0001
0002
0003
0004
0005
0006 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0007
0008 #include <linux/kernel.h>
0009 #include <linux/module.h>
0010 #include <linux/spinlock.h>
0011 #include <linux/skbuff.h>
0012 #include <linux/if_arp.h>
0013 #include <linux/ip.h>
0014 #include <net/ipv6.h>
0015 #include <net/icmp.h>
0016 #include <net/udp.h>
0017 #include <net/tcp.h>
0018 #include <net/route.h>
0019
0020 #include <linux/netfilter.h>
0021 #include <linux/netfilter_bridge.h>
0022 #include <linux/netfilter_ipv6.h>
0023 #include <linux/netfilter/xt_LOG.h>
0024 #include <net/netfilter/nf_log.h>
0025
0026 static const struct nf_loginfo default_loginfo = {
0027 .type = NF_LOG_TYPE_LOG,
0028 .u = {
0029 .log = {
0030 .level = LOGLEVEL_NOTICE,
0031 .logflags = NF_LOG_DEFAULT_MASK,
0032 },
0033 },
0034 };
0035
0036 struct arppayload {
0037 unsigned char mac_src[ETH_ALEN];
0038 unsigned char ip_src[4];
0039 unsigned char mac_dst[ETH_ALEN];
0040 unsigned char ip_dst[4];
0041 };
0042
0043
0044 static bool nf_log_allowed(const struct net *net)
0045 {
0046 return net_eq(net, &init_net) || sysctl_nf_log_all_netns;
0047 }
0048
0049 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
0050 {
0051 u16 vid;
0052
0053 if (!skb_vlan_tag_present(skb))
0054 return;
0055
0056 vid = skb_vlan_tag_get(skb);
0057 nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid);
0058 }
0059 static void noinline_for_stack
0060 dump_arp_packet(struct nf_log_buf *m,
0061 const struct nf_loginfo *info,
0062 const struct sk_buff *skb, unsigned int nhoff)
0063 {
0064 const struct arppayload *ap;
0065 struct arppayload _arpp;
0066 const struct arphdr *ah;
0067 unsigned int logflags;
0068 struct arphdr _arph;
0069
0070 ah = skb_header_pointer(skb, nhoff, sizeof(_arph), &_arph);
0071 if (!ah) {
0072 nf_log_buf_add(m, "TRUNCATED");
0073 return;
0074 }
0075
0076 if (info->type == NF_LOG_TYPE_LOG)
0077 logflags = info->u.log.logflags;
0078 else
0079 logflags = NF_LOG_DEFAULT_MASK;
0080
0081 if (logflags & NF_LOG_MACDECODE) {
0082 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
0083 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
0084 nf_log_dump_vlan(m, skb);
0085 nf_log_buf_add(m, "MACPROTO=%04x ",
0086 ntohs(eth_hdr(skb)->h_proto));
0087 }
0088
0089 nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
0090 ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
0091
0092
0093
0094 if (ah->ar_hrd != htons(ARPHRD_ETHER) ||
0095 ah->ar_hln != ETH_ALEN ||
0096 ah->ar_pln != sizeof(__be32))
0097 return;
0098
0099 ap = skb_header_pointer(skb, nhoff + sizeof(_arph), sizeof(_arpp), &_arpp);
0100 if (!ap) {
0101 nf_log_buf_add(m, " INCOMPLETE [%zu bytes]",
0102 skb->len - sizeof(_arph));
0103 return;
0104 }
0105 nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4",
0106 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
0107 }
0108
0109 static void
0110 nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf,
0111 unsigned int hooknum, const struct sk_buff *skb,
0112 const struct net_device *in,
0113 const struct net_device *out,
0114 const struct nf_loginfo *loginfo, const char *prefix)
0115 {
0116 const struct net_device *physoutdev __maybe_unused;
0117 const struct net_device *physindev __maybe_unused;
0118
0119 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
0120 '0' + loginfo->u.log.level, prefix,
0121 in ? in->name : "",
0122 out ? out->name : "");
