nf_log_syslog.c (27418B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 */ 5 6#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8#include <linux/kernel.h> 9#include <linux/module.h> 10#include <linux/spinlock.h> 11#include <linux/skbuff.h> 12#include <linux/if_arp.h> 13#include <linux/ip.h> 14#include <net/ipv6.h> 15#include <net/icmp.h> 16#include <net/udp.h> 17#include <net/tcp.h> 18#include <net/route.h> 19 20#include <linux/netfilter.h> 21#include <linux/netfilter_bridge.h> 22#include <linux/netfilter_ipv6.h> 23#include <linux/netfilter/xt_LOG.h> 24#include <net/netfilter/nf_log.h> 25 26static const struct nf_loginfo default_loginfo = { 27 .type = NF_LOG_TYPE_LOG, 28 .u = { 29 .log = { 30 .level = LOGLEVEL_NOTICE, 31 .logflags = NF_LOG_DEFAULT_MASK, 32 }, 33 }, 34}; 35 36struct arppayload { 37 unsigned char mac_src[ETH_ALEN]; 38 unsigned char ip_src[4]; 39 unsigned char mac_dst[ETH_ALEN]; 40 unsigned char ip_dst[4]; 41}; 42 43/* Guard against containers flooding syslog. */ 44static bool nf_log_allowed(const struct net *net) 45{ 46 return net_eq(net, &init_net) || sysctl_nf_log_all_netns; 47} 48 49static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 50{ 51 u16 vid; 52 53 if (!skb_vlan_tag_present(skb)) 54 return; 55 56 vid = skb_vlan_tag_get(skb); 57 nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 58} 59static void noinline_for_stack 60dump_arp_packet(struct nf_log_buf *m, 61 const struct nf_loginfo *info, 62 const struct sk_buff *skb, unsigned int nhoff) 63{ 64 const struct arppayload *ap; 65 struct arppayload _arpp; 66 const struct arphdr *ah; 67 unsigned int logflags; 68 struct arphdr _arph; 69 70 ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); 71 if (!ah) { 72 nf_log_buf_add(m, "TRUNCATED"); 73 return; 74 } 75 76 if (info->type == NF_LOG_TYPE_LOG) 77 logflags = info->u.log.logflags; 78 else 79 logflags = NF_LOG_DEFAULT_MASK; 80 81 if (logflags & NF_LOG_MACDECODE) { 82 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 83 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 84 nf_log_dump_vlan(m, skb); 85 nf_log_buf_add(m, "MACPROTO=%04x ", 86 ntohs(eth_hdr(skb)->h_proto)); 87 } 88 89 nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 90 ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 91 /* If it's for Ethernet and the lengths are OK, then log the ARP 92 * payload. 93 */ 94 if (ah->ar_hrd != htons(ARPHRD_ETHER) || 95 ah->ar_hln != ETH_ALEN || 96 ah->ar_pln != sizeof(__be32)) 97 return; 98 99 ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp); 100 if (!ap) { 101 nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", 102 skb->len - sizeof(_arph)); 103 return; 104 } 105 nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 106 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 107} 108 109static void 110nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf, 111 unsigned int hooknum, const struct sk_buff *skb, 112 const struct net_device *in, 113 const struct net_device *out, 114 const struct nf_loginfo *loginfo, const char *prefix) 115{ 116 const struct net_device *physoutdev __maybe_unused; 117 const struct net_device *physindev __maybe_unused; 118 119 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 120 '0' + loginfo->u.log.level, prefix, 121 in ? in->name : "", 122 out ? out->name : ""); 123#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 124 physindev = nf_bridge_get_physindev(skb); 125 if (physindev && in != physindev) 126 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 127 physoutdev = nf_bridge_get_physoutdev(skb); 128 if (physoutdev && out != physoutdev) 129 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 