search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 6.14-rc1
[linux.git] / net / netfilter / nf_log_syslog.c
blob58402226045e84b7134b3c8a33919b5ea1f22f12
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* (C) 1999-2001 Paul `Rusty' Russell
3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
4 */
5
6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
7
8 #include <linux/kernel.h>
9 #include <linux/module.h>
10 #include <linux/spinlock.h>
11 #include <linux/skbuff.h>
12 #include <linux/if_arp.h>
13 #include <linux/ip.h>
14 #include <net/ipv6.h>
15 #include <net/icmp.h>
16 #include <net/udp.h>
17 #include <net/tcp.h>
18 #include <net/route.h>
19
20 #include <linux/netfilter.h>
21 #include <linux/netfilter_bridge.h>
22 #include <linux/netfilter_ipv6.h>
23 #include <linux/netfilter/xt_LOG.h>
24 #include <net/netfilter/nf_log.h>
25
26 static const struct nf_loginfo default_loginfo = {
27 .type = NF_LOG_TYPE_LOG,
28 .u = {
29 .log = {
30 .level = LOGLEVEL_NOTICE,
31 .logflags = NF_LOG_DEFAULT_MASK,
32 },
33 },
34 };
35
36 struct arppayload {
37 unsigned char mac_src[ETH_ALEN];
38 unsigned char ip_src[4];
39 unsigned char mac_dst[ETH_ALEN];
40 unsigned char ip_dst[4];
41 };
42
43 /* Guard against containers flooding syslog. */
44 static bool nf_log_allowed(const struct net *net)
45 {
46 return net_eq(net, &init_net) || sysctl_nf_log_all_netns;
47 }
48
49 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
50 {
51 u16 vid;
52
53 if (!skb_vlan_tag_present(skb))
54 return;
55
56 vid = skb_vlan_tag_get(skb);
57 nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid);
58 }
59 static void noinline_for_stack
60 dump_arp_packet(struct nf_log_buf *m,
61 const struct nf_loginfo *info,
62 const struct sk_buff *skb, unsigned int nhoff)
63 {
64 const struct arppayload *ap;
65 struct arppayload _arpp;
66 const struct arphdr *ah;
67 unsigned int logflags;
68 struct arphdr _arph;
69
70 ah = skb_header_pointer(skb, nhoff, sizeof(_arph), &_arph);
71 if (!ah) {
72 nf_log_buf_add(m, "TRUNCATED");
73 return;
74 }
75
76 if (info->type == NF_LOG_TYPE_LOG)
77 logflags = info->u.log.logflags;
78 else
79 logflags = NF_LOG_DEFAULT_MASK;
80
81 if (logflags & NF_LOG_MACDECODE) {
82 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
83 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
84 nf_log_dump_vlan(m, skb);
85 nf_log_buf_add(m, "MACPROTO=%04x ",
86 ntohs(eth_hdr(skb)->h_proto));
87 }
88
89 nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
90 ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
91 /* If it's for Ethernet and the lengths are OK, then log the ARP
92 * payload.
