[NETFILTER]: x_tables: add NFLOG target

Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2006-11-28 20:35:38 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:31:31 -0500
commit: baf7b1e11282127e068d149825cccec002091d61 (patch)
tree: 33eae4a25dad2666e5b51bffb76d5c7d2db725c2
parent: 39b46fc6f0d1161a5585cd8af7b3a05e8118ab7e (diff)
9 files changed, 123 insertions, 16 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index e379a2d89ea0..6328175a1c3a 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -22,6 +22,7 @@ header-y += xt_mark.h
 header-y += xt_MARK.h
 header-y += xt_multiport.h
 header-y += xt_NFQUEUE.h
+header-y += xt_NFLOG.h
 header-y += xt_pkttype.h
 header-y += xt_policy.h
 header-y += xt_realm.h
diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/linux/netfilter/xt_NFLOG.h
new file mode 100644
index 000000000000..cdcd0ed58f7a
--- /dev/null
+++ b/include/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,18 @@
+#ifndef _XT_NFLOG_TARGET
+#define _XT_NFLOG_TARGET
+#define XT_NFLOG_DEFAULT_GROUP          0x1
+#define XT_NFLOG_DEFAULT_THRESHOLD      1
+#define XT_NFLOG_MASK                   0x0
+struct xt_nflog_info {
+        u_int32_t       len;
+        u_int16_t       group;
+        u_int16_t       threshold;
+        u_int16_t       flags;
+        u_int16_t       pad;
+        char            prefix[64];
+};
+#endif /* _XT_NFLOG_TARGET */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 892f9a33fea8..90fa6525ef9c 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -6,7 +6,7 @@
 #define IPT_LOG_TCPOPT          0x02    /* Log TCP options */
 #define IPT_LOG_IPOPT           0x04    /* Log IP options */
 #define IPT_LOG_UID             0x08    /* Log UID owning local socket */
-#define IPT_LOG_NFLOG           0x10    /* Log using nf_log backend */
+#define IPT_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
 #define IPT_LOG_MASK            0x1f
 struct ipt_log_info {
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 060c1a1c6c60..0d0119b0458c 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -6,7 +6,7 @@
 #define IP6T_LOG_TCPOPT         0x02    /* Log TCP options */
 #define IP6T_LOG_IPOPT          0x04    /* Log IP options */
 #define IP6T_LOG_UID            0x08    /* Log UID owning local socket */
-#define IP6T_LOG_NFLOG          0x10    /* Log using nf_log backend */
+#define IP6T_LOG_NFLOG          0x10    /* Unsupported, don't use */
 #define IP6T_LOG_MASK           0x1f
 struct ip6t_log_info {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 46eee64a11f6..c96de16fefae 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -430,13 +430,8 @@ ipt_log_target(struct sk_buff **pskb,
        li.u.log.level = loginfo->level;
        li.u.log.logflags = loginfo->logflags;
-        if (loginfo->logflags & IPT_LOG_NFLOG)
+        ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
-                nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+                       loginfo->prefix);
-                              "%s", loginfo->prefix);
-        else
-                ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
-                               loginfo->prefix);
        return IPT_CONTINUE;
 }
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index f4857cf97f05..33b1faa90d74 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -440,13 +440,8 @@ ip6t_log_target(struct sk_buff **pskb,
        li.u.log.level = loginfo->level;
        li.u.log.logflags = loginfo->logflags;
-        if (loginfo->logflags & IP6T_LOG_NFLOG)
+        ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
-                nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+                        loginfo->prefix);