130#endif 131} 132 133static void nf_log_arp_packet(struct net *net, u_int8_t pf, 134 unsigned int hooknum, const struct sk_buff *skb, 135 const struct net_device *in, 136 const struct net_device *out, 137 const struct nf_loginfo *loginfo, 138 const char *prefix) 139{ 140 struct nf_log_buf *m; 141 142 if (!nf_log_allowed(net)) 143 return; 144 145 m = nf_log_buf_open(); 146 147 if (!loginfo) 148 loginfo = &default_loginfo; 149 150 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 151 prefix); 152 dump_arp_packet(m, loginfo, skb, 0); 153 154 nf_log_buf_close(m); 155} 156 157static struct nf_logger nf_arp_logger __read_mostly = { 158 .name = "nf_log_arp", 159 .type = NF_LOG_TYPE_LOG, 160 .logfn = nf_log_arp_packet, 161 .me = THIS_MODULE, 162}; 163 164static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 165 struct sock *sk) 166{ 167 if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 168 return; 169 170 read_lock_bh(&sk->sk_callback_lock); 171 if (sk->sk_socket && sk->sk_socket->file) { 172 const struct cred *cred = sk->sk_socket->file->f_cred; 173 174 nf_log_buf_add(m, "UID=%u GID=%u ", 175 from_kuid_munged(&init_user_ns, cred->fsuid), 176 from_kgid_munged(&init_user_ns, cred->fsgid)); 177 } 178 read_unlock_bh(&sk->sk_callback_lock); 179} 180 181static noinline_for_stack int 182nf_log_dump_tcp_header(struct nf_log_buf *m, 183 const struct sk_buff *skb, 184 u8 proto, int fragment, 185 unsigned int offset, 186 unsigned int logflags) 187{ 188 struct tcphdr _tcph; 189 const struct tcphdr *th; 190 191 /* Max length: 10 "PROTO=TCP " */ 192 nf_log_buf_add(m, "PROTO=TCP "); 193 194 if (fragment) 195 return 0; 196 197 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 198 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 199 if (!th) { 200 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 201 return 1; 202 } 203 204 /* Max length: 20 "SPT=65535 DPT=65535 " */ 205 nf_log_buf_add(m, "SPT=%u DPT=%u ", 206 ntohs(th->source), ntohs(th->dest)); 207 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 208 if (logflags & NF_LOG_TCPSEQ) { 209 nf_log_buf_add(m, "SEQ=%u ACK=%u ", 210 ntohl(th->seq), ntohl(th->ack_seq)); 211 } 212 213 /* Max length: 13 "WINDOW=65535 " */ 214 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 215 /* Max length: 9 "RES=0x3C " */ 216 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 217 TCP_RESERVED_BITS) >> 22)); 218 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 219 if (th->cwr) 220 nf_log_buf_add(m, "CWR "); 221 if (th->ece) 222 nf_log_buf_add(m, "ECE "); 223 if (th->urg) 224 nf_log_buf_add(m, "URG "); 225 if (th->ack) 226 nf_log_buf_add(m, "ACK "); 227 if (th->psh) 228 nf_log_buf_add(m, "PSH "); 229 if (th->rst) 230 nf_log_buf_add(m, "RST "); 231 if (th->syn) 232 nf_log_buf_add(m, "SYN "); 233 if (th->fin) 234 nf_log_buf_add(m, "FIN "); 235 /* Max length: 11 "URGP=65535 " */ 236 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 237 238 if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { 239 unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); 240 u8 _opt[60 - sizeof(struct tcphdr)]; 241 unsigned int i; 242 const u8 *op; 243 244 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 245 optsize, _opt); 246 if (!op) { 247 nf_log_buf_add(m, "OPT (TRUNCATED)"); 248 return 1; 249 } 250 251 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 252 nf_log_buf_add(m, "OPT ("); 253 for (i = 0; i < optsize; i++) 254 nf_log_buf_add(m, "%02X", op[i]); 255 256 nf_log_buf_add(m, ") "); 257 } 258 259 return 0; 260} 261 262static noinline_for_stack int 263nf_log_dump_udp_header(struct nf_log_buf *m, 264 