diff options
| author | Harald Welte <laforge@netfilter.org> | 2005-08-09 22:58:27 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2005-08-29 18:38:07 -0400 |
| commit | 608c8e4f7b6e61cc783283e9dff8a465a5ad59bb (patch) | |
| tree | 55ca8bed99789cd6af07f6cc6ee99b0cf718a611 /net/ipv4 | |
| parent | 838ab6364956d9bdcefe84712de1621cf20a40b3 (diff) | |
[NETFILTER]: Extend netfilter logging API
This patch is in preparation to nfnetlink_log:
- loggers now have to register struct nf_logger instead of nf_logfn
- nf_log_unregister() replaced by nf_log_unregister_pf() and
nf_log_unregister_logger()
- add comment to ip[6]t_LOG.h to assure nobody redefines flags
- add /proc/net/netfilter/nf_log to tell user which logger is currently
registered for which address family
- if user has configured logging, but no logging backend (logger) is
available, always spit a message to syslog, not just the first time.
- split ip[6]t_LOG.c into two parts:
Backend: Always try to register as logger for the respective address family
Frontend: Always log via nf_log_packet() API
- modify all users of nf_log_packet() to accomodate additional argument
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 21 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_udp.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_LOG.c | 86 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 33 |
5 files changed, 90 insertions, 64 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index 3f90cb9979ac..838d1d69b36e 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c | |||
| @@ -217,7 +217,7 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 217 | icmph = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_ih), &_ih); | 217 | icmph = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_ih), &_ih); |
| 218 | if (icmph == NULL) { | 218 | if (icmph == NULL) { |
| 219 | if (LOG_INVALID(IPPROTO_ICMP)) | 219 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 220 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 220 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 221 | "ip_ct_icmp: short packet "); | 221 | "ip_ct_icmp: short packet "); |
| 222 | return -NF_ACCEPT; | 222 | return -NF_ACCEPT; |
| 223 | } | 223 | } |
| @@ -231,13 +231,13 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 231 | if (!(u16)csum_fold(skb->csum)) | 231 | if (!(u16)csum_fold(skb->csum)) |
| 232 | break; | 232 | break; |
| 233 | if (LOG_INVALID(IPPROTO_ICMP)) | 233 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 234 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 234 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 235 | "ip_ct_icmp: bad HW ICMP checksum "); | 235 | "ip_ct_icmp: bad HW ICMP checksum "); |
| 236 | return -NF_ACCEPT; | 236 | return -NF_ACCEPT; |
| 237 | case CHECKSUM_NONE: | 237 | case CHECKSUM_NONE: |
| 238 | if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) { | 238 | if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) { |
| 239 | if (LOG_INVALID(IPPROTO_ICMP)) | 239 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 240 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 240 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 241 | "ip_ct_icmp: bad ICMP checksum "); | 241 | "ip_ct_icmp: bad ICMP checksum "); |
| 242 | return -NF_ACCEPT; | 242 | return -NF_ACCEPT; |
| 243 | } | 243 | } |
| @@ -254,7 +254,7 @@ checksum_skipped: | |||
| 254 | */ | 254 | */ |