93 */
94 if (ah->ar_hrd != htons(ARPHRD_ETHER) ||
95 ah->ar_hln != ETH_ALEN ||
96 ah->ar_pln != sizeof(__be32))
97 return;
98
99 ap = skb_header_pointer(skb, nhoff + sizeof(_arph), sizeof(_arpp), &_arpp);
100 if (!ap) {
101 nf_log_buf_add(m, " INCOMPLETE [%zu bytes]",
102 skb->len - sizeof(_arph));
103 return;
104 }
105 nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4",
106 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
107 }
108
109 static void
110 nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf,
111 unsigned int hooknum, const struct sk_buff *skb,
112 const struct net_device *in,
113 const struct net_device *out,
114 const struct nf_loginfo *loginfo, const char *prefix,
115 struct net *net)
116 {
117 const struct net_device *physoutdev __maybe_unused;
118 const struct net_device *physindev __maybe_unused;
119
120 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
121 '0' + loginfo->u.log.level, prefix,
122 in ? in->name : "",
123 out ? out->name : "");
124 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
125 physindev = nf_bridge_get_physindev(skb, net);
126 if (physindev && in != physindev)
127 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name);
128 physoutdev = nf_bridge_get_physoutdev(skb);
129 if (physoutdev && out != physoutdev)
130 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name);
131 #endif
132 }
133
134 static void nf_log_arp_packet(struct net *net, u_int8_t pf,
135 unsigned int hooknum, const struct sk_buff *skb,
136 const struct net_device *in,
137 const struct net_device *out,
138 const struct nf_loginfo *loginfo,
139 const char *prefix)
140 {
141 struct nf_log_buf *m;
142
143 if (!nf_log_allowed(net))
144 return;
145
146 m = nf_log_buf_open();
147
148 if (!loginfo)
149 loginfo = &default_loginfo;
150
151 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
152 prefix, net);
153 dump_arp_packet(m, loginfo, skb, skb_network_offset(skb));
154
155 nf_log_buf_close(m);
156 }
157
158 static struct nf_logger nf_arp_logger __read_mostly = {
159 .name = "nf_log_arp",
160 .type = NF_LOG_TYPE_LOG,
161 .logfn = nf_log_arp_packet,
162 .me = THIS_MODULE,
163 };
164
165 static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
166 struct sock *sk)
167 {
168 if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk)))
169 return;
170
171 read_lock_bh(&sk->sk_callback_lock);
172 if (sk->sk_socket && sk->sk_socket->file) {
173 const struct cred *cred = sk->sk_socket->file->f_cred;
174
175 nf_log_buf_add(m, "UID=%u GID=%u ",
176 from_kuid_munged(&init_user_ns, cred->fsuid),
177 from_kgid_munged(&init_user_ns, cred->fsgid));
178 }
179 read_unlock_bh(&sk->sk_callback_lock);
180 }
181
182 static noinline_for_stack int
183 nf_log_dump_tcp_header(struct nf_log_buf *m,
184 const struct sk_buff *skb,
185 u8 proto, int fragment,
186 unsigned int offset,
187 unsigned int logflags)
188 {
189 struct tcphdr _tcph;
190 const struct tcphdr *th;
191
192 /* Max length: 10 "PROTO=TCP " */
193 nf_log_buf_add(m, "PROTO=TCP ");
194
195 if (fragment)
196 return 0;
197
198 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
199 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
200 if (!th) {
201 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
202 return 1;
203 }
204
205 /* Max length: 20 "SPT=65535 DPT=65535 " */
206 nf_log_buf_add(m, "SPT=%u DPT=%u ",
207 ntohs(th->source), ntohs(th->dest));
208 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
209 if (logflags & NF_LOG_TCPSEQ) {
210 nf_log_buf_add(m, "SEQ=%u ACK=%u ",
211 ntohl(th->seq), ntohl(th->ack_seq));
212 }
213
214 /* Max length: 13 "WINDOW=65535 " */
215 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window));
216 /* Max length: 9 "RES=0x3C " */
217 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
218 TCP_RESERVED_BITS) >> 22));
219 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
