1 // SPDX-License-Identifier: GPL-2.0-only 2 /* (C) 1999-2001 Paul `Rusty' Russell 3 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include <linux/kernel.h> 9 #include <linux/module.h> 10 #include <linux/spinlock.h> 11 #include <linux/skbuff.h> 12 #include <linux/if_arp.h> 13 #include <linux/ip.h> 14 #include <net/ipv6.h> 15 #include <net/icmp.h> 16 #include <net/udp.h> 17 #include <net/tcp.h> 18 #include <net/route.h> 19 20 #include <linux/netfilter.h> 21 #include <linux/netfilter_bridge.h> 22 #include <linux/netfilter_ipv6.h> 23 #include <linux/netfilter/xt_LOG.h> 24 #include <net/netfilter/nf_log.h> 25 26 static const struct nf_loginfo default_loginfo = { 27 .type = NF_LOG_TYPE_LOG, 28 .u = { 29 .log = { 30 .level = LOGLEVEL_NOTICE, 31 .logflags = NF_LOG_DEFAULT_MASK, 32 }, 33 }, 34 }; 35 36 struct arppayload { 37 unsigned char mac_src[ETH_ALEN]; 38 unsigned char ip_src[4]; 39 unsigned char mac_dst[ETH_ALEN]; 40 unsigned char ip_dst[4]; 41 }; 42 43 /* Guard against containers flooding syslog. */ 44 static bool nf_log_allowed(const struct net *net) 45 { 46 return net_eq(net, &init_net) || sysctl_nf_log_all_netns; 47 } 48 49 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) 50 { 51 u16 vid; 52 53 if (!skb_vlan_tag_present(skb)) 54 return; 55 56 vid = skb_vlan_tag_get(skb); 57 nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); 58 } 59 static void noinline_for_stack 60 dump_arp_packet(struct nf_log_buf *m, 61 const struct nf_loginfo *info, 62 const struct sk_buff *skb, unsigned int nhoff) 63 { 64 const struct arppayload *ap; 65 struct arppayload _arpp; 66 const struct arphdr *ah; 67 unsigned int logflags; 68 struct arphdr _arph; 69 70 ah = skb_header_pointer(skb, nhoff, sizeof(_arph), &_arph); 71 if (!ah) { 72 nf_log_buf_add(m, "TRUNCATED"); 73 return; 74 } 75 76 if (info->type == NF_LOG_TYPE_LOG) 77 logflags = info->u.log.logflags; 78 else 79 logflags = NF_LOG_DEFAULT_MASK; 80 81 if (logflags & NF_LOG_MACDECODE) { 82 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 83 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 84 nf_log_dump_vlan(m, skb); 85 nf_log_buf_add(m, "MACPROTO=%04x ", 86 ntohs(eth_hdr(skb)->h_proto)); 87 } 88 89 nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", 90 ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); 91 /* If it's for Ethernet and the lengths are OK, then log the ARP 92 * payload. 93 */ 94 if (ah->ar_hrd != htons(ARPHRD_ETHER) || 95 ah->ar_hln != ETH_ALEN || 96 ah->ar_pln != sizeof(__be32)) 97 return; 98 99 ap = skb_header_pointer(skb, nhoff + sizeof(_arph), sizeof(_arpp), &_arpp); 100 if (!ap) { 101 nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", 102 skb->len - sizeof(_arph)); 103 return; 104 } 105 nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4", 106 ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); 107 } 108 109 static void 110 nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf, 111 unsigned int hooknum, const struct sk_buff *skb, 112 const struct net_device *in, 113 const struct net_device *out, 114 const struct nf_loginfo *loginfo, const char *prefix, 115 struct net *net) 116 { 117 const struct net_device *physoutdev __maybe_unused; 118 const struct net_device *physindev __maybe_unused; 