-                              "%s", loginfo->prefix);
-        else
-                ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
-                                loginfo->prefix);
        return IP6T_CONTINUE;
 }
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 7e6125467c12..d191dacead5e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -184,6 +184,17 @@ config NETFILTER_XT_TARGET_NFQUEUE
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_TARGET_NFLOG
+        tristate '"NFLOG" target support'
+        depends on NETFILTER_XTABLES
+        help
+          This option enables the NFLOG target, which allows to LOG
+          messages through the netfilter logging API, which can use
+          either the old LOG target, the old ULOG target or nfnetlink_log
+          as backend.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_TARGET_NOTRACK
        tristate  '"NOTRACK" target support'
        depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f85811bfcfe5..7f0089c584bf 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
new file mode 100644
index 000000000000..901ed7abaa1b
--- /dev/null
+++ b/net/netfilter/xt_NFLOG.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_NFLOG.h>
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_NFLOG");
+MODULE_ALIAS("ip6t_NFLOG");
+static unsigned int
+nflog_target(struct sk_buff **pskb,
+             const struct net_device *in, const struct net_device *out,
+             unsigned int hooknum, const struct xt_target *target,
+             const void *targinfo)
+{
+        const struct xt_nflog_info *info = targinfo;
+        struct nf_loginfo li;
+        li.type              = NF_LOG_TYPE_ULOG;
+        li.u.ulog.copy_len   = info->len;
+        li.u.ulog.group      = info->group;
+        li.u.ulog.qthreshold = info->threshold;
+        nf_log_packet(target->family, hooknum, *pskb, in, out, &li,
+                      "%s", info->prefix);
+        return XT_CONTINUE;
+}
+static int
+nflog_checkentry(const char *tablename, const void *entry,
+                 const struct xt_target *target, void *targetinfo,
+                 unsigned int hookmask)
+{
+        struct xt_nflog_info *info = targetinfo;
+        if (info->flags & ~XT_NFLOG_MASK)
+                return 0;
+        if (info->prefix[sizeof(info->prefix) - 1] != '\0')
+                return 0;
+        return 1;
+}
+static struct xt_target xt_nflog_target[] = {
+        {
+                .name           = "NFLOG",
+                .family         = AF_INET,
+                .checkentry     = nflog_checkentry,
+                .target         = nflog_target,
+                .targetsize     = sizeof(struct xt_nflog_info),
+                .me             = THIS_MODULE,
+        },
+        {
+                .name           = "NFLOG",
+                .family         = AF_INET6,
+                .checkentry     = nflog_checkentry,
+                .target         = nflog_target,
+                .targetsize     = sizeof(struct xt_nflog_info),
+                .me             = THIS_MODULE,
+        },
+};
+static int __init xt_nflog_init(void)
+{
+        return xt_register_targets(xt_nflog_target,
+                                   ARRAY_SIZE(xt_nflog_target));
+}
+static void __exit xt_nflog_fini(void)
+{
+        xt_unregister_targets(xt_nflog_target, ARRAY_SIZE(xt_nflog_target));
+}
+module_init(xt_nflog_init);
+module_exit(xt_nflog_fini);
author	Patrick McHardy <kaber@trash.net>	2006-11-28 20:35:38 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:31:31 -0500
commit	baf7b1e11282127e068d149825cccec002091d61 (patch)
tree	33eae4a25dad2666e5b51bffb76d5c7d2db725c2
parent	39b46fc6f0d1161a5585cd8af7b3a05e8118ab7e (diff)

