1 // SPDX-License-Identifier: GPL-2.0-only 2 /* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include <linux/kernel.h> 9 #include <linux/module.h> 10 #include <linux/spinlock.h> 11 #include <linux/skbuff.h> 12 #include <linux/if_arp.h> 13 #include <linux/ip.h> 14 #include <net/ipv6.h> 15 #include <net/icmp.h> 16 #include <net/udp.h> 17 #include <net/tcp.h> 18 #include <net/route.h> 19 20 #include <linux/netfilter.h> 21 #include <linux/netfilter_bridge.h> 22 #include <linux/netfilter_ipv6.h> 23 #include <linux/netfilter/xt_LOG.h> 24 #include <net/netfilter/nf_log.h> 25 26 static const struct nf_loginfo default_loginfo = { 27 .type = NF_LOG_TYPE_LOG, 28 .u = { 29 .log = { 30 .level = LOGLEVEL_NOTICE, 31 .logflags = NF_LOG_DEFAULT_MASK, 32 }, 33 }, 34 }; 35 36 struct arppayload { 37 unsigned char mac_src[ETH_ALEN]; 38 unsigned char ip_src[4]; 39 unsigned char mac_dst[ETH_ALEN]; 40 unsigned char ip_dst[4]; 41 }; 42 43 /* Guard against containers flooding syslog. */ nf_log_allowed(const struct net * net)44 static bool nf_log_allowed(const struct net *net) 45 { 46 return net_eq(net, &init_net) || sysctl_nf_log_all_netns; 47 } 48 nf_log_dump_vlan(struct nf_log_buf * m,const struct sk_buff * skb)49 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 50 { 51 u16 vid; 52 53 if (!skb_vlan_tag_present(skb)) 54 return; 55 56 vid = skb_vlan_tag_get(skb); 57 nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 58 } 59 static void noinline_for_stack dump_arp_packet(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int nhoff)60 dump_arp_packet(struct nf_log_buf *m, 61 const struct nf_loginfo *info, 62 const struct sk_buff *skb, unsigned int nhoff) 63 { 64 const struct arppayload *ap; 65 struct arppayload _arpp; 66 const struct arphdr *ah; 67 unsigned int logflags; 68 struct arphdr _arph; 69 70 ah = skb_header_pointer(skb, nhoff, sizeof(_arph), &_arph); 71 if (!ah) { 72 nf_log_buf_add(m, "TRUNCATED"); 73 return; 74 } 75 76 if (info->type == NF_LOG_TYPE_LOG) 77 logflags = info->u.log.logflags; 78 else 79 logflags = NF_LOG_DEFAULT_MASK; 80 81 if (logflags & NF_LOG_MACDECODE) { 82 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 83 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 84 nf_log_dump_vlan(m, skb); 85 nf_log_buf_add(m, "MACPROTO=%04x ", 86 ntohs(eth_hdr(skb)->h_proto)); 87 } 88 89 nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 90 ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 91 /* If it's for Ethernet and the lengths are OK, then log the ARP 92 * payload. 93 */ 94 if (ah->ar_hrd != htons(ARPHRD_ETHER) || 95 ah->ar_hln != ETH_ALEN || 96 ah->ar_pln != sizeof(__be32)) 97 return; 98 99 ap = skb_header_pointer(skb, nhoff + sizeof(_arph), sizeof(_arpp), &_arpp); 100 if (!ap) { 101 nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", 102 skb->len - sizeof(_arph)); 103 return; 104 } 105 nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 106 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 107 } 108 109 static void nf_log_dump_packet_common(struct nf_log_buf * m,u8 pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix,struct net * net)110 nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf, 111 unsigned int hooknum, const struct sk_buff *skb, 112 const struct net_device *in, 113 const struct net_device *out, 114 const struct nf_loginfo *loginfo, const char *prefix, 115 struct net *net) 116 { 117 const struct net_device *physoutdev __maybe_unused; 118 const struct net_device *physindev __maybe_unused; 119 120 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 121 '0' + loginfo->u.log.level, prefix, 122 in ? in->name : "", 123 out ? out->name : ""); 124 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 125 physindev = nf_bridge_get_physindev(skb, net); 126 if (physindev && in != physindev) 127 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 