0123 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
0124 physindev = nf_bridge_get_physindev(skb);
0125 if (physindev && in != physindev)
0126 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name);
0127 physoutdev = nf_bridge_get_physoutdev(skb);
0128 if (physoutdev && out != physoutdev)
0129 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name);
0130 #endif
0131 }
0132
0133 static void nf_log_arp_packet(struct net *net, u_int8_t pf,
0134 unsigned int hooknum, const struct sk_buff *skb,
0135 const struct net_device *in,
0136 const struct net_device *out,
0137 const struct nf_loginfo *loginfo,
0138 const char *prefix)
0139 {
0140 struct nf_log_buf *m;
0141
0142 if (!nf_log_allowed(net))
0143 return;
0144
0145 m = nf_log_buf_open();
0146
0147 if (!loginfo)
0148 loginfo = &default_loginfo;
0149
0150 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
0151 prefix);
0152 dump_arp_packet(m, loginfo, skb, skb_network_offset(skb));
0153
0154 nf_log_buf_close(m);
0155 }
0156
0157 static struct nf_logger nf_arp_logger __read_mostly = {
0158 .name = "nf_log_arp",
0159 .type = NF_LOG_TYPE_LOG,
0160 .logfn = nf_log_arp_packet,
0161 .me = THIS_MODULE,
0162 };
0163
0164 static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
0165 struct sock *sk)
0166 {
0167 if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk)))
0168 return;
0169
0170 read_lock_bh(&sk->sk_callback_lock);
0171 if (sk->sk_socket && sk->sk_socket->file) {
0172 const struct cred *cred = sk->sk_socket->file->f_cred;
0173
0174 nf_log_buf_add(m, "UID=%u GID=%u ",
0175 from_kuid_munged(&init_user_ns, cred->fsuid),
0176 from_kgid_munged(&init_user_ns, cred->fsgid));
0177 }
0178 read_unlock_bh(&sk->sk_callback_lock);
0179 }
0180
0181 static noinline_for_stack int
0182 nf_log_dump_tcp_header(struct nf_log_buf *m,
0183 const struct sk_buff *skb,
0184 u8 proto, int fragment,
0185 unsigned int offset,
0186 unsigned int logflags)
0187 {
0188 struct tcphdr _tcph;
0189 const struct tcphdr *th;
0190
0191
0192 nf_log_buf_add(m, "PROTO=TCP ");
0193
0194 if (fragment)
0195 return 0;
0196
0197
0198 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
0199 if (!th) {
0200 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
0201 return 1;
0202 }
0203
0204
0205 nf_log_buf_add(m, "SPT=%u DPT=%u ",
0206 ntohs(th->source), ntohs(th->dest));
0207
0208 if (logflags & NF_LOG_TCPSEQ) {
0209 nf_log_buf_add(m, "SEQ=%u ACK=%u ",
0210 ntohl(th->seq), ntohl(th->ack_seq));
0211 }
0212
0213
0214 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window));
0215
0216 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
0217 TCP_RESERVED_BITS) >> 22));
0218
0219 if (th->cwr)
0220 nf_log_buf_add(m, "CWR ");
0221 if (th->ece)
0222 nf_log_buf_add(m, "ECE ");
0223 if (th->urg)
0224 nf_log_buf_add(m, "URG ");
0225 if (th->ack)
0226 nf_log_buf_add(m, "ACK ");
0227 if (th->psh)
0228 nf_log_buf_add(m, "PSH ");
0229 if (th->rst)
0230 nf_log_buf_add(m, "RST ");
0231 if (th->syn)
0232 nf_log_buf_add(m, "SYN ");
0233 if (th->fin)
0234 nf_log_buf_add(m, "FIN ");
0235
0236 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr));
0237
0238 if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) {
0239 unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr);
0240 u8 _opt[60 - sizeof(struct tcphdr)];
0241 unsigned int i;
0242 const u8 *op;
0243
0244 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
0245 optsize, _opt);
