5 files changed, 114 insertions, 43 deletions
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 3a76ac7b7141..4ce0b313f72c 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -14,6 +14,9 @@ config NFT_BRIDGE_META
        help
          Add support for bridge dedicated meta key.
+config NF_LOG_BRIDGE
+        tristate "Bridge packet logging"
 endif # NF_TABLES_BRIDGE
 menuconfig BRIDGE_NF_EBTABLES
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 6f2f3943d66f..1f78ea0d90e4 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -5,6 +5,9 @@
 obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
 obj-$(CONFIG_NFT_BRIDGE_META)  += nft_meta_bridge.o
+# packet logging
+obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o
 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
 # tables
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 0577477aacd8..17f2e4bc2a29 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -186,6 +186,10 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
        li.u.log.level = info->loglevel;
        li.u.log.logflags = info->bitmask;
+        /* Remember that we have to use ebt_log_packet() not to break backward
+         * compatibility. We cannot use the default bridge packet logger via
+         * nf_log_packet() with NFT_LOG_TYPE_LOG here. --Pablo
+         */
        if (info->bitmask & EBT_LOG_NFLOG)
                nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
                              par->in, par->out, &li, "%s", info->prefix);
@@ -205,55 +209,13 @@ static struct xt_target ebt_log_tg_reg __read_mostly = {
        .me             = THIS_MODULE,
 };
-static struct nf_logger ebt_log_logger __read_mostly = {
-        .name           = "ebt_log",
-        .type           = NF_LOG_TYPE_LOG,
-        .logfn          = &ebt_log_packet,
-        .me             = THIS_MODULE,
-};
-static int __net_init ebt_log_net_init(struct net *net)
-{
-        nf_log_set(net, NFPROTO_BRIDGE, &ebt_log_logger);
-        return 0;
-}
-static void __net_exit ebt_log_net_fini(struct net *net)
-{
-        nf_log_unset(net, &ebt_log_logger);
-}
-static struct pernet_operations ebt_log_net_ops = {
-        .init = ebt_log_net_init,
-        .exit = ebt_log_net_fini,
-};
 static int __init ebt_log_init(void)
 {
-        int ret;
+        return xt_register_target(&ebt_log_tg_reg);
-        ret = register_pernet_subsys(&ebt_log_net_ops);
-        if (ret < 0)
-                goto err_pernet;
-        ret = xt_register_target(&ebt_log_tg_reg);
-        if (ret < 0)
-                goto err_target;
-        nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger);
-        return ret;
-err_target:
-        unregister_pernet_subsys(&ebt_log_net_ops);
-err_pernet:
-        return ret;
 }
 static void __exit ebt_log_fini(void)
 {
-        unregister_pernet_subsys(&ebt_log_net_ops);
-        nf_log_unregister(&ebt_log_logger);
        xt_unregister_target(&ebt_log_tg_reg);
 }
diff --git a/net/bridge/netfilter/nf_log_bridge.c b/net/bridge/netfilter/nf_log_bridge.c
new file mode 100644
index 000000000000..5d9953a90929
--- /dev/null
+++ b/net/bridge/netfilter/nf_log_bridge.c
@@ -0,0 +1,96 @@
+/*
+ * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/skbuff.h>
+#include <linux/if_bridge.h>
+#include <linux/ip.h>
+#include <net/route.h>
+#include <linux/netfilter.h>
+#include <net/netfilter/nf_log.h>
+static void nf_log_bridge_packet(struct net *net, u_int8_t pf,
+                                 unsigned int hooknum,
+                                 const struct sk_buff *skb,
+                                 const struct net_device *in,
+                                 const struct net_device *out,
+                                 const struct nf_loginfo *loginfo,
+                                 const char *prefix)
+{
+        switch (eth_hdr(skb)->h_proto) {
+        case htons(ETH_P_IP):
+                nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out,
+                              loginfo, "%s", prefix);
+                break;
+        case htons(ETH_P_IPV6):
+                nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out,
+                              loginfo, "%s", prefix);
+                break;
+        case htons(ETH_P_ARP):
+        case htons(ETH_P_RARP):
+                nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out,
+                              loginfo, "%s", prefix);
+                break;
+        }
+}
+static struct nf_logger nf_bridge_logger __read_mostly = {
+        .name           = "nf_log_bridge",
+        .type           = NF_LOG_TYPE_LOG,
+        .logfn          = nf_log_bridge_packet,
+        .me             = THIS_MODULE,
+};
+static int __net_init nf_log_bridge_net_init(struct net *net)
+{
+        nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger);
+        return 0;
+}
+static void __net_exit nf_log_bridge_net_exit(struct net *net)
+{
+        nf_log_unset(net, &nf_bridge_logger);
+}
+static struct pernet_operations nf_log_bridge_net_ops = {
+        .init = nf_log_bridge_net_init,
+        .exit = nf_log_bridge_net_exit,
+};
+static int __init nf_log_bridge_init(void)
+{
+        int ret;
+        /* Request to load the real packet loggers. */
+        nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG);
+        nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG);
+        nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG);
+        ret = register_pernet_subsys(&nf_log_bridge_net_ops);
+        if (ret < 0)
+                return ret;
+        nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger);
+        return 0;
+}
+static void __exit nf_log_bridge_exit(void)
+{
+        unregister_pernet_subsys(&nf_log_bridge_net_ops);
+        nf_log_unregister(&nf_bridge_logger);
+}
+module_init(nf_log_bridge_init);
+module_exit(nf_log_bridge_exit);
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("Netfilter bridge packet logging");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 0b2161c689e0..daad6022c689 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -132,6 +132,13 @@ void nf_log_unbind_pf(struct net *net, u_int8_t pf)
 }
 EXPORT_SYMBOL(nf_log_unbind_pf);
+void nf_logger_request_module(int pf, enum nf_log_type type)
+{
+        if (loggers[pf][type] == NULL)
+                request_module("nf-logger-%u-%u", pf, type);
+}
+EXPORT_SYMBOL_GPL(nf_logger_request_module);
 int nf_logger_find_get(int pf, enum nf_log_type type)
 {
        struct nf_logger *logger;

