1
2
3
4
5
6
7
8
9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
11#include <linux/kernel.h>
12#include <linux/module.h>
13#include <linux/spinlock.h>
14#include <linux/skbuff.h>
15#include <linux/if_arp.h>
16#include <linux/ip.h>
17#include <net/ipv6.h>
18#include <net/icmp.h>
19#include <net/udp.h>
20#include <net/tcp.h>
21#include <net/route.h>
22
23#include <linux/netfilter.h>
24#include <linux/netfilter/xt_LOG.h>
25#include <net/netfilter/nf_log.h>
26
27static const struct nf_loginfo default_loginfo = {
28 .type = NF_LOG_TYPE_LOG,
29 .u = {
30 .log = {
31 .level = LOGLEVEL_NOTICE,
32 .logflags = NF_LOG_DEFAULT_MASK,
33 },
34 },
35};
36
37
38static void dump_ipv4_packet(struct nf_log_buf *m,
39 const struct nf_loginfo *info,
40 const struct sk_buff *skb, unsigned int iphoff)
41{
42 struct iphdr _iph;
43 const struct iphdr *ih;
44 unsigned int logflags;
45
46 if (info->type == NF_LOG_TYPE_LOG)
47 logflags = info->u.log.logflags;
48 else
49 logflags = NF_LOG_DEFAULT_MASK;
50
51 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
52 if (ih == NULL) {
53 nf_log_buf_add(m, "TRUNCATED");
54 return;
55 }
56
57
58
59
60 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
61
62
63 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
64 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
65 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
66
67
68 if (ntohs(ih->frag_off) & IP_CE)
69 nf_log_buf_add(m, "CE ");
70 if (ntohs(ih->frag_off) & IP_DF)
71 nf_log_buf_add(m, "DF ");
72 if (ntohs(ih->frag_off) & IP_MF)
73 nf_log_buf_add(m, "MF ");
74
75
76 if (ntohs(ih->frag_off) & IP_OFFSET)
77 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
78
79 if ((logflags & NF_LOG_IPOPT) &&
80 ih->ihl * 4 > sizeof(struct iphdr)) {
81 const unsigned char *op;
82 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
83 unsigned int i, optsize;
84
85 optsize = ih->ihl * 4 - sizeof(struct iphdr);
86 op = skb_header_pointer(skb, iphoff+sizeof(_iph),
87 optsize, _opt);
88 if (op == NULL) {
89 nf_log_buf_add(m, "TRUNCATED");
90 return;
91 }
92
93
94 nf_log_buf_add(m, "OPT (");
95 for (i = 0; i < optsize; i++)
96 nf_log_buf_add(m, "%02X", op[i]);
97 nf_log_buf_add(m, ") ");
98 }
99
100 switch (ih->protocol) {
101 case IPPROTO_TCP:
102 if (nf_log_dump_tcp_header(m, skb, ih->protocol,
103 ntohs(ih->frag_off) & IP_OFFSET,
104 iphoff+ih->ihl*4, logflags))
105 return;
106 break;
107 case IPPROTO_UDP:
108 case IPPROTO_UDPLITE:
109 if (nf_log_dump_udp_header(m, skb, ih->protocol,
110 ntohs(ih->frag_off) & IP_OFFSET,
111 iphoff+ih->ihl*4))
112 return;
113 break;
114 case IPPROTO_ICMP: {
115 struct icmphdr _icmph;
116 const struct icmphdr *ich;
117 static const size_t required_len[NR_ICMP_TYPES+1]
118 = { [ICMP_ECHOREPLY] = 4,
119 [ICMP_DEST_UNREACH]
120 = 8 + sizeof(struct iphdr),
121 [ICMP_SOURCE_QUENCH]
122 = 8 + sizeof(struct iphdr),
123 [ICMP_REDIRECT]
124 = 8 + sizeof(struct iphdr),
125 [ICMP_ECHO] = 4,
126 [ICMP_TIME_EXCEEDED]
127 = 8 + sizeof(struct iphdr),
128 [ICMP_PARAMETERPROB]
129 = 8 + sizeof(struct iphdr),
130 [ICMP_TIMESTAMP] = 20,
131 [ICMP_TIMESTAMPREPLY] = 20,
132 [ICMP_ADDRESS] = 12,
133 [ICMP_ADDRESSREPLY] = 12 };
134
135
136 nf_log_buf_add(m, "PROTO=ICMP ");
137
138 if (ntohs(ih->frag_off) & IP_OFFSET)
139 break;
140
141
142 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
143 sizeof(_icmph), &_icmph);
144 if (ich == NULL) {
145 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
146 skb->len - iphoff - ih->ihl*4);
147 break;
148 }
149
150
151 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
152
153
154 if (ich->type <= NR_ICMP_TYPES &&
155 required_len[ich->type] &&
156 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
157 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
158 skb->len - iphoff - ih->ihl*4);
159 break;
160 }
161
162 switch (ich->type) {
163 case ICMP_ECHOREPLY:
164 case ICMP_ECHO:
165
166 nf_log_buf_add(m, "ID=%u SEQ=%u ",
167 ntohs(ich->un.echo.id),
168 ntohs(ich->un.echo.sequence));
169 break;
170
171 case ICMP_PARAMETERPROB:
172
173 nf_log_buf_add(m, "PARAMETER=%u ",
174 ntohl(ich->un.gateway) >> 24);
175 break;
176 case ICMP_REDIRECT:
177
178 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
179
180 case ICMP_DEST_UNREACH:
181 case ICMP_SOURCE_QUENCH:
182 case ICMP_TIME_EXCEEDED:
183
184 if (!iphoff) {
185 nf_log_buf_add(m, "[");
186 dump_ipv4_packet(m, info, skb,
187 iphoff + ih->ihl*4+sizeof(_icmph));
188 nf_log_buf_add(m, "] ");
189 }
190
191