0246 if (!op) {
0247 nf_log_buf_add(m, "OPT (TRUNCATED)");
0248 return 1;
0249 }
0250
0251
0252 nf_log_buf_add(m, "OPT (");
0253 for (i = 0; i < optsize; i++)
0254 nf_log_buf_add(m, "%02X", op[i]);
0255
0256 nf_log_buf_add(m, ") ");
0257 }
0258
0259 return 0;
0260 }
0261
0262 static noinline_for_stack int
0263 nf_log_dump_udp_header(struct nf_log_buf *m,
0264 const struct sk_buff *skb,
0265 u8 proto, int fragment,
0266 unsigned int offset)
0267 {
0268 struct udphdr _udph;
0269 const struct udphdr *uh;
0270
0271 if (proto == IPPROTO_UDP)
0272
0273 nf_log_buf_add(m, "PROTO=UDP ");
0274 else
0275 nf_log_buf_add(m, "PROTO=UDPLITE ");
0276
0277 if (fragment)
0278 goto out;
0279
0280
0281 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
0282 if (!uh) {
0283 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
0284
0285 return 1;
0286 }
0287
0288
0289 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ",
0290 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len));
0291
0292 out:
0293 return 0;
0294 }
0295
0296
0297 static noinline_for_stack void
0298 dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
0299 const struct nf_loginfo *info,
0300 const struct sk_buff *skb, unsigned int iphoff)
0301 {
0302 const struct iphdr *ih;
0303 unsigned int logflags;
0304 struct iphdr _iph;
0305
0306 if (info->type == NF_LOG_TYPE_LOG)
0307 logflags = info->u.log.logflags;
0308 else
0309 logflags = NF_LOG_DEFAULT_MASK;
0310
0311 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
0312 if (!ih) {
0313 nf_log_buf_add(m, "TRUNCATED");
0314 return;
0315 }
0316
0317
0318
0319
0320
0321 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
0322
0323
0324 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
0325 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
0326 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
0327
0328
0329 if (ntohs(ih->frag_off) & IP_CE)
0330 nf_log_buf_add(m, "CE ");
0331 if (ntohs(ih->frag_off) & IP_DF)
0332 nf_log_buf_add(m, "DF ");
0333 if (ntohs(ih->frag_off) & IP_MF)
0334 nf_log_buf_add(m, "MF ");
0335
0336
0337 if (ntohs(ih->frag_off) & IP_OFFSET)
0338 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
0339
0340 if ((logflags & NF_LOG_IPOPT) &&
0341 ih->ihl * 4 > sizeof(struct iphdr)) {
0342 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
0343 const unsigned char *op;
0344 unsigned int i, optsize;
0345
0346 optsize = ih->ihl * 4 - sizeof(struct iphdr);
0347 op = skb_header_pointer(skb, iphoff + sizeof(_iph),
0348 optsize, _opt);
0349 if (!op) {
0350 nf_log_buf_add(m, "TRUNCATED");
0351 return;
0352 }
0353
0354
0355 nf_log_buf_add(m, "OPT (");
0356 for (i = 0; i < optsize; i++)
0357 nf_log_buf_add(m, "%02X", op[i]);
0358 nf_log_buf_add(m, ") ");
0359 }
0360
0361 switch (ih->protocol) {
0362 case IPPROTO_TCP:
0363 if (nf_log_dump_tcp_header(m, skb, ih->protocol,
0364 ntohs(ih->frag_off) & IP_OFFSET,
0365 iphoff + ih->ihl * 4, logflags))
0366 return;
0367 break;
0368 case IPPROTO_UDP:
0369 case IPPROTO_UDPLITE:
0370 if (nf_log_dump_udp_header(m, skb, ih->protocol,
0371 ntohs(ih->frag_off) & IP_OFFSET,
0372 iphoff + ih->ihl * 4))
0373 return;
0374 break;
0375 case IPPROTO_ICMP: {
0376 static const size_t required_len[NR_ICMP_TYPES + 1] = {
0377 [ICMP_ECHOREPLY] = 4,
0378 [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr),
0379 [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr),