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index 3a76ac7b7141..4ce0b313f72c 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig
@@ -14,6 +14,9 @@ config NFT_BRIDGE_META
14	help	14	help
15	Add support for bridge dedicated meta key.	15	Add support for bridge dedicated meta key.
16		16
		17	config NF_LOG_BRIDGE
		18	tristate "Bridge packet logging"
		19
17	endif # NF_TABLES_BRIDGE	20	endif # NF_TABLES_BRIDGE
18		21
19	menuconfig BRIDGE_NF_EBTABLES	22	menuconfig BRIDGE_NF_EBTABLES


diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile index 6f2f3943d66f..1f78ea0d90e4 100644 --- a/net/bridge/netfilter/Makefile +++ b/net/bridge/netfilter/Makefile
@@ -5,6 +5,9 @@
5	obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o	5	obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
6	obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o	6	obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o
7		7
		8	# packet logging
		9	obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o
		10
8	obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o	11	obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
9		12
10	# tables	13	# tables


diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 0577477aacd8..17f2e4bc2a29 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c
@@ -186,6 +186,10 @@ ebt_log_tg(struct sk_buff skb, const struct xt_action_param par)
186	li.u.log.level = info->loglevel;	186	li.u.log.level = info->loglevel;
187	li.u.log.logflags = info->bitmask;	187	li.u.log.logflags = info->bitmask;
188		188
		189	/* Remember that we have to use ebt_log_packet() not to break backward
		190	* compatibility. We cannot use the default bridge packet logger via
		191	* nf_log_packet() with NFT_LOG_TYPE_LOG here. --Pablo
		192	*/
189	if (info->bitmask & EBT_LOG_NFLOG)	193	if (info->bitmask & EBT_LOG_NFLOG)
190	nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,	194	nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
191	par->in, par->out, &li, "%s", info->prefix);	195	par->in, par->out, &li, "%s", info->prefix);
@@ -205,55 +209,13 @@ static struct xt_target ebt_log_tg_reg __read_mostly = {
205	.me = THIS_MODULE,	209	.me = THIS_MODULE,
206	};	210	};
207		211
208	static struct nf_logger ebt_log_logger __read_mostly = {
209	.name = "ebt_log",
210	.type = NF_LOG_TYPE_LOG,
211	.logfn = &ebt_log_packet,
212	.me = THIS_MODULE,
213	};
214
215	static int __net_init ebt_log_net_init(struct net *net)
216	{
217	nf_log_set(net, NFPROTO_BRIDGE, &ebt_log_logger);
218	return 0;
219	}
220
221	static void __net_exit ebt_log_net_fini(struct net *net)
222	{
223	nf_log_unset(net, &ebt_log_logger);
224	}
225
226	static struct pernet_operations ebt_log_net_ops = {
227	.init = ebt_log_net_init,
228	.exit = ebt_log_net_fini,
229	};
230
231	static int __init ebt_log_init(void)	212	static int __init ebt_log_init(void)
232	{	213	{
233	int ret;	214	return xt_register_target(&ebt_log_tg_reg);
234
235	ret = register_pernet_subsys(&ebt_log_net_ops);
236	if (ret < 0)
237	goto err_pernet;
238
239	ret = xt_register_target(&ebt_log_tg_reg);
240	if (ret < 0)
241	goto err_target;
242
243	nf_log_register(NFPROTO_BRIDGE, &ebt_log_logger);
244
245	return ret;
246
247	err_target:
248	unregister_pernet_subsys(&ebt_log_net_ops);
249	err_pernet:
250	return ret;
251	}	215	}
252		216
253	static void __exit ebt_log_fini(void)	217	static void __exit ebt_log_fini(void)
254	{	218	{
255	unregister_pernet_subsys(&ebt_log_net_ops);
256	nf_log_unregister(&ebt_log_logger);
257	xt_unregister_target(&ebt_log_tg_reg);	219	xt_unregister_target(&ebt_log_tg_reg);
258	}	220	}
259		221


