1 // SPDX-License-Identifier: GPL-2.0-only
2 /* (C) 1999-2001 Paul `Rusty' Russell
3  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
4  */
5 
6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
7 
8 #include <linux/kernel.h>
9 #include <linux/module.h>
10 #include <linux/spinlock.h>
11 #include <linux/skbuff.h>
12 #include <linux/if_arp.h>
13 #include <linux/ip.h>
14 #include <net/ipv6.h>
15 #include <net/icmp.h>
16 #include <net/udp.h>
17 #include <net/tcp.h>
18 #include <net/route.h>
19 
20 #include <linux/netfilter.h>
21 #include <linux/netfilter_bridge.h>
22 #include <linux/netfilter_ipv6.h>
23 #include <linux/netfilter/xt_LOG.h>
24 #include <net/netfilter/nf_log.h>
25 
26 static const struct nf_loginfo default_loginfo = {
27 	.type	= NF_LOG_TYPE_LOG,
28 	.u = {
29 		.log = {
30 			.level	  = LOGLEVEL_NOTICE,
31 			.logflags = NF_LOG_DEFAULT_MASK,
32 		},
33 	},
34 };
35 
36 struct arppayload {
37 	unsigned char mac_src[ETH_ALEN];
38 	unsigned char ip_src[4];
39 	unsigned char mac_dst[ETH_ALEN];
40 	unsigned char ip_dst[4];
41 };
42 
43 /* Guard against containers flooding syslog. */
nf_log_allowed(const struct net * net)44 static bool nf_log_allowed(const struct net *net)
45 {
46 	return net_eq(net, &init_net) || sysctl_nf_log_all_netns;
47 }
48 
nf_log_dump_vlan(struct nf_log_buf * m,const struct sk_buff * skb)49 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
50 {
51 	u16 vid;
52 
53 	if (!skb_vlan_tag_present(skb))
54 		return;
55 
56 	vid = skb_vlan_tag_get(skb);
57 	nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid);
58 }
59 static void noinline_for_stack
dump_arp_packet(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int nhoff)60 dump_arp_packet(struct nf_log_buf *m,
61 		const struct nf_loginfo *info,
62 		const struct sk_buff *skb, unsigned int nhoff)
63 {
64 	const struct arppayload *ap;
65 	struct arppayload _arpp;
66 	const struct arphdr *ah;
67 	unsigned int logflags;
68 	struct arphdr _arph;
69 
70 	ah = skb_header_pointer(skb, nhoff, sizeof(_arph), &_arph);
71 	if (!ah) {
72 		nf_log_buf_add(m, "TRUNCATED");
73 		return;
74 	}
75 
76 	if (info->type == NF_LOG_TYPE_LOG)
77 		logflags = info->u.log.logflags;
78 	else
79 		logflags = NF_LOG_DEFAULT_MASK;
80 
81 	if (logflags & NF_LOG_MACDECODE) {
82 		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
83 			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
84 		nf_log_dump_vlan(m, skb);
85 		nf_log_buf_add(m, "MACPROTO=%04x ",
86 			       ntohs(eth_hdr(skb)->h_proto));
87 	}
88 
89 	nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
90 		       ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
91 	/* If it's for Ethernet and the lengths are OK, then log the ARP
92 	 * payload.
93 	 */
94 	if (ah->ar_hrd != htons(ARPHRD_ETHER) ||
95 	    ah->ar_hln != ETH_ALEN ||
96 	    ah->ar_pln != sizeof(__be32))
97 		return;
98 
99 	ap = skb_header_pointer(skb, nhoff + sizeof(_arph), sizeof(_arpp), &_arpp);
100 	if (!ap) {
101 		nf_log_buf_add(m, " INCOMPLETE [%zu bytes]",
102 			       skb->len - sizeof(_arph));
103 		return;
104 	}
105 	nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4",
106 		       ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
107 }
108 
109 static void
nf_log_dump_packet_common(struct nf_log_buf * m,u8 pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix,struct net * net)110 nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf,
111 			  unsigned int hooknum, const struct sk_buff *skb,
112 			  const struct net_device *in,
113 			  const struct net_device *out,
114 			  const struct nf_loginfo *loginfo, const char *prefix,
115 			  struct net *net)
116 {
117 	const struct net_device *physoutdev __maybe_unused;
118 	const struct net_device *physindev __maybe_unused;
119 
120 	nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
121 		       '0' + loginfo->u.log.level, prefix,
122 			in ? in->name : "",
123 			out ? out->name : "");
124 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
125 	physindev = nf_bridge_get_physindev(skb, net);
126 	if (physindev && in != physindev)
127 		nf_log_buf_add(m, "PHYSIN=%s ", physindev->name);