0380 [ICMP_REDIRECT] = 8 + sizeof(struct iphdr),
0381 [ICMP_ECHO] = 4,
0382 [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr),
0383 [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr),
0384 [ICMP_TIMESTAMP] = 20,
0385 [ICMP_TIMESTAMPREPLY] = 20,
0386 [ICMP_ADDRESS] = 12,
0387 [ICMP_ADDRESSREPLY] = 12 };
0388 const struct icmphdr *ich;
0389 struct icmphdr _icmph;
0390
0391
0392 nf_log_buf_add(m, "PROTO=ICMP ");
0393
0394 if (ntohs(ih->frag_off) & IP_OFFSET)
0395 break;
0396
0397
0398 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
0399 sizeof(_icmph), &_icmph);
0400 if (!ich) {
0401 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
0402 skb->len - iphoff - ih->ihl * 4);
0403 break;
0404 }
0405
0406
0407 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
0408
0409
0410 if (ich->type <= NR_ICMP_TYPES &&
0411 required_len[ich->type] &&
0412 skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) {
0413 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
0414 skb->len - iphoff - ih->ihl * 4);
0415 break;
0416 }
0417
0418 switch (ich->type) {
0419 case ICMP_ECHOREPLY:
0420 case ICMP_ECHO:
0421
0422 nf_log_buf_add(m, "ID=%u SEQ=%u ",
0423 ntohs(ich->un.echo.id),
0424 ntohs(ich->un.echo.sequence));
0425 break;
0426
0427 case ICMP_PARAMETERPROB:
0428
0429 nf_log_buf_add(m, "PARAMETER=%u ",
0430 ntohl(ich->un.gateway) >> 24);
0431 break;
0432 case ICMP_REDIRECT:
0433
0434 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
0435 fallthrough;
0436 case ICMP_DEST_UNREACH:
0437 case ICMP_SOURCE_QUENCH:
0438 case ICMP_TIME_EXCEEDED:
0439
0440 if (!iphoff) {
0441 nf_log_buf_add(m, "[");
0442 dump_ipv4_packet(net, m, info, skb,
0443 iphoff + ih->ihl * 4 + sizeof(_icmph));
0444 nf_log_buf_add(m, "] ");
0445 }
0446
0447
0448 if (ich->type == ICMP_DEST_UNREACH &&
0449 ich->code == ICMP_FRAG_NEEDED) {
0450 nf_log_buf_add(m, "MTU=%u ",
0451 ntohs(ich->un.frag.mtu));
0452 }
0453 }
0454 break;
0455 }
0456
0457 case IPPROTO_AH: {
0458 const struct ip_auth_hdr *ah;
0459 struct ip_auth_hdr _ahdr;
0460
0461 if (ntohs(ih->frag_off) & IP_OFFSET)
0462 break;
0463
0464
0465 nf_log_buf_add(m, "PROTO=AH ");
0466
0467
0468 ah = skb_header_pointer(skb, iphoff + ih->ihl * 4,
0469 sizeof(_ahdr), &_ahdr);
0470 if (!ah) {
0471 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
0472 skb->len - iphoff - ih->ihl * 4);
0473 break;
0474 }
0475
0476
0477 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
0478 break;
0479 }
0480 case IPPROTO_ESP: {
0481 const struct ip_esp_hdr *eh;
0482 struct ip_esp_hdr _esph;
0483
0484
0485 nf_log_buf_add(m, "PROTO=ESP ");
0486
0487 if (ntohs(ih->frag_off) & IP_OFFSET)
0488 break;
0489
0490
0491 eh = skb_header_pointer(skb, iphoff + ih->ihl * 4,
0492 sizeof(_esph), &_esph);
0493 if (!eh) {
0494 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
0495 skb->len - iphoff - ih->ihl * 4);
0496 break;
0497 }
0498
0499
0500 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi));
0501 break;
0502 }
0503
0504 default:
0505 nf_log_buf_add(m, "PROTO=%u ", ih->protocol);
0506 }
0507
0508
0509 if ((logflags & NF_LOG_UID) && !iphoff)
0510 nf_log_dump_sk_uid_gid(net, m, skb->sk);
0511
0512
0513 if (!iphoff && skb->mark)
0514 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
0515
0516
0517
0518
0519
0520
0521
0522
0523
0524
0525
0526
0527
0528
0529 }
0530
0531 static noinline_for_stack void
0532 dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
