aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
authorRichard Weinberger <richard@nod.at>2012-02-10 17:10:52 -0500
committerPablo Neira Ayuso <pablo@netfilter.org>2012-03-07 11:40:49 -0500
commit6939c33a757bd006c5e0b8b5fd429fc587a4d0f4 (patch)
treec635fa7ceeb8a1a80540b45cf9e059ccb98ecdb1 /net/ipv6
parent544d5c7d9f4d1ec4f170bc5bcc522012cb7704bc (diff)
netfilter: merge ipt_LOG and ip6_LOG into xt_LOG
ipt_LOG and ip6_LOG have a lot of common code, merge them to reduce duplicate code. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/Kconfig9
-rw-r--r--net/ipv6/netfilter/Makefile1
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c527
3 files changed, 0 insertions, 537 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 9a68fb5b9e77..d33cddd16fbb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -154,15 +154,6 @@ config IP6_NF_TARGET_HL
154 (e.g. when running oldconfig). It selects 154 (e.g. when running oldconfig). It selects
155 CONFIG_NETFILTER_XT_TARGET_HL. 155 CONFIG_NETFILTER_XT_TARGET_HL.
156 156
157config IP6_NF_TARGET_LOG
158 tristate "LOG target support"
159 default m if NETFILTER_ADVANCED=n
160 help
161 This option adds a `LOG' target, which allows you to create rules in
162 any iptables table which records the packet header to the syslog.
163
164 To compile it as a module, choose M here. If unsure, say N.
165
166config IP6_NF_FILTER 157config IP6_NF_FILTER
167 tristate "Packet filtering" 158 tristate "Packet filtering"
168 default m if NETFILTER_ADVANCED=n 159 default m if NETFILTER_ADVANCED=n
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 2eaed96db02c..d4dfd0a21097 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -31,5 +31,4 @@ obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
31obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o 31obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
32 32
33# targets 33# targets
34obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
35obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o 34obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
deleted file mode 100644
index e6af8d72f26b..000000000000
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ /dev/null
@@ -1,527 +0,0 @@
1/*
2 * This is a module which is used for logging packets.
3 */
4
5/* (C) 2001 Jan Rekorajski <baggins@pld.org.pl>
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
11 */
12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h>
14#include <linux/skbuff.h>
15#include <linux/if_arp.h>
16#include <linux/ip.h>
17#include <linux/spinlock.h>
18#include <linux/icmpv6.h>
19#include <net/udp.h>
20#include <net/tcp.h>
21#include <net/ipv6.h>
22#include <linux/netfilter.h>
23#include <linux/netfilter/x_tables.h>
24#include <linux/netfilter_ipv6/ip6_tables.h>
25#include <net/netfilter/nf_log.h>
26#include <net/netfilter/xt_log.h>
27
28MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
29MODULE_DESCRIPTION("Xtables: IPv6 packet logging to syslog");
30MODULE_LICENSE("GPL");
31
32struct in_device;
33#include <net/route.h>
34#include <linux/netfilter_ipv6/ip6t_LOG.h>
35
36/* One level of recursion won't kill us */
37static void dump_packet(struct sbuff *m,
38 const struct nf_loginfo *info,
39 const struct sk_buff *skb, unsigned int ip6hoff,
40 int recurse)
41{
42 u_int8_t currenthdr;
43 int fragment;
44 struct ipv6hdr _ip6h;
45 const struct ipv6hdr *ih;
46 unsigned int ptr;
47 unsigned int hdrlen = 0;
48 unsigned int logflags;
49
50 if (info->type == NF_LOG_TYPE_LOG)
51 logflags = info->u.log.logflags;
52 else
53 logflags = NF_LOG_MASK;
54
55 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
56 if (ih == NULL) {
57 sb_add(m, "TRUNCATED");
58 return;
59 }
60
61 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
62 sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
63
64 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