128 	physoutdev = nf_bridge_get_physoutdev(skb);
129 	if (physoutdev && out != physoutdev)
130 		nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name);
131 #endif
132 }
133 
nf_log_arp_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)134 static void nf_log_arp_packet(struct net *net, u_int8_t pf,
135 			      unsigned int hooknum, const struct sk_buff *skb,
136 			      const struct net_device *in,
137 			      const struct net_device *out,
138 			      const struct nf_loginfo *loginfo,
139 			      const char *prefix)
140 {
141 	struct nf_log_buf *m;
142 
143 	if (!nf_log_allowed(net))
144 		return;
145 
146 	m = nf_log_buf_open();
147 
148 	if (!loginfo)
149 		loginfo = &default_loginfo;
150 
151 	nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
152 				  prefix, net);
153 	dump_arp_packet(m, loginfo, skb, skb_network_offset(skb));
154 
155 	nf_log_buf_close(m);
156 }
157 
158 static struct nf_logger nf_arp_logger __read_mostly = {
159 	.name		= "nf_log_arp",
160 	.type		= NF_LOG_TYPE_LOG,
161 	.logfn		= nf_log_arp_packet,
162 	.me		= THIS_MODULE,
163 };
164 
nf_log_dump_sk_uid_gid(struct net * net,struct nf_log_buf * m,struct sock * sk)165 static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
166 				   struct sock *sk)
167 {
168 	if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk)))
169 		return;
170 
171 	read_lock_bh(&sk->sk_callback_lock);
172 	if (sk->sk_socket && sk->sk_socket->file) {
173 		const struct cred *cred = sk->sk_socket->file->f_cred;
174 
175 		nf_log_buf_add(m, "UID=%u GID=%u ",
176 			       from_kuid_munged(&init_user_ns, cred->fsuid),
177 			       from_kgid_munged(&init_user_ns, cred->fsgid));
178 	}
179 	read_unlock_bh(&sk->sk_callback_lock);
180 }
181 
182 static noinline_for_stack int
nf_log_dump_tcp_header(struct nf_log_buf * m,const struct sk_buff * skb,u8 proto,int fragment,unsigned int offset,unsigned int logflags)183 nf_log_dump_tcp_header(struct nf_log_buf *m,
184 		       const struct sk_buff *skb,
185 		       u8 proto, int fragment,
186 		       unsigned int offset,
187 		       unsigned int logflags)
188 {
189 	struct tcphdr _tcph;
190 	const struct tcphdr *th;
191 
192 	/* Max length: 10 "PROTO=TCP " */
193 	nf_log_buf_add(m, "PROTO=TCP ");
194 
195 	if (fragment)
196 		return 0;
197 
198 	/* Max length: 25 "INCOMPLETE [65535 bytes] " */
199 	th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
200 	if (!th) {
201 		nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
202 		return 1;
203 	}
204 
205 	/* Max length: 20 "SPT=65535 DPT=65535 " */
206 	nf_log_buf_add(m, "SPT=%u DPT=%u ",
207 		       ntohs(th->source), ntohs(th->dest));
208 	/* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
209 	if (logflags & NF_LOG_TCPSEQ) {
210 		nf_log_buf_add(m, "SEQ=%u ACK=%u ",
211 			       ntohl(th->seq), ntohl(th->ack_seq));
212 	}
213 
214 	/* Max length: 13 "WINDOW=65535 " */
215 	nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window));
216 	/* Max length: 9 "RES=0x3C " */
217 	nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
218 					    TCP_RESERVED_BITS) >> 22));
219 	/* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
220 	if (th->cwr)
221 		nf_log_buf_add(m, "CWR ");
222 	if (th->ece)
223 		nf_log_buf_add(m, "ECE ");
224 	if (th->urg)
225 		nf_log_buf_add(m, "URG ");
226 	if (th->ack)
227 		nf_log_buf_add(m, "ACK ");
228 	if (th->psh)
229 		nf_log_buf_add(m, "PSH ");
230 	if (th->rst)
231 		nf_log_buf_add(m, "RST ");
232 	if (th->syn)
233 		nf_log_buf_add(m, "SYN ");
234 	if (th->fin)
235 		nf_log_buf_add(m, "FIN ");
236 	/* Max length: 11 "URGP=65535 " */
237 	nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr));
238 
239 	if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) {
240 		unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr);
241 		u8 _opt[60 - sizeof(struct tcphdr)];
242 		unsigned int i;
243 		const u8 *op;
244 
245 		op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
246 					optsize, _opt);
247 		if (!op) {
248 			nf_log_buf_add(m, "OPT (TRUNCATED)");
249 			return 1;
250 		}
251 
252 		/* Max length: 127 "OPT (" 15*4*2chars ") " */
253 		nf_log_buf_add(m, "OPT (");
