netfilter: nf_log: prepare net namespace support for loggers

This patch adds netns support to nf_log and it prepares netns
support for existing loggers. It is composed of four major
changes.

1) nf_log_register has been split to two functions: nf_log_register
   and nf_log_set. The new nf_log_register is used to globally
   register the nf_logger and nf_log_set is used for enabling
   pernet support from nf_loggers.

   Per netns is not yet complete after this patch, it comes in
   separate follow up patches.

2) Add net as a parameter of nf_log_bind_pf. Per netns is not
   yet complete after this patch, it only allows to bind the
   nf_logger to the protocol family from init_net and it skips
   other cases.

3) Adapt all nf_log_packet callers to pass netns as parameter.
   After this patch, this function only works for init_net.

4) Make the sysctl net/netfilter/nf_log pernet.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 6 insertions, 4 deletions

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 341b54ade72c..8861b1ef420e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -284,6 +284,7 @@ static void trace_packet(const struct sk_buff *skb,
         const char *hookname, *chainname, *comment;
         const struct ip6t_entry *iter;
         unsigned int rulenum = 0;
+        struct net *net = dev_net(in ? in : out);
 
         table_base = private->entries[smp_processor_id()];
         root = get_entry(table_base, private->hook_entry[hook]);
@@ -296,7 +297,7 @@ static void trace_packet(const struct sk_buff *skb,
                     &chainname, &comment, &rulenum) != 0)
                         break;
 
-        nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
+        nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
                       "TRACE: %s:%s:%s:%u ",
                       tablename, chainname, comment, rulenum);
 }
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 24df3dde0076..b3807c5cb888 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -131,7 +131,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
                          type + 128);
                 nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
                 if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
-                        nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
+                                      NULL, NULL,
                                       "nf_ct_icmpv6: invalid new with type %d ",
                                       type + 128);
                 return false;
@@ -203,7 +204,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
         icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
         if (icmp6h == NULL) {
                 if (LOG_INVALID(net, IPPROTO_ICMPV6))
-                nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
                               "nf_ct_icmpv6: short packet ");
                 return -NF_ACCEPT;
         }
@@ -211,7 +212,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
             nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
                 if (LOG_INVALID(net, IPPROTO_ICMPV6))
-                        nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
                                       "nf_ct_icmpv6: ICMPv6 checksum failed ");
                 return -NF_ACCEPT;
         }