const struct sk_buff *skb, 265 u8 proto, int fragment, 266 unsigned int offset) 267{ 268 struct udphdr _udph; 269 const struct udphdr *uh; 270 271 if (proto == IPPROTO_UDP) 272 /* Max length: 10 "PROTO=UDP " */ 273 nf_log_buf_add(m, "PROTO=UDP "); 274 else /* Max length: 14 "PROTO=UDPLITE " */ 275 nf_log_buf_add(m, "PROTO=UDPLITE "); 276 277 if (fragment) 278 goto out; 279 280 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 281 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 282 if (!uh) { 283 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 284 285 return 1; 286 } 287 288 /* Max length: 20 "SPT=65535 DPT=65535 " */ 289 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 290 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 291 292out: 293 return 0; 294} 295 296/* One level of recursion won't kill us */ 297static noinline_for_stack void 298dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 299 const struct nf_loginfo *info, 300 const struct sk_buff *skb, unsigned int iphoff) 301{ 302 const struct iphdr *ih; 303 unsigned int logflags; 304 struct iphdr _iph; 305 306 if (info->type == NF_LOG_TYPE_LOG) 307 logflags = info->u.log.logflags; 308 else 309 logflags = NF_LOG_DEFAULT_MASK; 310 311 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 312 if (!ih) { 313 nf_log_buf_add(m, "TRUNCATED"); 314 return; 315 } 316 317 /* Important fields: 318 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. 319 * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " 320 */ 321 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 322 323 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 324 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 325 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 326 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 327 328 /* Max length: 6 "CE DF MF " */ 329 if (ntohs(ih->frag_off) & IP_CE) 330 nf_log_buf_add(m, "CE "); 331 if (ntohs(ih->frag_off) & IP_DF) 332 nf_log_buf_add(m, "DF "); 333 if (ntohs(ih->frag_off) & IP_MF) 334 nf_log_buf_add(m, "MF "); 335 336 /* Max length: 11 "FRAG:65535 " */ 337 if (ntohs(ih->frag_off) & IP_OFFSET) 338 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 339 340 if ((logflags & NF_LOG_IPOPT) && 341 ih->ihl * 4 > sizeof(struct iphdr)) { 342 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 343 const unsigned char *op; 344 unsigned int i, optsize; 345 346 optsize = ih->ihl * 4 - sizeof(struct iphdr); 347 op = skb_header_pointer(skb, iphoff + sizeof(_iph), 348 optsize, _opt); 349 if (!op) { 350 nf_log_buf_add(m, "TRUNCATED"); 351 return; 352 } 353 354 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 355 nf_log_buf_add(m, "OPT ("); 356 for (i = 0; i < optsize; i++) 357 nf_log_buf_add(m, "%02X", op[i]); 358 nf_log_buf_add(m, ") "); 359 } 360 361 switch (ih->protocol) { 362 case IPPROTO_TCP: 363 if (nf_log_dump_tcp_header(m, skb, ih->protocol, 364 ntohs(ih->frag_off) & IP_OFFSET, 365 iphoff + ih->ihl * 4, logflags)) 366 return; 367 break; 368 case IPPROTO_UDP: 369 case IPPROTO_UDPLITE: 370 if (nf_log_dump_udp_header(m, skb, ih->protocol, 371 ntohs(ih->frag_off) & IP_OFFSET, 372 iphoff + ih->ihl * 4)) 373 return; 374 break; 375 case IPPROTO_ICMP: { 376 static const size_t required_len[NR_ICMP_TYPES + 1] = { 377 [ICMP_ECHOREPLY] = 4, 378 [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr), 379 [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr), 380 [ICMP_REDIRECT] = 8 + sizeof(struct iphdr), 381 [ICMP_ECHO] = 4, 382 [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr), 383 [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr), 384 [ICMP_TIMESTAMP] = 20, 385 [ICMP_TIMESTAMPREPLY] = 20, 386 [ICMP_ADDRESS] = 12, 387 [ICMP_ADDRESSREPLY] = 12 }; 388 const struct icmphdr *ich; 389 struct icmphdr _icmph; 390 391 /* Max length: 11 "PROTO=ICMP " */ 392 nf_log_buf_add(m, "PROTO=ICMP "); 393 394 if (ntohs(ih->frag_off) & IP_OFFSET) 395 break; 396 397 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 398 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 399 sizeof(_icmph), &_icmph); 400 if (!ich) { 401 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 402 skb->len - iphoff - ih->ihl * 4); 403 break; 404 } 405 406 /* Max length: 18 "TYPE=255 CODE=255 " */ 407 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 408 409 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 410 if (ich->type <= NR_ICMP_TYPES && 411 required_len[ich->type] && 412 skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) { 413 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 414 skb->len - iphoff - ih->ihl * 4); 415 break; 416 } 417 418 switch (ich->type) { 419 case ICMP_ECHOREPLY: 420 case ICMP_ECHO: 421 /* Max length: 19 "ID=65535 SEQ=65535 " */ 422 nf_log_buf_add(m, "ID=%u SEQ=%u ", 423 ntohs(ich->un.echo.id), 424 ntohs(ich->un.echo.sequence)); 425 break; 426 427 case ICMP_PARAMETERPROB: 428 /* Max length: 14 "PARAMETER=255 " */ 429 nf_log_buf_add(m, "PARAMETER=%u ", 430 ntohl(ich->un.gateway) >> 24); 431 break; 432 case ICMP_REDIRECT: 433 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 434 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 435 fallthrough; 436 case ICMP_DEST_UNREACH: 437 case ICMP_SOURCE_QUENCH: 438 case ICMP_TIME_EXCEEDED: 439 /* Max length: 3+maxlen */ 440 if (!iphoff) { /* Only recurse once. */ 441 nf_log_buf_add(m, "["); 442 dump_ipv4_packet(net, m, info, skb, 443 iphoff + ih->ihl * 4 + sizeof(_icmph)); 444 nf_log_buf_add(m, "] "); 445 } 446 447 /* Max length: 10 "MTU=65535 " */ 448 if (ich->type == ICMP_DEST_UNREACH && 449 ich->code == ICMP_FRAG_NEEDED) { 450 nf_log_buf_add(m, "MTU=%u ", 451 ntohs(ich->un.frag.mtu)); 452 } 453 } 454 break; 455 } 456 /* Max Length */ 457 case IPPROTO_AH: { 458 const struct ip_auth_hdr *ah; 459 struct ip_auth_hdr _ahdr; 460 461 if (ntohs(ih->frag_off) & IP_OFFSET) 462 break; 463 464 /* Max length: 9 "PROTO=AH " */ 465 nf_log_buf_add(m, "PROTO=AH "); 466 467 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 468 ah = skb_header_pointer(skb, iphoff + ih->ihl * 4, 469 sizeof(_ahdr), &_ahdr); 470 if (!ah) { 471 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 472 skb->len - iphoff - ih->ihl * 4); 473 break; 474 } 475 476 /* Length: 15 "SPI=0xF1234567 " */ 477 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 478 break; 479 } 480 case IPPROTO_ESP: { 481 const struct ip_esp_hdr *eh; 482 struct ip_esp_hdr _esph; 483 484 /* Max length: 10 "PROTO=ESP " */ 485 nf_log_buf_add(m, "PROTO=ESP "); 486 487 if (ntohs(ih->frag_off) & IP_OFFSET) 488 break; 489 490 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 491 eh = skb_header_pointer(skb, iphoff + ih->ihl * 4, 492 sizeof(_esph), &_esph); 493 if (!eh) { 494 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 495 skb->len - iphoff - ih->ihl * 4); 496 break; 497 } 498 499 /* Length: 15 "SPI=0xF1234567 " */ 500 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 501 break; 502 } 503 /* Max length: 10 "PROTO 255 " */ 504 default: 505 nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 506 } 507 508 /* Max length: 15 "UID=4294967295 " */ 509 if ((logflags & NF_LOG_UID) && !iphoff) 510 nf_log_dump_sk_uid_gid(net, m, skb->sk); 511 512 /* Max length: 16 "MARK=0xFFFFFFFF " */ 513 if (!iphoff && skb->mark) 514 