netfilter: ebt_log: add net namespace support for ebt_log

Add pernet support to ebt_log by means of the new nf_log_set function added in (30e0c6a netfilter: nf_log: prepare net namespace support for loggers). Since syslog ns has yet not been implemented, we don't want the containers to DDOS host's syslogd. So only enable ebt_log only from init_net and wait for syslog ns support. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Gao feng <gaofeng@cn.fujitsu.com> 2013-03-24 19:50:41 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-04-05 14:57:27 -0400
commit: 7d2789246cc9423d66d903f992d13a022710592a (patch)
tree: 211354c39c1467fdca88dc7593227e194b62f140 /net
parent: 30e0c6a6bee24db0166b7ca709277cd693e179f2 (diff)
1 files changed, 35 insertions, 2 deletions
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 08e5ea5ec4ed..9878eb8204c5 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -78,6 +78,11 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
   const char *prefix)
 {
        unsigned int bitmask;
+        struct net *net = dev_net(in ? in : out);
+        /* FIXME: Disabled from containers until syslog ns is supported */
+        if (!net_eq(net, &init_net))
+                return;
        spin_lock_bh(&ebt_log_lock);
        printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
@@ -207,19 +212,47 @@ static struct nf_logger ebt_log_logger __read_mostly = {
        .me             = THIS_MODULE,
 };
+static int __net_init ebt_log_net_init(struct net *net)
+{
+        nf_log_set(net, NFPROTO_BRIDGE, &ebt_log_logger);
+        return 0;
+}
+static void __net_exit ebt_log_net_fini(struct net *net)
+{
+        nf_log_unset(net, &ebt_log_logger);
+}
+static struct pernet_operations ebt_log_net_ops = {
+        .init = ebt_log_net_init,
+        .exit = ebt_log_net_fini,
+};
 static int __init ebt_log_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&ebt_log_net_ops);
+        if (ret < 0)
+                goto err_pernet;
        ret = xt_register_target(&ebt_log_tg_reg);
        if (ret < 0)
-                return ret;
+                goto err_target;
        nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger);
-        return 0;
+        return ret;
+err_target:
+        unregister_pernet_subsys(&ebt_log_net_ops);
+err_pernet:
+        return ret;
 }
 static void __exit ebt_log_fini(void)
 {
+        unregister_pernet_subsys(&ebt_log_net_ops);
        nf_log_unregister(&ebt_log_logger);
        xt_unregister_target(&ebt_log_tg_reg);
 }
author	Gao feng <gaofeng@cn.fujitsu.com>	2013-03-24 19:50:41 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-04-05 14:57:27 -0400
commit	7d2789246cc9423d66d903f992d13a022710592a (patch)
tree	211354c39c1467fdca88dc7593227e194b62f140 /net
parent	30e0c6a6bee24db0166b7ca709277cd693e179f2 (diff)

diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 08e5ea5ec4ed..9878eb8204c5 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c
@@ -78,6 +78,11 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
78	const char *prefix)	78	const char *prefix)
79	{	79	{
80	unsigned int bitmask;	80	unsigned int bitmask;
		81	struct net *net = dev_net(in ? in : out);
		82
		83	/* FIXME: Disabled from containers until syslog ns is supported */
		84	if (!net_eq(net, &init_net))
		85	return;
81		86
82	spin_lock_bh(&ebt_log_lock);	87	spin_lock_bh(&ebt_log_lock);
83	printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",	88	printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
@@ -207,19 +212,47 @@ static struct nf_logger ebt_log_logger __read_mostly = {
207	.me = THIS_MODULE,	212	.me = THIS_MODULE,
208	};	213	};
209		214
		215	static int __net_init ebt_log_net_init(struct net *net)
		216	{
		217	nf_log_set(net, NFPROTO_BRIDGE, &ebt_log_logger);
		218	return 0;
		219	}
		220
		221	static void __net_exit ebt_log_net_fini(struct net *net)
		222	{
		223	nf_log_unset(net, &ebt_log_logger);
		224	}
		225
		226	static struct pernet_operations ebt_log_net_ops = {
		227	.init = ebt_log_net_init,
		228	.exit = ebt_log_net_fini,
		229	};
		230
210	static int __init ebt_log_init(void)	231	static int __init ebt_log_init(void)
211	{	232	{
212	int ret;	233	int ret;
213		234
		235	ret = register_pernet_subsys(&ebt_log_net_ops);
		236	if (ret < 0)
		237	goto err_pernet;
		238
214	ret = xt_register_target(&ebt_log_tg_reg);	239	ret = xt_register_target(&ebt_log_tg_reg);
215	if (ret < 0)	240	if (ret < 0)
216	return ret;	241	goto err_target;
		242
217	nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger);	243	nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger);
218	return 0;	244
		245	return ret;
		246
		247	err_target:
		248	unregister_pernet_subsys(&ebt_log_net_ops);
		249	err_pernet:
		250	return ret;
219	}	251	}
220		252
221	static void __exit ebt_log_fini(void)	253	static void __exit ebt_log_fini(void)
222	{	254	{
		255	unregister_pernet_subsys(&ebt_log_net_ops);
223	nf_log_unregister(&ebt_log_logger);	256	nf_log_unregister(&ebt_log_logger);
224	xt_unregister_target(&ebt_log_tg_reg);	257	xt_unregister_target(&ebt_log_tg_reg);
225	}	258	}