| 255 | if (icmph->type > NR_ICMP_TYPES) { | 255 | if (icmph->type > NR_ICMP_TYPES) { |
| 256 | if (LOG_INVALID(IPPROTO_ICMP)) | 256 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 257 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 257 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 258 | "ip_ct_icmp: invalid ICMP type "); | 258 | "ip_ct_icmp: invalid ICMP type "); |
| 259 | return -NF_ACCEPT; | 259 | return -NF_ACCEPT; |
| 260 | } | 260 | } |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index c2bce22d4031..f23ef1f88c46 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c | |||
| @@ -716,7 +716,7 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
| 716 | res = 1; | 716 | res = 1; |
| 717 | } else { | 717 | } else { |
| 718 | if (LOG_INVALID(IPPROTO_TCP)) | 718 | if (LOG_INVALID(IPPROTO_TCP)) |
| 719 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 719 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 720 | "ip_ct_tcp: %s ", | 720 | "ip_ct_tcp: %s ", |
| 721 | before(seq, sender->td_maxend + 1) ? | 721 | before(seq, sender->td_maxend + 1) ? |
| 722 | after(end, sender->td_end - receiver->td_maxwin - 1) ? | 722 | after(end, sender->td_end - receiver->td_maxwin - 1) ? |
| @@ -815,7 +815,7 @@ static int tcp_error(struct sk_buff *skb, | |||
| 815 | sizeof(_tcph), &_tcph); | 815 | sizeof(_tcph), &_tcph); |
| 816 | if (th == NULL) { | 816 | if (th == NULL) { |
| 817 | if (LOG_INVALID(IPPROTO_TCP)) | 817 | if (LOG_INVALID(IPPROTO_TCP)) |
| 818 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 818 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 819 | "ip_ct_tcp: short packet "); | 819 | "ip_ct_tcp: short packet "); |
| 820 | return -NF_ACCEPT; | 820 | return -NF_ACCEPT; |
| 821 | } | 821 | } |
| @@ -823,7 +823,7 @@ static int tcp_error(struct sk_buff *skb, | |||
| 823 | /* Not whole TCP header or malformed packet */ | 823 | /* Not whole TCP header or malformed packet */ |
| 824 | if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { | 824 | if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { |
| 825 | if (LOG_INVALID(IPPROTO_TCP)) | 825 | if (LOG_INVALID(IPPROTO_TCP)) |
| 826 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 826 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 827 | "ip_ct_tcp: truncated/malformed packet "); | 827 | "ip_ct_tcp: truncated/malformed packet "); |
| 828 | return -NF_ACCEPT; | 828 | return -NF_ACCEPT; |
| 829 | } | 829 | } |
| @@ -840,7 +840,7 @@ static int tcp_error(struct sk_buff *skb, | |||
| 840 | skb->ip_summed == CHECKSUM_HW ? skb->csum | 840 | skb->ip_summed == CHECKSUM_HW ? skb->csum |
| 841 | : skb_checksum(skb, iph->ihl*4, tcplen, 0))) { | 841 | : skb_checksum(skb, iph->ihl*4, tcplen, 0))) { |
| 842 | if (LOG_INVALID(IPPROTO_TCP)) | 842 | if (LOG_INVALID(IPPROTO_TCP)) |
| 843 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 843 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 844 | "ip_ct_tcp: bad TCP checksum "); | 844 | "ip_ct_tcp: bad TCP checksum "); |
| 845 | return -NF_ACCEPT; | 845 | return -NF_ACCEPT; |
| 846 | } | 846 | } |
| @@ -849,7 +849,7 @@ static int tcp_error(struct sk_buff *skb, | |||
| 849 | tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); | 849 | tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); |
| 850 | if (!tcp_valid_flags[tcpflags]) { | 850 | if (!tcp_valid_flags[tcpflags]) { |