220 if (th->cwr)
221 nf_log_buf_add(m, "CWR ");
222 if (th->ece)
223 nf_log_buf_add(m, "ECE ");
224 if (th->urg)
225 nf_log_buf_add(m, "URG ");
226 if (th->ack)
227 nf_log_buf_add(m, "ACK ");
228 if (th->psh)
229 nf_log_buf_add(m, "PSH ");
230 if (th->rst)
231 nf_log_buf_add(m, "RST ");
232 if (th->syn)
233 nf_log_buf_add(m, "SYN ");
234 if (th->fin)
235 nf_log_buf_add(m, "FIN ");
236 /* Max length: 11 "URGP=65535 " */
237 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr));
238
239 if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) {
240 unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr);
241 u8 _opt[60 - sizeof(struct tcphdr)];
242 unsigned int i;
243 const u8 *op;
244
245 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
246 optsize, _opt);
247 if (!op) {
248 nf_log_buf_add(m, "OPT (TRUNCATED)");
249 return 1;
250 }
251
252 /* Max length: 127 "OPT (" 15*4*2chars ") " */
253 nf_log_buf_add(m, "OPT (");
254 for (i = 0; i < optsize; i++)
255 nf_log_buf_add(m, "%02X", op[i]);
256
257 nf_log_buf_add(m, ") ");
258 }
259
260 return 0;
261 }
262
263 static noinline_for_stack int
264 nf_log_dump_udp_header(struct nf_log_buf *m,
265 const struct sk_buff *skb,
266 u8 proto, int fragment,
267 unsigned int offset)
268 {
269 struct udphdr _udph;
270 const struct udphdr *uh;
271
272 if (proto == IPPROTO_UDP)
273 /* Max length: 10 "PROTO=UDP " */
274 nf_log_buf_add(m, "PROTO=UDP ");
275 else /* Max length: 14 "PROTO=UDPLITE " */
276 nf_log_buf_add(m, "PROTO=UDPLITE ");
277
278 if (fragment)
279 goto out;
280
281 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
282 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
283 if (!uh) {
284 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
285
286 return 1;
287 }
288
289 /* Max length: 20 "SPT=65535 DPT=65535 " */
290 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ",
291 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len));
292
293 out:
294 return 0;
295 }
296
297 /* One level of recursion won't kill us */
298 static noinline_for_stack void
299 dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
300 const struct nf_loginfo *info,
301 const struct sk_buff *skb, unsigned int iphoff)
302 {
303 const struct iphdr *ih;
304 unsigned int logflags;
305 struct iphdr _iph;
306
307 if (info->type == NF_LOG_TYPE_LOG)
308 logflags = info->u.log.logflags;
309 else
310 logflags = NF_LOG_DEFAULT_MASK;
311
312 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
313 if (!ih) {
314 nf_log_buf_add(m, "TRUNCATED");
315 return;
316 }
317
318 /* Important fields:
319 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options.
320 * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 "
321 */
322 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
323
324 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
325 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
326 iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK,
327 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
328
329 /* Max length: 6 "CE DF MF " */
330 if (ntohs(ih->frag_off) & IP_CE)
331 nf_log_buf_add(m, "CE ");
332 if (ntohs(ih->frag_off) & IP_DF)
333 nf_log_buf_add(m, "DF ");
334 if (ntohs(ih->frag_off) & IP_MF)
335 nf_log_buf_add(m, "MF ");
336
337 /* Max length: 11 "FRAG:65535 " */
338 if (ntohs(ih->frag_off) & IP_OFFSET)
339 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
340
341 if ((logflags & NF_LOG_IPOPT) &&
342 ih->ihl * 4 > sizeof(struct iphdr)) {
343 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
344 const unsigned char *op;
345 unsigned int i, optsize;
346
347 optsize = ih->ihl * 4 - sizeof(struct iphdr);
348 op = skb_header_pointer(skb, iphoff + sizeof(_iph),
349 optsize, _opt);
350 if (!op) {
351 nf_log_buf_add(m, "TRUNCATED");
352 return;
353 }
354
355 /* Max length: 127 "OPT (" 15*4*2chars ") " */
356 nf_log_buf_add(m, "OPT (");