119 120 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ", 121 '0' + loginfo->u.log.level, prefix, 122 in ? in->name : "", 123 out ? out->name : ""); 124 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 125 physindev = nf_bridge_get_physindev(skb, net); 126 if (physindev && in != physindev) 127 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name); 128 physoutdev = nf_bridge_get_physoutdev(skb); 129 if (physoutdev && out != physoutdev) 130 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name); 131 #endif 132 } 133 134 static void nf_log_arp_packet(struct net *net, u_int8_t pf, 135 unsigned int hooknum, const struct sk_buff *skb, 136 const struct net_device *in, 137 const struct net_device *out, 138 const struct nf_loginfo *loginfo, 139 const char *prefix) 140 { 141 struct nf_log_buf *m; 142 143 if (!nf_log_allowed(net)) 144 return; 145 146 m = nf_log_buf_open(); 147 148 if (!loginfo) 149 loginfo = &default_loginfo; 150 151 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 152 prefix, net); 153 dump_arp_packet(m, loginfo, skb, skb_network_offset(skb)); 154 155 nf_log_buf_close(m); 156 } 157 158 static struct nf_logger nf_arp_logger __read_mostly = { 159 .name = "nf_log_arp", 160 .type = NF_LOG_TYPE_LOG, 161 .logfn = nf_log_arp_packet, 162 .me = THIS_MODULE, 163 }; 164 165 static void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 166 struct sock *sk) 167 { 168 if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 169 return; 170 171 read_lock_bh(&sk->sk_callback_lock); 172 if (sk->sk_socket && sk->sk_socket->file) { 173 const struct cred *cred = sk->sk_socket->file->f_cred; 174 175 nf_log_buf_add(m, "UID=%u GID=%u ", 176 from_kuid_munged(&init_user_ns, cred->fsuid), 177 from_kgid_munged(&init_user_ns, cred->fsgid)); 178 } 179 read_unlock_bh(&sk->sk_callback_lock); 180 } 181 182 static noinline_for_stack int 183 nf_log_dump_tcp_header(struct nf_log_buf *m, 184 const struct sk_buff *skb, 185 u8 proto, int fragment, 186 unsigned int offset, 187 unsigned int logflags) 188 { 189 struct tcphdr _tcph; 190 const struct tcphdr *th; 191 192 /* Max length: 10 "PROTO=TCP " */ 193 nf_log_buf_add(m, "PROTO=TCP "); 194 195 if (fragment) 196 return 0; 197 198 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 199 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 200 if (!th) { 201 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 202 return 1; 203 } 204 205 /* Max length: 20 "SPT=65535 DPT=65535 " */ 206 nf_log_buf_add(m, "SPT=%u DPT=%u ", 207 ntohs(th->source), ntohs(th->dest)); 208 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 209 if (logflags & NF_LOG_TCPSEQ) { 210 nf_log_buf_add(m, "SEQ=%u ACK=%u ", 211 ntohl(th->seq), ntohl(th->ack_seq)); 212 } 213 214 /* Max length: 13 "WINDOW=65535 " */ 215 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window)); 216 /* Max length: 9 "RES=0x3C " */ 217 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) & 218 TCP_RESERVED_BITS) >> 22)); 219 /* Max length: 35 "AE CWR ECE URG ACK PSH RST SYN FIN " */ 220 if (th->ae) 221 nf_log_buf_add(m, "AE "); 222 if (th->cwr) 223 nf_log_buf_add(m, "CWR "); 224 if (th->ece) 225 nf_log_buf_add(m, "ECE "); 226 if (th->urg) 227 nf_log_buf_add(m, "URG "); 228 if (th->ack) 