128 physoutdev = nf_bridge_get_physoutdev(skb); 129 if (physoutdev && out != physoutdev) 130 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 131 #endif 132 } 133 nf_log_arp_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)134 static void nf_log_arp_packet(struct net *net, u_int8_t pf, 135 unsigned int hooknum, const struct sk_buff *skb, 136 const struct net_device *in, 137 const struct net_device *out, 138 const struct nf_loginfo *loginfo, 139 const char *prefix) 140 { 141 struct nf_log_buf *m; 142 143 if (!nf_log_allowed(net)) 144 return; 145 146 m = nf_log_buf_open(); 147 148 if (!loginfo) 149 loginfo = &default_loginfo; 150 151 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 152 prefix, net); 153 dump_arp_packet(m, loginfo, skb, skb_network_offset(skb)); 154 155 nf_log_buf_close(m); 156 } 157 158 static struct nf_logger nf_arp_logger __read_mostly = { 159 .name = "nf_log_arp", 160 .type = NF_LOG_TYPE_LOG, 161 .logfn = nf_log_arp_packet, 162 .me = THIS_MODULE, 163 }; 164 nf_log_dump_sk_uid_gid(struct net * net,struct nf_log_buf * m,struct sock * sk)165 static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 166 struct sock *sk) 167 { 168 if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 169 return; 170 171 read_lock_bh(&sk->sk_callback_lock); 172 if (sk->sk_socket && sk->sk_socket->file) { 173 const struct cred *cred = sk->sk_socket->file->f_cred; 174 175 nf_log_buf_add(m, "UID=%u GID=%u ", 176 from_kuid_munged(&init_user_ns, cred->fsuid), 177 from_kgid_munged(&init_user_ns, cred->fsgid)); 178 } 179 read_unlock_bh(&sk->sk_callback_lock); 180 } 181 182 static noinline_for_stack int nf_log_dump_tcp_header(struct nf_log_buf * m,const struct sk_buff * skb,u8 proto,int fragment,unsigned int offset,unsigned int logflags)183 nf_log_dump_tcp_header(struct nf_log_buf *m, 184 const struct sk_buff *skb, 185 u8 proto, int fragment, 186 unsigned int offset, 187 unsigned int logflags) 188 { 189 struct tcphdr _tcph; 190 const struct tcphdr *th; 191 192 /* Max length: 10 "PROTO=TCP " */ 193 nf_log_buf_add(m, "PROTO=TCP "); 194 195 if (fragment) 196 return 0; 197 198 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 199 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 200 if (!th) { 201 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 202 return 1; 203 } 204 205 /* Max length: 20 "SPT=65535 DPT=65535 " */ 206 nf_log_buf_add(m, "SPT=%u DPT=%u ", 207 ntohs(th->source), ntohs(th->dest)); 208 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 209 if (logflags & NF_LOG_TCPSEQ) { 210 nf_log_buf_add(m, "SEQ=%u ACK=%u ", 211 ntohl(th->seq), ntohl(th->ack_seq)); 212 } 213 214 /* Max length: 13 "WINDOW=65535 " */ 215 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 216 /* Max length: 9 "RES=0x3C " */ 217 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 218 TCP_RESERVED_BITS) >> 22)); 219 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 220 if (th->cwr) 221 nf_log_buf_add(m, "CWR "); 222 if (th->ece) 223 nf_log_buf_add(m, "ECE "); 224 if (th->urg) 225 nf_log_buf_add(m, "URG "); 226 if (th->ack) 227 nf_log_buf_add(m, "ACK "); 228 if (th->psh) 229 nf_log_buf_add(m, "PSH "); 230 if (th->rst) 231 nf_log_buf_add(m, "RST "); 232 if (th->syn) 233 nf_log_buf_add(m, "SYN "); 234 if (th->fin) 235 nf_log_buf_add(m, "FIN "); 236 /* Max length: 11 "URGP=65535 " */ 237 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 238 239 if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { 240 unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); 241 u8 _opt[60 - sizeof(struct tcphdr)]; 242 unsigned int i; 243 const u8 *op; 244 245 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 246 optsize, _opt); 247 if (!op) { 248 nf_log_buf_add(m, "OPT (TRUNCATED)"); 249 return 1; 250 } 251 252 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 