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index e379a2d89ea0..6328175a1c3a 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild
@@ -22,6 +22,7 @@ header-y += xt_mark.h
22	header-y += xt_MARK.h	22	header-y += xt_MARK.h
23	header-y += xt_multiport.h	23	header-y += xt_multiport.h
24	header-y += xt_NFQUEUE.h	24	header-y += xt_NFQUEUE.h
		25	header-y += xt_NFLOG.h
25	header-y += xt_pkttype.h	26	header-y += xt_pkttype.h
26	header-y += xt_policy.h	27	header-y += xt_policy.h
27	header-y += xt_realm.h	28	header-y += xt_realm.h


diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/linux/netfilter/xt_NFLOG.h new file mode 100644 index 000000000000..cdcd0ed58f7a --- /dev/null +++ b/include/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,18 @@
		1	#ifndef _XT_NFLOG_TARGET
		2	#define _XT_NFLOG_TARGET
		3
		4	#define XT_NFLOG_DEFAULT_GROUP 0x1
		5	#define XT_NFLOG_DEFAULT_THRESHOLD 1
		6
		7	#define XT_NFLOG_MASK 0x0
		8
		9	struct xt_nflog_info {
		10	u_int32_t len;
		11	u_int16_t group;
		12	u_int16_t threshold;
		13	u_int16_t flags;
		14	u_int16_t pad;
		15	char prefix[64];
		16	};
		17
		18	#endif /* _XT_NFLOG_TARGET */


diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h index 892f9a33fea8..90fa6525ef9c 100644 --- a/include/linux/netfilter_ipv4/ipt_LOG.h +++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -6,7 +6,7 @@
6	#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */	6	#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
7	#define IPT_LOG_IPOPT 0x04 /* Log IP options */	7	#define IPT_LOG_IPOPT 0x04 /* Log IP options */
8	#define IPT_LOG_UID 0x08 /* Log UID owning local socket */	8	#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
9	#define IPT_LOG_NFLOG 0x10 /* Log using nf_log backend */	9	#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
10	#define IPT_LOG_MASK 0x1f	10	#define IPT_LOG_MASK 0x1f
11		11
12	struct ipt_log_info {	12	struct ipt_log_info {


diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h index 060c1a1c6c60..0d0119b0458c 100644 --- a/include/linux/netfilter_ipv6/ip6t_LOG.h +++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -6,7 +6,7 @@
6	#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */	6	#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
7	#define IP6T_LOG_IPOPT 0x04 /* Log IP options */	7	#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
8	#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */	8	#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
9	#define IP6T_LOG_NFLOG 0x10 /* Log using nf_log backend */	9	#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
10	#define IP6T_LOG_MASK 0x1f	10	#define IP6T_LOG_MASK 0x1f
11		11
12	struct ip6t_log_info {	12	struct ip6t_log_info {


diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index 46eee64a11f6..c96de16fefae 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -430,13 +430,8 @@ ipt_log_target(struct sk_buff **pskb,
430	li.u.log.level = loginfo->level;	430	li.u.log.level = loginfo->level;
431	li.u.log.logflags = loginfo->logflags;	431	li.u.log.logflags = loginfo->logflags;
432		432
433	if (loginfo->logflags & IPT_LOG_NFLOG)	433	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
434	nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,	434	loginfo->prefix);
435	"%s", loginfo->prefix);
436	else
437	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
438	loginfo->prefix);
439
440	return IPT_CONTINUE;	435	return IPT_CONTINUE;
441	}	436	}
442		437


diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index f4857cf97f05..33b1faa90d74 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -440,13 +440,8 @@ ip6t_log_target(struct sk_buff **pskb,
440	li.u.log.level = loginfo->level;	440	li.u.log.level = loginfo->level;
441	li.u.log.logflags = loginfo->logflags;	441	li.u.log.logflags = loginfo->logflags;
442		442
443	if (loginfo->logflags & IP6T_LOG_NFLOG)	443	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
444	nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,	444	loginfo->prefix);
445	"%s", loginfo->prefix);
446	else
447	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
448	loginfo->prefix);
449
450	return IP6T_CONTINUE;	445	return IP6T_CONTINUE;
451	}	446	}
452		447