| 851 | if (LOG_INVALID(IPPROTO_TCP)) | 851 | if (LOG_INVALID(IPPROTO_TCP)) |
| 852 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 852 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 853 | "ip_ct_tcp: invalid TCP flag combination "); | 853 | "ip_ct_tcp: invalid TCP flag combination "); |
| 854 | return -NF_ACCEPT; | 854 | return -NF_ACCEPT; |
| 855 | } | 855 | } |
| @@ -897,8 +897,9 @@ static int tcp_packet(struct ip_conntrack *conntrack, | |||
| 897 | */ | 897 | */ |
| 898 | write_unlock_bh(&tcp_lock); | 898 | write_unlock_bh(&tcp_lock); |
| 899 | if (LOG_INVALID(IPPROTO_TCP)) | 899 | if (LOG_INVALID(IPPROTO_TCP)) |
| 900 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 900 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, |
| 901 | "ip_ct_tcp: killing out of sync session "); | 901 | NULL, "ip_ct_tcp: " |
| 902 | "killing out of sync session "); | ||
| 902 | if (del_timer(&conntrack->timeout)) | 903 | if (del_timer(&conntrack->timeout)) |
| 903 | conntrack->timeout.function((unsigned long) | 904 | conntrack->timeout.function((unsigned long) |
| 904 | conntrack); | 905 | conntrack); |
| @@ -912,7 +913,7 @@ static int tcp_packet(struct ip_conntrack *conntrack, | |||
| 912 | 913 | ||
| 913 | write_unlock_bh(&tcp_lock); | 914 | write_unlock_bh(&tcp_lock); |
| 914 | if (LOG_INVALID(IPPROTO_TCP)) | 915 | if (LOG_INVALID(IPPROTO_TCP)) |
| 915 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 916 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 916 | "ip_ct_tcp: invalid packet ignored "); | 917 | "ip_ct_tcp: invalid packet ignored "); |
| 917 | return NF_ACCEPT; | 918 | return NF_ACCEPT; |
| 918 | case TCP_CONNTRACK_MAX: | 919 | case TCP_CONNTRACK_MAX: |
| @@ -922,7 +923,7 @@ static int tcp_packet(struct ip_conntrack *conntrack, | |||
| 922 | old_state); | 923 | old_state); |
| 923 | write_unlock_bh(&tcp_lock); | 924 | write_unlock_bh(&tcp_lock); |
| 924 | if (LOG_INVALID(IPPROTO_TCP)) | 925 | if (LOG_INVALID(IPPROTO_TCP)) |
| 925 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 926 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 926 | "ip_ct_tcp: invalid state "); | 927 | "ip_ct_tcp: invalid state "); |
| 927 | return -NF_ACCEPT; | 928 | return -NF_ACCEPT; |
| 928 | case TCP_CONNTRACK_SYN_SENT: | 929 | case TCP_CONNTRACK_SYN_SENT: |
| @@ -943,7 +944,7 @@ static int tcp_packet(struct ip_conntrack *conntrack, | |||
| 943 | write_unlock_bh(&tcp_lock); | 944 | write_unlock_bh(&tcp_lock); |
| 944 | if (LOG_INVALID(IPPROTO_TCP)) | 945 | if (LOG_INVALID(IPPROTO_TCP)) |
| 945 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 946 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, |
| 946 | "ip_ct_tcp: invalid SYN"); | 947 | NULL, "ip_ct_tcp: invalid SYN"); |
| 947 | return -NF_ACCEPT; | 948 | return -NF_ACCEPT; |
| 948 | } | 949 | } |
| 949 | case TCP_CONNTRACK_CLOSE: | 950 | case TCP_CONNTRACK_CLOSE: |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c index 14130169cbfd..f2dcac7c7660 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c | |||
| @@ -98,7 +98,7 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 98 | hdr = skb_header_pointer(skb, iph->ihl*4, sizeof(_hdr), &_hdr); | 98 | hdr = skb_header_pointer(skb, iph->ihl*4, sizeof(_hdr), &_hdr); |
| 99 | if (hdr == NULL) { | 99 | if (hdr == NULL) { |
| 100 | if (LOG_INVALID(IPPROTO_UDP)) | 100 | if (LOG_INVALID(IPPROTO_UDP)) |