253 nf_log_buf_add(m, "OPT ("); 254 for (i = 0; i < optsize; i++) 255 nf_log_buf_add(m, "%02X", op[i]); 256 257 nf_log_buf_add(m, ") "); 258 } 259 260 return 0; 261 } 262 263 static noinline_for_stack int nf_log_dump_udp_header(struct nf_log_buf * m,const struct sk_buff * skb,u8 proto,int fragment,unsigned int offset)264 nf_log_dump_udp_header(struct nf_log_buf *m, 265 const struct sk_buff *skb, 266 u8 proto, int fragment, 267 unsigned int offset) 268 { 269 struct udphdr _udph; 270 const struct udphdr *uh; 271 272 if (proto == IPPROTO_UDP) 273 /* Max length: 10 "PROTO=UDP " */ 274 nf_log_buf_add(m, "PROTO=UDP "); 275 else /* Max length: 14 "PROTO=UDPLITE " */ 276 nf_log_buf_add(m, "PROTO=UDPLITE "); 277 278 if (fragment) 279 goto out; 280 281 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 282 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 283 if (!uh) { 284 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 285 286 return 1; 287 } 288 289 /* Max length: 20 "SPT=65535 DPT=65535 " */ 290 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 291 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 292 293 out: 294 return 0; 295 } 296 297 /* One level of recursion won't kill us */ 298 static noinline_for_stack void dump_ipv4_packet(struct net * net,struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int iphoff)299 dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 300 const struct nf_loginfo *info, 301 const struct sk_buff *skb, unsigned int iphoff) 302 { 303 const struct iphdr *ih; 304 unsigned int logflags; 305 struct iphdr _iph; 306 307 if (info->type == NF_LOG_TYPE_LOG) 308 logflags = info->u.log.logflags; 309 else 310 logflags = NF_LOG_DEFAULT_MASK; 311 312 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 313 if (!ih) { 314 nf_log_buf_add(m, "TRUNCATED"); 315 return; 316 } 317 318 /* Important fields: 319 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. 320 * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " 321 */ 322 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 323 324 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 325 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 326 iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK, 327 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 328 329 /* Max length: 6 "CE DF MF " */ 330 if (ntohs(ih->frag_off) & IP_CE) 331 nf_log_buf_add(m, "CE "); 332 if (ntohs(ih->frag_off) & IP_DF) 333 nf_log_buf_add(m, "DF "); 334 if (ntohs(ih->frag_off) & IP_MF) 335 nf_log_buf_add(m, "MF "); 336 337 /* Max length: 11 "FRAG:65535 " */ 338 if (ntohs(ih->frag_off) & IP_OFFSET) 339 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 340 341 if ((logflags & NF_LOG_IPOPT) && 342 ih->ihl * 4 > sizeof(struct iphdr)) { 343 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 344 const unsigned char *op; 345 unsigned int i, optsize; 346 347 optsize = ih->ihl * 4 - sizeof(struct iphdr); 348 op = skb_header_pointer(skb, iphoff + sizeof(_iph), 349 optsize, _opt); 350 if (!op) { 351 nf_log_buf_add(m, "TRUNCATED"); 352 return; 353 } 354 355 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 356 nf_log_buf_add(m, "OPT ("); 357 for (i = 0; i < optsize; i++) 358 nf_log_buf_add(m, "%02X", op[i]); 359 nf_log_buf_add(m, ") "); 360 } 361 362 switch (ih->protocol) { 363 case IPPROTO_TCP: 364 if (nf_log_dump_tcp_header(m, skb, ih->protocol, 365 ntohs(ih->frag_off) & IP_OFFSET, 366 iphoff + ih->ihl * 4, logflags)) 367 return; 368 break; 369 case IPPROTO_UDP: 370 case IPPROTO_UDPLITE: 371 if (nf_log_dump_udp_header(m, skb, ih->protocol, 372 ntohs(ih->frag_off) & IP_OFFSET, 373 iphoff + ih->ihl * 4)) 374 return; 375 break; 376 case IPPROTO_ICMP: { 377 static const size_t required_len[NR_ICMP_TYPES + 1] = { 378 [ICMP_ECHOREPLY] = 4, 379 [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr), 