diff --git a/net/bridge/netfilter/nf_log_bridge.c b/net/bridge/netfilter/nf_log_bridge.c new file mode 100644 index 000000000000..5d9953a90929 --- /dev/null +++ b/net/bridge/netfilter/nf_log_bridge.c
@@ -0,0 +1,96 @@
		1	/*
		2	* (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*/
		8
		9	#include <linux/module.h>
		10	#include <linux/spinlock.h>
		11	#include <linux/skbuff.h>
		12	#include <linux/if_bridge.h>
		13	#include <linux/ip.h>
		14	#include <net/route.h>
		15
		16	#include <linux/netfilter.h>
		17	#include <net/netfilter/nf_log.h>
		18
		19	static void nf_log_bridge_packet(struct net *net, u_int8_t pf,
		20	unsigned int hooknum,
		21	const struct sk_buff *skb,
		22	const struct net_device *in,
		23	const struct net_device *out,
		24	const struct nf_loginfo *loginfo,
		25	const char *prefix)
		26	{
		27	switch (eth_hdr(skb)->h_proto) {
		28	case htons(ETH_P_IP):
		29	nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out,
		30	loginfo, "%s", prefix);
		31	break;
		32	case htons(ETH_P_IPV6):
		33	nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out,
		34	loginfo, "%s", prefix);
		35	break;
		36	case htons(ETH_P_ARP):
		37	case htons(ETH_P_RARP):
		38	nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out,
		39	loginfo, "%s", prefix);
		40	break;
		41	}
		42	}
		43
		44	static struct nf_logger nf_bridge_logger __read_mostly = {
		45	.name = "nf_log_bridge",
		46	.type = NF_LOG_TYPE_LOG,
		47	.logfn = nf_log_bridge_packet,
		48	.me = THIS_MODULE,
		49	};
		50
		51	static int __net_init nf_log_bridge_net_init(struct net *net)
		52	{
		53	nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger);
		54	return 0;
		55	}
		56
		57	static void __net_exit nf_log_bridge_net_exit(struct net *net)
		58	{
		59	nf_log_unset(net, &nf_bridge_logger);
		60	}
		61
		62	static struct pernet_operations nf_log_bridge_net_ops = {
		63	.init = nf_log_bridge_net_init,
		64	.exit = nf_log_bridge_net_exit,
		65	};
		66
		67	static int __init nf_log_bridge_init(void)
		68	{
		69	int ret;
		70
		71	/* Request to load the real packet loggers. */
		72	nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG);
		73	nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG);
		74	nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG);
		75
		76	ret = register_pernet_subsys(&nf_log_bridge_net_ops);
		77	if (ret < 0)
		78	return ret;
		79
		80	nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger);
		81	return 0;
		82	}
		83
		84	static void __exit nf_log_bridge_exit(void)
		85	{
		86	unregister_pernet_subsys(&nf_log_bridge_net_ops);
		87	nf_log_unregister(&nf_bridge_logger);
		88	}
		89
		90	module_init(nf_log_bridge_init);
		91	module_exit(nf_log_bridge_exit);
		92
		93	MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
		94	MODULE_DESCRIPTION("Netfilter bridge packet logging");
		95	MODULE_LICENSE("GPL");
		96	MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0);


diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 0b2161c689e0..daad6022c689 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c
@@ -132,6 +132,13 @@ void nf_log_unbind_pf(struct net *net, u_int8_t pf)
132	}	132	}
133	EXPORT_SYMBOL(nf_log_unbind_pf);	133	EXPORT_SYMBOL(nf_log_unbind_pf);
134		134
		135	void nf_logger_request_module(int pf, enum nf_log_type type)
		136	{
		137	if (loggers[pf][type] == NULL)
		138	request_module("nf-logger-%u-%u", pf, type);
		139	}
		140	EXPORT_SYMBOL_GPL(nf_logger_request_module);
		141
135	int nf_logger_find_get(int pf, enum nf_log_type type)	142	int nf_logger_find_get(int pf, enum nf_log_type type)
136	{	143	{
137	struct nf_logger *logger;	144	struct nf_logger *logger;