192 if (ich->type == ICMP_DEST_UNREACH &&
193 ich->code == ICMP_FRAG_NEEDED) {
194 nf_log_buf_add(m, "MTU=%u ",
195 ntohs(ich->un.frag.mtu));
196 }
197 }
198 break;
199 }
200
201 case IPPROTO_AH: {
202 struct ip_auth_hdr _ahdr;
203 const struct ip_auth_hdr *ah;
204
205 if (ntohs(ih->frag_off) & IP_OFFSET)
206 break;
207
208
209 nf_log_buf_add(m, "PROTO=AH ");
210
211
212 ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
213 sizeof(_ahdr), &_ahdr);
214 if (ah == NULL) {
215 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
216 skb->len - iphoff - ih->ihl*4);
217 break;
218 }
219
220
221 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
222 break;
223 }
224 case IPPROTO_ESP: {
225 struct ip_esp_hdr _esph;
226 const struct ip_esp_hdr *eh;
227
228
229 nf_log_buf_add(m, "PROTO=ESP ");
230
231 if (ntohs(ih->frag_off) & IP_OFFSET)
232 break;
233
234
235 eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
236 sizeof(_esph), &_esph);
237 if (eh == NULL) {
238 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
239 skb->len - iphoff - ih->ihl*4);
240 break;
241 }
242
243
244 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi));
245 break;
246 }
247
248 default:
249 nf_log_buf_add(m, "PROTO=%u ", ih->protocol);
250 }
251
252
253 if ((logflags & NF_LOG_UID) && !iphoff)
254 nf_log_dump_sk_uid_gid(m, skb->sk);
255
256
257 if (!iphoff && skb->mark)
258 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273}
274
275static void dump_ipv4_mac_header(struct nf_log_buf *m,
276 const struct nf_loginfo *info,
277 const struct sk_buff *skb)
278{
279 struct net_device *dev = skb->dev;
280 unsigned int logflags = 0;
281
282 if (info->type == NF_LOG_TYPE_LOG)
283 logflags = info->u.log.logflags;
284
285 if (!(logflags & NF_LOG_MACDECODE))
286 goto fallback;
287
288 switch (dev->type) {
289 case ARPHRD_ETHER:
290 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
291 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
292 ntohs(eth_hdr(skb)->h_proto));
293 return;
294 default:
295 break;
296 }
297
298fallback:
299 nf_log_buf_add(m, "MAC=");
300 if (dev->hard_header_len &&
301 skb->mac_header != skb->network_header) {
302 const unsigned char *p = skb_mac_header(skb);
303 unsigned int i;
304
305 nf_log_buf_add(m, "%02x", *p++);
306 for (i = 1; i < dev->hard_header_len; i++, p++)
307 nf_log_buf_add(m, ":%02x", *p);
308 }
309 nf_log_buf_add(m, " ");
310}
311
312static void nf_log_ip_packet(struct net *net, u_int8_t pf,
313 unsigned int hooknum, const struct sk_buff *skb,
314 const struct net_device *in,
315 const struct net_device *out,
316 const struct nf_loginfo *loginfo,
317 const char *prefix)
318{
319 struct nf_log_buf *m;
320
321
322 if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
323 return;
324
325 m = nf_log_buf_open();
326
327 if (!loginfo)
328 loginfo = &default_loginfo;
329
330 nf_log_dump_packet_common(m, pf, hooknum, skb, in,
331 out, loginfo, prefix);
332
333 if (in != NULL)
334 dump_ipv4_mac_header(m, loginfo, skb);
335
336 dump_ipv4_packet(m, loginfo, skb, 0);
337
338 nf_log_buf_close(m);
339}
340
341static struct nf_logger nf_ip_logger __read_mostly = {
342 .name = "nf_log_ipv4",
343 .type = NF_LOG_TYPE_LOG,
344 .logfn = nf_log_ip_packet,
345 .me = THIS_MODULE,
346};
347
348static int __net_init nf_log_ipv4_net_init(struct net *net)
349{
350 return nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
351}
352
353static void __net_exit nf_log_ipv4_net_exit(struct net *net)
354{
355 nf_log_unset(net, &nf_ip_logger);
356}
357
358static struct pernet_operations nf_log_ipv4_net_ops = {
359 .init = nf_log_ipv4_net_init,
360 .exit = nf_log_ipv4_net_exit,
361};
362
363static int __init nf_log_ipv4_init(void)
364{
365 int ret;
366
367 ret = register_pernet_subsys(&nf_log_ipv4_net_ops);
368 if (ret < 0)
369 return ret;
370
371 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
372 if (ret < 0) {
373 pr_err("failed to register logger\n");
374 goto err1;
375 }
376
377 return 0;
378
379err1:
380 unregister_pernet_subsys(&nf_log_ipv4_net_ops);
381 return ret;
382}
383
384static void __exit nf_log_ipv4_exit(void)
385{
386 unregister_pernet_subsys(&nf_log_ipv4_net_ops);
387 nf_log_unregister(&nf_ip_logger);
388}
389
390module_init(nf_log_ipv4_init);
391module_exit(nf_log_ipv4_exit);
392
393MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
394MODULE_DESCRIPTION("Netfilter IPv4 packet logging");
395MODULE_LICENSE("GPL");
396MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
397