380 [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr), 381 [ICMP_REDIRECT] = 8 + sizeof(struct iphdr), 382 [ICMP_ECHO] = 4, 383 [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr), 384 [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr), 385 [ICMP_TIMESTAMP] = 20, 386 [ICMP_TIMESTAMPREPLY] = 20, 387 [ICMP_ADDRESS] = 12, 388 [ICMP_ADDRESSREPLY] = 12 }; 389 const struct icmphdr *ich; 390 struct icmphdr _icmph; 391 392 /* Max length: 11 "PROTO=ICMP " */ 393 nf_log_buf_add(m, "PROTO=ICMP "); 394 395 if (ntohs(ih->frag_off) & IP_OFFSET) 396 break; 397 398 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 399 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 400 sizeof(_icmph), &_icmph); 401 if (!ich) { 402 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 403 skb->len - iphoff - ih->ihl * 4); 404 break; 405 } 406 407 /* Max length: 18 "TYPE=255 CODE=255 " */ 408 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 409 410 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 411 if (ich->type <= NR_ICMP_TYPES && 412 required_len[ich->type] && 413 skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) { 414 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 415 skb->len - iphoff - ih->ihl * 4); 416 break; 417 } 418 419 switch (ich->type) { 420 case ICMP_ECHOREPLY: 421 case ICMP_ECHO: 422 /* Max length: 19 "ID=65535 SEQ=65535 " */ 423 nf_log_buf_add(m, "ID=%u SEQ=%u ", 424 ntohs(ich->un.echo.id), 425 ntohs(ich->un.echo.sequence)); 426 break; 427 428 case ICMP_PARAMETERPROB: 429 /* Max length: 14 "PARAMETER=255 " */ 430 nf_log_buf_add(m, "PARAMETER=%u ", 431 ntohl(ich->un.gateway) >> 24); 432 break; 433 case ICMP_REDIRECT: 434 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 435 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 436 fallthrough; 437 case ICMP_DEST_UNREACH: 438 case ICMP_SOURCE_QUENCH: 439 case ICMP_TIME_EXCEEDED: 440 /* Max length: 3+maxlen */ 441 if (!iphoff) { /* Only recurse once. */ 442 nf_log_buf_add(m, "["); 443 dump_ipv4_packet(net, m, info, skb, 444 iphoff + ih->ihl * 4 + sizeof(_icmph)); 445 nf_log_buf_add(m, "] "); 446 } 447 448 /* Max length: 10 "MTU=65535 " */ 449 if (ich->type == ICMP_DEST_UNREACH && 450 ich->code == ICMP_FRAG_NEEDED) { 451 nf_log_buf_add(m, "MTU=%u ", 452 ntohs(ich->un.frag.mtu)); 453 } 454 } 455 break; 456 } 457 /* Max Length */ 458 case IPPROTO_AH: { 459 const struct ip_auth_hdr *ah; 460 struct ip_auth_hdr _ahdr; 461 462 if (ntohs(ih->frag_off) & IP_OFFSET) 463 break; 464 465 /* Max length: 9 "PROTO=AH " */ 466 nf_log_buf_add(m, "PROTO=AH "); 467 468 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 469 ah = skb_header_pointer(skb, iphoff + ih->ihl * 4, 470 sizeof(_ahdr), &_ahdr); 471 if (!ah) { 472 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 473 skb->len - iphoff - ih->ihl * 4); 474 break; 475 } 476 477 /* Length: 15 "SPI=0xF1234567 " */ 478 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 479 break; 480 } 481 case IPPROTO_ESP: { 482 const struct ip_esp_hdr *eh; 483 struct ip_esp_hdr _esph; 484 485 /* Max length: 10 "PROTO=ESP " */ 486 nf_log_buf_add(m, "PROTO=ESP "); 487 488 if (ntohs(ih->frag_off) & IP_OFFSET) 489 break; 490 491 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 492 eh = skb_header_pointer(skb, iphoff + ih->ihl * 4, 493 sizeof(_esph), &_esph); 494 if (!eh) { 495 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 496 skb->len - iphoff - ih->ihl * 4); 497 break; 498 } 499 500 /* Length: 15 "SPI=0xF1234567 " */ 501 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 502 break; 503 } 504 /* Max length: 10 "PROTO 255 " */ 505 default: 506 nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 507 } 508 509 /* Max length: 15 "UID=4294967295 " */ 510 if ((logflags & NF_LOG_UID) && !iphoff) 511 nf_log_dump_sk_uid_gid(net, m, skb->sk); 