254 		for (i = 0; i < optsize; i++)
255 			nf_log_buf_add(m, "%02X", op[i]);
256 
257 		nf_log_buf_add(m, ") ");
258 	}
259 
260 	return 0;
261 }
262 
263 static noinline_for_stack int
nf_log_dump_udp_header(struct nf_log_buf * m,const struct sk_buff * skb,u8 proto,int fragment,unsigned int offset)264 nf_log_dump_udp_header(struct nf_log_buf *m,
265 		       const struct sk_buff *skb,
266 		       u8 proto, int fragment,
267 		       unsigned int offset)
268 {
269 	struct udphdr _udph;
270 	const struct udphdr *uh;
271 
272 	if (proto == IPPROTO_UDP)
273 		/* Max length: 10 "PROTO=UDP "     */
274 		nf_log_buf_add(m, "PROTO=UDP ");
275 	else	/* Max length: 14 "PROTO=UDPLITE " */
276 		nf_log_buf_add(m, "PROTO=UDPLITE ");
277 
278 	if (fragment)
279 		goto out;
280 
281 	/* Max length: 25 "INCOMPLETE [65535 bytes] " */
282 	uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
283 	if (!uh) {
284 		nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
285 
286 		return 1;
287 	}
288 
289 	/* Max length: 20 "SPT=65535 DPT=65535 " */
290 	nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ",
291 		       ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len));
292 
293 out:
294 	return 0;
295 }
296 
297 /* One level of recursion won't kill us */
298 static noinline_for_stack void
dump_ipv4_packet(struct net * net,struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int iphoff)299 dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
300 		 const struct nf_loginfo *info,
301 		 const struct sk_buff *skb, unsigned int iphoff)
302 {
303 	const struct iphdr *ih;
304 	unsigned int logflags;
305 	struct iphdr _iph;
306 
307 	if (info->type == NF_LOG_TYPE_LOG)
308 		logflags = info->u.log.logflags;
309 	else
310 		logflags = NF_LOG_DEFAULT_MASK;
311 
312 	ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
313 	if (!ih) {
314 		nf_log_buf_add(m, "TRUNCATED");
315 		return;
316 	}
317 
318 	/* Important fields:
319 	 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options.
320 	 * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 "
321 	 */
322 	nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
323 
324 	/* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
325 	nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
326 		       iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK,
327 		       ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
328 
329 	/* Max length: 6 "CE DF MF " */
330 	if (ntohs(ih->frag_off) & IP_CE)
331 		nf_log_buf_add(m, "CE ");
332 	if (ntohs(ih->frag_off) & IP_DF)
333 		nf_log_buf_add(m, "DF ");
334 	if (ntohs(ih->frag_off) & IP_MF)
335 		nf_log_buf_add(m, "MF ");
336 
337 	/* Max length: 11 "FRAG:65535 " */
338 	if (ntohs(ih->frag_off) & IP_OFFSET)
339 		nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
340 
341 	if ((logflags & NF_LOG_IPOPT) &&
342 	    ih->ihl * 4 > sizeof(struct iphdr)) {
343 		unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
344 		const unsigned char *op;
345 		unsigned int i, optsize;
346 
347 		optsize = ih->ihl * 4 - sizeof(struct iphdr);
348 		op = skb_header_pointer(skb, iphoff + sizeof(_iph),
349 					optsize, _opt);
350 		if (!op) {
351 			nf_log_buf_add(m, "TRUNCATED");
352 			return;
353 		}
354 
355 		/* Max length: 127 "OPT (" 15*4*2chars ") " */
356 		nf_log_buf_add(m, "OPT (");
357 		for (i = 0; i < optsize; i++)
358 			nf_log_buf_add(m, "%02X", op[i]);
359 		nf_log_buf_add(m, ") ");
360 	}
361 
362 	switch (ih->protocol) {
363 	case IPPROTO_TCP:
364 		if (nf_log_dump_tcp_header(m, skb, ih->protocol,
365 					   ntohs(ih->frag_off) & IP_OFFSET,
366 					   iphoff + ih->ihl * 4, logflags))
367 			return;
368 		break;
369 	case IPPROTO_UDP:
370 	case IPPROTO_UDPLITE:
371 		if (nf_log_dump_udp_header(m, skb, ih->protocol,
372 					   ntohs(ih->frag_off) & IP_OFFSET,
373 					   iphoff + ih->ihl * 4))
374 			return;
375 		break;
376 	case IPPROTO_ICMP: {
377 		static const size_t required_len[NR_ICMP_TYPES + 1] = {
378 			[ICMP_ECHOREPLY] = 4,
379 			[ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr),
380 			[ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr),