229 nf_log_buf_add(m, "ACK "); 230 if (th->psh) 231 nf_log_buf_add(m, "PSH "); 232 if (th->rst) 233 nf_log_buf_add(m, "RST "); 234 if (th->syn) 235 nf_log_buf_add(m, "SYN "); 236 if (th->fin) 237 nf_log_buf_add(m, "FIN "); 238 /* Max length: 11 "URGP=65535 " */ 239 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr)); 240 241 if ((logflags & NF_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { 242 unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); 243 u8 _opt[60 - sizeof(struct tcphdr)]; 244 unsigned int i; 245 const u8 *op; 246 247 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr), 248 optsize, _opt); 249 if (!op) { 250 nf_log_buf_add(m, "OPT (TRUNCATED)"); 251 return 1; 252 } 253 254 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 255 nf_log_buf_add(m, "OPT ("); 256 for (i = 0; i < optsize; i++) 257 nf_log_buf_add(m, "%02X", op[i]); 258 259 nf_log_buf_add(m, ") "); 260 } 261 262 return 0; 263 } 264 265 static noinline_for_stack int 266 nf_log_dump_udp_header(struct nf_log_buf *m, 267 const struct sk_buff *skb, 268 u8 proto, int fragment, 269 unsigned int offset) 270 { 271 struct udphdr _udph; 272 const struct udphdr *uh; 273 274 if (proto == IPPROTO_UDP) 275 /* Max length: 10 "PROTO=UDP " */ 276 nf_log_buf_add(m, "PROTO=UDP "); 277 else /* Max length: 14 "PROTO=UDPLITE " */ 278 nf_log_buf_add(m, "PROTO=UDPLITE "); 279 280 if (fragment) 281 goto out; 282 283 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 284 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 285 if (!uh) { 286 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset); 287 288 return 1; 289 } 290 291 /* Max length: 20 "SPT=65535 DPT=65535 " */ 292 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ", 293 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len)); 294 295 out: 296 return 0; 297 } 298 299 /* One level of recursion won't kill us */ 300 static noinline_for_stack void 301 dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 302 const struct nf_loginfo *info, 303 const struct sk_buff *skb, unsigned int iphoff) 304 { 305 const struct iphdr *ih; 306 unsigned int logflags; 307 struct iphdr _iph; 308 309 if (info->type == NF_LOG_TYPE_LOG) 310 logflags = info->u.log.logflags; 311 else 312 logflags = NF_LOG_DEFAULT_MASK; 313 314 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 315 if (!ih) { 316 nf_log_buf_add(m, "TRUNCATED"); 317 return; 318 } 319 320 /* Important fields: 321 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. 322 * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " 323 */ 324 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr); 325 326 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 327 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 328 iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK, 329 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 330 331 /* Max length: 6 "CE DF MF " */ 332 if (ntohs(ih->frag_off) & IP_CE) 333 nf_log_buf_add(m, "CE "); 334 if (ntohs(ih->frag_off) & IP_DF) 335 nf_log_buf_add(m, "DF "); 336 if (ntohs(ih->frag_off) & IP_MF) 337 nf_log_buf_add(m, "MF "); 338 339 /* Max length: 11 "FRAG:65535 " */ 340 if (ntohs(ih->frag_off) & IP_OFFSET) 341 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 342 