357 for (i = 0; i < optsize; i++)
358 nf_log_buf_add(m, "%02X", op[i]);
359 nf_log_buf_add(m, ") ");
360 }
361
362 switch (ih->protocol) {
363 case IPPROTO_TCP:
364 if (nf_log_dump_tcp_header(m, skb, ih->protocol,
365 ntohs(ih->frag_off) & IP_OFFSET,
366 iphoff + ih->ihl * 4, logflags))
367 return;
368 break;
369 case IPPROTO_UDP:
370 case IPPROTO_UDPLITE:
371 if (nf_log_dump_udp_header(m, skb, ih->protocol,
372 ntohs(ih->frag_off) & IP_OFFSET,
373 iphoff + ih->ihl * 4))
374 return;
375 break;
376 case IPPROTO_ICMP: {
377 static const size_t required_len[NR_ICMP_TYPES + 1] = {
378 [ICMP_ECHOREPLY] = 4,
379 [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr),
380 [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr),
381 [ICMP_REDIRECT] = 8 + sizeof(struct iphdr),
382 [ICMP_ECHO] = 4,
383 [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr),
384 [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr),
385 [ICMP_TIMESTAMP] = 20,
386 [ICMP_TIMESTAMPREPLY] = 20,
387 [ICMP_ADDRESS] = 12,
388 [ICMP_ADDRESSREPLY] = 12 };
389 const struct icmphdr *ich;
390 struct icmphdr _icmph;
391
392 /* Max length: 11 "PROTO=ICMP " */
393 nf_log_buf_add(m, "PROTO=ICMP ");
394
395 if (ntohs(ih->frag_off) & IP_OFFSET)
396 break;
397
398 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
399 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
400 sizeof(_icmph), &_icmph);
401 if (!ich) {
402 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
403 skb->len - iphoff - ih->ihl * 4);
404 break;
405 }
406
407 /* Max length: 18 "TYPE=255 CODE=255 " */
408 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
409
410 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
411 if (ich->type <= NR_ICMP_TYPES &&
412 required_len[ich->type] &&
413 skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) {
414 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
415 skb->len - iphoff - ih->ihl * 4);
416 break;
417 }
418
419 switch (ich->type) {
420 case ICMP_ECHOREPLY:
421 case ICMP_ECHO:
422 /* Max length: 19 "ID=65535 SEQ=65535 " */
423 nf_log_buf_add(m, "ID=%u SEQ=%u ",
424 ntohs(ich->un.echo.id),
425 ntohs(ich->un.echo.sequence));
426 break;
427
428 case ICMP_PARAMETERPROB:
429 /* Max length: 14 "PARAMETER=255 " */
430 nf_log_buf_add(m, "PARAMETER=%u ",
431 ntohl(ich->un.gateway) >> 24);
432 break;
433 case ICMP_REDIRECT:
434 /* Max length: 24 "GATEWAY=255.255.255.255 " */
435 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
436 fallthrough;
437 case ICMP_DEST_UNREACH:
438 case ICMP_SOURCE_QUENCH:
439 case ICMP_TIME_EXCEEDED:
440 /* Max length: 3+maxlen */
441 if (!iphoff) { /* Only recurse once. */
442 nf_log_buf_add(m, "[");
443 dump_ipv4_packet(net, m, info, skb,
444 iphoff + ih->ihl * 4 + sizeof(_icmph));
445 nf_log_buf_add(m, "] ");
446 }
447
448 /* Max length: 10 "MTU=65535 " */
449 if (ich->type == ICMP_DEST_UNREACH &&
450 ich->code == ICMP_FRAG_NEEDED) {
451 nf_log_buf_add(m, "MTU=%u ",
452 ntohs(ich->un.frag.mtu));
453 }
454 }
455 break;
456 }
457 /* Max Length */
458 case IPPROTO_AH: {
459 const struct ip_auth_hdr *ah;
460 struct ip_auth_hdr _ahdr;
461
462 if (ntohs(ih->frag_off) & IP_OFFSET)
463 break;
464
465 /* Max length: 9 "PROTO=AH " */
466 nf_log_buf_add(m, "PROTO=AH ");
467
468 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
469 ah = skb_header_pointer(skb, iphoff + ih->ihl * 4,
470 sizeof(_ahdr), &_ahdr);
471 if (!ah) {
472 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
473 skb->len - iphoff - ih->ihl * 4);
474 break;
475 }
476
477 /* Length: 15 "SPI=0xF1234567 " */
478 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
479 break;
480 }
481 case IPPROTO_ESP: {
482 const struct ip_esp_hdr *eh;
483 struct ip_esp_hdr _esph;
484
485 /* Max length: 10 "PROTO=ESP " */
486 nf_log_buf_add(m, "PROTO=ESP ");
487
488 if (ntohs(ih->frag_off) & IP_OFFSET)
489 break;
490