381 			[ICMP_REDIRECT] = 8 + sizeof(struct iphdr),
382 			[ICMP_ECHO] = 4,
383 			[ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr),
384 			[ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr),
385 			[ICMP_TIMESTAMP] = 20,
386 			[ICMP_TIMESTAMPREPLY] = 20,
387 			[ICMP_ADDRESS] = 12,
388 			[ICMP_ADDRESSREPLY] = 12 };
389 		const struct icmphdr *ich;
390 		struct icmphdr _icmph;
391 
392 		/* Max length: 11 "PROTO=ICMP " */
393 		nf_log_buf_add(m, "PROTO=ICMP ");
394 
395 		if (ntohs(ih->frag_off) & IP_OFFSET)
396 			break;
397 
398 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
399 		ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
400 					 sizeof(_icmph), &_icmph);
401 		if (!ich) {
402 			nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
403 				       skb->len - iphoff - ih->ihl * 4);
404 			break;
405 		}
406 
407 		/* Max length: 18 "TYPE=255 CODE=255 " */
408 		nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
409 
410 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
411 		if (ich->type <= NR_ICMP_TYPES &&
412 		    required_len[ich->type] &&
413 		    skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) {
414 			nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
415 				       skb->len - iphoff - ih->ihl * 4);
416 			break;
417 		}
418 
419 		switch (ich->type) {
420 		case ICMP_ECHOREPLY:
421 		case ICMP_ECHO:
422 			/* Max length: 19 "ID=65535 SEQ=65535 " */
423 			nf_log_buf_add(m, "ID=%u SEQ=%u ",
424 				       ntohs(ich->un.echo.id),
425 				       ntohs(ich->un.echo.sequence));
426 			break;
427 
428 		case ICMP_PARAMETERPROB:
429 			/* Max length: 14 "PARAMETER=255 " */
430 			nf_log_buf_add(m, "PARAMETER=%u ",
431 				       ntohl(ich->un.gateway) >> 24);
432 			break;
433 		case ICMP_REDIRECT:
434 			/* Max length: 24 "GATEWAY=255.255.255.255 " */
435 			nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
436 			fallthrough;
437 		case ICMP_DEST_UNREACH:
438 		case ICMP_SOURCE_QUENCH:
439 		case ICMP_TIME_EXCEEDED:
440 			/* Max length: 3+maxlen */
441 			if (!iphoff) { /* Only recurse once. */
442 				nf_log_buf_add(m, "[");
443 				dump_ipv4_packet(net, m, info, skb,
444 						 iphoff + ih->ihl * 4 + sizeof(_icmph));
445 				nf_log_buf_add(m, "] ");
446 			}
447 
448 			/* Max length: 10 "MTU=65535 " */
449 			if (ich->type == ICMP_DEST_UNREACH &&
450 			    ich->code == ICMP_FRAG_NEEDED) {
451 				nf_log_buf_add(m, "MTU=%u ",
452 					       ntohs(ich->un.frag.mtu));
453 			}
454 		}
455 		break;
456 	}
457 	/* Max Length */
458 	case IPPROTO_AH: {
459 		const struct ip_auth_hdr *ah;
460 		struct ip_auth_hdr _ahdr;
461 
462 		if (ntohs(ih->frag_off) & IP_OFFSET)
463 			break;
464 
465 		/* Max length: 9 "PROTO=AH " */
466 		nf_log_buf_add(m, "PROTO=AH ");
467 
468 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
469 		ah = skb_header_pointer(skb, iphoff + ih->ihl * 4,
470 					sizeof(_ahdr), &_ahdr);
471 		if (!ah) {
472 			nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
473 				       skb->len - iphoff - ih->ihl * 4);
474 			break;
475 		}
476 
477 		/* Length: 15 "SPI=0xF1234567 " */
478 		nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
479 		break;
480 	}
481 	case IPPROTO_ESP: {
482 		const struct ip_esp_hdr *eh;
483 		struct ip_esp_hdr _esph;
484 
485 		/* Max length: 10 "PROTO=ESP " */
486 		nf_log_buf_add(m, "PROTO=ESP ");
487 
488 		if (ntohs(ih->frag_off) & IP_OFFSET)
489 			break;
490 
491 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
492 		eh = skb_header_pointer(skb, iphoff + ih->ihl * 4,
493 					sizeof(_esph), &_esph);
494 		if (!eh) {
495 			nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
496 				       skb->len - iphoff - ih->ihl * 4);
497 			break;
498 		}
499 
500 		/* Length: 15 "SPI=0xF1234567 " */
501 		nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi));
502 		break;
503 	}
504 	/* Max length: 10 "PROTO 255 " */
505 	default:
506 		nf_log_buf_add(m, "PROTO=%u ", ih->protocol);
507 	}
508 
509 	/* Max length: 15 "UID=4294967295 " */
510 	if ((logflags & NF_LOG_UID) && !iphoff)
511 		nf_log_dump_sk_uid_gid(net, m, skb->sk);
512 
513 	/* Max length: 16 "MARK=0xFFFFFFFF " */