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 515 516 /* Proto Max log string length */ 517 /* IP: 40+46+6+11+127 = 230 */ 518 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 519 /* UDP: 10+max(25,20) = 35 */ 520 /* UDPLITE: 14+max(25,20) = 39 */ 521 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 522 /* ESP: 10+max(25)+15 = 50 */ 523 /* AH: 9+max(25)+15 = 49 */ 524 /* unknown: 10 */ 525 526 /* (ICMP allows recursion one level deep) */ 527 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 528 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 529} 530 531static noinline_for_stack void 532dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 533 const struct nf_loginfo *info, 534 const struct sk_buff *skb, unsigned int ip6hoff, 535 int recurse) 536{ 537 const struct ipv6hdr *ih; 538 unsigned int hdrlen = 0; 539 unsigned int logflags; 540 struct ipv6hdr _ip6h; 541 unsigned int ptr; 542 u8 currenthdr; 543 int fragment; 544 545 if (info->type == NF_LOG_TYPE_LOG) 546 logflags = info->u.log.logflags; 547 else 548 logflags = NF_LOG_DEFAULT_MASK; 549 550 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 551 if (!ih) { 552 nf_log_buf_add(m, "TRUNCATED"); 553 return; 554 } 555 556 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 557 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 558 559 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 560 nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 561 ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 562 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 563 ih->hop_limit, 564 (ntohl(*(__be32 *)ih) & 0x000fffff)); 565 566 fragment = 0; 567 ptr = ip6hoff + sizeof(struct ipv6hdr); 568 currenthdr = ih->nexthdr; 569 while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) { 570 struct ipv6_opt_hdr _hdr; 571 const struct ipv6_opt_hdr *hp; 572 573 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 574 if (!hp) { 575 nf_log_buf_add(m, "TRUNCATED"); 576 return; 577 } 578 579 /* Max length: 48 "OPT (...) " */ 580 if (logflags & NF_LOG_IPOPT) 581 nf_log_buf_add(m, "OPT ( "); 582 583 switch (currenthdr) { 584 case IPPROTO_FRAGMENT: { 585 struct frag_hdr _fhdr; 586 const struct frag_hdr *fh; 587 588 nf_log_buf_add(m, "FRAG:"); 589 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 590 &_fhdr); 591 if (!fh) { 592 nf_log_buf_add(m, "TRUNCATED "); 593 return; 594 } 595 596 /* Max length: 6 "65535 " */ 597 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 598 599 /* Max length: 11 "INCOMPLETE " */ 600 if (fh->frag_off & htons(0x0001)) 601 nf_log_buf_add(m, "INCOMPLETE "); 602 603 nf_log_buf_add(m, "ID:%08x ", 604 ntohl(fh->identification)); 605 606 if (ntohs(fh->frag_off) & 0xFFF8) 607 fragment = 1; 608 609 hdrlen = 8; 610 break; 611 } 612 case IPPROTO_DSTOPTS: 613 case IPPROTO_ROUTING: 614 case IPPROTO_HOPOPTS: 615 if (fragment) { 616 if (logflags & NF_LOG_IPOPT) 617 nf_log_buf_add(m, ")"); 618 return; 619 } 620 hdrlen = ipv6_optlen(hp); 621 break; 622 /* Max Length */ 623 case IPPROTO_AH: 624 if (logflags & NF_LOG_IPOPT) { 625 struct ip_auth_hdr _ahdr; 626 const struct ip_auth_hdr *ah; 627 628 /* Max length: 3 "AH " */ 629 nf_log_buf_add(m, "AH "); 630 631 if (fragment) { 632 nf_log_buf_add(m, ")"); 633 return; 634 } 635 636 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 637 &_ahdr); 638 if (!ah) { 639 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 640 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 641 skb->len - ptr); 642 return; 643 } 644 645 /* Length: 15 "SPI=0xF1234567 */ 646 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 647 } 648 649 hdrlen = ipv6_authlen(hp); 650 break; 