| 101 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 101 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 102 | "ip_ct_udp: short packet "); | 102 | "ip_ct_udp: short packet "); |
| 103 | return -NF_ACCEPT; | 103 | return -NF_ACCEPT; |
| 104 | } | 104 | } |
| @@ -106,7 +106,7 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 106 | /* Truncated/malformed packets */ | 106 | /* Truncated/malformed packets */ |
| 107 | if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { | 107 | if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) { |
| 108 | if (LOG_INVALID(IPPROTO_UDP)) | 108 | if (LOG_INVALID(IPPROTO_UDP)) |
| 109 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 109 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 110 | "ip_ct_udp: truncated/malformed packet "); | 110 | "ip_ct_udp: truncated/malformed packet "); |
| 111 | return -NF_ACCEPT; | 111 | return -NF_ACCEPT; |
| 112 | } | 112 | } |
| @@ -126,7 +126,7 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | |||
| 126 | skb->ip_summed == CHECKSUM_HW ? skb->csum | 126 | skb->ip_summed == CHECKSUM_HW ? skb->csum |
| 127 | : skb_checksum(skb, iph->ihl*4, udplen, 0))) { | 127 | : skb_checksum(skb, iph->ihl*4, udplen, 0))) { |
| 128 | if (LOG_INVALID(IPPROTO_UDP)) | 128 | if (LOG_INVALID(IPPROTO_UDP)) |
| 129 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, | 129 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
| 130 | "ip_ct_udp: bad UDP checksum "); | 130 | "ip_ct_udp: bad UDP checksum "); |
| 131 | return -NF_ACCEPT; | 131 | return -NF_ACCEPT; |
| 132 | } | 132 | } |
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index ef08733d26da..92ed050fac69 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c | |||
| @@ -27,10 +27,6 @@ MODULE_LICENSE("GPL"); | |||
| 27 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | 27 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); |
| 28 | MODULE_DESCRIPTION("iptables syslog logging module"); | 28 | MODULE_DESCRIPTION("iptables syslog logging module"); |
| 29 | 29 | ||
| 30 | static unsigned int nflog = 1; | ||
| 31 | module_param(nflog, int, 0400); | ||
| 32 | MODULE_PARM_DESC(nflog, "register as internal netfilter logging module"); | ||
| 33 | |||
| 34 | #if 0 | 30 | #if 0 |
| 35 | #define DEBUGP printk | 31 | #define DEBUGP printk |
| 36 | #else | 32 | #else |
| @@ -41,11 +37,17 @@ MODULE_PARM_DESC(nflog, "register as internal netfilter logging module"); | |||
| 41 | static DEFINE_SPINLOCK(log_lock); | 37 | static DEFINE_SPINLOCK(log_lock); |
| 42 | 38 | ||
| 43 | /* One level of recursion won't kill us */ | 39 | /* One level of recursion won't kill us */ |
| 44 | static void dump_packet(const struct ipt_log_info *info, | 40 | static void dump_packet(const struct nf_loginfo *info, |
| 45 | const struct sk_buff *skb, | 41 | const struct sk_buff *skb, |
| 46 | unsigned int iphoff) | 42 | unsigned int iphoff) |
| 47 | { | 43 | { |
| 48 | struct iphdr _iph, *ih; | 44 | struct iphdr _iph, *ih; |
| 45 | unsigned int logflags; | ||
| 46 | |||
| 47 | if (info->type == NF_LOG_TYPE_LOG) | ||
| 48 | logflags = info->u.log.logflags; | ||
| 49 | else | ||
| 50 | logflags = NF_LOG_MASK; | ||
| 49 | 51 | ||
| 50 | ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); | 52 | ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); |
| 51 | if (ih == NULL) { | 53 | if (ih == NULL) { |
| @@ -76,7 +78,7 @@ static void dump_packet(const struct ipt_log_info *info, | |||