491 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
492 eh = skb_header_pointer(skb, iphoff + ih->ihl * 4,
493 sizeof(_esph), &_esph);
494 if (!eh) {
495 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
496 skb->len - iphoff - ih->ihl * 4);
497 break;
498 }
499
500 /* Length: 15 "SPI=0xF1234567 " */
501 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi));
502 break;
503 }
504 /* Max length: 10 "PROTO 255 " */
505 default:
506 nf_log_buf_add(m, "PROTO=%u ", ih->protocol);
507 }
508
509 /* Max length: 15 "UID=4294967295 " */
510 if ((logflags & NF_LOG_UID) && !iphoff)
511 nf_log_dump_sk_uid_gid(net, m, skb->sk);
512
513 /* Max length: 16 "MARK=0xFFFFFFFF " */
514 if (!iphoff && skb->mark)
515 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
516
517 /* Proto Max log string length */
518 /* IP: 40+46+6+11+127 = 230 */
519 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
520 /* UDP: 10+max(25,20) = 35 */
521 /* UDPLITE: 14+max(25,20) = 39 */
522 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
523 /* ESP: 10+max(25)+15 = 50 */
524 /* AH: 9+max(25)+15 = 49 */
525 /* unknown: 10 */
526
527 /* (ICMP allows recursion one level deep) */
528 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */
529 /* maxlen = 230+ 91 + 230 + 252 = 803 */
530 }
531
532 static noinline_for_stack void
533 dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
534 const struct nf_loginfo *info,
535 const struct sk_buff *skb, unsigned int ip6hoff,
536 int recurse)
537 {
538 const struct ipv6hdr *ih;
539 unsigned int hdrlen = 0;
540 unsigned int logflags;
541 struct ipv6hdr _ip6h;
542 unsigned int ptr;
543 u8 currenthdr;
544 int fragment;
545
546 if (info->type == NF_LOG_TYPE_LOG)
547 logflags = info->u.log.logflags;
548 else
549 logflags = NF_LOG_DEFAULT_MASK;
550
551 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
552 if (!ih) {
553 nf_log_buf_add(m, "TRUNCATED");
554 return;
555 }
556
557 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
558 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
559
560 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
561 nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
562 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
563 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
564 ih->hop_limit,
565 (ntohl(*(__be32 *)ih) & 0x000fffff));
566
567 fragment = 0;
568 ptr = ip6hoff + sizeof(struct ipv6hdr);
569 currenthdr = ih->nexthdr;
570 while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) {
571 struct ipv6_opt_hdr _hdr;
572 const struct ipv6_opt_hdr *hp;
573
574 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
575 if (!hp) {
576 nf_log_buf_add(m, "TRUNCATED");
577 return;
578 }
579
580 /* Max length: 48 "OPT (...) " */
581 if (logflags & NF_LOG_IPOPT)
582 nf_log_buf_add(m, "OPT ( ");
583
584 switch (currenthdr) {
585 case IPPROTO_FRAGMENT: {
586 struct frag_hdr _fhdr;
587 const struct frag_hdr *fh;
588
589 nf_log_buf_add(m, "FRAG:");
590 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
591 &_fhdr);
592 if (!fh) {
593 nf_log_buf_add(m, "TRUNCATED ");
594 return;
595 }
596
597 /* Max length: 6 "65535 " */
598 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
599
600 /* Max length: 11 "INCOMPLETE " */
601 if (fh->frag_off & htons(0x0001))
602 nf_log_buf_add(m, "INCOMPLETE ");
603
604 nf_log_buf_add(m, "ID:%08x ",
605 ntohl(fh->identification));
606
607 if (ntohs(fh->frag_off) & 0xFFF8)
608 fragment = 1;
609
610 hdrlen = 8;
611 break;
612 }
613 case IPPROTO_DSTOPTS:
614 case IPPROTO_ROUTING:
615 case IPPROTO_HOPOPTS:
616 if (fragment) {
617 if (logflags & NF_LOG_IPOPT)
618 nf_log_buf_add(m, ")");
619 return;
620 }
621 hdrlen = ipv6_optlen(hp);
622 break;
623 /* Max Length */
624 case IPPROTO_AH:
625 if (logflags & NF_LOG_IPOPT) {
626 struct ip_auth_hdr _ahdr;
627 const struct ip_auth_hdr *ah;
628
629 /* Max length: 3 "AH " */