651 case IPPROTO_ESP: 652 if (logflags & NF_LOG_IPOPT) { 653 struct ip_esp_hdr _esph; 654 const struct ip_esp_hdr *eh; 655 656 /* Max length: 4 "ESP " */ 657 nf_log_buf_add(m, "ESP "); 658 659 if (fragment) { 660 nf_log_buf_add(m, ")"); 661 return; 662 } 663 664 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 665 eh = skb_header_pointer(skb, ptr, sizeof(_esph), 666 &_esph); 667 if (!eh) { 668 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 669 skb->len - ptr); 670 return; 671 } 672 673 /* Length: 16 "SPI=0xF1234567 )" */ 674 nf_log_buf_add(m, "SPI=0x%x )", 675 ntohl(eh->spi)); 676 } 677 return; 678 default: 679 /* Max length: 20 "Unknown Ext Hdr 255" */ 680 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 681 return; 682 } 683 if (logflags & NF_LOG_IPOPT) 684 nf_log_buf_add(m, ") "); 685 686 currenthdr = hp->nexthdr; 687 ptr += hdrlen; 688 } 689 690 switch (currenthdr) { 691 case IPPROTO_TCP: 692 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 693 ptr, logflags)) 694 return; 695 break; 696 case IPPROTO_UDP: 697 case IPPROTO_UDPLITE: 698 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 699 return; 700 break; 701 case IPPROTO_ICMPV6: { 702 struct icmp6hdr _icmp6h; 703 const struct icmp6hdr *ic; 704 705 /* Max length: 13 "PROTO=ICMPv6 " */ 706 nf_log_buf_add(m, "PROTO=ICMPv6 "); 707 708 if (fragment) 709 break; 710 711 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 712 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 713 if (!ic) { 714 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 715 skb->len - ptr); 716 return; 717 } 718 719 /* Max length: 18 "TYPE=255 CODE=255 " */ 720 nf_log_buf_add(m, "TYPE=%u CODE=%u ", 721 ic->icmp6_type, ic->icmp6_code); 722 723 switch (ic->icmp6_type) { 724 case ICMPV6_ECHO_REQUEST: 725 case ICMPV6_ECHO_REPLY: 726 /* Max length: 19 "ID=65535 SEQ=65535 " */ 727 nf_log_buf_add(m, "ID=%u SEQ=%u ", 728 ntohs(ic->icmp6_identifier), 729 ntohs(ic->icmp6_sequence)); 730 break; 731 case ICMPV6_MGM_QUERY: 732 case ICMPV6_MGM_REPORT: 733 case ICMPV6_MGM_REDUCTION: 734 break; 735 736 case ICMPV6_PARAMPROB: 737 /* Max length: 17 "POINTER=ffffffff " */ 738 nf_log_buf_add(m, "POINTER=%08x ", 739 ntohl(ic->icmp6_pointer)); 740 fallthrough; 741 case ICMPV6_DEST_UNREACH: 742 case ICMPV6_PKT_TOOBIG: 743 case ICMPV6_TIME_EXCEED: 744 /* Max length: 3+maxlen */ 745 if (recurse) { 746 nf_log_buf_add(m, "["); 747 dump_ipv6_packet(net, m, info, skb, 748 ptr + sizeof(_icmp6h), 0); 749 nf_log_buf_add(m, "] "); 750 } 751 752 /* Max length: 10 "MTU=65535 " */ 753 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 754 nf_log_buf_add(m, "MTU=%u ", 755 ntohl(ic->icmp6_mtu)); 756 } 757 } 758 break; 759 } 760 /* Max length: 10 "PROTO=255 " */ 761 default: 762 nf_log_buf_add(m, "PROTO=%u ", currenthdr); 763 } 764 765 /* Max length: 15 "UID=4294967295 " */ 766 if ((logflags & NF_LOG_UID) && recurse) 767 nf_log_dump_sk_uid_gid(net, m, skb->sk); 768 769 /* Max length: 16 "MARK=0xFFFFFFFF " */ 770 if (recurse && skb->mark) 771 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 772} 773 774static void dump_mac_header(struct nf_log_buf *m, 775 const struct nf_loginfo *info, 776 const struct sk_buff *skb) 777{ 778 struct net_device *dev = skb->dev; 779 unsigned int logflags = 0; 780 781 if (info->type == NF_LOG_TYPE_LOG) 782 logflags = info->u.log.logflags; 783 784 if (!