| 76 | if (ntohs(ih->frag_off) & IP_OFFSET) | 78 | if (ntohs(ih->frag_off) & IP_OFFSET) |
| 77 | printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); | 79 | printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); |
| 78 | 80 | ||
| 79 | if ((info->logflags & IPT_LOG_IPOPT) | 81 | if ((logflags & IPT_LOG_IPOPT) |
| 80 | && ih->ihl * 4 > sizeof(struct iphdr)) { | 82 | && ih->ihl * 4 > sizeof(struct iphdr)) { |
| 81 | unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op; | 83 | unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op; |
| 82 | unsigned int i, optsize; | 84 | unsigned int i, optsize; |
| @@ -119,7 +121,7 @@ static void dump_packet(const struct ipt_log_info *info, | |||
| 119 | printk("SPT=%u DPT=%u ", | 121 | printk("SPT=%u DPT=%u ", |
| 120 | ntohs(th->source), ntohs(th->dest)); | 122 | ntohs(th->source), ntohs(th->dest)); |
| 121 | /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ | 123 | /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ |
| 122 | if (info->logflags & IPT_LOG_TCPSEQ) | 124 | if (logflags & IPT_LOG_TCPSEQ) |
| 123 | printk("SEQ=%u ACK=%u ", | 125 | printk("SEQ=%u ACK=%u ", |
| 124 | ntohl(th->seq), ntohl(th->ack_seq)); | 126 | ntohl(th->seq), ntohl(th->ack_seq)); |
| 125 | /* Max length: 13 "WINDOW=65535 " */ | 127 | /* Max length: 13 "WINDOW=65535 " */ |
| @@ -146,7 +148,7 @@ static void dump_packet(const struct ipt_log_info *info, | |||
| 146 | /* Max length: 11 "URGP=65535 " */ | 148 | /* Max length: 11 "URGP=65535 " */ |
| 147 | printk("URGP=%u ", ntohs(th->urg_ptr)); | 149 | printk("URGP=%u ", ntohs(th->urg_ptr)); |
| 148 | 150 | ||
| 149 | if ((info->logflags & IPT_LOG_TCPOPT) | 151 | if ((logflags & IPT_LOG_TCPOPT) |
| 150 | && th->doff * 4 > sizeof(struct tcphdr)) { | 152 | && th->doff * 4 > sizeof(struct tcphdr)) { |
| 151 | unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; | 153 | unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; |
| 152 | unsigned char *op; | 154 | unsigned char *op; |
| @@ -328,7 +330,7 @@ static void dump_packet(const struct ipt_log_info *info, | |||
| 328 | } | 330 | } |
| 329 | 331 | ||
| 330 | /* Max length: 15 "UID=4294967295 " */ | 332 | /* Max length: 15 "UID=4294967295 " */ |
| 331 | if ((info->logflags & IPT_LOG_UID) && !iphoff && skb->sk) { | 333 | if ((logflags & IPT_LOG_UID) && !iphoff && skb->sk) { |
| 332 | read_lock_bh(&skb->sk->sk_callback_lock); | 334 | read_lock_bh(&skb->sk->sk_callback_lock); |
| 333 | if (skb->sk->sk_socket && skb->sk->sk_socket->file) | 335 | if (skb->sk->sk_socket && skb->sk->sk_socket->file) |
| 334 | printk("UID=%u ", skb->sk->sk_socket->file->f_uid); | 336 | printk("UID=%u ", skb->sk->sk_socket->file->f_uid); |
| @@ -349,19 +351,31 @@ static void dump_packet(const struct ipt_log_info *info, | |||
| 349 | /* maxlen = 230+ 91 + 230 + 252 = 803 */ | 351 | /* maxlen = 230+ 91 + 230 + 252 = 803 */ |
| 350 | } | 352 | } |
| 351 | 353 | ||
| 354 | struct nf_loginfo default_loginfo = { | ||
| 355 | .type = NF_LOG_TYPE_LOG, | ||
| 356 | .u = { | ||
| 357 | .log = { | ||
| 358 | .level = 0, | ||
| 359 | .logflags = NF_LOG_MASK, | ||
| 360 | }, | ||
| 361 | }, | ||
| 362 | }; | ||
| 363 | |||
| 352 | static void | 364 | static void |
| 353 | ipt_log_packet(unsigned int hooknum, | 365 | ipt_log_packet(unsigned int pf, |
| 366 | unsigned int hooknum, | ||
| 354 | const struct sk_buff *skb, | 367 | const struct sk_buff *skb, |