512 513 /* Max length: 16 "MARK=0xFFFFFFFF " */ 514 if (!iphoff && skb->mark) 515 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 516 517 /* Proto Max log string length */ 518 /* IP: 40+46+6+11+127 = 230 */ 519 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 520 /* UDP: 10+max(25,20) = 35 */ 521 /* UDPLITE: 14+max(25,20) = 39 */ 522 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 523 /* ESP: 10+max(25)+15 = 50 */ 524 /* AH: 9+max(25)+15 = 49 */ 525 /* unknown: 10 */ 526 527 /* (ICMP allows recursion one level deep) */ 528 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 529 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 530 } 531 532 static noinline_for_stack void dump_ipv6_packet(struct net * net,struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int ip6hoff,int recurse)533 dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 534 const struct nf_loginfo *info, 535 const struct sk_buff *skb, unsigned int ip6hoff, 536 int recurse) 537 { 538 const struct ipv6hdr *ih; 539 unsigned int hdrlen = 0; 540 unsigned int logflags; 541 struct ipv6hdr _ip6h; 542 unsigned int ptr; 543 u8 currenthdr; 544 int fragment; 545 546 if (info->type == NF_LOG_TYPE_LOG) 547 logflags = info->u.log.logflags; 548 else 549 logflags = NF_LOG_DEFAULT_MASK; 550 551 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 552 if (!ih) { 553 nf_log_buf_add(m, "TRUNCATED"); 554 return; 555 } 556 557 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 558 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 559 560 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 561 nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 562 ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 563 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 564 ih->hop_limit, 565 (ntohl(*(__be32 *)ih) & 0x000fffff)); 566 567 fragment = 0; 568 ptr = ip6hoff + sizeof(struct ipv6hdr); 569 currenthdr = ih->nexthdr; 570 while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) { 571 struct ipv6_opt_hdr _hdr; 572 const struct ipv6_opt_hdr *hp; 573 574 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 575 if (!hp) { 576 nf_log_buf_add(m, "TRUNCATED"); 577 return; 578 } 579 580 /* Max length: 48 "OPT (...) " */ 581 if (logflags & NF_LOG_IPOPT) 582 nf_log_buf_add(m, "OPT ( "); 583 584 switch (currenthdr) { 585 case IPPROTO_FRAGMENT: { 586 struct frag_hdr _fhdr; 587 const struct frag_hdr *fh; 588 589 nf_log_buf_add(m, "FRAG:"); 590 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 591 &_fhdr); 592 if (!fh) { 593 nf_log_buf_add(m, "TRUNCATED "); 594 return; 595 } 596 597 /* Max length: 6 "65535 " */ 598 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 599 600 /* Max length: 11 "INCOMPLETE " */ 601 if (fh->frag_off & htons(0x0001)) 602 nf_log_buf_add(m, "INCOMPLETE "); 603 604 nf_log_buf_add(m, "ID:%08x ", 605 ntohl(fh->identification)); 606 607 if (ntohs(fh->frag_off) & 0xFFF8) 608 fragment = 1; 609 610 hdrlen = 8; 611 break; 612 } 613 case IPPROTO_DSTOPTS: 614 case IPPROTO_ROUTING: 615 case IPPROTO_HOPOPTS: 616 if (fragment) { 617 if (logflags & NF_LOG_IPOPT) 618 nf_log_buf_add(m, ")"); 619 return; 620 } 621 hdrlen = ipv6_optlen(hp); 622 break; 623 /* Max Length */ 624 case IPPROTO_AH: 625 if (logflags & NF_LOG_IPOPT) { 626 struct ip_auth_hdr _ahdr; 627 const struct ip_auth_hdr *ah; 628 629 /* Max length: 3 "AH " */ 630 nf_log_buf_add(m, "AH "); 631 632 if (fragment) { 633 nf_log_buf_add(m, ")"); 634 return; 635 } 636 637 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 638 &_ahdr); 639 if (!ah) { 640 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 641 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 642 skb->len - ptr); 643 return; 644 } 645 646 /* Length: 15 "SPI=0xF1234567 */ 647 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 648 } 649 650 hdrlen = ipv6_authlen(hp); 651 break; 652 case IPPROTO_ESP: 653 if (logflags & NF_LOG_IPOPT) { 654 struct ip_esp_hdr _esph; 655 const struct ip_esp_hdr *eh; 656 657 /* Max length: 4 "ESP " */ 658 nf_log_buf_add(m, "ESP "); 659 660 if (fragment) { 661 nf_log_buf_add(m, ")"); 662 return; 663 } 664 665 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 666 eh = skb_header_pointer(skb, ptr, sizeof(_esph), 667 &_esph); 668 if (!eh) { 669 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 670 skb->len - ptr); 671 return; 672 } 673 674 /* Length: 16 "SPI=0xF1234567 )" */ 675 nf_log_buf_add(m, "SPI=0x%x )", 676 ntohl(eh->spi)); 677 } 678 return; 679 default: 680 /* Max length: 20 "Unknown Ext Hdr 255" */ 681 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 682 return; 683 } 684 if (logflags & NF_LOG_IPOPT) 685 nf_log_buf_add(m, ") "); 686 687 currenthdr = hp->nexthdr; 688 ptr += hdrlen; 689 } 690 691 switch (currenthdr) { 692 case IPPROTO_TCP: 693 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 694 ptr, logflags)) 695 return; 696 break; 697 case IPPROTO_UDP: 698 case IPPROTO_UDPLITE: 699 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 700 return; 701 break; 702 case IPPROTO_ICMPV6: { 703 struct icmp6hdr _icmp6h; 704 const struct icmp6hdr *ic; 705 706 /* Max length: 13 "PROTO=ICMPv6 " */ 707 nf_log_buf_add(m, "PROTO=ICMPv6 "); 708 709 if (fragment) 710 break; 711 712 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 713 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 714 if (!ic) { 715 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 716 skb->len - ptr); 717 return; 718 } 719 720 /* Max length: 18 "TYPE=255 CODE=255 " */ 721 nf_log_buf_add(m, "TYPE=%u CODE=%u ", 722 ic->icmp6_type, ic->icmp6_code); 723 724 switch (ic->icmp6_type) { 725 case ICMPV6_ECHO_REQUEST: 726 case ICMPV6_ECHO_REPLY: 727 /* Max length: 19 "ID=65535 SEQ=65535 " */ 728 nf_log_buf_add(m, "ID=%u SEQ=%u ", 729 ntohs(ic->icmp6_identifier), 730 ntohs(ic->icmp6_sequence)); 731 break; 732 case ICMPV6_MGM_QUERY: 733 case ICMPV6_MGM_REPORT: 734 case ICMPV6_MGM_REDUCTION: 735 break; 736 737 case ICMPV6_PARAMPROB: 738 /* Max length: 17 "POINTER=ffffffff " */ 739 nf_log_buf_add(m, "POINTER=%08x ", 740 ntohl(ic->icmp6_pointer)); 741 fallthrough; 742 case ICMPV6_DEST_UNREACH: 743 case ICMPV6_PKT_TOOBIG: 744 case ICMPV6_TIME_EXCEED: 745 /* Max length: 3+maxlen */ 746 if (recurse) { 747 nf_log_buf_add(m, "["); 748 dump_ipv6_packet(net, m, info, skb, 749 ptr + sizeof(_icmp6h), 0); 750 nf_log_buf_add(m, "] "); 751 } 752 753 /* Max length: 10 "MTU=65535 " */ 754 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 755 nf_log_buf_add(m, "MTU=%u ", 756 ntohl(ic->icmp6_mtu)); 757 } 758 } 759 break; 760 } 761 /* Max length: 10 "PROTO=255 " */ 762 default: 763 nf_log_buf_add(m, "PROTO=%u ", currenthdr); 764 } 765 766 /* Max length: 15 "UID=4294967295 " */ 767 if ((logflags & NF_LOG_UID) && recurse) 768 nf_log_dump_sk_uid_gid(net, m, skb->sk); 769 770 /* Max length: 16 "MARK=0xFFFFFFFF " */ 771 if (recurse && skb->mark) 772 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 773 } 774 dump_mac_header(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb)775 static void dump_mac_header(struct nf_log_buf *m, 776 const struct nf_loginfo *info, 777 const struct sk_buff *skb) 778 { 779 struct net_device *dev = skb->dev; 780 unsigned int logflags = 0; 781 782 if (info->type == NF_LOG_TYPE_LOG) 783 logflags = info->u.log.logflags; 784 785 if (!