0533 const struct nf_loginfo *info,
0534 const struct sk_buff *skb, unsigned int ip6hoff,
0535 int recurse)
0536 {
0537 const struct ipv6hdr *ih;
0538 unsigned int hdrlen = 0;
0539 unsigned int logflags;
0540 struct ipv6hdr _ip6h;
0541 unsigned int ptr;
0542 u8 currenthdr;
0543 int fragment;
0544
0545 if (info->type == NF_LOG_TYPE_LOG)
0546 logflags = info->u.log.logflags;
0547 else
0548 logflags = NF_LOG_DEFAULT_MASK;
0549
0550 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
0551 if (!ih) {
0552 nf_log_buf_add(m, "TRUNCATED");
0553 return;
0554 }
0555
0556
0557 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
0558
0559
0560 nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
0561 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
0562 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
0563 ih->hop_limit,
0564 (ntohl(*(__be32 *)ih) & 0x000fffff));
0565
0566 fragment = 0;
0567 ptr = ip6hoff + sizeof(struct ipv6hdr);
0568 currenthdr = ih->nexthdr;
0569 while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) {
0570 struct ipv6_opt_hdr _hdr;
0571 const struct ipv6_opt_hdr *hp;
0572
0573 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
0574 if (!hp) {
0575 nf_log_buf_add(m, "TRUNCATED");
0576 return;
0577 }
0578
0579
0580 if (logflags & NF_LOG_IPOPT)
0581 nf_log_buf_add(m, "OPT ( ");
0582
0583 switch (currenthdr) {
0584 case IPPROTO_FRAGMENT: {
0585 struct frag_hdr _fhdr;
0586 const struct frag_hdr *fh;
0587
0588 nf_log_buf_add(m, "FRAG:");
0589 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
0590 &_fhdr);
0591 if (!fh) {
0592 nf_log_buf_add(m, "TRUNCATED ");
0593 return;
0594 }
0595
0596
0597 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
0598
0599
0600 if (fh->frag_off & htons(0x0001))
0601 nf_log_buf_add(m, "INCOMPLETE ");
0602
0603 nf_log_buf_add(m, "ID:%08x ",
0604 ntohl(fh->identification));
0605
0606 if (ntohs(fh->frag_off) & 0xFFF8)
0607 fragment = 1;
0608
0609 hdrlen = 8;
0610 break;
0611 }
0612 case IPPROTO_DSTOPTS:
0613 case IPPROTO_ROUTING:
0614 case IPPROTO_HOPOPTS:
0615 if (fragment) {
0616 if (logflags & NF_LOG_IPOPT)
0617 nf_log_buf_add(m, ")");
0618 return;
0619 }
0620 hdrlen = ipv6_optlen(hp);
0621 break;
0622
0623 case IPPROTO_AH:
0624 if (logflags & NF_LOG_IPOPT) {
0625 struct ip_auth_hdr _ahdr;
0626 const struct ip_auth_hdr *ah;
0627
0628
0629 nf_log_buf_add(m, "AH ");
0630
0631 if (fragment) {
0632 nf_log_buf_add(m, ")");
0633 return;
0634 }
0635
0636 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
0637 &_ahdr);
0638 if (!ah) {
0639
0640 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
0641 skb->len - ptr);
0642 return;
0643 }
0644
0645
0646 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
0647 }
0648
0649 hdrlen = ipv6_authlen(hp);
0650 break;
0651 case IPPROTO_ESP:
0652 if (logflags & NF_LOG_IPOPT) {
0653 struct ip_esp_hdr _esph;
0654 const struct ip_esp_hdr *eh;
0655
0656
0657 nf_log_buf_add(m, "ESP ");
0658
0659 if (fragment) {
0660 nf_log_buf_add(m, ")");
0661 return;
0662 }
0663
0664
0665 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
0666 &_esph);
0667 if (!eh) {
0668 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
0669 skb->len - ptr);
0670 return;
0671 }
0672
0673
0674 nf_log_buf_add(m, "SPI=0x%x )",
0675 ntohl(eh->spi));
0676 }
0677 return;
0678 default:
0679
0680 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr);
0681 return;