65 sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
66 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
67 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
68 ih->hop_limit,
69 (ntohl(*(__be32 *)ih) & 0x000fffff));
70
71 fragment = 0;
72 ptr = ip6hoff + sizeof(struct ipv6hdr);
73 currenthdr = ih->nexthdr;
74 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
75 struct ipv6_opt_hdr _hdr;
76 const struct ipv6_opt_hdr *hp;
77
78 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
79 if (hp == NULL) {
80 sb_add(m, "TRUNCATED");
81 return;
82 }
83
84 /* Max length: 48 "OPT (...) " */
85 if (logflags & IP6T_LOG_IPOPT)
86 sb_add(m, "OPT ( ");
87
88 switch (currenthdr) {
89 case IPPROTO_FRAGMENT: {
90 struct frag_hdr _fhdr;
91 const struct frag_hdr *fh;
92
93 sb_add(m, "FRAG:");
94 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
95 &_fhdr);
96 if (fh == NULL) {
97 sb_add(m, "TRUNCATED ");
98 return;
99 }
100
101 /* Max length: 6 "65535 " */
102 sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
103
104 /* Max length: 11 "INCOMPLETE " */
105 if (fh->frag_off & htons(0x0001))
106 sb_add(m, "INCOMPLETE ");
107
108 sb_add(m, "ID:%08x ", ntohl(fh->identification));
109
110 if (ntohs(fh->frag_off) & 0xFFF8)
111 fragment = 1;
112
113 hdrlen = 8;
114
115 break;
116 }
117 case IPPROTO_DSTOPTS:
118 case IPPROTO_ROUTING:
119 case IPPROTO_HOPOPTS:
120 if (fragment) {
121 if (logflags & IP6T_LOG_IPOPT)
122 sb_add(m, ")");
123 return;
124 }
125 hdrlen = ipv6_optlen(hp);
126 break;
127 /* Max Length */
128 case IPPROTO_AH:
129 if (logflags & IP6T_LOG_IPOPT) {
130 struct ip_auth_hdr _ahdr;
131 const struct ip_auth_hdr *ah;
132
133 /* Max length: 3 "AH " */
134 sb_add(m, "AH ");
135
136 if (fragment) {
137 sb_add(m, ")");
138 return;
139 }
140
141 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
142 &_ahdr);
143 if (ah == NULL) {
144 /*
145 * Max length: 26 "INCOMPLETE [65535
146 * bytes] )"
147 */
148 sb_add(m, "INCOMPLETE [%u bytes] )",
149 skb->len - ptr);
150 return;
151 }
152
153 /* Length: 15 "SPI=0xF1234567 */
154 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
155
156 }
157
158 hdrlen = (hp->hdrlen+2)<<2;
159 break;
160 case IPPROTO_ESP:
161 if (logflags & IP6T_LOG_IPOPT) {
162 struct ip_esp_hdr _esph;
163 const struct ip_esp_hdr *eh;
164
165 /* Max length: 4 "ESP " */
166 sb_add(m, "ESP ");
167
168 if (fragment) {
169 sb_add(m, ")");
170 return;
171 }
172
173 /*
174 * Max length: 26 "INCOMPLETE [65535 bytes] )"
175 */
176 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
177 &_esph);
178 if (eh == NULL) {
179 sb_add(m, "INCOMPLETE [%u bytes] )",
180 skb->len - ptr);
181 return;
182 }
183
184 /* Length: 16 "SPI=0xF1234567 )" */
185 sb_add(m, "SPI=0x%x )", ntohl(eh->spi) );
186
187 }
188 return;
189 default:
190 /* Max length: 20 "Unknown Ext Hdr 255" */
191 sb_add(m, "Unknown Ext Hdr %u", currenthdr);
192 return;
193 }
194 if (logflags & IP6T_LOG_IPOPT)
195 sb_add(m, ") ");
196
197 currenthdr = hp->nexthdr;
198 ptr += hdrlen;
199 }
200
201 switch (currenthdr) {
202 case IPPROTO_TCP: {
203 struct tcphdr _tcph;
204 const struct tcphdr *th;
205
206 /* Max length: 10 "PROTO=TCP " */
207 sb_add(m, "PROTO=TCP ");
208
209 if (fragment)
210 break;
211
212 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
213 th = skb_header_pointer(skb, ptr, sizeof(_tcph), &_tcph);
214 if (th == NULL) {
215 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
216 return;
217 }
218
219 /* Max length: 20 "SPT=65535 DPT=65535 " */
220 sb_add(m, "SPT=%u DPT=%u ",
221 ntohs(th->source), ntohs(th->dest));
222 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
223 if (logflags & IP6T_LOG_TCPSEQ)
224 sb_add(m, "SEQ=%u ACK=%u ",
225 ntohl(th->seq), ntohl(th->ack_seq));
226 /* Max length: 13 "WINDOW=65535 " */
227 sb_add(m, "WINDOW=%u ", ntohs(th->window));