514 	if (!iphoff && skb->mark)
515 		nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
516 
517 	/* Proto    Max log string length */
518 	/* IP:	    40+46+6+11+127 = 230 */
519 	/* TCP:     10+max(25,20+30+13+9+32+11+127) = 252 */
520 	/* UDP:     10+max(25,20) = 35 */
521 	/* UDPLITE: 14+max(25,20) = 39 */
522 	/* ICMP:    11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
523 	/* ESP:     10+max(25)+15 = 50 */
524 	/* AH:	    9+max(25)+15 = 49 */
525 	/* unknown: 10 */
526 
527 	/* (ICMP allows recursion one level deep) */
528 	/* maxlen =  IP + ICMP +  IP + max(TCP,UDP,ICMP,unknown) */
529 	/* maxlen = 230+   91  + 230 + 252 = 803 */
530 }
531 
532 static noinline_for_stack void
dump_ipv6_packet(struct net * net,struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int ip6hoff,int recurse)533 dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
534 		 const struct nf_loginfo *info,
535 		 const struct sk_buff *skb, unsigned int ip6hoff,
536 		 int recurse)
537 {
538 	const struct ipv6hdr *ih;
539 	unsigned int hdrlen = 0;
540 	unsigned int logflags;
541 	struct ipv6hdr _ip6h;
542 	unsigned int ptr;
543 	u8 currenthdr;
544 	int fragment;
545 
546 	if (info->type == NF_LOG_TYPE_LOG)
547 		logflags = info->u.log.logflags;
548 	else
549 		logflags = NF_LOG_DEFAULT_MASK;
550 
551 	ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
552 	if (!ih) {
553 		nf_log_buf_add(m, "TRUNCATED");
554 		return;
555 	}
556 
557 	/* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
558 	nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
559 
560 	/* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
561 	nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
562 		       ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
563 		       (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
564 		       ih->hop_limit,
565 		       (ntohl(*(__be32 *)ih) & 0x000fffff));
566 
567 	fragment = 0;
568 	ptr = ip6hoff + sizeof(struct ipv6hdr);
569 	currenthdr = ih->nexthdr;
570 	while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) {
571 		struct ipv6_opt_hdr _hdr;
572 		const struct ipv6_opt_hdr *hp;
573 
574 		hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
575 		if (!hp) {
576 			nf_log_buf_add(m, "TRUNCATED");
577 			return;
578 		}
579 
580 		/* Max length: 48 "OPT (...) " */
581 		if (logflags & NF_LOG_IPOPT)
582 			nf_log_buf_add(m, "OPT ( ");
583 
584 		switch (currenthdr) {
585 		case IPPROTO_FRAGMENT: {
586 			struct frag_hdr _fhdr;
587 			const struct frag_hdr *fh;
588 
589 			nf_log_buf_add(m, "FRAG:");
590 			fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
591 						&_fhdr);
592 			if (!fh) {
593 				nf_log_buf_add(m, "TRUNCATED ");
594 				return;
595 			}
596 
597 			/* Max length: 6 "65535 " */
598 			nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
599 
600 			/* Max length: 11 "INCOMPLETE " */
601 			if (fh->frag_off & htons(0x0001))
602 				nf_log_buf_add(m, "INCOMPLETE ");
603 
604 			nf_log_buf_add(m, "ID:%08x ",
605 				       ntohl(fh->identification));
606 
607 			if (ntohs(fh->frag_off) & 0xFFF8)
608 				fragment = 1;
609 
610 			hdrlen = 8;
611 			break;
612 		}
613 		case IPPROTO_DSTOPTS:
614 		case IPPROTO_ROUTING:
615 		case IPPROTO_HOPOPTS:
616 			if (fragment) {
617 				if (logflags & NF_LOG_IPOPT)
618 					nf_log_buf_add(m, ")");
619 				return;
620 			}
621 			hdrlen = ipv6_optlen(hp);
622 			break;
623 		/* Max Length */
624 		case IPPROTO_AH:
625 			if (logflags & NF_LOG_IPOPT) {
626 				struct ip_auth_hdr _ahdr;
627 				const struct ip_auth_hdr *ah;
628 
629 				/* Max length: 3 "AH " */
630 				nf_log_buf_add(m, "AH ");
631 
632 				if (fragment) {
633 					nf_log_buf_add(m, ")");
634 					return;
635 				}
636 
637 				ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
638 							&_ahdr);
639 				if (!ah) {
640 					/* Max length: 26 "INCOMPLETE [65535 bytes] )" */
641 					nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
642 						       skb->len - ptr);
643 					return;
644 				}
645 
646 				/* Length: 15 "SPI=0xF1234567 */
647 				nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
648 			}
649 
