netfilter: nf_log: prepare net namespace support for loggers

This patch adds netns support to nf_log and it prepares netns
support for existing loggers. It is composed of four major
changes.

1) nf_log_register has been split to two functions: nf_log_register
   and nf_log_set. The new nf_log_register is used to globally
   register the nf_logger and nf_log_set is used for enabling
   pernet support from nf_loggers.

   Per netns is not yet complete after this patch, it comes in
   separate follow up patches.

2) Add net as a parameter of nf_log_bind_pf. Per netns is not
   yet complete after this patch, it only allows to bind the
   nf_logger to the protocol family from init_net and it skips
   other cases.

3) Adapt all nf_log_packet callers to pass netns as parameter.
   After this patch, this function only works for init_net.

4) Make the sysctl net/netfilter/nf_log pernet.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 6 insertions, 5 deletions

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 1b433aac2663..e391db1f056d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -258,6 +258,7 @@ static void trace_packet(const struct sk_buff *skb,
         const char *hookname, *chainname, *comment;
         const struct ipt_entry *iter;
         unsigned int rulenum = 0;
+        struct net *net = dev_net(in ? in : out);
 
         table_base = private->entries[smp_processor_id()];
         root = get_entry(table_base, private->hook_entry[hook]);
@@ -270,7 +271,7 @@ static void trace_packet(const struct sk_buff *skb,
                     &chainname, &comment, &rulenum) != 0)
                         break;
 
-        nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
+        nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo,
                       "TRACE: %s:%s:%s:%u ",
                       tablename, chainname, comment, rulenum);
 }
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 5241d997ab75..c2cd63d2d892 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -187,8 +187,8 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
         icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih);
         if (icmph == NULL) {
                 if (LOG_INVALID(net, IPPROTO_ICMP))
-                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-                                      "nf_ct_icmp: short packet ");
+                        nf_log_packet(net, PF_INET, 0, skb, NULL, NULL,
+                                      NULL, "nf_ct_icmp: short packet ");
                 return -NF_ACCEPT;
         }
 
@@ -196,7 +196,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
             nf_ip_checksum(skb, hooknum, dataoff, 0)) {
                 if (LOG_INVALID(net, IPPROTO_ICMP))
-                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
                                       "nf_ct_icmp: bad HW ICMP checksum ");
                 return -NF_ACCEPT;
         }
@@ -209,7 +209,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
          */
         if (icmph->type > NR_ICMP_TYPES) {
                 if (LOG_INVALID(net, IPPROTO_ICMP))
-                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
                                       "nf_ct_icmp: invalid ICMP type ");
                 return -NF_ACCEPT;
         }