0682 }
0683 if (logflags & NF_LOG_IPOPT)
0684 nf_log_buf_add(m, ") ");
0685
0686 currenthdr = hp->nexthdr;
0687 ptr += hdrlen;
0688 }
0689
0690 switch (currenthdr) {
0691 case IPPROTO_TCP:
0692 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment,
0693 ptr, logflags))
0694 return;
0695 break;
0696 case IPPROTO_UDP:
0697 case IPPROTO_UDPLITE:
0698 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr))
0699 return;
0700 break;
0701 case IPPROTO_ICMPV6: {
0702 struct icmp6hdr _icmp6h;
0703 const struct icmp6hdr *ic;
0704
0705
0706 nf_log_buf_add(m, "PROTO=ICMPv6 ");
0707
0708 if (fragment)
0709 break;
0710
0711
0712 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
0713 if (!ic) {
0714 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
0715 skb->len - ptr);
0716 return;
0717 }
0718
0719
0720 nf_log_buf_add(m, "TYPE=%u CODE=%u ",
0721 ic->icmp6_type, ic->icmp6_code);
0722
0723 switch (ic->icmp6_type) {
0724 case ICMPV6_ECHO_REQUEST:
0725 case ICMPV6_ECHO_REPLY:
0726
0727 nf_log_buf_add(m, "ID=%u SEQ=%u ",
0728 ntohs(ic->icmp6_identifier),
0729 ntohs(ic->icmp6_sequence));
0730 break;
0731 case ICMPV6_MGM_QUERY:
0732 case ICMPV6_MGM_REPORT:
0733 case ICMPV6_MGM_REDUCTION:
0734 break;
0735
0736 case ICMPV6_PARAMPROB:
0737
0738 nf_log_buf_add(m, "POINTER=%08x ",
0739 ntohl(ic->icmp6_pointer));
0740 fallthrough;
0741 case ICMPV6_DEST_UNREACH:
0742 case ICMPV6_PKT_TOOBIG:
0743 case ICMPV6_TIME_EXCEED:
0744
0745 if (recurse) {
0746 nf_log_buf_add(m, "[");
0747 dump_ipv6_packet(net, m, info, skb,
0748 ptr + sizeof(_icmp6h), 0);
0749 nf_log_buf_add(m, "] ");
0750 }
0751
0752
0753 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) {
0754 nf_log_buf_add(m, "MTU=%u ",
0755 ntohl(ic->icmp6_mtu));
0756 }
0757 }
0758 break;
0759 }
0760
0761 default:
0762 nf_log_buf_add(m, "PROTO=%u ", currenthdr);
0763 }
0764
0765
0766 if ((logflags & NF_LOG_UID) && recurse)
0767 nf_log_dump_sk_uid_gid(net, m, skb->sk);
0768
0769
0770 if (recurse && skb->mark)
0771 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
0772 }
0773
0774 static void dump_mac_header(struct nf_log_buf *m,
0775 const struct nf_loginfo *info,
0776 const struct sk_buff *skb)
0777 {
0778 struct net_device *dev = skb->dev;
0779 unsigned int logflags = 0;
0780
0781 if (info->type == NF_LOG_TYPE_LOG)
0782 logflags = info->u.log.logflags;
0783
0784 if (!(logflags & NF_LOG_MACDECODE))
0785 goto fallback;
0786
0787 switch (dev->type) {
0788 case ARPHRD_ETHER:
0789 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
0790 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
0791 nf_log_dump_vlan(m, skb);
0792 nf_log_buf_add(m, "MACPROTO=%04x ",
0793 ntohs(eth_hdr(skb)->h_proto));
0794 return;
0795 default:
0796 break;
0797 }
0798
0799 fallback:
0800 nf_log_buf_add(m, "MAC=");
0801 if (dev->hard_header_len &&
0802 skb->mac_header != skb->network_header) {
0803 const unsigned char *p = skb_mac_header(skb);
0804 unsigned int i;
0805
0806 if (dev->type == ARPHRD_SIT) {
0807 p -= ETH_HLEN;
0808
0809 if (p < skb->head)
0810 p = NULL;
0811 }
0812
0813 if (p) {
0814 nf_log_buf_add(m, "%02x", *p++);
0815 for (i = 1; i < dev->hard_header_len; i++)
0816 nf_log_buf_add(m, ":%02x", *p++);
0817 }
0818
0819 if (dev->type == ARPHRD_SIT) {
0820 const struct iphdr *iph =
0821 (struct iphdr *)skb_mac_header(skb);
0822
0823 nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr,
0824 &iph->daddr);
0825 }
0826 }