650 			hdrlen = ipv6_authlen(hp);
651 			break;
652 		case IPPROTO_ESP:
653 			if (logflags & NF_LOG_IPOPT) {
654 				struct ip_esp_hdr _esph;
655 				const struct ip_esp_hdr *eh;
656 
657 				/* Max length: 4 "ESP " */
658 				nf_log_buf_add(m, "ESP ");
659 
660 				if (fragment) {
661 					nf_log_buf_add(m, ")");
662 					return;
663 				}
664 
665 				/* Max length: 26 "INCOMPLETE [65535 bytes] )" */
666 				eh = skb_header_pointer(skb, ptr, sizeof(_esph),
667 							&_esph);
668 				if (!eh) {
669 					nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
670 						       skb->len - ptr);
671 					return;
672 				}
673 
674 				/* Length: 16 "SPI=0xF1234567 )" */
675 				nf_log_buf_add(m, "SPI=0x%x )",
676 					       ntohl(eh->spi));
677 			}
678 			return;
679 		default:
680 			/* Max length: 20 "Unknown Ext Hdr 255" */
681 			nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr);
682 			return;
683 		}
684 		if (logflags & NF_LOG_IPOPT)
685 			nf_log_buf_add(m, ") ");
686 
687 		currenthdr = hp->nexthdr;
688 		ptr += hdrlen;
689 	}
690 
691 	switch (currenthdr) {
692 	case IPPROTO_TCP:
693 		if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment,
694 					   ptr, logflags))
695 			return;
696 		break;
697 	case IPPROTO_UDP:
698 	case IPPROTO_UDPLITE:
699 		if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr))
700 			return;
701 		break;
702 	case IPPROTO_ICMPV6: {
703 		struct icmp6hdr _icmp6h;
704 		const struct icmp6hdr *ic;
705 
706 		/* Max length: 13 "PROTO=ICMPv6 " */
707 		nf_log_buf_add(m, "PROTO=ICMPv6 ");
708 
709 		if (fragment)
710 			break;
711 
712 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
713 		ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
714 		if (!ic) {
715 			nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
716 				       skb->len - ptr);
717 			return;
718 		}
719 
720 		/* Max length: 18 "TYPE=255 CODE=255 " */
721 		nf_log_buf_add(m, "TYPE=%u CODE=%u ",
722 			       ic->icmp6_type, ic->icmp6_code);
723 
724 		switch (ic->icmp6_type) {
725 		case ICMPV6_ECHO_REQUEST:
726 		case ICMPV6_ECHO_REPLY:
727 			/* Max length: 19 "ID=65535 SEQ=65535 " */
728 			nf_log_buf_add(m, "ID=%u SEQ=%u ",
729 				       ntohs(ic->icmp6_identifier),
730 				       ntohs(ic->icmp6_sequence));
731 			break;
732 		case ICMPV6_MGM_QUERY:
733 		case ICMPV6_MGM_REPORT:
734 		case ICMPV6_MGM_REDUCTION:
735 			break;
736 
737 		case ICMPV6_PARAMPROB:
738 			/* Max length: 17 "POINTER=ffffffff " */
739 			nf_log_buf_add(m, "POINTER=%08x ",
740 				       ntohl(ic->icmp6_pointer));
741 			fallthrough;
742 		case ICMPV6_DEST_UNREACH:
743 		case ICMPV6_PKT_TOOBIG:
744 		case ICMPV6_TIME_EXCEED:
745 			/* Max length: 3+maxlen */
746 			if (recurse) {
747 				nf_log_buf_add(m, "[");
748 				dump_ipv6_packet(net, m, info, skb,
749 						 ptr + sizeof(_icmp6h), 0);
750 				nf_log_buf_add(m, "] ");
751 			}
752 
753 			/* Max length: 10 "MTU=65535 " */
754 			if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) {
755 				nf_log_buf_add(m, "MTU=%u ",
756 					       ntohl(ic->icmp6_mtu));
757 			}
758 		}
759 		break;
760 	}
761 	/* Max length: 10 "PROTO=255 " */
762 	default:
763 		nf_log_buf_add(m, "PROTO=%u ", currenthdr);
764 	}
765 
766 	/* Max length: 15 "UID=4294967295 " */
767 	if ((logflags & NF_LOG_UID) && recurse)
768 		nf_log_dump_sk_uid_gid(net, m, skb->sk);
769 
770 	/* Max length: 16 "MARK=0xFFFFFFFF " */
771 	if (recurse && skb->mark)
772 		nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
773 }
774 
dump_mac_header(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb)775 static void dump_mac_header(struct nf_log_buf *m,
776 			    const struct nf_loginfo *info,
777 			    const struct sk_buff *skb)
778 {
779 	struct net_device *dev = skb->dev;
780 	unsigned int logflags = 0;
781 
782 	if (info->type == NF_LOG_TYPE_LOG)
783 		logflags = info->u.log.logflags;
784 
785 	if (!(logflags & NF_LOG_MACDECODE))
786 		goto fallback;
787 
788 	switch (dev->type) {
789 	case ARPHRD_ETHER:
790 		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
791 			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
792 		nf_log_dump_vlan(m, skb);