(logflags & NF_LOG_MACDECODE)) 786 goto fallback; 787 788 switch (dev->type) { 789 case ARPHRD_ETHER: 790 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 791 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 792 nf_log_dump_vlan(m, skb); 793 nf_log_buf_add(m, "MACPROTO=%04x ", 794 ntohs(eth_hdr(skb)->h_proto)); 795 return; 796 default: 797 break; 798 } 799 800 fallback: 801 nf_log_buf_add(m, "MAC="); 802 if (dev->hard_header_len && 803 skb->mac_header != skb->network_header) { 804 const unsigned char *p = skb_mac_header(skb); 805 unsigned int i; 806 807 if (dev->type == ARPHRD_SIT) { 808 p -= ETH_HLEN; 809 810 if (p < skb->head) 811 p = NULL; 812 } 813 814 if (p) { 815 nf_log_buf_add(m, "%02x", *p++); 816 for (i = 1; i < dev->hard_header_len; i++) 817 nf_log_buf_add(m, ":%02x", *p++); 818 } 819 820 if (dev->type == ARPHRD_SIT) { 821 const struct iphdr *iph = 822 (struct iphdr *)skb_mac_header(skb); 823 824 nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr, 825 &iph->daddr); 826 } 827 } 828 nf_log_buf_add(m, " "); 829 } 830 nf_log_ip_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)831 static void nf_log_ip_packet(struct net *net, u_int8_t pf, 832 unsigned int hooknum, const struct sk_buff *skb, 833 const struct net_device *in, 834 const struct net_device *out, 835 const struct nf_loginfo *loginfo, 836 const char *prefix) 837 { 838 struct nf_log_buf *m; 839 840 if (!nf_log_allowed(net)) 841 return; 842 843 m = nf_log_buf_open(); 844 845 if (!loginfo) 846 loginfo = &default_loginfo; 847 848 nf_log_dump_packet_common(m, pf, hooknum, skb, in, 849 out, loginfo, prefix, net); 850 851 if (in) 852 dump_mac_header(m, loginfo, skb); 853 854 dump_ipv4_packet(net, m, loginfo, skb, skb_network_offset(skb)); 855 856 nf_log_buf_close(m); 857 } 858 859 static struct nf_logger nf_ip_logger __read_mostly = { 860 .name = "nf_log_ipv4", 861 .type = NF_LOG_TYPE_LOG, 862 .logfn = nf_log_ip_packet, 863 .me = THIS_MODULE, 864 }; 865 nf_log_ip6_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)866 static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 867 unsigned int hooknum, const struct sk_buff *skb, 868 const struct net_device *in, 869 const struct net_device *out, 870 const struct nf_loginfo *loginfo, 871 const char *prefix) 872 { 873 struct nf_log_buf *m; 874 875 if (!nf_log_allowed(net)) 876 return; 877 878 m = nf_log_buf_open(); 879 880 if (!loginfo) 881 loginfo = &default_loginfo; 882 883 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 884 loginfo, prefix, net); 885 886 if (in) 887 dump_mac_header(m, loginfo, skb); 888 889 dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 890 891 nf_log_buf_close(m); 892 } 893 894 static struct nf_logger nf_ip6_logger __read_mostly = { 895 .name = "nf_log_ipv6", 896 .type = NF_LOG_TYPE_LOG, 897 .logfn = nf_log_ip6_packet, 898 .me = THIS_MODULE, 899 }; 900 nf_log_unknown_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)901 static void nf_log_unknown_packet(struct net *net, u_int8_t pf, 902 unsigned int hooknum, 903 const struct sk_buff *skb, 904 const struct net_device *in, 905 const struct net_device *out, 906 const struct nf_loginfo *loginfo, 907 const char *prefix) 908 { 909 struct nf_log_buf *m; 910 911 if (!nf_log_allowed(net)) 912 return; 913 914 m = nf_log_buf_open(); 915 916 if (!loginfo) 917 loginfo = &default_loginfo; 918 919 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 920 prefix, net); 921 922 dump_mac_header(m, loginfo, skb); 923 924 nf_log_buf_close(m); 925 } 926 nf_log_netdev_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)927 static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 928 unsigned int hooknum, 929 const struct sk_buff *skb, 930 const struct net_device *in, 931 const struct net_device *out, 932 const struct nf_loginfo *loginfo, 933 const char *prefix) 934 { 935 switch (skb->protocol) { 936 case htons(ETH_P_IP): 937 nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 938 break; 939 case htons(ETH_P_IPV6): 940 nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 941 break; 942 case htons(ETH_P_ARP): 943 case htons(ETH_P_RARP): 944 nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 945 break; 946 default: 947 