630 nf_log_buf_add(m, "AH ");
631
632 if (fragment) {
633 nf_log_buf_add(m, ")");
634 return;
635 }
636
637 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
638 &_ahdr);
639 if (!ah) {
640 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */
641 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
642 skb->len - ptr);
643 return;
644 }
645
646 /* Length: 15 "SPI=0xF1234567 */
647 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
648 }
649
650 hdrlen = ipv6_authlen(hp);
651 break;
652 case IPPROTO_ESP:
653 if (logflags & NF_LOG_IPOPT) {
654 struct ip_esp_hdr _esph;
655 const struct ip_esp_hdr *eh;
656
657 /* Max length: 4 "ESP " */
658 nf_log_buf_add(m, "ESP ");
659
660 if (fragment) {
661 nf_log_buf_add(m, ")");
662 return;
663 }
664
665 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */
666 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
667 &_esph);
668 if (!eh) {
669 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
670 skb->len - ptr);
671 return;
672 }
673
674 /* Length: 16 "SPI=0xF1234567 )" */
675 nf_log_buf_add(m, "SPI=0x%x )",
676 ntohl(eh->spi));
677 }
678 return;
679 default:
680 /* Max length: 20 "Unknown Ext Hdr 255" */
681 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr);
682 return;
683 }
684 if (logflags & NF_LOG_IPOPT)
685 nf_log_buf_add(m, ") ");
686
687 currenthdr = hp->nexthdr;
688 ptr += hdrlen;
689 }
690
691 switch (currenthdr) {
692 case IPPROTO_TCP:
693 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment,
694 ptr, logflags))
695 return;
696 break;
697 case IPPROTO_UDP:
698 case IPPROTO_UDPLITE:
699 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr))
700 return;
701 break;
702 case IPPROTO_ICMPV6: {
703 struct icmp6hdr _icmp6h;
704 const struct icmp6hdr *ic;
705
706 /* Max length: 13 "PROTO=ICMPv6 " */
707 nf_log_buf_add(m, "PROTO=ICMPv6 ");
708
709 if (fragment)
710 break;
711
712 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
713 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
714 if (!ic) {
715 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
716 skb->len - ptr);
717 return;
718 }
719
720 /* Max length: 18 "TYPE=255 CODE=255 " */
721 nf_log_buf_add(m, "TYPE=%u CODE=%u ",
722 ic->icmp6_type, ic->icmp6_code);
723
724 switch (ic->icmp6_type) {
725 case ICMPV6_ECHO_REQUEST:
726 case ICMPV6_ECHO_REPLY:
727 /* Max length: 19 "ID=65535 SEQ=65535 " */
728 nf_log_buf_add(m, "ID=%u SEQ=%u ",
729 ntohs(ic->icmp6_identifier),
730 ntohs(ic->icmp6_sequence));
731 break;
732 case ICMPV6_MGM_QUERY:
733 case ICMPV6_MGM_REPORT:
734 case ICMPV6_MGM_REDUCTION:
735 break;
736
737 case ICMPV6_PARAMPROB:
738 /* Max length: 17 "POINTER=ffffffff " */
739 nf_log_buf_add(m, "POINTER=%08x ",
740 ntohl(ic->icmp6_pointer));
741 fallthrough;
742 case ICMPV6_DEST_UNREACH:
743 case ICMPV6_PKT_TOOBIG:
744 case ICMPV6_TIME_EXCEED:
745 /* Max length: 3+maxlen */
746 if (recurse) {
747 nf_log_buf_add(m, "[");
748 dump_ipv6_packet(net, m, info, skb,
749 ptr + sizeof(_icmp6h), 0);
750 nf_log_buf_add(m, "] ");
751 }
752
753 /* Max length: 10 "MTU=65535 " */
754 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) {
755 nf_log_buf_add(m, "MTU=%u ",
756 ntohl(ic->icmp6_mtu));
757 }
758 }
759 break;
760 }
761 /* Max length: 10 "PROTO=255 " */
762 default:
763 nf_log_buf_add(m, "PROTO=%u ", currenthdr);
764 }
765
766 /* Max length: 15 "UID=4294967295 " */
767 if ((logflags & NF_LOG_UID) && recurse)
768 nf_log_dump_sk_uid_gid(net, m, skb->sk);
769
770 /* Max length: 16 "MARK=0xFFFFFFFF " */
771 if (recurse && skb->mark)
772 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
773 }
774
775 static void dump_mac_header(struct nf_log_buf *m,
776 const struct nf_loginfo *info,
777 const struct sk_buff *skb)
778 {
779 struct net_device *dev = skb->dev;
780 unsigned int logflags = 0;
781
782 if (info->type == NF_LOG_TYPE_LOG)
783 logflags = info->u.log.logflags;
