFFF " */
733  if (!recurse && skb->mark)
734  sb_add(m, "MARK=0x%x ", skb->mark);
735 }
736 
737 static void dump_ipv6_mac_header(struct sbuff *m,
738  const struct nf_loginfo *info,
739  const struct sk_buff *skb)
740 {
741  struct net_device *dev = skb->dev;
742  unsigned int logflags = 0;
743 
744  if (info->type == NF_LOG_TYPE_LOG)
745  logflags = info->u.log.logflags;
746 
747  if (!(logflags & XT_LOG_MACDECODE))
748  goto fallback;
749 
750  switch (dev->type) {
751  case ARPHRD_ETHER:
752  sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
753  eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
754  ntohs(eth_hdr(skb)->h_proto));
755  return;
756  default:
757  break;
758  }
759 
760 fallback:
761  sb_add(m, "MAC=");
762  if (dev->hard_header_len &&
763  skb->mac_header != skb->network_header) {
764  const unsigned char *p = skb_mac_header(skb);
765  unsigned int len = dev->hard_header_len;
766  unsigned int i;
767 
768  if (dev->type == ARPHRD_SIT) {
769  p -= ETH_HLEN;
770 
771  if (p < skb->head)
772  p = NULL;
773  }
774 
775  if (p != NULL) {
776  sb_add(m, "%02x", *p++);
777  for (i = 1; i < len; i++)
778  sb_add(m, ":%02x", *p++);
779  }
780  sb_add(m, " ");
781 
782  if (dev->type == ARPHRD_SIT) {
783  const struct iphdr *iph =
784  (struct iphdr *)skb_mac_header(skb);
785  sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr,
786  &iph->daddr);
787  }
788  } else
789  sb_add(m, " ");
790 }
791 
792 static void
793 ip6t_log_packet(u_int8_t pf,
794  unsigned int hooknum,
795  const struct sk_buff *skb,
796  const struct net_device *in,
797  const struct net_device *out,
798  const struct nf_loginfo *loginfo,
799  const char *prefix)
800 {
801  struct sbuff *m = sb_open();
802 
803  if (!loginfo)
804  loginfo = &default_loginfo;
805 
806  log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
807 
808  if (in != NULL)
809  dump_ipv6_mac_header(m, loginfo, skb);
810 
811  dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
812 
813  sb_close(m);
814 }
815 #endif
816 
817 static unsigned int
818 log_tg(struct sk_buff *skb, const struct xt_action_param *par)
819 {
820  const struct xt_log_info *loginfo = par->targinfo;
821  struct nf_loginfo li;
822 
823  li.type = NF_LOG_TYPE_LOG;
824  li.u.log.level = loginfo->level;
825  li.u.log.logflags = loginfo->logflags;
826 
827  if (par->family == NFPROTO_IPV4)
828  ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
829  par->out, &li, loginfo->prefix);
830 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
831  else if (par->family == NFPROTO_IPV6)
832  ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
833  par->out, &li, loginfo->prefix);
834 #endif
835  else
836  WARN_ON_ONCE(1);
837 
838  return XT_CONTINUE;
839 }
840 
841 static int log_tg_check(const struct xt_tgchk_param *par)
842 {
843  const struct xt_log_info *loginfo = par->targinfo;
844 
845  if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
846  return -EINVAL;
847 
848  if (loginfo->level >= 8) {
849  pr_debug("level %u >= 8\n", loginfo->level);
850  return -EINVAL;
851  }
852 
853  if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
854  pr_debug("prefix is not null-terminated\n");
855  return -EINVAL;
856  }
857 
858  return 0;
859 }
860 
861 static struct xt_target log_tg_regs[] __read_mostly = {
862  {
863  .name = "LOG",
864  .family = NFPROTO_IPV4,
865  .target = log_tg,
866  .targetsize = sizeof(struct xt_log_info),
867  .checkentry = log_tg_check,
868  .me = THIS_MODULE,
869  },
870 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
871  {
872  .name = "LOG",
873  .family = NFPROTO_IPV6,
874  .target = log_tg,
875  .targetsize = sizeof(struct xt_log_info),
876  .checkentry = log_tg_check,
877  .me = THIS_MODULE,
878  },
879 #endif
880 };
881 
882 static struct nf_logger ipt_log_logger __read_mostly = {
883  .name = "ipt_LOG",
884  .logfn = &ipt_log_packet,
885  .me = THIS_MODULE,
886 };
887 
888 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
889 static struct nf_logger ip6t_log_logger __read_mostly = {
890  .name = "ip6t_LOG",
891  .logfn = &ip6t_log_packet,
892  .me = THIS_MODULE,
893 };
894 #endif
895 
896 static int __init log_tg_init(void)
897 {
898  int ret;
899 
900  ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
901  if (ret < 0)
902  return ret;
903 
904  nf_log_register(NFPROTO_IPV4, &ipt_log_logger);
905 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
906  nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
907 #endif
908  return 0;
909 }
910 
911 static void __exit log_tg_exit(void)
912 {
913  nf_log_unregister(&ipt_log_logger);
914 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
915  nf_log_unregister(&ip6t_log_logger);
916 #endif
917  xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
918 }
919 
920 module_init(log_tg_init);
921 module_exit(log_tg_exit);
922 
923 MODULE_LICENSE("GPL");
924 MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
925 MODULE_AUTHOR("Jan Rekorajski <[email protected]>");
926 MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
927 MODULE_ALIAS("ipt_LOG");
928 MODULE_ALIAS("ip6t_LOG");
Generated on Thu Jan 10 2013 15:00:56 for Linux Kernel by   doxygen 1.8.2