343 if ((logflags & NF_LOG_IPOPT) && 344 ih->ihl * 4 > sizeof(struct iphdr)) { 345 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 346 const unsigned char *op; 347 unsigned int i, optsize; 348 349 optsize = ih->ihl * 4 - sizeof(struct iphdr); 350 op = skb_header_pointer(skb, iphoff + sizeof(_iph), 351 optsize, _opt); 352 if (!op) { 353 nf_log_buf_add(m, "TRUNCATED"); 354 return; 355 } 356 357 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 358 nf_log_buf_add(m, "OPT ("); 359 for (i = 0; i < optsize; i++) 360 nf_log_buf_add(m, "%02X", op[i]); 361 nf_log_buf_add(m, ") "); 362 } 363 364 switch (ih->protocol) { 365 case IPPROTO_TCP: 366 if (nf_log_dump_tcp_header(m, skb, ih->protocol, 367 ntohs(ih->frag_off) & IP_OFFSET, 368 iphoff + ih->ihl * 4, logflags)) 369 return; 370 break; 371 case IPPROTO_UDP: 372 case IPPROTO_UDPLITE: 373 if (nf_log_dump_udp_header(m, skb, ih->protocol, 374 ntohs(ih->frag_off) & IP_OFFSET, 375 iphoff + ih->ihl * 4)) 376 return; 377 break; 378 case IPPROTO_ICMP: { 379 static const size_t required_len[NR_ICMP_TYPES + 1] = { 380 [ICMP_ECHOREPLY] = 4, 381 [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr), 382 [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr), 383 [ICMP_REDIRECT] = 8 + sizeof(struct iphdr), 384 [ICMP_ECHO] = 4, 385 [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr), 386 [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr), 387 [ICMP_TIMESTAMP] = 20, 388 [ICMP_TIMESTAMPREPLY] = 20, 389 [ICMP_ADDRESS] = 12, 390 [ICMP_ADDRESSREPLY] = 12 }; 391 const struct icmphdr *ich; 392 struct icmphdr _icmph; 393 394 /* Max length: 11 "PROTO=ICMP " */ 395 nf_log_buf_add(m, "PROTO=ICMP "); 396 397 if (ntohs(ih->frag_off) & IP_OFFSET) 398 break; 399 400 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 401 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 402 sizeof(_icmph), &_icmph); 403 if (!ich) { 404 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 405 skb->len - iphoff - ih->ihl * 4); 406 break; 407 } 408 409 /* Max length: 18 "TYPE=255 CODE=255 " */ 410 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code); 411 412 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 413 if (ich->type <= NR_ICMP_TYPES && 414 required_len[ich->type] && 415 skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) { 416 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 417 skb->len - iphoff - ih->ihl * 4); 418 break; 419 } 420 421 switch (ich->type) { 422 case ICMP_ECHOREPLY: 423 case ICMP_ECHO: 424 /* Max length: 19 "ID=65535 SEQ=65535 " */ 425 nf_log_buf_add(m, "ID=%u SEQ=%u ", 426 ntohs(ich->un.echo.id), 427 ntohs(ich->un.echo.sequence)); 428 break; 429 430 case ICMP_PARAMETERPROB: 431 /* Max length: 14 "PARAMETER=255 " */ 432 nf_log_buf_add(m, "PARAMETER=%u ", 433 ntohl(ich->un.gateway) >> 24); 434 break; 435 case ICMP_REDIRECT: 436 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 437 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway); 438 fallthrough; 439 case ICMP_DEST_UNREACH: 440 case ICMP_SOURCE_QUENCH: 441 case ICMP_TIME_EXCEEDED: 442 /* Max length: 3+maxlen */ 443 if (!iphoff) { /* Only recurse once. */ 444 nf_log_buf_add(m, "["); 445 dump_ipv4_packet(net, m, info, skb, 446 iphoff + ih->ihl * 4 + sizeof(_icmph)); 447 nf_log_buf_add(m, "] "); 448 } 449 450 /* Max length: 10 "MTU=65535 " */ 451 if (ich->type == ICMP_DEST_UNREACH && 452 ich->code == ICMP_FRAG_NEEDED) { 453 nf_log_buf_add(m, "MTU=%u ", 454 ntohs(ich->un.frag.mtu)); 455 } 456 } 457 break; 458 } 459 /* Max Length */ 460 case IPPROTO_AH: { 461 const struct ip_auth_hdr *ah; 462 struct ip_auth_hdr _ahdr; 463 464 if (ntohs(ih->frag_off) & IP_OFFSET) 465 break; 466 467 /* Max length: 9 "PROTO=AH " */ 468 nf_log_buf_add(m, "PROTO=AH "); 469 470 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 471 ah = skb_header_pointer(skb, iphoff + ih->ihl * 4, 472 sizeof(_ahdr), &_ahdr); 473 if (!ah) { 474 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 475 skb->len - iphoff - ih->ihl * 4); 476 break; 477 } 478 479 /* Length: 15 "SPI=0xF1234567 " */ 480 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 481 break; 482 } 483 case IPPROTO_ESP: { 484 const struct ip_esp_hdr *eh; 485 struct ip_esp_hdr _esph; 486 487 /* Max length: 10 "PROTO=ESP " */ 488 nf_log_buf_add(m, "PROTO=ESP "); 489 490 if (ntohs(ih->frag_off) & IP_OFFSET) 491 break; 492 493 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 494 eh = skb_header_pointer(skb, iphoff + ih->ihl * 4, 495 sizeof(_esph), &_esph); 496 if (!eh) { 497 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 498 skb->len - iphoff - ih->ihl * 4); 499 break; 500 } 501 502 /* Length: 15 "SPI=0xF1234567 " */ 503 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi)); 504 break; 505 } 506 /* Max length: 10 "PROTO 255 " */ 507 default: 508 nf_log_buf_add(m, "PROTO=%u ", ih->protocol); 509 } 510 511 /* Max length: 15 "UID=4294967295 " */ 512 if ((logflags & NF_LOG_UID) && !iphoff) 513 nf_log_dump_sk_uid_gid(net, m, skb->sk); 514 515 /* Max length: 16 "MARK=0xFFFFFFFF " */ 516 if (!iphoff && skb->mark) 517 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 518 519 /* Proto Max log string length */ 520 /* IP: 40+46+6+11+127 = 230 */ 521 /* TCP: 10+max(25,20+30+13+9+35+11+127) = 255 */ 522 /* UDP: 10+max(25,20) = 35 */ 523 /* UDPLITE: 14+max(25,20) = 39 */ 524 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 525 /* ESP: 10+max(25)+15 = 50 */ 526 /* AH: 9+max(25)+15 = 49 */ 527 /* unknown: 10 */ 528 529 /* (ICMP allows recursion one level deep) */ 530 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 531 /* maxlen = 230+ 91 + 230 + 255 = 806 */ 532 } 533 534 static noinline_for_stack void 535 dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 536 const struct nf_loginfo *info, 537 const struct sk_buff *skb, unsigned int ip6hoff, 538 int recurse) 539 { 540 const struct ipv6hdr *ih; 541 unsigned int hdrlen = 0; 542 unsigned int logflags; 543 struct ipv6hdr _ip6h; 544 unsigned int ptr; 545 u8 currenthdr; 546 int fragment; 547 548 if (info->type == NF_LOG_TYPE_LOG) 549 logflags = info->u.log.logflags; 550 else 551 logflags = NF_LOG_DEFAULT_MASK; 552 553 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h); 554 if (!ih) { 555 nf_log_buf_add(m, "TRUNCATED"); 556 return; 557 } 558 559 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */ 560 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr); 561 562 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */ 563 nf_log_buf_add(m, "LEN=%zu