784
785 if (!(logflags & NF_LOG_MACDECODE))
786 goto fallback;
787
788 switch (dev->type) {
789 case ARPHRD_ETHER:
790 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
791 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
792 nf_log_dump_vlan(m, skb);
793 nf_log_buf_add(m, "MACPROTO=%04x ",
794 ntohs(eth_hdr(skb)->h_proto));
795 return;
796 default:
797 break;
798 }
799
800 fallback:
801 nf_log_buf_add(m, "MAC=");
802 if (dev->hard_header_len &&
803 skb->mac_header != skb->network_header) {
804 const unsigned char *p = skb_mac_header(skb);
805 unsigned int i;
806
807 if (dev->type == ARPHRD_SIT) {
808 p -= ETH_HLEN;
809
810 if (p < skb->head)
811 p = NULL;
812 }
813
814 if (p) {
815 nf_log_buf_add(m, "%02x", *p++);
816 for (i = 1; i < dev->hard_header_len; i++)
817 nf_log_buf_add(m, ":%02x", *p++);
818 }
819
820 if (dev->type == ARPHRD_SIT) {
821 const struct iphdr *iph =
822 (struct iphdr *)skb_mac_header(skb);
823
824 nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr,
825 &iph->daddr);
826 }
827 }
828 nf_log_buf_add(m, " ");
829 }
830
831 static void nf_log_ip_packet(struct net *net, u_int8_t pf,
832 unsigned int hooknum, const struct sk_buff *skb,
833 const struct net_device *in,
834 const struct net_device *out,
835 const struct nf_loginfo *loginfo,
836 const char *prefix)
837 {
838 struct nf_log_buf *m;
839
840 if (!nf_log_allowed(net))
841 return;
842
843 m = nf_log_buf_open();
844
845 if (!loginfo)
846 loginfo = &default_loginfo;
847
848 nf_log_dump_packet_common(m, pf, hooknum, skb, in,
849 out, loginfo, prefix, net);
850
851 if (in)
852 dump_mac_header(m, loginfo, skb);
853
854 dump_ipv4_packet(net, m, loginfo, skb, skb_network_offset(skb));
855
856 nf_log_buf_close(m);
857 }
858
859 static struct nf_logger nf_ip_logger __read_mostly = {
860 .name = "nf_log_ipv4",
861 .type = NF_LOG_TYPE_LOG,
862 .logfn = nf_log_ip_packet,
863 .me = THIS_MODULE,
864 };
865
866 static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
867 unsigned int hooknum, const struct sk_buff *skb,
868 const struct net_device *in,
869 const struct net_device *out,
870 const struct nf_loginfo *loginfo,
871 const char *prefix)
872 {
873 struct nf_log_buf *m;
874
875 if (!nf_log_allowed(net))
876 return;
877
878 m = nf_log_buf_open();
879
880 if (!loginfo)
881 loginfo = &default_loginfo;
882
883 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out,
884 loginfo, prefix, net);
885
886 if (in)
887 dump_mac_header(m, loginfo, skb);
888
889 dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1);
890
891 nf_log_buf_close(m);
892 }
893
894 static struct nf_logger nf_ip6_logger __read_mostly = {
895 .name = "nf_log_ipv6",
896 .type = NF_LOG_TYPE_LOG,
897 .logfn = nf_log_ip6_packet,
898 .me = THIS_MODULE,
899 };
900
901 static void nf_log_unknown_packet(struct net *net, u_int8_t pf,
902 unsigned int hooknum,
903 const struct sk_buff *skb,
904 const struct net_device *in,
905 const struct net_device *out,
906 const struct nf_loginfo *loginfo,
907 const char *prefix)
908 {
909 struct nf_log_buf *m;
910
911 if (!nf_log_allowed(net))
912 return;
913
914 m = nf_log_buf_open();
915
916 if (!loginfo)
917 loginfo = &default_loginfo;
918
919 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
920 prefix, net);
921
922 dump_mac_header(m, loginfo, skb);
923
924 nf_log_buf_close(m);
925 }
926
927 static void nf_log_netdev_packet(struct net *net, u_int8_t pf,
928 unsigned int hooknum,
929 const struct sk_buff *skb,
930 const struct net_device *in,
931 const struct net_device *out,
932 const struct nf_loginfo *loginfo,
933 const char *prefix)
934 {
935 switch (skb->protocol) {
936 case htons(ETH_P_IP):
937 nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
938 break;
939 case htons(ETH_P_IPV6):
940 nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
941 break;
942 case htons(ETH_P_ARP):