0827 nf_log_buf_add(m, " ");
0828 }
0829
0830 static void nf_log_ip_packet(struct net *net, u_int8_t pf,
0831 unsigned int hooknum, const struct sk_buff *skb,
0832 const struct net_device *in,
0833 const struct net_device *out,
0834 const struct nf_loginfo *loginfo,
0835 const char *prefix)
0836 {
0837 struct nf_log_buf *m;
0838
0839 if (!nf_log_allowed(net))
0840 return;
0841
0842 m = nf_log_buf_open();
0843
0844 if (!loginfo)
0845 loginfo = &default_loginfo;
0846
0847 nf_log_dump_packet_common(m, pf, hooknum, skb, in,
0848 out, loginfo, prefix);
0849
0850 if (in)
0851 dump_mac_header(m, loginfo, skb);
0852
0853 dump_ipv4_packet(net, m, loginfo, skb, skb_network_offset(skb));
0854
0855 nf_log_buf_close(m);
0856 }
0857
0858 static struct nf_logger nf_ip_logger __read_mostly = {
0859 .name = "nf_log_ipv4",
0860 .type = NF_LOG_TYPE_LOG,
0861 .logfn = nf_log_ip_packet,
0862 .me = THIS_MODULE,
0863 };
0864
0865 static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
0866 unsigned int hooknum, const struct sk_buff *skb,
0867 const struct net_device *in,
0868 const struct net_device *out,
0869 const struct nf_loginfo *loginfo,
0870 const char *prefix)
0871 {
0872 struct nf_log_buf *m;
0873
0874 if (!nf_log_allowed(net))
0875 return;
0876
0877 m = nf_log_buf_open();
0878
0879 if (!loginfo)
0880 loginfo = &default_loginfo;
0881
0882 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out,
0883 loginfo, prefix);
0884
0885 if (in)
0886 dump_mac_header(m, loginfo, skb);
0887
0888 dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1);
0889
0890 nf_log_buf_close(m);
0891 }
0892
0893 static struct nf_logger nf_ip6_logger __read_mostly = {
0894 .name = "nf_log_ipv6",
0895 .type = NF_LOG_TYPE_LOG,
0896 .logfn = nf_log_ip6_packet,
0897 .me = THIS_MODULE,
0898 };
0899
0900 static void nf_log_unknown_packet(struct net *net, u_int8_t pf,
0901 unsigned int hooknum,
0902 const struct sk_buff *skb,
0903 const struct net_device *in,
0904 const struct net_device *out,
0905 const struct nf_loginfo *loginfo,
0906 const char *prefix)
0907 {
0908 struct nf_log_buf *m;
0909
0910 if (!nf_log_allowed(net))
0911 return;
0912
0913 m = nf_log_buf_open();
0914
0915 if (!loginfo)
0916 loginfo = &default_loginfo;
0917
0918 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
0919 prefix);
0920
0921 dump_mac_header(m, loginfo, skb);
0922
0923 nf_log_buf_close(m);
0924 }
0925
0926 static void nf_log_netdev_packet(struct net *net, u_int8_t pf,
0927 unsigned int hooknum,
0928 const struct sk_buff *skb,
0929 const struct net_device *in,
0930 const struct net_device *out,
0931 const struct nf_loginfo *loginfo,
0932 const char *prefix)
0933 {
0934 switch (skb->protocol) {
0935 case htons(ETH_P_IP):
0936 nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
0937 break;
0938 case htons(ETH_P_IPV6):
0939 nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
0940 break;
0941 case htons(ETH_P_ARP):
0942 case htons(ETH_P_RARP):
0943 nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
0944 break;
0945 default:
0946 nf_log_unknown_packet(net, pf, hooknum, skb,
0947 in, out, loginfo, prefix);
0948 break;
0949 }
0950 }
0951
0952 static struct nf_logger nf_netdev_logger __read_mostly = {
0953 .name = "nf_log_netdev",
0954 .type = NF_LOG_TYPE_LOG,
0955 .logfn = nf_log_netdev_packet,
0956 .me = THIS_MODULE,
0957 };
0958
0959 static struct nf_logger nf_bridge_logger __read_mostly = {