TC=%u HOPLIMIT=%u FLOWLBL=%u ", 564 ntohs(ih->payload_len) + sizeof(struct ipv6hdr), 565 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20, 566 ih->hop_limit, 567 (ntohl(*(__be32 *)ih) & 0x000fffff)); 568 569 fragment = 0; 570 ptr = ip6hoff + sizeof(struct ipv6hdr); 571 currenthdr = ih->nexthdr; 572 while (currenthdr != NEXTHDR_NONE && nf_ip6_ext_hdr(currenthdr)) { 573 struct ipv6_opt_hdr _hdr; 574 const struct ipv6_opt_hdr *hp; 575 576 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); 577 if (!hp) { 578 nf_log_buf_add(m, "TRUNCATED"); 579 return; 580 } 581 582 /* Max length: 48 "OPT (...) " */ 583 if (logflags & NF_LOG_IPOPT) 584 nf_log_buf_add(m, "OPT ( "); 585 586 switch (currenthdr) { 587 case IPPROTO_FRAGMENT: { 588 struct frag_hdr _fhdr; 589 const struct frag_hdr *fh; 590 591 nf_log_buf_add(m, "FRAG:"); 592 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 593 &_fhdr); 594 if (!fh) { 595 nf_log_buf_add(m, "TRUNCATED "); 596 return; 597 } 598 599 /* Max length: 6 "65535 " */ 600 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8); 601 602 /* Max length: 11 "INCOMPLETE " */ 603 if (fh->frag_off & htons(0x0001)) 604 nf_log_buf_add(m, "INCOMPLETE "); 605 606 nf_log_buf_add(m, "ID:%08x ", 607 ntohl(fh->identification)); 608 609 if (ntohs(fh->frag_off) & 0xFFF8) 610 fragment = 1; 611 612 hdrlen = 8; 613 break; 614 } 615 case IPPROTO_DSTOPTS: 616 case IPPROTO_ROUTING: 617 case IPPROTO_HOPOPTS: 618 if (fragment) { 619 if (logflags & NF_LOG_IPOPT) 620 nf_log_buf_add(m, ")"); 621 return; 622 } 623 hdrlen = ipv6_optlen(hp); 624 break; 625 /* Max Length */ 626 case IPPROTO_AH: 627 if (logflags & NF_LOG_IPOPT) { 628 struct ip_auth_hdr _ahdr; 629 const struct ip_auth_hdr *ah; 630 631 /* Max length: 3 "AH " */ 632 nf_log_buf_add(m, "AH "); 633 634 if (fragment) { 635 nf_log_buf_add(m, ")"); 636 return; 637 } 638 639 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr), 640 &_ahdr); 641 if (!ah) { 642 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 643 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 644 skb->len - ptr); 645 return; 646 } 647 648 /* Length: 15 "SPI=0xF1234567 */ 649 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi)); 650 } 651 652 hdrlen = ipv6_authlen(hp); 653 break; 654 case IPPROTO_ESP: 655 if (logflags & NF_LOG_IPOPT) { 656 struct ip_esp_hdr _esph; 657 const struct ip_esp_hdr *eh; 658 659 /* Max length: 4 "ESP " */ 660 nf_log_buf_add(m, "ESP "); 661 662 if (fragment) { 663 nf_log_buf_add(m, ")"); 664 return; 665 } 666 667 /* Max length: 26 "INCOMPLETE [65535 bytes] )" */ 668 eh = skb_header_pointer(skb, ptr, sizeof(_esph), 669 &_esph); 670 if (!eh) { 671 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )", 672 skb->len - ptr); 673 return; 674 } 675 676 /* Length: 16 "SPI=0xF1234567 )" */ 677 nf_log_buf_add(m, "SPI=0x%x )", 678 ntohl(eh->spi)); 679 } 680 return; 681 default: 682 /* Max length: 20 "Unknown Ext Hdr 255" */ 683 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr); 684 return; 685 } 686 if (logflags & NF_LOG_IPOPT) 687 nf_log_buf_add(m, ") "); 688 689 currenthdr = hp->nexthdr; 690 ptr += hdrlen; 691 } 692 693 switch (currenthdr) { 694 case IPPROTO_TCP: 695 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment, 