| 355 | const struct net_device *in, | 368 | const struct net_device *in, |
| 356 | const struct net_device *out, | 369 | const struct net_device *out, |
| 357 | const struct ipt_log_info *loginfo, | 370 | const struct nf_loginfo *loginfo, |
| 358 | const char *level_string, | ||
| 359 | const char *prefix) | 371 | const char *prefix) |
| 360 | { | 372 | { |
| 373 | if (!loginfo) | ||
| 374 | loginfo = &default_loginfo; | ||
| 375 | |||
| 361 | spin_lock_bh(&log_lock); | 376 | spin_lock_bh(&log_lock); |
| 362 | printk(level_string); | 377 | printk("<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, |
| 363 | printk("%sIN=%s OUT=%s ", | 378 | prefix, |
| 364 | prefix == NULL ? loginfo->prefix : prefix, | ||
| 365 | in ? in->name : "", | 379 | in ? in->name : "", |
| 366 | out ? out->name : ""); | 380 | out ? out->name : ""); |
| 367 | #ifdef CONFIG_BRIDGE_NETFILTER | 381 | #ifdef CONFIG_BRIDGE_NETFILTER |
| @@ -405,28 +419,15 @@ ipt_log_target(struct sk_buff **pskb, | |||
| 405 | void *userinfo) | 419 | void *userinfo) |
| 406 | { | 420 | { |
| 407 | const struct ipt_log_info *loginfo = targinfo; | 421 | const struct ipt_log_info *loginfo = targinfo; |
| 408 | char level_string[4] = "< >"; | 422 | struct nf_loginfo li; |
| 409 | 423 | ||
| 410 | level_string[1] = '0' + (loginfo->level % 8); | 424 | li.type = NF_LOG_TYPE_LOG; |
| 411 | ipt_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL); | 425 | li.u.log.level = loginfo->level; |
| 426 | li.u.log.logflags = loginfo->logflags; | ||
| 412 | 427 | ||
| 413 | return IPT_CONTINUE; | 428 | nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li, loginfo->prefix); |
| 414 | } | ||
| 415 | 429 | ||
| 416 | static void | 430 | return IPT_CONTINUE; |
| 417 | ipt_logfn(unsigned int hooknum, | ||
| 418 | const struct sk_buff *skb, | ||
| 419 | const struct net_device *in, | ||
| 420 | const struct net_device *out, | ||
| 421 | const char *prefix) | ||
| 422 | { | ||
| 423 | struct ipt_log_info loginfo = { | ||
| 424 | .level = 0, | ||
| 425 | .logflags = IPT_LOG_MASK, | ||
| 426 | .prefix = "" | ||
| 427 | }; | ||
| 428 | |||
| 429 | ipt_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix); | ||
| 430 | } | 431 | } |
| 431 | 432 | ||
| 432 | static int ipt_log_checkentry(const char *tablename, | 433 | static int ipt_log_checkentry(const char *tablename, |
| @@ -464,20 +465,29 @@ static struct ipt_target ipt_log_reg = { | |||
| 464 | .me = THIS_MODULE, | 465 | .me = THIS_MODULE, |
| 465 | }; | 466 | }; |
| 466 | 467 | ||
| 468 | static struct nf_logger ipt_log_logger ={ | ||
| 469 | .name = "ipt_LOG", | ||
| 470 | .logfn = &ipt_log_packet, | ||
| 471 | .me = THIS_MODULE, | ||
| 472 | }; | ||
| 473 | |||
| 467 | static int __init init(void) | 474 | static int __init init(void) |
| 468 | { | 475 | { |
| 469 | if (ipt_register_target(&ipt_log_reg)) | 476 | if (ipt_register_target(&ipt_log_reg)) |
| 470 | return -EINVAL; | 477 | return -EINVAL; |
| 471 | if (nflog) | 478 | if (nf_log_register(PF_INET, &ipt_log_logger) < 0) { |
| 472 | nf_log_register(PF_INET, &ipt_logfn); | 479 | printk(KERN_WARNING "ipt_LOG: not logging via system console " |
| 480 | "since somebody else already registered for PF_INET\n"); | ||
| 481 | /* we cannot make module load fail here, since otherwise | ||
| 482 | * iptables userspace would abort */ | ||
| 483 | } | ||
| 473 | 484 | ||
| 474 | return 0; | 485 | return 0; |
| 475 | } | 486 | } |