nf_log_unknown_packet(net, pf, hooknum, skb, 948 in, out, loginfo, prefix); 949 break; 950 } 951 } 952 953 static struct nf_logger nf_netdev_logger __read_mostly = { 954 .name = "nf_log_netdev", 955 .type = NF_LOG_TYPE_LOG, 956 .logfn = nf_log_netdev_packet, 957 .me = THIS_MODULE, 958 }; 959 960 static struct nf_logger nf_bridge_logger __read_mostly = { 961 .name = "nf_log_bridge", 962 .type = NF_LOG_TYPE_LOG, 963 .logfn = nf_log_netdev_packet, 964 .me = THIS_MODULE, 965 }; 966 nf_log_syslog_net_init(struct net * net)967 static int __net_init nf_log_syslog_net_init(struct net *net) 968 { 969 int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 970 971 if (ret) 972 return ret; 973 974 ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 975 if (ret) 976 goto err1; 977 978 ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 979 if (ret) 980 goto err2; 981 982 ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 983 if (ret) 984 goto err3; 985 986 ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 987 if (ret) 988 goto err4; 989 return 0; 990 err4: 991 nf_log_unset(net, &nf_netdev_logger); 992 err3: 993 nf_log_unset(net, &nf_ip6_logger); 994 err2: 995 nf_log_unset(net, &nf_arp_logger); 996 err1: 997 nf_log_unset(net, &nf_ip_logger); 998 return ret; 999 } 1000 nf_log_syslog_net_exit(struct net * net)1001 static void __net_exit nf_log_syslog_net_exit(struct net *net) 1002 { 1003 nf_log_unset(net, &nf_ip_logger); 1004 nf_log_unset(net, &nf_arp_logger); 1005 nf_log_unset(net, &nf_ip6_logger); 1006 nf_log_unset(net, &nf_netdev_logger); 1007 nf_log_unset(net, &nf_bridge_logger); 1008 } 1009 1010 static struct pernet_operations nf_log_syslog_net_ops = { 1011 .init = nf_log_syslog_net_init, 1012 .exit = nf_log_syslog_net_exit, 1013 }; 1014 nf_log_syslog_init(void)1015 static int __init nf_log_syslog_init(void) 1016 { 1017 int ret; 1018 1019 ret = register_pernet_subsys(&nf_log_syslog_net_ops); 1020 if (ret < 0) 1021 return ret; 1022 1023 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 1024 if (ret < 0) 1025 goto err1; 1026 1027 ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger); 1028 if (ret < 0) 1029 goto err2; 1030 1031 ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 1032 if (ret < 0) 1033 goto err3; 1034 1035 ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 1036 if (ret < 0) 1037 goto err4; 1038 1039 ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 1040 if (ret < 0) 1041 goto err5; 1042 1043 return 0; 1044 err5: 1045 nf_log_unregister(&nf_netdev_logger); 1046 err4: 1047 nf_log_unregister(&nf_ip6_logger); 1048 err3: 1049 nf_log_unregister(&nf_arp_logger); 1050 err2: 1051 nf_log_unregister(&nf_ip_logger); 1052 err1: 1053 pr_err("failed to register logger\n"); 1054 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1055 return ret; 1056 } 1057 nf_log_syslog_exit(void)1058 static void __exit nf_log_syslog_exit(void) 1059 { 1060 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1061 nf_log_unregister(&nf_ip_logger); 1062 nf_log_unregister(&nf_arp_logger); 1063 nf_log_unregister(&nf_ip6_logger); 1064 nf_log_unregister(&nf_netdev_logger); 1065 nf_log_unregister(&nf_bridge_logger); 1066 } 1067 1068 module_init(nf_log_syslog_init); 1069 module_exit(nf_log_syslog_exit); 1070 1071 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 1072 MODULE_DESCRIPTION("Netfilter syslog packet logging"); 1073 MODULE_LICENSE("GPL"); 1074 MODULE_ALIAS("nf_log_arp"); 1075 MODULE_ALIAS("nf_log_bridge"); 1076 MODULE_ALIAS("nf_log_ipv4"); 1077 MODULE_ALIAS("nf_log_ipv6"); 1078 MODULE_ALIAS("nf_log_netdev"); 1079 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0); 1080 MODULE_ALIAS_NF_LOGGER(AF_INET, 0); 1081 MODULE_ALIAS_NF_LOGGER(3, 0); 1082 MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */ 1083 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0); 1084