(logflags & NF_LOG_MACDECODE)) 785 goto fallback; 786 787 switch (dev->type) { 788 case ARPHRD_ETHER: 789 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 790 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 791 nf_log_dump_vlan(m, skb); 792 nf_log_buf_add(m, "MACPROTO=%04x ", 793 ntohs(eth_hdr(skb)->h_proto)); 794 return; 795 default: 796 break; 797 } 798 799fallback: 800 nf_log_buf_add(m, "MAC="); 801 if (dev->hard_header_len && 802 skb->mac_header != skb->network_header) { 803 const unsigned char *p = skb_mac_header(skb); 804 unsigned int i; 805 806 if (dev->type == ARPHRD_SIT) { 807 p -= ETH_HLEN; 808 809 if (p < skb->head) 810 p = NULL; 811 } 812 813 if (p) { 814 nf_log_buf_add(m, "%02x", *p++); 815 for (i = 1; i < dev->hard_header_len; i++) 816 nf_log_buf_add(m, ":%02x", *p++); 817 } 818 819 if (dev->type == ARPHRD_SIT) { 820 const struct iphdr *iph = 821 (struct iphdr *)skb_mac_header(skb); 822 823 nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr, 824 &iph->daddr); 825 } 826 } 827 nf_log_buf_add(m, " "); 828} 829 830static void nf_log_ip_packet(struct net *net, u_int8_t pf, 831 unsigned int hooknum, const struct sk_buff *skb, 832 const struct net_device *in, 833 const struct net_device *out, 834 const struct nf_loginfo *loginfo, 835 const char *prefix) 836{ 837 struct nf_log_buf *m; 838 839 if (!nf_log_allowed(net)) 840 return; 841 842 m = nf_log_buf_open(); 843 844 if (!loginfo) 845 loginfo = &default_loginfo; 846 847 nf_log_dump_packet_common(m, pf, hooknum, skb, in, 848 out, loginfo, prefix); 849 850 if (in) 851 dump_mac_header(m, loginfo, skb); 852 853 dump_ipv4_packet(net, m, loginfo, skb, 0); 854 855 nf_log_buf_close(m); 856} 857 858static struct nf_logger nf_ip_logger __read_mostly = { 859 .name = "nf_log_ipv4", 860 .type = NF_LOG_TYPE_LOG, 861 .logfn = nf_log_ip_packet, 862 .me = THIS_MODULE, 863}; 864 865static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 866 unsigned int hooknum, const struct sk_buff *skb, 867 const struct net_device *in, 868 const struct net_device *out, 869 const struct nf_loginfo *loginfo, 870 const char *prefix) 871{ 872 struct nf_log_buf *m; 873 874 if (!nf_log_allowed(net)) 875 return; 876 877 m = nf_log_buf_open(); 878 879 if (!loginfo) 880 loginfo = &default_loginfo; 881 882 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 883 loginfo, prefix); 884 885 if (in) 886 dump_mac_header(m, loginfo, skb); 887 888 dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 889 890 nf_log_buf_close(m); 891} 892 893static struct nf_logger nf_ip6_logger __read_mostly = { 894 .name = "nf_log_ipv6", 895 .type = NF_LOG_TYPE_LOG, 896 .logfn = nf_log_ip6_packet, 897 .me = THIS_MODULE, 898}; 899 900static void nf_log_unknown_packet(struct net *net, u_int8_t pf, 901 unsigned int hooknum, 902 const struct sk_buff *skb, 903 const struct net_device *in, 904 const struct net_device *out, 905 const struct nf_loginfo *loginfo, 906 const char *prefix) 907{ 908 struct nf_log_buf *m; 909 910 if (!nf_log_allowed(net)) 911 return; 912 913 m = nf_log_buf_open(); 914 915 if (!loginfo) 916 loginfo = &default_loginfo; 917 918 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 919 prefix); 920 921 dump_mac_header(m, loginfo, skb); 922 923 nf_log_buf_close(m); 924} 925 926static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 927 unsigned int hooknum, 928 const struct sk_buff *skb, 929 const struct net_device *in, 930 const struct net_device *out, 931 const struct nf_loginfo *loginfo, 932 const char *prefix) 933{ 934 switch (skb->protocol) { 935 case htons(ETH_P_IP): 936 nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 937 break; 938 case htons(ETH_P_IPV6): 939 nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 940 break; 941 case htons(ETH_P_ARP): 942 case htons(ETH_P_RARP): 943 nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 944 break; 945 default: 946 nf_log_unknown_packet(net, pf, hooknum, skb, 