696 ptr, logflags)) 697 return; 698 break; 699 case IPPROTO_UDP: 700 case IPPROTO_UDPLITE: 701 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr)) 702 return; 703 break; 704 case IPPROTO_ICMPV6: { 705 struct icmp6hdr _icmp6h; 706 const struct icmp6hdr *ic; 707 708 /* Max length: 13 "PROTO=ICMPv6 " */ 709 nf_log_buf_add(m, "PROTO=ICMPv6 "); 710 711 if (fragment) 712 break; 713 714 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 715 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h); 716 if (!ic) { 717 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", 718 skb->len - ptr); 719 return; 720 } 721 722 /* Max length: 18 "TYPE=255 CODE=255 " */ 723 nf_log_buf_add(m, "TYPE=%u CODE=%u ", 724 ic->icmp6_type, ic->icmp6_code); 725 726 switch (ic->icmp6_type) { 727 case ICMPV6_ECHO_REQUEST: 728 case ICMPV6_ECHO_REPLY: 729 /* Max length: 19 "ID=65535 SEQ=65535 " */ 730 nf_log_buf_add(m, "ID=%u SEQ=%u ", 731 ntohs(ic->icmp6_identifier), 732 ntohs(ic->icmp6_sequence)); 733 break; 734 case ICMPV6_MGM_QUERY: 735 case ICMPV6_MGM_REPORT: 736 case ICMPV6_MGM_REDUCTION: 737 break; 738 739 case ICMPV6_PARAMPROB: 740 /* Max length: 17 "POINTER=ffffffff " */ 741 nf_log_buf_add(m, "POINTER=%08x ", 742 ntohl(ic->icmp6_pointer)); 743 fallthrough; 744 case ICMPV6_DEST_UNREACH: 745 case ICMPV6_PKT_TOOBIG: 746 case ICMPV6_TIME_EXCEED: 747 /* Max length: 3+maxlen */ 748 if (recurse) { 749 nf_log_buf_add(m, "["); 750 dump_ipv6_packet(net, m, info, skb, 751 ptr + sizeof(_icmp6h), 0); 752 nf_log_buf_add(m, "] "); 753 } 754 755 /* Max length: 10 "MTU=65535 " */ 756 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) { 757 nf_log_buf_add(m, "MTU=%u ", 758 ntohl(ic->icmp6_mtu)); 759 } 760 } 761 break; 762 } 763 /* Max length: 10 "PROTO=255 " */ 764 default: 765 nf_log_buf_add(m, "PROTO=%u ", currenthdr); 766 } 767 768 /* Max length: 15 "UID=4294967295 " */ 769 if ((logflags & NF_LOG_UID) && recurse) 770 nf_log_dump_sk_uid_gid(net, m, skb->sk); 771 772 /* Max length: 16 "MARK=0xFFFFFFFF " */ 773 if (recurse && skb->mark) 774 nf_log_buf_add(m, "MARK=0x%x ", skb->mark); 775 } 776 777 static void dump_mac_header(struct nf_log_buf *m, 778 const struct nf_loginfo *info, 779 const struct sk_buff *skb) 780 { 781 struct net_device *dev = skb->dev; 782 unsigned int logflags = 0; 783 784 if (info->type == NF_LOG_TYPE_LOG) 785 logflags = info->u.log.logflags; 786 787 if (!(logflags & NF_LOG_MACDECODE)) 788 goto fallback; 789 790 switch (dev->type) { 791 case ARPHRD_ETHER: 792 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", 793 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); 794 nf_log_dump_vlan(m, skb); 795 nf_log_buf_add(m, "MACPROTO=%04x ", 796 ntohs(eth_hdr(skb)->h_proto)); 797 return; 798 default: 799 break; 800 } 801 802 fallback: 803 nf_log_buf_add(m, "MAC="); 804 if (dev->hard_header_len && 805 skb->mac_header != skb->network_header) { 806 const unsigned char *p = skb_mac_header(skb); 807 unsigned int i; 808 809 if (dev->type == ARPHRD_SIT) { 810 p -= ETH_HLEN; 811 812 if (p < skb->head) 813 p = NULL; 814 } 815 816 if (p) { 817 nf_log_buf_add(m, "%02x", *p++); 818 for (i = 1; i < dev->hard_header_len; i++) 819 nf_log_buf_add(m, ":%02x", *p++); 820 } 821 822 if (dev->type == ARPHRD_SIT) { 