228 /* Max length: 9 "RES=0x3C " */
229 sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & TCP_RESERVED_BITS) >> 22));
230 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
231 if (th->cwr)
232 sb_add(m, "CWR ");
233 if (th->ece)
234 sb_add(m, "ECE ");
235 if (th->urg)
236 sb_add(m, "URG ");
237 if (th->ack)
238 sb_add(m, "ACK ");
239 if (th->psh)
240 sb_add(m, "PSH ");
241 if (th->rst)
242 sb_add(m, "RST ");
243 if (th->syn)
244 sb_add(m, "SYN ");
245 if (th->fin)
246 sb_add(m, "FIN ");
247 /* Max length: 11 "URGP=65535 " */
248 sb_add(m, "URGP=%u ", ntohs(th->urg_ptr));
249
250 if ((logflags & IP6T_LOG_TCPOPT) &&
251 th->doff * 4 > sizeof(struct tcphdr)) {
252 u_int8_t _opt[60 - sizeof(struct tcphdr)];
253 const u_int8_t *op;
254 unsigned int i;
255 unsigned int optsize = th->doff * 4
256 - sizeof(struct tcphdr);
257
258 op = skb_header_pointer(skb,
259 ptr + sizeof(struct tcphdr),
260 optsize, _opt);
261 if (op == NULL) {
262 sb_add(m, "OPT (TRUNCATED)");
263 return;
264 }
265
266 /* Max length: 127 "OPT (" 15*4*2chars ") " */
267 sb_add(m, "OPT (");
268 for (i =0; i < optsize; i++)
269 sb_add(m, "%02X", op[i]);
270 sb_add(m, ") ");
271 }
272 break;
273 }
274 case IPPROTO_UDP:
275 case IPPROTO_UDPLITE: {
276 struct udphdr _udph;
277 const struct udphdr *uh;
278
279 if (currenthdr == IPPROTO_UDP)
280 /* Max length: 10 "PROTO=UDP " */
281 sb_add(m, "PROTO=UDP " );
282 else /* Max length: 14 "PROTO=UDPLITE " */
283 sb_add(m, "PROTO=UDPLITE ");
284
285 if (fragment)
286 break;
287
288 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
289 uh = skb_header_pointer(skb, ptr, sizeof(_udph), &_udph);
290 if (uh == NULL) {
291 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
292 return;
293 }
294
295 /* Max length: 20 "SPT=65535 DPT=65535 " */
296 sb_add(m, "SPT=%u DPT=%u LEN=%u ",
297 ntohs(uh->source), ntohs(uh->dest),
298 ntohs(uh->len));
299 break;
300 }
301 case IPPROTO_ICMPV6: {
302 struct icmp6hdr _icmp6h;
303 const struct icmp6hdr *ic;
304
305 /* Max length: 13 "PROTO=ICMPv6 " */
306 sb_add(m, "PROTO=ICMPv6 ");
307
308 if (fragment)
309 break;
310
311 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
312 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
313 if (ic == NULL) {
314 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
315 return;
316 }
317
318 /* Max length: 18 "TYPE=255 CODE=255 " */
319 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code);
320
321 switch (ic->icmp6_type) {
322 case ICMPV6_ECHO_REQUEST:
323 case ICMPV6_ECHO_REPLY:
324 /* Max length: 19 "ID=65535 SEQ=65535 " */
325 sb_add(m, "ID=%u SEQ=%u ",
326 ntohs(ic->icmp6_identifier),
327 ntohs(ic->icmp6_sequence));
328 break;
329 case ICMPV6_MGM_QUERY:
330 case ICMPV6_MGM_REPORT:
331 case ICMPV6_MGM_REDUCTION:
332 break;
333
334 case ICMPV6_PARAMPROB:
335 /* Max length: 17 "POINTER=ffffffff " */
336 sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer));
337 /* Fall through */
338 case ICMPV6_DEST_UNREACH:
339 case ICMPV6_PKT_TOOBIG:
340 case ICMPV6_TIME_EXCEED:
341 /* Max length: 3+maxlen */
342 if (recurse) {
343 sb_add(m, "[");
344 dump_packet(m, info, skb,
345 ptr + sizeof(_icmp6h), 0);
346 sb_add(m, "] ");
347 }
348
349 /* Max length: 10 "MTU=65535 " */
350 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
351 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu));
352 }
353 break;
354 }
355 /* Max length: 10 "PROTO=255 " */
356 default:
357 sb_add(m, "PROTO=%u ", currenthdr);
358 }
359
360 /* Max length: 15 "UID=4294967295 " */
361 if ((logflags & IP6T_LOG_UID) && recurse && skb->sk) {
362 read_lock_bh(&skb->sk->sk_callback_lock);
363 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
364 sb_add(m, "UID=%u GID=%u ",
365 skb->sk->sk_socket->file->f_cred->fsuid,
366 skb->sk->sk_socket->file->f_cred->fsgid);
367 read_unlock_bh(&skb->sk->sk_callback_lock);
368 }