947 in, out, loginfo, prefix); 948 break; 949 } 950} 951 952static struct nf_logger nf_netdev_logger __read_mostly = { 953 .name = "nf_log_netdev", 954 .type = NF_LOG_TYPE_LOG, 955 .logfn = nf_log_netdev_packet, 956 .me = THIS_MODULE, 957}; 958 959static struct nf_logger nf_bridge_logger __read_mostly = { 960 .name = "nf_log_bridge", 961 .type = NF_LOG_TYPE_LOG, 962 .logfn = nf_log_netdev_packet, 963 .me = THIS_MODULE, 964}; 965 966static int __net_init nf_log_syslog_net_init(struct net *net) 967{ 968 int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 969 970 if (ret) 971 return ret; 972 973 ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 974 if (ret) 975 goto err1; 976 977 ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 978 if (ret) 979 goto err2; 980 981 ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 982 if (ret) 983 goto err3; 984 985 ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 986 if (ret) 987 goto err4; 988 return 0; 989err4: 990 nf_log_unset(net, &nf_netdev_logger); 991err3: 992 nf_log_unset(net, &nf_ip6_logger); 993err2: 994 nf_log_unset(net, &nf_arp_logger); 995err1: 996 nf_log_unset(net, &nf_ip_logger); 997 return ret; 998} 999 1000static void __net_exit nf_log_syslog_net_exit(struct net *net) 1001{ 1002 nf_log_unset(net, &nf_ip_logger); 1003 nf_log_unset(net, &nf_arp_logger); 1004 nf_log_unset(net, &nf_ip6_logger); 1005 nf_log_unset(net, &nf_netdev_logger); 1006 nf_log_unset(net, &nf_bridge_logger); 1007} 1008 1009static struct pernet_operations nf_log_syslog_net_ops = { 1010 .init = nf_log_syslog_net_init, 1011 .exit = nf_log_syslog_net_exit, 1012}; 1013 1014static int __init nf_log_syslog_init(void) 1015{ 1016 int ret; 1017 1018 ret = register_pernet_subsys(&nf_log_syslog_net_ops); 1019 if (ret < 0) 1020 return ret; 1021 1022 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 1023 if (ret < 0) 1024 goto err1; 1025 1026 ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger); 1027 if (ret < 0) 1028 goto err2; 1029 1030 ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 1031 if (ret < 0) 1032 goto err3; 1033 1034 ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 1035 if (ret < 0) 1036 goto err4; 1037 1038 ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 1039 if (ret < 0) 1040 goto err5; 1041 1042 return 0; 1043err5: 1044 nf_log_unregister(&nf_netdev_logger); 1045err4: 1046 nf_log_unregister(&nf_ip6_logger); 1047err3: 1048 nf_log_unregister(&nf_arp_logger); 1049err2: 1050 nf_log_unregister(&nf_ip_logger); 1051err1: 1052 pr_err("failed to register logger\n"); 1053 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1054 return ret; 1055} 1056 1057static void __exit nf_log_syslog_exit(void) 1058{ 1059 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1060 nf_log_unregister(&nf_ip_logger); 1061 nf_log_unregister(&nf_arp_logger); 1062 nf_log_unregister(&nf_ip6_logger); 1063 nf_log_unregister(&nf_netdev_logger); 1064 nf_log_unregister(&nf_bridge_logger); 1065} 1066 1067module_init(nf_log_syslog_init); 1068module_exit(nf_log_syslog_exit); 1069 1070MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 1071MODULE_DESCRIPTION("Netfilter syslog packet logging"); 1072MODULE_LICENSE("GPL"); 1073MODULE_ALIAS("nf_log_arp"); 1074MODULE_ALIAS("nf_log_bridge"); 1075MODULE_ALIAS("nf_log_ipv4"); 1076MODULE_ALIAS("nf_log_ipv6"); 1077MODULE_ALIAS("nf_log_netdev"); 1078MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0); 1079MODULE_ALIAS_NF_LOGGER(AF_INET, 0); 1080MODULE_ALIAS_NF_LOGGER(3, 0); 1081MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */ 1082MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);