793 		nf_log_buf_add(m, "MACPROTO=%04x ",
794 			       ntohs(eth_hdr(skb)->h_proto));
795 		return;
796 	default:
797 		break;
798 	}
799 
800 fallback:
801 	nf_log_buf_add(m, "MAC=");
802 	if (dev->hard_header_len &&
803 	    skb->mac_header != skb->network_header) {
804 		const unsigned char *p = skb_mac_header(skb);
805 		unsigned int i;
806 
807 		if (dev->type == ARPHRD_SIT) {
808 			p -= ETH_HLEN;
809 
810 			if (p < skb->head)
811 				p = NULL;
812 		}
813 
814 		if (p) {
815 			nf_log_buf_add(m, "%02x", *p++);
816 			for (i = 1; i < dev->hard_header_len; i++)
817 				nf_log_buf_add(m, ":%02x", *p++);
818 		}
819 
820 		if (dev->type == ARPHRD_SIT) {
821 			const struct iphdr *iph =
822 				(struct iphdr *)skb_mac_header(skb);
823 
824 			nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr,
825 				       &iph->daddr);
826 		}
827 	}
828 	nf_log_buf_add(m, " ");
829 }
830 
nf_log_ip_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)831 static void nf_log_ip_packet(struct net *net, u_int8_t pf,
832 			     unsigned int hooknum, const struct sk_buff *skb,
833 			     const struct net_device *in,
834 			     const struct net_device *out,
835 			     const struct nf_loginfo *loginfo,
836 			     const char *prefix)
837 {
838 	struct nf_log_buf *m;
839 
840 	if (!nf_log_allowed(net))
841 		return;
842 
843 	m = nf_log_buf_open();
844 
845 	if (!loginfo)
846 		loginfo = &default_loginfo;
847 
848 	nf_log_dump_packet_common(m, pf, hooknum, skb, in,
849 				  out, loginfo, prefix, net);
850 
851 	if (in)
852 		dump_mac_header(m, loginfo, skb);
853 
854 	dump_ipv4_packet(net, m, loginfo, skb, skb_network_offset(skb));
855 
856 	nf_log_buf_close(m);
857 }
858 
859 static struct nf_logger nf_ip_logger __read_mostly = {
860 	.name		= "nf_log_ipv4",
861 	.type		= NF_LOG_TYPE_LOG,
862 	.logfn		= nf_log_ip_packet,
863 	.me		= THIS_MODULE,
864 };
865 
nf_log_ip6_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)866 static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
867 			      unsigned int hooknum, const struct sk_buff *skb,
868 			      const struct net_device *in,
869 			      const struct net_device *out,
870 			      const struct nf_loginfo *loginfo,
871 			      const char *prefix)
872 {
873 	struct nf_log_buf *m;
874 
875 	if (!nf_log_allowed(net))
876 		return;
877 
878 	m = nf_log_buf_open();
879 
880 	if (!loginfo)
881 		loginfo = &default_loginfo;
882 
883 	nf_log_dump_packet_common(m, pf, hooknum, skb, in, out,
884 				  loginfo, prefix, net);
885 
886 	if (in)
887 		dump_mac_header(m, loginfo, skb);
888 
889 	dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1);
890 
891 	nf_log_buf_close(m);
892 }
893 
894 static struct nf_logger nf_ip6_logger __read_mostly = {
895 	.name		= "nf_log_ipv6",
896 	.type		= NF_LOG_TYPE_LOG,
897 	.logfn		= nf_log_ip6_packet,
898 	.me		= THIS_MODULE,
899 };
900 
nf_log_unknown_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)901 static void nf_log_unknown_packet(struct net *net, u_int8_t pf,
902 				  unsigned int hooknum,
903 				  const struct sk_buff *skb,
904 				  const struct net_device *in,
905 				  const struct net_device *out,
906 				  const struct nf_loginfo *loginfo,
907 				  const char *prefix)
908 {
909 	struct nf_log_buf *m;
910 
911 	if (!nf_log_allowed(net))
912 		return;
913 
914 	m = nf_log_buf_open();
915 
916 	if (!loginfo)
917 		loginfo = &default_loginfo;
918 
919 	nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
920 				  prefix, net);
921 
922 	dump_mac_header(m, loginfo, skb);
923 
924 	nf_log_buf_close(m);
925 }
926 
nf_log_netdev_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)927 static void nf_log_netdev_packet(struct net *net, u_int8_t pf,
928 				 unsigned int hooknum,
929 				 const struct sk_buff *skb,
930 				 const struct net_device *in,
931 				 const struct net_device *out,
932 				 const struct nf_loginfo *loginfo,
933 				 const char *prefix)
934 {
935 	switch (skb->protocol) {
936 	case htons(ETH_P_IP):
937 		nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
938 		break;
939 	case htons(ETH_P_IPV6):
940 		nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
