diff options
| author | Harald Welte <laforge@netfilter.org> | 2005-08-09 22:58:27 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2005-08-29 18:38:07 -0400 |
| commit | 608c8e4f7b6e61cc783283e9dff8a465a5ad59bb (patch) | |
| tree | 55ca8bed99789cd6af07f6cc6ee99b0cf718a611 /include | |
| parent | 838ab6364956d9bdcefe84712de1621cf20a40b3 (diff) | |
[NETFILTER]: Extend netfilter logging API
This patch is in preparation to nfnetlink_log:
- loggers now have to register struct nf_logger instead of nf_logfn
- nf_log_unregister() replaced by nf_log_unregister_pf() and
nf_log_unregister_logger()
- add comment to ip[6]t_LOG.h to assure nobody redefines flags
- add /proc/net/netfilter/nf_log to tell user which logger is currently
registered for which address family
- if user has configured logging, but no logging backend (logger) is
available, always spit a message to syslog, not just the first time.
- split ip[6]t_LOG.c into two parts:
Backend: Always try to register as logger for the respective address family
Frontend: Always log via nf_log_packet() API
- modify all users of nf_log_packet() to accomodate additional argument
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter.h | 48 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv4/ipt_LOG.h | 1 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv6/ip6t_LOG.h | 1 |
3 files changed, 47 insertions, 3 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 711e05f33d68..815583af06c2 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h | |||
| @@ -114,15 +114,51 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg); | |||
| 114 | 114 | ||
| 115 | extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS]; | 115 | extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS]; |
| 116 | 116 | ||
| 117 | typedef void nf_logfn(unsigned int hooknum, | 117 | /* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will |
| 118 | * disappear once iptables is replaced with pkttables. Please DO NOT use them | ||
| 119 | * for any new code! */ | ||
| 120 | #define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ | ||
| 121 | #define NF_LOG_TCPOPT 0x02 /* Log TCP options */ | ||
| 122 | #define NF_LOG_IPOPT 0x04 /* Log IP options */ | ||
| 123 | #define NF_LOG_UID 0x08 /* Log UID owning local socket */ | ||
| 124 | #define NF_LOG_MASK 0x0f | ||
| 125 | |||
| 126 | #define NF_LOG_TYPE_LOG 0x01 | ||
| 127 | #define NF_LOG_TYPE_ULOG 0x02 | ||
| 128 | |||
| 129 | struct nf_loginfo { | ||
| 130 | u_int8_t type; | ||
| 131 | union { | ||
| 132 | struct { | ||
| 133 | u_int32_t copy_len; | ||
| 134 | u_int16_t group; | ||
| 135 | u_int16_t qthreshold; | ||
| 136 | } ulog; | ||
| 137 | struct { | ||
| 138 | u_int8_t level; | ||
| 139 | u_int8_t logflags; | ||
| 140 | } log; | ||
| 141 | } u; | ||
| 142 | }; | ||
| 143 | |||
| 144 | typedef void nf_logfn(unsigned int pf, | ||
| 145 | unsigned int hooknum, | ||
| 118 | const struct sk_buff *skb, | 146 | const struct sk_buff *skb, |
| 119 | const struct net_device *in, | 147 | const struct net_device *in, |
| 120 | const struct net_device *out, | 148 | const struct net_device *out, |
| 149 | const struct nf_loginfo *li, | ||
| 121 | const char *prefix); | 150 | const char *prefix); |
| 122 | 151 | ||
| 152 | struct nf_logger { | ||
| 153 | struct module *me; | ||
| 154 | nf_logfn *logfn; | ||
| 155 | char *name; | ||
| 156 | }; | ||
| 157 | |||
| 123 | /* Function to register/unregister log function. */ | 158 | /* Function to register/unregister log function. */ |
| 124 | int nf_log_register(int pf, nf_logfn *logfn); | 159 | int nf_log_register(int pf, struct nf_logger *logger); |
| 125 | void nf_log_unregister(int pf, nf_logfn *logfn); | 160 | void nf_log_unregister_pf(int pf); |
| 161 | void nf_log_unregister_logger(struct nf_logger *logger); | ||
| 126 | 162 | ||
| 127 | /* Calls the registered backend logging function */ | 163 | /* Calls the registered backend logging function */ |
| 128 | void nf_log_packet(int pf, | 164 | void nf_log_packet(int pf, |
| @@ -130,6 +166,7 @@ void nf_log_packet(int pf, | |||
| 130 | const struct sk_buff *skb, | 166 | const struct sk_buff *skb, |
| 131 | const struct net_device *in, | 167 | const struct net_device *in, |
| 132 | const struct net_device *out, | 168 | const struct net_device *out, |
| 169 | struct nf_loginfo *li, | ||
| 133 | const char *fmt, ...); | 170 | const char *fmt, ...); |
| 134 | 171 | ||
| 135 | /* Activate hook; either okfn or kfree_skb called, unless a hook | 172 | /* Activate hook; either okfn or kfree_skb called, unless a hook |
| @@ -221,6 +258,11 @@ struct nf_queue_rerouter { | |||
| 221 | extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer); | 258 | extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer); |
| 222 | extern int nf_unregister_queue_rerouter(int pf); | 259 | extern int nf_unregister_queue_rerouter(int pf); |
| 223 | 260 | ||
| 261 | #ifdef CONFIG_PROC_FS | ||
| 262 | #include <linux/proc_fs.h> | ||
| 263 | extern struct proc_dir_entry *proc_net_netfilter; | ||
| 264 | #endif | ||
| 265 | |||
| 224 | #else /* !CONFIG_NETFILTER */ | 266 | #else /* !CONFIG_NETFILTER */ |
| 225 | #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) | 267 | #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb) |
| 226 | static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} | 268 | static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} |
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h index d25f782e57d1..22d16177319b 100644 --- a/include/linux/netfilter_ipv4/ipt_LOG.h +++ b/include/linux/netfilter_ipv4/ipt_LOG.h | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | #ifndef _IPT_LOG_H | 1 | #ifndef _IPT_LOG_H |
| 2 | #define _IPT_LOG_H | 2 | #define _IPT_LOG_H |
| 3 | 3 | ||
| 4 | /* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ | ||
| 4 | #define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ | 5 | #define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ |
| 5 | #define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ | 6 | #define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ |
| 6 | #define IPT_LOG_IPOPT 0x04 /* Log IP options */ | 7 | #define IPT_LOG_IPOPT 0x04 /* Log IP options */ |
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h index 42996a43bb39..9008ff5c40ae 100644 --- a/include/linux/netfilter_ipv6/ip6t_LOG.h +++ b/include/linux/netfilter_ipv6/ip6t_LOG.h | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | #ifndef _IP6T_LOG_H | 1 | #ifndef _IP6T_LOG_H |
| 2 | #define _IP6T_LOG_H | 2 | #define _IP6T_LOG_H |
| 3 | 3 | ||
| 4 | /* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ | ||
| 4 | #define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ | 5 | #define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ |
| 5 | #define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ | 6 | #define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ |
| 6 | #define IP6T_LOG_IPOPT 0x04 /* Log IP options */ | 7 | #define IP6T_LOG_IPOPT 0x04 /* Log IP options */ |