0960 .name = "nf_log_bridge",
0961 .type = NF_LOG_TYPE_LOG,
0962 .logfn = nf_log_netdev_packet,
0963 .me = THIS_MODULE,
0964 };
0965
0966 static int __net_init nf_log_syslog_net_init(struct net *net)
0967 {
0968 int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
0969
0970 if (ret)
0971 return ret;
0972
0973 ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger);
0974 if (ret)
0975 goto err1;
0976
0977 ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger);
0978 if (ret)
0979 goto err2;
0980
0981 ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger);
0982 if (ret)
0983 goto err3;
0984
0985 ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger);
0986 if (ret)
0987 goto err4;
0988 return 0;
0989 err4:
0990 nf_log_unset(net, &nf_netdev_logger);
0991 err3:
0992 nf_log_unset(net, &nf_ip6_logger);
0993 err2:
0994 nf_log_unset(net, &nf_arp_logger);
0995 err1:
0996 nf_log_unset(net, &nf_ip_logger);
0997 return ret;
0998 }
0999
1000 static void __net_exit nf_log_syslog_net_exit(struct net *net)
1001 {
1002 nf_log_unset(net, &nf_ip_logger);
1003 nf_log_unset(net, &nf_arp_logger);
1004 nf_log_unset(net, &nf_ip6_logger);
1005 nf_log_unset(net, &nf_netdev_logger);
1006 nf_log_unset(net, &nf_bridge_logger);
1007 }
1008
1009 static struct pernet_operations nf_log_syslog_net_ops = {
1010 .init = nf_log_syslog_net_init,
1011 .exit = nf_log_syslog_net_exit,
1012 };
1013
1014 static int __init nf_log_syslog_init(void)
1015 {
1016 int ret;
1017
1018 ret = register_pernet_subsys(&nf_log_syslog_net_ops);
1019 if (ret < 0)
1020 return ret;
1021
1022 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
1023 if (ret < 0)
1024 goto err1;
1025
1026 ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
1027 if (ret < 0)
1028 goto err2;
1029
1030 ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
1031 if (ret < 0)
1032 goto err3;
1033
1034 ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger);
1035 if (ret < 0)
1036 goto err4;
1037
1038 ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger);
1039 if (ret < 0)
1040 goto err5;
1041
1042 return 0;
1043 err5:
1044 nf_log_unregister(&nf_netdev_logger);
1045 err4:
1046 nf_log_unregister(&nf_ip6_logger);
1047 err3:
1048 nf_log_unregister(&nf_arp_logger);
1049 err2:
1050 nf_log_unregister(&nf_ip_logger);
1051 err1:
1052 pr_err("failed to register logger\n");
1053 unregister_pernet_subsys(&nf_log_syslog_net_ops);
1054 return ret;
1055 }
1056
1057 static void __exit nf_log_syslog_exit(void)
1058 {
1059 unregister_pernet_subsys(&nf_log_syslog_net_ops);
1060 nf_log_unregister(&nf_ip_logger);
1061 nf_log_unregister(&nf_arp_logger);
1062 nf_log_unregister(&nf_ip6_logger);
1063 nf_log_unregister(&nf_netdev_logger);
1064 nf_log_unregister(&nf_bridge_logger);
1065 }
1066
1067 module_init(nf_log_syslog_init);
1068 module_exit(nf_log_syslog_exit);
1069
1070 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1071 MODULE_DESCRIPTION("Netfilter syslog packet logging");
1072 MODULE_LICENSE("GPL");
1073 MODULE_ALIAS("nf_log_arp");
1074 MODULE_ALIAS("nf_log_bridge");
1075 MODULE_ALIAS("nf_log_ipv4");
1076 MODULE_ALIAS("nf_log_ipv6");
1077 MODULE_ALIAS("nf_log_netdev");
1078 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);
1079 MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
1080 MODULE_ALIAS_NF_LOGGER(3, 0);
1081 MODULE_ALIAS_NF_LOGGER(5, 0);
1082 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