369
370 /* Max length: 16 "MARK=0xFFFFFFFF " */
371 if (!recurse && skb->mark)
372 sb_add(m, "MARK=0x%x ", skb->mark);
373}
374
375static void dump_mac_header(struct sbuff *m,
376 const struct nf_loginfo *info,
377 const struct sk_buff *skb)
378{
379 struct net_device *dev = skb->dev;
380 unsigned int logflags = 0;
381
382 if (info->type == NF_LOG_TYPE_LOG)
383 logflags = info->u.log.logflags;
384
385 if (!(logflags & IP6T_LOG_MACDECODE))
386 goto fallback;
387
388 switch (dev->type) {
389 case ARPHRD_ETHER:
390 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
391 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
392 ntohs(eth_hdr(skb)->h_proto));
393 return;
394 default:
395 break;
396 }
397
398fallback:
399 sb_add(m, "MAC=");
400 if (dev->hard_header_len &&
401 skb->mac_header != skb->network_header) {
402 const unsigned char *p = skb_mac_header(skb);
403 unsigned int len = dev->hard_header_len;
404 unsigned int i;
405
406 if (dev->type == ARPHRD_SIT &&
407 (p -= ETH_HLEN) < skb->head)
408 p = NULL;
409
410 if (p != NULL) {
411 sb_add(m, "%02x", *p++);
412 for (i = 1; i < len; i++)
413 sb_add(m, ":%02x", *p++);
414 }
415 sb_add(m, " ");
416
417 if (dev->type == ARPHRD_SIT) {
418 const struct iphdr *iph =
419 (struct iphdr *)skb_mac_header(skb);
420 sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr, &iph->daddr);
421 }
422 } else
423 sb_add(m, " ");
424}
425
426static struct nf_loginfo default_loginfo = {
427 .type = NF_LOG_TYPE_LOG,
428 .u = {
429 .log = {
430 .level = 5,
431 .logflags = NF_LOG_MASK,
432 },
433 },
434};
435
436static void
437ip6t_log_packet(u_int8_t pf,
438 unsigned int hooknum,
439 const struct sk_buff *skb,
440 const struct net_device *in,
441 const struct net_device *out,
442 const struct nf_loginfo *loginfo,
443 const char *prefix)
444{
445 struct sbuff *m = sb_open();
446
447 if (!loginfo)
448 loginfo = &default_loginfo;
449
450 sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
451 prefix,
452 in ? in->name : "",
453 out ? out->name : "");
454
455 if (in != NULL)
456 dump_mac_header(m, loginfo, skb);
457
458 dump_packet(m, loginfo, skb, skb_network_offset(skb), 1);
459
460 sb_close(m);
461}
462
463static unsigned int
464log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
465{
466 const struct ip6t_log_info *loginfo = par->targinfo;
467 struct nf_loginfo li;
468
469 li.type = NF_LOG_TYPE_LOG;
470 li.u.log.level = loginfo->level;
471 li.u.log.logflags = loginfo->logflags;
472
473 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in, par->out,
474 &li, loginfo->prefix);
475 return XT_CONTINUE;
476}
477
478
479static int log_tg6_check(const struct xt_tgchk_param *par)
480{
481 const struct ip6t_log_info *loginfo = par->targinfo;
482
483 if (loginfo->level >= 8) {
484 pr_debug("level %u >= 8\n", loginfo->level);
485 return -EINVAL;
486 }
487 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
488 pr_debug("prefix not null-terminated\n");
489 return -EINVAL;
490 }
491 return 0;
492}
493
494static struct xt_target log_tg6_reg __read_mostly = {
495 .name = "LOG",
496 .family = NFPROTO_IPV6,
497 .target = log_tg6,
498 .targetsize = sizeof(struct ip6t_log_info),
499 .checkentry = log_tg6_check,
500 .me = THIS_MODULE,
501};
502
503static struct nf_logger ip6t_logger __read_mostly = {
504 .name = "ip6t_LOG",
505 .logfn = &ip6t_log_packet,
506 .me = THIS_MODULE,
507};
508
509static int __init log_tg6_init(void)
510{
511 int ret;
512
513 ret = xt_register_target(&log_tg6_reg);
514 if (ret < 0)
515 return ret;
516 nf_log_register(NFPROTO_IPV6, &ip6t_logger);
517 return 0;
518}
519
520static void __exit log_tg6_exit(void)
521{
522 nf_log_unregister(&ip6t_logger);
523 xt_unregister_target(&log_tg6_reg);
524}
525
526module_init(log_tg6_init);
527module_exit(log_tg6_exit);
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-10 13:54:50 -0500