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 7e6125467c12..d191dacead5e 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -184,6 +184,17 @@ config NETFILTER_XT_TARGET_NFQUEUE
184		184
185	To compile it as a module, choose M here. If unsure, say N.	185	To compile it as a module, choose M here. If unsure, say N.
186		186
		187	config NETFILTER_XT_TARGET_NFLOG
		188	tristate '"NFLOG" target support'
		189	depends on NETFILTER_XTABLES
		190	help
		191	This option enables the NFLOG target, which allows to LOG
		192	messages through the netfilter logging API, which can use
		193	either the old LOG target, the old ULOG target or nfnetlink_log
		194	as backend.
		195
		196	To compile it as a module, choose M here. If unsure, say N.
		197
187	config NETFILTER_XT_TARGET_NOTRACK	198	config NETFILTER_XT_TARGET_NOTRACK
188	tristate '"NOTRACK" target support'	199	tristate '"NOTRACK" target support'
189	depends on NETFILTER_XTABLES	200	depends on NETFILTER_XTABLES


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index f85811bfcfe5..7f0089c584bf 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
31	obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o	31	obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
32	obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o	32	obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
33	obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o	33	obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
		34	obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
34	obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o	35	obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
35	obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o	36	obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
36	obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o	37	obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o


diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c new file mode 100644 index 000000000000..901ed7abaa1b --- /dev/null +++ b/net/netfilter/xt_NFLOG.c
@@ -0,0 +1,86 @@
		1	/*
		2	* Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/module.h>
		10	#include <linux/init.h>
		11	#include <linux/skbuff.h>
		12
		13	#include <linux/netfilter/x_tables.h>
		14	#include <linux/netfilter/xt_NFLOG.h>
		15
		16	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		17	MODULE_DESCRIPTION("x_tables NFLOG target");
		18	MODULE_LICENSE("GPL");
		19	MODULE_ALIAS("ipt_NFLOG");
		20	MODULE_ALIAS("ip6t_NFLOG");
		21
		22	static unsigned int
		23	nflog_target(struct sk_buff **pskb,
		24	const struct net_device in, const struct net_device out,
		25	unsigned int hooknum, const struct xt_target *target,
		26	const void *targinfo)
		27	{
		28	const struct xt_nflog_info *info = targinfo;
		29	struct nf_loginfo li;
		30
		31	li.type = NF_LOG_TYPE_ULOG;
		32	li.u.ulog.copy_len = info->len;
		33	li.u.ulog.group = info->group;
		34	li.u.ulog.qthreshold = info->threshold;
		35
		36	nf_log_packet(target->family, hooknum, *pskb, in, out, &li,
		37	"%s", info->prefix);
		38	return XT_CONTINUE;
		39	}
		40
		41	static int
		42	nflog_checkentry(const char tablename, const void entry,
		43	const struct xt_target target, void targetinfo,
		44	unsigned int hookmask)
		45	{
		46	struct xt_nflog_info *info = targetinfo;
		47
		48	if (info->flags & ~XT_NFLOG_MASK)
		49	return 0;
		50	if (info->prefix[sizeof(info->prefix) - 1] != '\0')
		51	return 0;
		52	return 1;
		53	}
		54
		55	static struct xt_target xt_nflog_target[] = {
		56	{
		57	.name = "NFLOG",
		58	.family = AF_INET,
		59	.checkentry = nflog_checkentry,
		60	.target = nflog_target,
		61	.targetsize = sizeof(struct xt_nflog_info),
		62	.me = THIS_MODULE,
		63	},
		64	{
		65	.name = "NFLOG",
		66	.family = AF_INET6,
		67	.checkentry = nflog_checkentry,
		68	.target = nflog_target,
		69	.targetsize = sizeof(struct xt_nflog_info),
		70	.me = THIS_MODULE,
		71	},
		72	};
		73
		74	static int __init xt_nflog_init(void)
		75	{
		76	return xt_register_targets(xt_nflog_target,
		77	ARRAY_SIZE(xt_nflog_target));
		78	}
		79
		80	static void __exit xt_nflog_fini(void)
		81	{
		82	xt_unregister_targets(xt_nflog_target, ARRAY_SIZE(xt_nflog_target));
		83	}
		84
		85	module_init(xt_nflog_init);
		86	module_exit(xt_nflog_fini);