authorPatrick McHardy <kaber@trash.net>2006-11-28 20:35:38 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:31:31 -0500
commitbaf7b1e11282127e068d149825cccec002091d61 (patch)
tree33eae4a25dad2666e5b51bffb76d5c7d2db725c2 /net
parent39b46fc6f0d1161a5585cd8af7b3a05e8118ab7e (diff)
[NETFILTER]: x_tables: add NFLOG target
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c9
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c9
-rw-r--r--net/netfilter/Kconfig11
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/xt_NFLOG.c86
5 files changed, 102 insertions, 14 deletions
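diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 46eee64a11f6..c96de16fefae 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -430,13 +430,8 @@ ipt_log_target(struct sk_buff **pskb,
  li.u.log.level = loginfo->level;
  li.u.log.logflags = loginfo->logflags;
 
- if (loginfo->logflags & IPT_LOG_NFLOG)
- nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
- "%s", loginfo->prefix);
- else
- ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
- loginfo->prefix);
-
+ ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
  return IPT_CONTINUE;
 }
 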
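Review bot: A rule that still carries `IPT_LOG_NFLOG` in `logflags` is now logged through `ipt_log_packet()` with no error, and the bit is still copied into `li.u.log.logflags` on the context line above the removed branch. Whether the target's checkentry rejects that bit cannot be seen here: `ipt_log_target()` starts outside the hunk, and header changes are outside this 'net'-limited diff. A ruleset that relied on the flag would therefore lose its nfnetlink_log feed silently. If the flag stays defined, consider rejecting it at rule-load time or masking it, e.g. `li.u.log.logflags = loginfo->logflags & ~IPT_LOG_NFLOG;`. The same applies to `IP6T_LOG_NFLOG` in the ip6t_LOG.c section.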
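diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index f4857cf97f05..33b1faa90d74 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -440,13 +440,8 @@ ip6t_log_target(struct sk_buff **pskb,
  li.u.log.level = loginfo->level;
  li.u.log.logflags = loginfo->logflags;
 
- if (loginfo->logflags & IP6T_LOG_NFLOG)
- nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
- "%s", loginfo->prefix);
- else
- ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
- loginfo->prefix);
-
+ ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
  return IP6T_CONTINUE;
 }
 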
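diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 7e6125467c12..d191dacead5e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -184,6 +184,17 @@ config NETFILTER_XT_TARGET_NFQUEUE
 
  To compile it as a module, choose M here. If unsure, say N.
 
+config NETFILTER_XT_TARGET_NFLOG
+ tristate '"NFLOG" target support'
+ depends on NETFILTER_XTABLES
+ help
+ This option enables the NFLOG target, which allows to LOG
+ messages through the netfilter logging API, which can use
+ either the old LOG target, the old ULOG target or nfnetlink_log
+ as backend.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_TARGET_NOTRACK
  tristate '"NOTRACK" target support'
  depends on NETFILTER_XTABLES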
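diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f85811bfcfe5..7f0089c584bf 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o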
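diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
new file mode 100644
index 000000000000..901ed7abaa1b
--- /dev/null
+++ b/net/netfilter/xt_NFLOG.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_NFLOG.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_NFLOG");
+MODULE_ALIAS("ip6t_NFLOG");
+
+static unsigned int
+nflog_target(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *target,
+ const void *targinfo)
+{
+ const struct xt_nflog_info *info = targinfo;
+ struct nf_loginfo li;
+
+ li.type = NF_LOG_TYPE_ULOG;
+ li.u.ulog.copy_len = info->len;
+ li.u.ulog.group = info->group;
+ li.u.ulog.qthreshold = info->threshold;
+
+ nf_log_packet(target->family, hooknum, *pskb, in, out, &li,
+ "%s", info->prefix);
+ return XT_CONTINUE;
+}
+
+static int
+nflog_checkentry(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targetinfo,
+ unsigned int hookmask)
+{
+ struct xt_nflog_info *info = targetinfo;
+
+ if (info->flags & ~XT_NFLOG_MASK)
+ return 0;
+ if (info->prefix[sizeof(info->prefix) - 1] != '\0')
+ return 0;
+ return 1;
+}
+
+static struct xt_target xt_nflog_target[] = {
+ {
+ .name = "NFLOG",
+ .family = AF_INET,
+ .checkentry = nflog_checkentry,
+ .target = nflog_target,
+ .targetsize = sizeof(struct xt_nflog_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "NFLOG",
+ .family = AF_INET6,
+ .checkentry = nflog_checkentry,
+ .target = nflog_target,
+ .targetsize = sizeof(struct xt_nflog_info),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init xt_nflog_init(void)
+{
+ return xt_register_targets(xt_nflog_target,
+ ARRAY_SIZE(xt_nflog_target));
+}
+
+static void __exit xt_nflog_fini(void)
+{
+ xt_unregister_targets(xt_nflog_target, ARRAY_SIZE(xt_nflog_target));
+}
+
+module_init(xt_nflog_init);
+module_exit(xt_nflog_fini);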
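Review bot: `nflog_target()` passes `nf_log_packet()` a `struct nf_loginfo` whose union holds only `u.ulog` data, so a backend that reads `u.log.level` or `u.log.logflags` without first checking `li.type` would misinterpret `copy_len` and `group`. The Kconfig help added in this commit names the old LOG target as a possible backend, and the LOG targets on this page fill exactly those `u.log` members; the backend code itself is not in this diff, so this needs confirming there. I would at least state the contract above the assignments, e.g. `/* only u.ulog is valid here; backends must check li.type before reading li.u */`. The NUL-termination test in `nflog_checkentry()` is what keeps the `"%s"` argument in `nflog_target()` bounded and deserves a one-line comment, e.g. `/* prefix is supplied with the rule; reject it if unterminated */`.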