| 476 | 487 | ||
| 477 | static void __exit fini(void) | 488 | static void __exit fini(void) |
| 478 | { | 489 | { |
| 479 | if (nflog) | 490 | nf_log_unregister_logger(&ipt_log_logger); |
| 480 | nf_log_unregister(PF_INET, &ipt_logfn); | ||
| 481 | ipt_unregister_target(&ipt_log_reg); | 491 | ipt_unregister_target(&ipt_log_reg); |
| 482 | } | 492 | } |
| 483 | 493 | ||
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 4ea8371ab270..b86f06ec9762 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
| @@ -304,18 +304,27 @@ static unsigned int ipt_ulog_target(struct sk_buff **pskb, | |||
| 304 | return IPT_CONTINUE; | 304 | return IPT_CONTINUE; |
| 305 | } | 305 | } |
| 306 | 306 | ||
| 307 | static void ipt_logfn(unsigned int hooknum, | 307 | static void ipt_logfn(unsigned int pf, |
| 308 | unsigned int hooknum, | ||
| 308 | const struct sk_buff *skb, | 309 | const struct sk_buff *skb, |
| 309 | const struct net_device *in, | 310 | const struct net_device *in, |
| 310 | const struct net_device *out, | 311 | const struct net_device *out, |
| 312 | const struct nf_loginfo *li, | ||
| 311 | const char *prefix) | 313 | const char *prefix) |
| 312 | { | 314 | { |
| 313 | struct ipt_ulog_info loginfo = { | 315 | struct ipt_ulog_info loginfo; |
| 314 | .nl_group = ULOG_DEFAULT_NLGROUP, | 316 | |
| 315 | .copy_range = 0, | 317 | if (!li || li->type != NF_LOG_TYPE_ULOG) { |
| 316 | .qthreshold = ULOG_DEFAULT_QTHRESHOLD, | 318 | loginfo.nl_group = ULOG_DEFAULT_NLGROUP; |
| 317 | .prefix = "" | 319 | loginfo.copy_range = 0; |
| 318 | }; | 320 | loginfo.qthreshold = ULOG_DEFAULT_QTHRESHOLD; |
| 321 | loginfo.prefix[0] = '\0'; | ||
| 322 | } else { | ||
| 323 | loginfo.nl_group = li->u.ulog.group; | ||
| 324 | loginfo.copy_range = li->u.ulog.copy_len; | ||
| 325 | loginfo.qthreshold = li->u.ulog.qthreshold; | ||
| 326 | strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix)); | ||
| 327 | } | ||
| 319 | 328 | ||
| 320 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); | 329 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); |
| 321 | } | 330 | } |
| @@ -355,6 +364,12 @@ static struct ipt_target ipt_ulog_reg = { | |||
| 355 | .me = THIS_MODULE, | 364 | .me = THIS_MODULE, |
| 356 | }; | 365 | }; |
| 357 | 366 | ||
| 367 | static struct nf_logger ipt_ulog_logger = { | ||
| 368 | .name = "ipt_ULOG", | ||
| 369 | .logfn = &ipt_logfn, | ||
| 370 | .me = THIS_MODULE, | ||
| 371 | }; | ||
| 372 | |||
| 358 | static int __init init(void) | 373 | static int __init init(void) |
| 359 | { | 374 | { |
| 360 | int i; | 375 | int i; |
| @@ -382,7 +397,7 @@ static int __init init(void) | |||
| 382 | return -EINVAL; | 397 | return -EINVAL; |
| 383 | } | 398 | } |
| 384 | if (nflog) | 399 | if (nflog) |
| 385 | nf_log_register(PF_INET, &ipt_logfn); | 400 | nf_log_register(PF_INET, &ipt_ulog_logger); |
| 386 | 401 | ||
| 387 | return 0; | 402 | return 0; |
| 388 | } | 403 | } |
| @@ -395,7 +410,7 @@ static void __exit fini(void) | |||
| 395 | DEBUGP("ipt_ULOG: cleanup_module\n"); | 410 | DEBUGP("ipt_ULOG: cleanup_module\n"); |
| 396 | 411 | ||
| 397 | if (nflog) | 412 | if (nflog) |
| 398 | nf_log_unregister(PF_INET, &ipt_logfn); | 413 | nf_log_unregister_logger(&ipt_ulog_logger); |
| 399 | ipt_unregister_target(&ipt_ulog_reg); | 414 | ipt_unregister_target(&ipt_ulog_reg); |
| 400 | sock_release(nflognl->sk_socket); | 415 | sock_release(nflognl->sk_socket); |
| 401 | 416 | ||