941 		break;
942 	case htons(ETH_P_ARP):
943 	case htons(ETH_P_RARP):
944 		nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
945 		break;
946 	default:
947 		nf_log_unknown_packet(net, pf, hooknum, skb,
948 				      in, out, loginfo, prefix);
949 		break;
950 	}
951 }
952 
953 static struct nf_logger nf_netdev_logger __read_mostly = {
954 	.name		= "nf_log_netdev",
955 	.type		= NF_LOG_TYPE_LOG,
956 	.logfn		= nf_log_netdev_packet,
957 	.me		= THIS_MODULE,
958 };
959 
960 static struct nf_logger nf_bridge_logger __read_mostly = {
961 	.name		= "nf_log_bridge",
962 	.type		= NF_LOG_TYPE_LOG,
963 	.logfn		= nf_log_netdev_packet,
964 	.me		= THIS_MODULE,
965 };
966 
nf_log_syslog_net_init(struct net * net)967 static int __net_init nf_log_syslog_net_init(struct net *net)
968 {
969 	int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
970 
971 	if (ret)
972 		return ret;
973 
974 	ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger);
975 	if (ret)
976 		goto err1;
977 
978 	ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger);
979 	if (ret)
980 		goto err2;
981 
982 	ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger);
983 	if (ret)
984 		goto err3;
985 
986 	ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger);
987 	if (ret)
988 		goto err4;
989 	return 0;
990 err4:
991 	nf_log_unset(net, &nf_netdev_logger);
992 err3:
993 	nf_log_unset(net, &nf_ip6_logger);
994 err2:
995 	nf_log_unset(net, &nf_arp_logger);
996 err1:
997 	nf_log_unset(net, &nf_ip_logger);
998 	return ret;
999 }
1000 
nf_log_syslog_net_exit(struct net * net)1001 static void __net_exit nf_log_syslog_net_exit(struct net *net)
1002 {
1003 	nf_log_unset(net, &nf_ip_logger);
1004 	nf_log_unset(net, &nf_arp_logger);
1005 	nf_log_unset(net, &nf_ip6_logger);
1006 	nf_log_unset(net, &nf_netdev_logger);
1007 	nf_log_unset(net, &nf_bridge_logger);
1008 }
1009 
1010 static struct pernet_operations nf_log_syslog_net_ops = {
1011 	.init = nf_log_syslog_net_init,
1012 	.exit = nf_log_syslog_net_exit,
1013 };
1014 
nf_log_syslog_init(void)1015 static int __init nf_log_syslog_init(void)
1016 {
1017 	int ret;
1018 
1019 	ret = register_pernet_subsys(&nf_log_syslog_net_ops);
1020 	if (ret < 0)
1021 		return ret;
1022 
1023 	ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
1024 	if (ret < 0)
1025 		goto err1;
1026 
1027 	ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
1028 	if (ret < 0)
1029 		goto err2;
1030 
1031 	ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
1032 	if (ret < 0)
1033 		goto err3;
1034 
1035 	ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger);
1036 	if (ret < 0)
1037 		goto err4;
1038 
1039 	ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger);
1040 	if (ret < 0)
1041 		goto err5;
1042 
1043 	return 0;
1044 err5:
1045 	nf_log_unregister(&nf_netdev_logger);
1046 err4:
1047 	nf_log_unregister(&nf_ip6_logger);
1048 err3:
1049 	nf_log_unregister(&nf_arp_logger);
1050 err2:
1051 	nf_log_unregister(&nf_ip_logger);
1052 err1:
1053 	pr_err("failed to register logger\n");
1054 	unregister_pernet_subsys(&nf_log_syslog_net_ops);
1055 	return ret;
1056 }
1057 
nf_log_syslog_exit(void)1058 static void __exit nf_log_syslog_exit(void)
1059 {
1060 	unregister_pernet_subsys(&nf_log_syslog_net_ops);
1061 	nf_log_unregister(&nf_ip_logger);
1062 	nf_log_unregister(&nf_arp_logger);
1063 	nf_log_unregister(&nf_ip6_logger);
1064 	nf_log_unregister(&nf_netdev_logger);
1065 	nf_log_unregister(&nf_bridge_logger);
1066 }
1067 
1068 module_init(nf_log_syslog_init);
1069 module_exit(nf_log_syslog_exit);
1070 
1071 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1072 MODULE_DESCRIPTION("Netfilter syslog packet logging");
1073 MODULE_LICENSE("GPL");
1074 MODULE_ALIAS("nf_log_arp");
1075 MODULE_ALIAS("nf_log_bridge");
1076 MODULE_ALIAS("nf_log_ipv4");
1077 MODULE_ALIAS("nf_log_ipv6");
1078 MODULE_ALIAS("nf_log_netdev");
1079 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);
1080 MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
1081 MODULE_ALIAS_NF_LOGGER(3, 0);
1082 MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */
1083 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
1084