943 case htons(ETH_P_RARP):
944 nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
945 break;
946 default:
947 nf_log_unknown_packet(net, pf, hooknum, skb,
948 in, out, loginfo, prefix);
949 break;
950 }
951 }
952
953 static struct nf_logger nf_netdev_logger __read_mostly = {
954 .name = "nf_log_netdev",
955 .type = NF_LOG_TYPE_LOG,
956 .logfn = nf_log_netdev_packet,
957 .me = THIS_MODULE,
958 };
959
960 static struct nf_logger nf_bridge_logger __read_mostly = {
961 .name = "nf_log_bridge",
962 .type = NF_LOG_TYPE_LOG,
963 .logfn = nf_log_netdev_packet,
964 .me = THIS_MODULE,
965 };
966
967 static int __net_init nf_log_syslog_net_init(struct net *net)
968 {
969 int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
970
971 if (ret)
972 return ret;
973
974 ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger);
975 if (ret)
976 goto err1;
977
978 ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger);
979 if (ret)
980 goto err2;
981
982 ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger);
983 if (ret)
984 goto err3;
985
986 ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger);
987 if (ret)
988 goto err4;
989 return 0;
990 err4:
991 nf_log_unset(net, &nf_netdev_logger);
992 err3:
993 nf_log_unset(net, &nf_ip6_logger);
994 err2:
995 nf_log_unset(net, &nf_arp_logger);
996 err1:
997 nf_log_unset(net, &nf_ip_logger);
998 return ret;
999 }
1000
1001 static void __net_exit nf_log_syslog_net_exit(struct net *net)
1002 {
1003 nf_log_unset(net, &nf_ip_logger);
1004 nf_log_unset(net, &nf_arp_logger);
1005 nf_log_unset(net, &nf_ip6_logger);
1006 nf_log_unset(net, &nf_netdev_logger);
1007 nf_log_unset(net, &nf_bridge_logger);
1008 }
1009
1010 static struct pernet_operations nf_log_syslog_net_ops = {
1011 .init = nf_log_syslog_net_init,
1012 .exit = nf_log_syslog_net_exit,
1013 };
1014
1015 static int __init nf_log_syslog_init(void)
1016 {
1017 int ret;
1018
1019 ret = register_pernet_subsys(&nf_log_syslog_net_ops);
1020 if (ret < 0)
1021 return ret;
1022
1023 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
1024 if (ret < 0)
1025 goto err1;
1026
1027 ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
1028 if (ret < 0)
1029 goto err2;
1030
1031 ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
1032 if (ret < 0)
1033 goto err3;
1034
1035 ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger);
1036 if (ret < 0)
1037 goto err4;
1038
1039 ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger);
1040 if (ret < 0)
1041 goto err5;
1042
1043 return 0;
1044 err5:
1045 nf_log_unregister(&nf_netdev_logger);
1046 err4:
1047 nf_log_unregister(&nf_ip6_logger);
1048 err3:
1049 nf_log_unregister(&nf_arp_logger);
1050 err2:
1051 nf_log_unregister(&nf_ip_logger);
1052 err1:
1053 pr_err("failed to register logger\n");
1054 unregister_pernet_subsys(&nf_log_syslog_net_ops);
1055 return ret;
1056 }
1057
1058 static void __exit nf_log_syslog_exit(void)
1059 {
1060 unregister_pernet_subsys(&nf_log_syslog_net_ops);
1061 nf_log_unregister(&nf_ip_logger);
1062 nf_log_unregister(&nf_arp_logger);
1063 nf_log_unregister(&nf_ip6_logger);
1064 nf_log_unregister(&nf_netdev_logger);
1065 nf_log_unregister(&nf_bridge_logger);
1066 }
1067
1068 module_init(nf_log_syslog_init);
1069 module_exit(nf_log_syslog_exit);
1070
1071 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1072 MODULE_DESCRIPTION("Netfilter syslog packet logging");
1073 MODULE_LICENSE("GPL");
1074 MODULE_ALIAS("nf_log_arp");
1075 MODULE_ALIAS("nf_log_bridge");
1076 MODULE_ALIAS("nf_log_ipv4");
1077 MODULE_ALIAS("nf_log_ipv6");
1078 MODULE_ALIAS("nf_log_netdev");
1079 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);
1080 MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
1081 MODULE_ALIAS_NF_LOGGER(3, 0);
1082 MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */
1083 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
Linux Kernel