Commit db3187ae authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: nf_log_ipv4: rename to nf_log_syslog

Netfilter has multiple log modules:
 nf_log_arp
 nf_log_bridge
 nf_log_ipv4
 nf_log_ipv6
 nf_log_netdev
 nfnetlink_log
 nf_log_common

With the exception of nfnetlink_log (packet is sent to userspace for
dissection/logging), all of them log to the kernel ringbuffer.

This is the first part of a series to merge all modules except
nfnetlink_log into a single module: nf_log_syslog.

This allows the amount of code to be reduced.  After the series, only two log modules remain:
nfnetlink_log and nf_log_syslog. The latter provides the same
functionality as the old per-af log modules.

This renames nf_log_ipv4 to nf_log_syslog.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent cda1893e
...@@ -81,7 +81,10 @@ config NF_LOG_ARP ...@@ -81,7 +81,10 @@ config NF_LOG_ARP
config NF_LOG_IPV4 config NF_LOG_IPV4
tristate "IPv4 packet logging" tristate "IPv4 packet logging"
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
select NF_LOG_COMMON select NF_LOG_SYSLOG
help
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
config NF_REJECT_IPV4 config NF_REJECT_IPV4
tristate "IPv4 packet rejection" tristate "IPv4 packet rejection"
......
...@@ -11,7 +11,6 @@ obj-$(CONFIG_NF_TPROXY_IPV4) += nf_tproxy_ipv4.o ...@@ -11,7 +11,6 @@ obj-$(CONFIG_NF_TPROXY_IPV4) += nf_tproxy_ipv4.o
# logging # logging
obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o
obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o
# reject # reject
obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
......
...@@ -78,6 +78,18 @@ config NF_LOG_NETDEV ...@@ -78,6 +78,18 @@ config NF_LOG_NETDEV
tristate "Netdev packet logging" tristate "Netdev packet logging"
select NF_LOG_COMMON select NF_LOG_COMMON
config NF_LOG_SYSLOG
tristate "Syslog packet logging"
default m if NETFILTER_ADVANCED=n
select NF_LOG_COMMON
help
This option enable support for packet logging via syslog.
It supports IPv4 and common transport protocols such as TCP and UDP.
This is a simpler but less flexible logging method compared to
CONFIG_NETFILTER_NETLINK_LOG.
If both are enabled the backend to use can be configured at run-time
by means of per-address-family sysctl tunables.
if NF_CONNTRACK if NF_CONNTRACK
config NETFILTER_CONNCOUNT config NETFILTER_CONNCOUNT
tristate tristate
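Review bot: The first line of the new NF_LOG_SYSLOG help text has a grammar slip: `This option enable support for packet logging via syslog.` should read `This option enables support for packet logging via syslog.`. The second sentence, `It supports IPv4 and common transport protocols such as TCP and UDP.`, is accurate for this step of the series but will need revisiting once the other per-family loggers are merged into this module, as the commit message announces. The last two lines refer to "per-address-family sysctl tunables" without naming them; a reader configuring the backend would be helped by a pointer to where those tunables live, if the maintainers consider that appropriate for Kconfig help.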
...@@ -923,7 +935,7 @@ config NETFILTER_XT_TARGET_LED ...@@ -923,7 +935,7 @@ config NETFILTER_XT_TARGET_LED
config NETFILTER_XT_TARGET_LOG config NETFILTER_XT_TARGET_LOG
tristate "LOG target support" tristate "LOG target support"
select NF_LOG_COMMON select NF_LOG_COMMON
select NF_LOG_IPV4 select NF_LOG_SYSLOG
select NF_LOG_IPV6 if IP6_NF_IPTABLES select NF_LOG_IPV6 if IP6_NF_IPTABLES
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
help help
......
...@@ -50,6 +50,7 @@ nf_nat-y := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o ...@@ -50,6 +50,7 @@ nf_nat-y := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o
# generic transport layer logging # generic transport layer logging
obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o
obj-$(CONFIG_NF_LOG_SYSLOG) += nf_log_syslog.o
# packet logging for netdev family # packet logging for netdev family
obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o
......
...@@ -32,13 +32,14 @@ static const struct nf_loginfo default_loginfo = { ...@@ -32,13 +32,14 @@ static const struct nf_loginfo default_loginfo = {
}; };
/* One level of recursion won't kill us */ /* One level of recursion won't kill us */
static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, static noinline_for_stack void
const struct nf_loginfo *info, dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
const struct sk_buff *skb, unsigned int iphoff) const struct nf_loginfo *info,
const struct sk_buff *skb, unsigned int iphoff)
{ {
struct iphdr _iph;
const struct iphdr *ih; const struct iphdr *ih;
unsigned int logflags; unsigned int logflags;
struct iphdr _iph;
if (info->type == NF_LOG_TYPE_LOG) if (info->type == NF_LOG_TYPE_LOG)
logflags = info->u.log.logflags; logflags = info->u.log.logflags;
...@@ -46,14 +47,15 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -46,14 +47,15 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
logflags = NF_LOG_DEFAULT_MASK; logflags = NF_LOG_DEFAULT_MASK;
ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
if (ih == NULL) { if (!ih) {
nf_log_buf_add(m, "TRUNCATED"); nf_log_buf_add(m, "TRUNCATED");
return; return;
} }
/* Important fields: /* Important fields:
* TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ * TOS, len, DF/MF, fragment offset, TTL, src, dst, options.
/* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 "
*/
nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
/* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
...@@ -75,14 +77,14 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -75,14 +77,14 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
if ((logflags & NF_LOG_IPOPT) && if ((logflags & NF_LOG_IPOPT) &&
ih->ihl * 4 > sizeof(struct iphdr)) { ih->ihl * 4 > sizeof(struct iphdr)) {
const unsigned char *op;
unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
const unsigned char *op;
unsigned int i, optsize; unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr); optsize = ih->ihl * 4 - sizeof(struct iphdr);
op = skb_header_pointer(skb, iphoff+sizeof(_iph), op = skb_header_pointer(skb, iphoff + sizeof(_iph),
optsize, _opt); optsize, _opt);
if (op == NULL) { if (!op) {
nf_log_buf_add(m, "TRUNCATED"); nf_log_buf_add(m, "TRUNCATED");
return; return;
} }
...@@ -98,36 +100,31 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -98,36 +100,31 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
case IPPROTO_TCP: case IPPROTO_TCP:
if (nf_log_dump_tcp_header(m, skb, ih->protocol, if (nf_log_dump_tcp_header(m, skb, ih->protocol,
ntohs(ih->frag_off) & IP_OFFSET, ntohs(ih->frag_off) & IP_OFFSET,
iphoff+ih->ihl*4, logflags)) iphoff + ih->ihl * 4, logflags))
return; return;
break; break;
case IPPROTO_UDP: case IPPROTO_UDP:
case IPPROTO_UDPLITE: case IPPROTO_UDPLITE:
if (nf_log_dump_udp_header(m, skb, ih->protocol, if (nf_log_dump_udp_header(m, skb, ih->protocol,
ntohs(ih->frag_off) & IP_OFFSET, ntohs(ih->frag_off) & IP_OFFSET,
iphoff+ih->ihl*4)) iphoff + ih->ihl * 4))
return; return;
break; break;
case IPPROTO_ICMP: { case IPPROTO_ICMP: {
struct icmphdr _icmph; static const size_t required_len[NR_ICMP_TYPES + 1] = {
[ICMP_ECHOREPLY] = 4,
[ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr),
[ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr),
[ICMP_REDIRECT] = 8 + sizeof(struct iphdr),
[ICMP_ECHO] = 4,
[ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr),
[ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr),
[ICMP_TIMESTAMP] = 20,
[ICMP_TIMESTAMPREPLY] = 20,
[ICMP_ADDRESS] = 12,
[ICMP_ADDRESSREPLY] = 12 };
const struct icmphdr *ich; const struct icmphdr *ich;
static const size_t required_len[NR_ICMP_TYPES+1] struct icmphdr _icmph;
= { [ICMP_ECHOREPLY] = 4,
[ICMP_DEST_UNREACH]
= 8 + sizeof(struct iphdr),
[ICMP_SOURCE_QUENCH]
= 8 + sizeof(struct iphdr),
[ICMP_REDIRECT]
= 8 + sizeof(struct iphdr),
[ICMP_ECHO] = 4,
[ICMP_TIME_EXCEEDED]
= 8 + sizeof(struct iphdr),
[ICMP_PARAMETERPROB]
= 8 + sizeof(struct iphdr),
[ICMP_TIMESTAMP] = 20,
[ICMP_TIMESTAMPREPLY] = 20,
[ICMP_ADDRESS] = 12,
[ICMP_ADDRESSREPLY] = 12 };
/* Max length: 11 "PROTO=ICMP " */ /* Max length: 11 "PROTO=ICMP " */
nf_log_buf_add(m, "PROTO=ICMP "); nf_log_buf_add(m, "PROTO=ICMP ");
...@@ -138,9 +135,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -138,9 +135,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
/* Max length: 25 "INCOMPLETE [65535 bytes] " */ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
sizeof(_icmph), &_icmph); sizeof(_icmph), &_icmph);
if (ich == NULL) { if (!ich) {
nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
skb->len - iphoff - ih->ihl*4); skb->len - iphoff - ih->ihl * 4);
break; break;
} }
...@@ -150,9 +147,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -150,9 +147,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
/* Max length: 25 "INCOMPLETE [65535 bytes] " */ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
if (ich->type <= NR_ICMP_TYPES && if (ich->type <= NR_ICMP_TYPES &&
required_len[ich->type] && required_len[ich->type] &&
skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) {
nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
skb->len - iphoff - ih->ihl*4); skb->len - iphoff - ih->ihl * 4);
break; break;
} }
...@@ -181,7 +178,7 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -181,7 +178,7 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
if (!iphoff) { /* Only recurse once. */ if (!iphoff) { /* Only recurse once. */
nf_log_buf_add(m, "["); nf_log_buf_add(m, "[");
dump_ipv4_packet(net, m, info, skb, dump_ipv4_packet(net, m, info, skb,
iphoff + ih->ihl*4+sizeof(_icmph)); iphoff + ih->ihl * 4 + sizeof(_icmph));
nf_log_buf_add(m, "] "); nf_log_buf_add(m, "] ");
} }
...@@ -196,8 +193,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -196,8 +193,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
} }
/* Max Length */ /* Max Length */
case IPPROTO_AH: { case IPPROTO_AH: {
struct ip_auth_hdr _ahdr;
const struct ip_auth_hdr *ah; const struct ip_auth_hdr *ah;
struct ip_auth_hdr _ahdr;
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
break; break;
...@@ -206,11 +203,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -206,11 +203,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
nf_log_buf_add(m, "PROTO=AH "); nf_log_buf_add(m, "PROTO=AH ");
/* Max length: 25 "INCOMPLETE [65535 bytes] " */ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
ah = skb_header_pointer(skb, iphoff+ih->ihl*4, ah = skb_header_pointer(skb, iphoff + ih->ihl * 4,
sizeof(_ahdr), &_ahdr); sizeof(_ahdr), &_ahdr);
if (ah == NULL) { if (!ah) {
nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
skb->len - iphoff - ih->ihl*4); skb->len - iphoff - ih->ihl * 4);
break; break;
} }
...@@ -219,8 +216,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -219,8 +216,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
break; break;
} }
case IPPROTO_ESP: { case IPPROTO_ESP: {
struct ip_esp_hdr _esph;
const struct ip_esp_hdr *eh; const struct ip_esp_hdr *eh;
struct ip_esp_hdr _esph;
/* Max length: 10 "PROTO=ESP " */ /* Max length: 10 "PROTO=ESP " */
nf_log_buf_add(m, "PROTO=ESP "); nf_log_buf_add(m, "PROTO=ESP ");
...@@ -229,11 +226,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -229,11 +226,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
break; break;
/* Max length: 25 "INCOMPLETE [65535 bytes] " */ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
eh = skb_header_pointer(skb, iphoff+ih->ihl*4, eh = skb_header_pointer(skb, iphoff + ih->ihl * 4,
sizeof(_esph), &_esph); sizeof(_esph), &_esph);
if (eh == NULL) { if (!eh) {
nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
skb->len - iphoff - ih->ihl*4); skb->len - iphoff - ih->ihl * 4);
break; break;
} }
...@@ -270,8 +267,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -270,8 +267,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
} }
static void dump_ipv4_mac_header(struct nf_log_buf *m, static void dump_ipv4_mac_header(struct nf_log_buf *m,
const struct nf_loginfo *info, const struct nf_loginfo *info,
const struct sk_buff *skb) const struct sk_buff *skb)
{ {
struct net_device *dev = skb->dev; struct net_device *dev = skb->dev;
unsigned int logflags = 0; unsigned int logflags = 0;
...@@ -329,7 +326,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf, ...@@ -329,7 +326,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
nf_log_dump_packet_common(m, pf, hooknum, skb, in, nf_log_dump_packet_common(m, pf, hooknum, skb, in,
out, loginfo, prefix); out, loginfo, prefix);
if (in != NULL) if (in)
dump_ipv4_mac_header(m, loginfo, skb); dump_ipv4_mac_header(m, loginfo, skb);
dump_ipv4_packet(net, m, loginfo, skb, 0); dump_ipv4_packet(net, m, loginfo, skb, 0);
...@@ -344,52 +341,51 @@ static struct nf_logger nf_ip_logger __read_mostly = { ...@@ -344,52 +341,51 @@ static struct nf_logger nf_ip_logger __read_mostly = {
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static int __net_init nf_log_ipv4_net_init(struct net *net) static int __net_init nf_log_syslog_net_init(struct net *net)
{ {
return nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); return nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
} }
static void __net_exit nf_log_ipv4_net_exit(struct net *net) static void __net_exit nf_log_syslog_net_exit(struct net *net)
{ {
nf_log_unset(net, &nf_ip_logger); nf_log_unset(net, &nf_ip_logger);
} }
static struct pernet_operations nf_log_ipv4_net_ops = { static struct pernet_operations nf_log_syslog_net_ops = {
.init = nf_log_ipv4_net_init, .init = nf_log_syslog_net_init,
.exit = nf_log_ipv4_net_exit, .exit = nf_log_syslog_net_exit,
}; };
static int __init nf_log_ipv4_init(void) static int __init nf_log_syslog_init(void)
{ {
int ret; int ret;
ret = register_pernet_subsys(&nf_log_ipv4_net_ops); ret = register_pernet_subsys(&nf_log_syslog_net_ops);
if (ret < 0) if (ret < 0)
return ret; return ret;
ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
if (ret < 0) { if (ret < 0)
pr_err("failed to register logger\n");
goto err1; goto err1;
}
return 0; return 0;
err1: err1:
unregister_pernet_subsys(&nf_log_ipv4_net_ops); unregister_pernet_subsys(&nf_log_syslog_net_ops);
return ret; return ret;
} }
static void __exit nf_log_ipv4_exit(void) static void __exit nf_log_syslog_exit(void)
{ {
unregister_pernet_subsys(&nf_log_ipv4_net_ops); unregister_pernet_subsys(&nf_log_syslog_net_ops);
nf_log_unregister(&nf_ip_logger); nf_log_unregister(&nf_ip_logger);
} }
module_init(nf_log_ipv4_init); module_init(nf_log_syslog_init);
module_exit(nf_log_ipv4_exit); module_exit(nf_log_syslog_exit);
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Netfilter IPv4 packet logging"); MODULE_DESCRIPTION("Netfilter syslog packet logging");
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_ALIAS("nf_log_ipv4");
MODULE_ALIAS_NF_LOGGER(AF_INET, 0); MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
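Review bot: The last hunk renames the init/exit symbols, the pernet ops and the module description, but the `.name` member of `nf_ip_logger` sits above the hunk (the definition beginning at `static struct nf_logger nf_ip_logger __read_mostly = {` is cut off), and that string is what the per-address-family backend selection described in the new Kconfig help matches on, if I read the nf_log sysctl mechanism correctly. Please confirm it was deliberately left at its previous value: `MODULE_ALIAS("nf_log_ipv4")` only keeps the old module name loadable, it does not preserve run-time backend selection by logger name, so changing `.name` would silently break existing configurations that pin the IPv4 syslog backend. A one-line comment next to the alias would make that distinction explicit for the follow-up patches, e.g. `/* old module name stays loadable; backend selection matches nf_ip_logger.name, not this alias */`. Separately, dropping `pr_err("failed to register logger\n")` in nf_log_syslog_init() leaves a registration failure visible only through modprobe's errno; that is acceptable, but worth stating in the changelog since operators sometimes rely on that dmesg line when diagnosing a missing LOG backend.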