Commit 30e0c6a6 authored by Gao feng's avatar Gao feng Committed by Pablo Neira Ayuso

netfilter: nf_log: prepare net namespace support for loggers

This patch adds netns support to nf_log and it prepares netns
support for existing loggers. It is composed of four major
changes.

1) nf_log_register has been split into two functions: nf_log_register
   and nf_log_set. The new nf_log_register is used to globally
   register the nf_logger, and nf_log_set is used for enabling
   pernet support from nf_loggers.

   Per-netns support is not yet complete after this patch; it comes
   in separate follow-up patches.

2) Add net as a parameter of nf_log_bind_pf. Per netns is not
   yet complete after this patch, it only allows to bind the
   nf_logger to the protocol family from init_net and it skips
   other cases.

3) Adapt all nf_log_packet callers to pass netns as parameter.
   After this patch, this function only works for init_net.

4) Make the sysctl net/netfilter/nf_log pernet.
Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f3c1a44a
...@@ -49,12 +49,18 @@ struct nf_logger { ...@@ -49,12 +49,18 @@ struct nf_logger {
int nf_log_register(u_int8_t pf, struct nf_logger *logger); int nf_log_register(u_int8_t pf, struct nf_logger *logger);
void nf_log_unregister(struct nf_logger *logger); void nf_log_unregister(struct nf_logger *logger);
int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger); void nf_log_set(struct net *net, u_int8_t pf,
void nf_log_unbind_pf(u_int8_t pf); const struct nf_logger *logger);
void nf_log_unset(struct net *net, const struct nf_logger *logger);
int nf_log_bind_pf(struct net *net, u_int8_t pf,
const struct nf_logger *logger);
void nf_log_unbind_pf(struct net *net, u_int8_t pf);
/* Calls the registered backend logging function */ /* Calls the registered backend logging function */
__printf(7, 8) __printf(8, 9)
void nf_log_packet(u_int8_t pf, void nf_log_packet(struct net *net,
u_int8_t pf,
unsigned int hooknum, unsigned int hooknum,
const struct sk_buff *skb, const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
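Review bot: The new `nf_log_set()` and `nf_log_unset()` prototypes carry no comment, so nothing at the declaration tells a caller how they differ from `nf_log_register()` and `nf_log_bind_pf()`. The commit description says `nf_log_bind_pf` and `nf_log_packet` only take effect for init_net after this patch, which is easy to miss from the header alone; a comment above them such as `/* Until per-netns support is complete, binding and logging take effect only for init_net. */` would stop callers from assuming full namespace isolation. The `__printf(8, 9)` update matches the added leading `net` argument. The `nf_log_packet` prototype continues past the end of the hunk.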
......
...@@ -2,10 +2,17 @@ ...@@ -2,10 +2,17 @@
#define __NETNS_NETFILTER_H #define __NETNS_NETFILTER_H
#include <linux/proc_fs.h> #include <linux/proc_fs.h>
#include <linux/netfilter.h>
struct nf_logger;
struct netns_nf { struct netns_nf {
#if defined CONFIG_PROC_FS #if defined CONFIG_PROC_FS
struct proc_dir_entry *proc_netfilter; struct proc_dir_entry *proc_netfilter;
#endif
const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
#ifdef CONFIG_SYSCTL
struct ctl_table_header *nf_log_dir_header;
#endif #endif
}; };
#endif #endif
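Review bot: The new `nf_loggers[NFPROTO_NUMPROTO]` member has no comment saying what indexes it or how writers are serialised against the `__rcu` readers. A line such as `/* active logger per protocol family, indexed by NFPROTO_*; read under RCU */` would help, and the writer-side lock should be named there once confirmed, since the nf_log.c diff is collapsed on this page. Including `<linux/netfilter.h>` in this per-namespace header only for `NFPROTO_NUMPROTO` also widens the include graph of every file that pulls it in, which deserves a second look.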
...@@ -176,17 +176,18 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -176,17 +176,18 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct ebt_log_info *info = par->targinfo; const struct ebt_log_info *info = par->targinfo;
struct nf_loginfo li; struct nf_loginfo li;
struct net *net = dev_net(par->in ? par->in : par->out);
li.type = NF_LOG_TYPE_LOG; li.type = NF_LOG_TYPE_LOG;
li.u.log.level = info->loglevel; li.u.log.level = info->loglevel;
li.u.log.logflags = info->bitmask; li.u.log.logflags = info->bitmask;
if (info->bitmask & EBT_LOG_NFLOG) if (info->bitmask & EBT_LOG_NFLOG)
nf_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in, nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
par->out, &li, "%s", info->prefix); par->in, par->out, &li, "%s", info->prefix);
else else
ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in, ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
par->out, &li, info->prefix); par->out, &li, info->prefix);
return EBT_CONTINUE; return EBT_CONTINUE;
} }
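Review bot: `dev_net(par->in ? par->in : par->out)` is evaluated with no check that at least one of the two devices is set, so if both were ever NULL the lookup would dereference a NULL `net_device` in the packet path. Netfilter hooks normally supply one of them, but that invariant is not visible in this hunk. Either state it in a comment, or separate the declaration from the lookup and guard it with something like `if (WARN_ON_ONCE(!par->in && !par->out)) return EBT_CONTINUE;`. The same expression is added in `ebt_nflog_tg`, in both `trace_packet` functions and in `xt_osf_match_packet`. Here `net` is also only consumed on the `EBT_LOG_NFLOG` branch, because `ebt_log_packet` is not passed it.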
......
...@@ -24,14 +24,15 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -24,14 +24,15 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct ebt_nflog_info *info = par->targinfo; const struct ebt_nflog_info *info = par->targinfo;
struct nf_loginfo li; struct nf_loginfo li;
struct net *net = dev_net(par->in ? par->in : par->out);
li.type = NF_LOG_TYPE_ULOG; li.type = NF_LOG_TYPE_ULOG;
li.u.ulog.copy_len = info->len; li.u.ulog.copy_len = info->len;
li.u.ulog.group = info->group; li.u.ulog.group = info->group;
li.u.ulog.qthreshold = info->threshold; li.u.ulog.qthreshold = info->threshold;
nf_log_packet(PF_BRIDGE, par->hooknum, skb, par->in, par->out, nf_log_packet(net, PF_BRIDGE, par->hooknum, skb, par->in,
&li, "%s", info->prefix); par->out, &li, "%s", info->prefix);
return EBT_CONTINUE; return EBT_CONTINUE;
} }
......
...@@ -258,6 +258,7 @@ static void trace_packet(const struct sk_buff *skb, ...@@ -258,6 +258,7 @@ static void trace_packet(const struct sk_buff *skb,
const char *hookname, *chainname, *comment; const char *hookname, *chainname, *comment;
const struct ipt_entry *iter; const struct ipt_entry *iter;
unsigned int rulenum = 0; unsigned int rulenum = 0;
struct net *net = dev_net(in ? in : out);
table_base = private->entries[smp_processor_id()]; table_base = private->entries[smp_processor_id()];
root = get_entry(table_base, private->hook_entry[hook]); root = get_entry(table_base, private->hook_entry[hook]);
...@@ -270,7 +271,7 @@ static void trace_packet(const struct sk_buff *skb, ...@@ -270,7 +271,7 @@ static void trace_packet(const struct sk_buff *skb,
&chainname, &comment, &rulenum) != 0) &chainname, &comment, &rulenum) != 0)
break; break;
nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo, nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo,
"TRACE: %s:%s:%s:%u ", "TRACE: %s:%s:%s:%u ",
tablename, chainname, comment, rulenum); tablename, chainname, comment, rulenum);
} }
......
...@@ -187,8 +187,8 @@ icmp_error(struct net *net, struct nf_conn *tmpl, ...@@ -187,8 +187,8 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih); icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih);
if (icmph == NULL) { if (icmph == NULL) {
if (LOG_INVALID(net, IPPROTO_ICMP)) if (LOG_INVALID(net, IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, nf_log_packet(net, PF_INET, 0, skb, NULL, NULL,
"nf_ct_icmp: short packet "); NULL, "nf_ct_icmp: short packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -196,7 +196,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl, ...@@ -196,7 +196,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
nf_ip_checksum(skb, hooknum, dataoff, 0)) { nf_ip_checksum(skb, hooknum, dataoff, 0)) {
if (LOG_INVALID(net, IPPROTO_ICMP)) if (LOG_INVALID(net, IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
"nf_ct_icmp: bad HW ICMP checksum "); "nf_ct_icmp: bad HW ICMP checksum ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -209,7 +209,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl, ...@@ -209,7 +209,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
*/ */
if (icmph->type > NR_ICMP_TYPES) { if (icmph->type > NR_ICMP_TYPES) {
if (LOG_INVALID(net, IPPROTO_ICMP)) if (LOG_INVALID(net, IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
"nf_ct_icmp: invalid ICMP type "); "nf_ct_icmp: invalid ICMP type ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
......
...@@ -284,6 +284,7 @@ static void trace_packet(const struct sk_buff *skb, ...@@ -284,6 +284,7 @@ static void trace_packet(const struct sk_buff *skb,
const char *hookname, *chainname, *comment; const char *hookname, *chainname, *comment;
const struct ip6t_entry *iter; const struct ip6t_entry *iter;
unsigned int rulenum = 0; unsigned int rulenum = 0;
struct net *net = dev_net(in ? in : out);
table_base = private->entries[smp_processor_id()]; table_base = private->entries[smp_processor_id()];
root = get_entry(table_base, private->hook_entry[hook]); root = get_entry(table_base, private->hook_entry[hook]);
...@@ -296,7 +297,7 @@ static void trace_packet(const struct sk_buff *skb, ...@@ -296,7 +297,7 @@ static void trace_packet(const struct sk_buff *skb,
&chainname, &comment, &rulenum) != 0) &chainname, &comment, &rulenum) != 0)
break; break;
nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo, nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
"TRACE: %s:%s:%s:%u ", "TRACE: %s:%s:%s:%u ",
tablename, chainname, comment, rulenum); tablename, chainname, comment, rulenum);
} }
......
...@@ -131,7 +131,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -131,7 +131,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
type + 128); type + 128);
nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple); nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6)) if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
NULL, NULL,
"nf_ct_icmpv6: invalid new with type %d ", "nf_ct_icmpv6: invalid new with type %d ",
type + 128); type + 128);
return false; return false;
...@@ -203,7 +204,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl, ...@@ -203,7 +204,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih); icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
if (icmp6h == NULL) { if (icmp6h == NULL) {
if (LOG_INVALID(net, IPPROTO_ICMPV6)) if (LOG_INVALID(net, IPPROTO_ICMPV6))
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
"nf_ct_icmpv6: short packet "); "nf_ct_icmpv6: short packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -211,7 +212,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl, ...@@ -211,7 +212,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) { nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
if (LOG_INVALID(net, IPPROTO_ICMPV6)) if (LOG_INVALID(net, IPPROTO_ICMPV6))
nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
"nf_ct_icmpv6: ICMPv6 checksum failed "); "nf_ct_icmpv6: ICMPv6 checksum failed ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
......
...@@ -353,7 +353,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct, ...@@ -353,7 +353,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
/* rcu_read_lock()ed by nf_hook_slow */ /* rcu_read_lock()ed by nf_hook_slow */
helper = rcu_dereference(help->helper); helper = rcu_dereference(help->helper);
nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
"nf_ct_%s: dropping packet: %pV ", helper->name, &vaf); "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf);
va_end(args); va_end(args);
......
...@@ -456,7 +456,8 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -456,7 +456,8 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
out_invalid: out_invalid:
if (LOG_INVALID(net, IPPROTO_DCCP)) if (LOG_INVALID(net, IPPROTO_DCCP))
nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg); nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
NULL, msg);
return false; return false;
} }
...@@ -542,13 +543,13 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -542,13 +543,13 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_DCCP)) if (LOG_INVALID(net, IPPROTO_DCCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_dccp: invalid packet ignored "); "nf_ct_dccp: invalid packet ignored ");
return NF_ACCEPT; return NF_ACCEPT;
case CT_DCCP_INVALID: case CT_DCCP_INVALID:
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_DCCP)) if (LOG_INVALID(net, IPPROTO_DCCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_dccp: invalid state transition "); "nf_ct_dccp: invalid state transition ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -613,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, ...@@ -613,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
out_invalid: out_invalid:
if (LOG_INVALID(net, IPPROTO_DCCP)) if (LOG_INVALID(net, IPPROTO_DCCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg); nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg);
return -NF_ACCEPT; return -NF_ACCEPT;
} }
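Review bot: In both `out_invalid` paths `msg` is passed to `nf_log_packet()` in the format-string position, which the header marks `__printf(8, 9)`. The assignments to `msg` are outside these hunks, so they are presumably fixed literals, but that cannot be confirmed from here. Passing it as an argument instead, `nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);` (and the `nf_ct_l3num(ct)` variant in `dccp_new`), removes any dependence on those strings never containing a `%` and keeps `-Wformat-security` quiet. Both functions start above the hunks shown.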
......
...@@ -720,7 +720,7 @@ static bool tcp_in_window(const struct nf_conn *ct, ...@@ -720,7 +720,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
tn->tcp_be_liberal) tn->tcp_be_liberal)
res = true; res = true;
if (!res && LOG_INVALID(net, IPPROTO_TCP)) if (!res && LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: %s ", "nf_ct_tcp: %s ",
before(seq, sender->td_maxend + 1) ? before(seq, sender->td_maxend + 1) ?
after(end, sender->td_end - receiver->td_maxwin - 1) ? after(end, sender->td_end - receiver->td_maxwin - 1) ?
...@@ -772,7 +772,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl, ...@@ -772,7 +772,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
if (th == NULL) { if (th == NULL) {
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: short packet "); "nf_ct_tcp: short packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -780,7 +780,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl, ...@@ -780,7 +780,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
/* Not whole TCP header or malformed packet */ /* Not whole TCP header or malformed packet */
if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: truncated/malformed packet "); "nf_ct_tcp: truncated/malformed packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -793,7 +793,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl, ...@@ -793,7 +793,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) { nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: bad TCP checksum "); "nf_ct_tcp: bad TCP checksum ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -802,7 +802,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl, ...@@ -802,7 +802,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH)); tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH));
if (!tcp_valid_flags[tcpflags]) { if (!tcp_valid_flags[tcpflags]) {
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: invalid TCP flag combination "); "nf_ct_tcp: invalid TCP flag combination ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -949,7 +949,7 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -949,7 +949,7 @@ static int tcp_packet(struct nf_conn *ct,
} }
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: invalid packet ignored in " "nf_ct_tcp: invalid packet ignored in "
"state %s ", tcp_conntrack_names[old_state]); "state %s ", tcp_conntrack_names[old_state]);
return NF_ACCEPT; return NF_ACCEPT;
...@@ -959,7 +959,7 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -959,7 +959,7 @@ static int tcp_packet(struct nf_conn *ct,
dir, get_conntrack_index(th), old_state); dir, get_conntrack_index(th), old_state);
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: invalid state "); "nf_ct_tcp: invalid state ");
return -NF_ACCEPT; return -NF_ACCEPT;
case TCP_CONNTRACK_CLOSE: case TCP_CONNTRACK_CLOSE:
...@@ -969,8 +969,8 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -969,8 +969,8 @@ static int tcp_packet(struct nf_conn *ct,
/* Invalid RST */ /* Invalid RST */
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL,
"nf_ct_tcp: invalid RST "); NULL, "nf_ct_tcp: invalid RST ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
if (index == TCP_RST_SET if (index == TCP_RST_SET
......
...@@ -119,7 +119,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -119,7 +119,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
if (hdr == NULL) { if (hdr == NULL) {
if (LOG_INVALID(net, IPPROTO_UDP)) if (LOG_INVALID(net, IPPROTO_UDP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udp: short packet "); "nf_ct_udp: short packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -127,7 +127,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -127,7 +127,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
/* Truncated/malformed packets */ /* Truncated/malformed packets */
if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
if (LOG_INVALID(net, IPPROTO_UDP)) if (LOG_INVALID(net, IPPROTO_UDP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udp: truncated/malformed packet "); "nf_ct_udp: truncated/malformed packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -143,7 +143,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -143,7 +143,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) { nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
if (LOG_INVALID(net, IPPROTO_UDP)) if (LOG_INVALID(net, IPPROTO_UDP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udp: bad UDP checksum "); "nf_ct_udp: bad UDP checksum ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
......
...@@ -131,7 +131,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl, ...@@ -131,7 +131,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
if (hdr == NULL) { if (hdr == NULL) {
if (LOG_INVALID(net, IPPROTO_UDPLITE)) if (LOG_INVALID(net, IPPROTO_UDPLITE))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udplite: short packet "); "nf_ct_udplite: short packet ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -141,7 +141,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl, ...@@ -141,7 +141,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
cscov = udplen; cscov = udplen;
else if (cscov < sizeof(*hdr) || cscov > udplen) { else if (cscov < sizeof(*hdr) || cscov > udplen) {
if (LOG_INVALID(net, IPPROTO_UDPLITE)) if (LOG_INVALID(net, IPPROTO_UDPLITE))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udplite: invalid checksum coverage "); "nf_ct_udplite: invalid checksum coverage ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -149,7 +149,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl, ...@@ -149,7 +149,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
/* UDPLITE mandates checksums */ /* UDPLITE mandates checksums */
if (!hdr->check) { if (!hdr->check) {
if (LOG_INVALID(net, IPPROTO_UDPLITE)) if (LOG_INVALID(net, IPPROTO_UDPLITE))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udplite: checksum missing "); "nf_ct_udplite: checksum missing ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
...@@ -159,7 +159,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl, ...@@ -159,7 +159,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP, nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
pf)) { pf)) {
if (LOG_INVALID(net, IPPROTO_UDPLITE)) if (LOG_INVALID(net, IPPROTO_UDPLITE))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
"nf_ct_udplite: bad UDPLite checksum "); "nf_ct_udplite: bad UDPLite checksum ");
return -NF_ACCEPT; return -NF_ACCEPT;
} }
......
This diff is collapsed.
...@@ -767,6 +767,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -767,6 +767,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
u_int16_t group_num = ntohs(nfmsg->res_id); u_int16_t group_num = ntohs(nfmsg->res_id);
struct nfulnl_instance *inst; struct nfulnl_instance *inst;
struct nfulnl_msg_config_cmd *cmd = NULL; struct nfulnl_msg_config_cmd *cmd = NULL;
struct net *net = sock_net(ctnl);
int ret = 0; int ret = 0;
if (nfula[NFULA_CFG_CMD]) { if (nfula[NFULA_CFG_CMD]) {
...@@ -776,9 +777,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -776,9 +777,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
/* Commands without queue context */ /* Commands without queue context */
switch (cmd->command) { switch (cmd->command) {
case NFULNL_CFG_CMD_PF_BIND: case NFULNL_CFG_CMD_PF_BIND:
return nf_log_bind_pf(pf, &nfulnl_logger); return nf_log_bind_pf(net, pf, &nfulnl_logger);
case NFULNL_CFG_CMD_PF_UNBIND: case NFULNL_CFG_CMD_PF_UNBIND:
nf_log_unbind_pf(pf); nf_log_unbind_pf(net, pf);
return 0; return 0;
} }
} }
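Review bot: `pf` is handed straight to `nf_log_bind_pf(net, pf, ...)` and `nf_log_unbind_pf(net, pf)`, and the commit introduces a per-namespace array `nf_loggers[NFPROTO_NUMPROTO]` that is presumably indexed by it. The assignment of `pf` is above the hunk and appears to come from the netlink request, so it should be treated as caller-controlled. Please confirm that both helpers reject `pf >= NFPROTO_NUMPROTO` before indexing; the nf_log.c diff is collapsed on this page, so the check cannot be seen here. It would also help to document what `nf_log_bind_pf` returns when `net` is not init_net, because the description says those cases are skipped and userspace would otherwise see a bind that had no effect.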
......
...@@ -201,6 +201,7 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p) ...@@ -201,6 +201,7 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
unsigned char opts[MAX_IPOPTLEN]; unsigned char opts[MAX_IPOPTLEN];
const struct xt_osf_finger *kf; const struct xt_osf_finger *kf;
const struct xt_osf_user_finger *f; const struct xt_osf_user_finger *f;
struct net *net = dev_net(p->in ? p->in : p->out);
if (!info) if (!info)
return false; return false;
...@@ -325,7 +326,7 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p) ...@@ -325,7 +326,7 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
fcount++; fcount++;
if (info->flags & XT_OSF_LOG) if (info->flags & XT_OSF_LOG)
nf_log_packet(p->family, p->hooknum, skb, nf_log_packet(net, p->family, p->hooknum, skb,
p->in, p->out, NULL, p->in, p->out, NULL,
"%s [%s:%s] : %pI4:%d -> %pI4:%d hops=%d\n", "%s [%s:%s] : %pI4:%d -> %pI4:%d hops=%d\n",
f->genre, f->version, f->subtype, f->genre, f->version, f->subtype,
...@@ -341,7 +342,8 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p) ...@@ -341,7 +342,8 @@ xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
rcu_read_unlock(); rcu_read_unlock();
if (!fcount && (info->flags & XT_OSF_LOG)) if (!fcount && (info->flags & XT_OSF_LOG))
nf_log_packet(p->family, p->hooknum, skb, p->in, p->out, NULL, nf_log_packet(net, p->family, p->hooknum, skb, p->in,
p->out, NULL,
"Remote OS is not known: %pI4:%u -> %pI4:%u\n", "Remote OS is not known: %pI4:%u -> %pI4:%u\n",
&ip->saddr, ntohs(tcp->source), &ip->saddr, ntohs(tcp->source),
&ip->daddr, ntohs(tcp->dest)); &ip->daddr, ntohs(tcp->dest));
......