823 const struct iphdr *iph = 824 (struct iphdr *)skb_mac_header(skb); 825 826 nf_log_buf_add(m, " TUNNEL=%pI4->%pI4", &iph->saddr, 827 &iph->daddr); 828 } 829 } 830 nf_log_buf_add(m, " "); 831 } 832 833 static void nf_log_ip_packet(struct net *net, u_int8_t pf, 834 unsigned int hooknum, const struct sk_buff *skb, 835 const struct net_device *in, 836 const struct net_device *out, 837 const struct nf_loginfo *loginfo, 838 const char *prefix) 839 { 840 struct nf_log_buf *m; 841 842 if (!nf_log_allowed(net)) 843 return; 844 845 m = nf_log_buf_open(); 846 847 if (!loginfo) 848 loginfo = &default_loginfo; 849 850 nf_log_dump_packet_common(m, pf, hooknum, skb, in, 851 out, loginfo, prefix, net); 852 853 if (in) 854 dump_mac_header(m, loginfo, skb); 855 856 dump_ipv4_packet(net, m, loginfo, skb, skb_network_offset(skb)); 857 858 nf_log_buf_close(m); 859 } 860 861 static struct nf_logger nf_ip_logger __read_mostly = { 862 .name = "nf_log_ipv4", 863 .type = NF_LOG_TYPE_LOG, 864 .logfn = nf_log_ip_packet, 865 .me = THIS_MODULE, 866 }; 867 868 static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 869 unsigned int hooknum, const struct sk_buff *skb, 870 const struct net_device *in, 871 const struct net_device *out, 872 const struct nf_loginfo *loginfo, 873 const char *prefix) 874 { 875 struct nf_log_buf *m; 876 877 if (!nf_log_allowed(net)) 878 return; 879 880 m = nf_log_buf_open(); 881 882 if (!loginfo) 883 loginfo = &default_loginfo; 884 885 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, 886 loginfo, prefix, net); 887 888 if (in) 889 dump_mac_header(m, loginfo, skb); 890 891 dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 892 893 nf_log_buf_close(m); 894 } 895 896 static struct nf_logger nf_ip6_logger __read_mostly = { 897 .name = "nf_log_ipv6", 898 .type = NF_LOG_TYPE_LOG, 899 .logfn = nf_log_ip6_packet, 900 .me = THIS_MODULE, 901 }; 902 903 static void nf_log_unknown_packet(struct net *net, u_int8_t pf, 904 unsigned int hooknum, 905 const struct sk_buff *skb, 906 const struct net_device *in, 907 const struct net_device *out, 908 const struct nf_loginfo *loginfo, 909 const char *prefix) 910 { 911 struct nf_log_buf *m; 912 913 if (!nf_log_allowed(net)) 914 return; 915 916 m = nf_log_buf_open(); 917 918 if (!loginfo) 919 loginfo = &default_loginfo; 920 921 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, 922 prefix, net); 923 924 dump_mac_header(m, loginfo, skb); 925 926 nf_log_buf_close(m); 927 } 928 929 static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 930 unsigned int hooknum, 931 const struct sk_buff *skb, 932 const struct net_device *in, 933 const struct net_device *out, 934 const struct nf_loginfo *loginfo, 935 const char *prefix) 936 { 937 switch (skb->protocol) { 938 case htons(ETH_P_IP): 939 nf_log_ip_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 940 break; 941 case htons(ETH_P_IPV6): 942 nf_log_ip6_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 943 break; 944 case htons(ETH_P_ARP): 945 case htons(ETH_P_RARP): 946 nf_log_arp_packet(net, pf, hooknum, skb, in, out, loginfo, prefix); 947 break; 948 default: 949 nf_log_unknown_packet(net, pf, hooknum, skb, 950 in, out, loginfo, prefix); 951 break; 952 } 953 } 954 955 static struct nf_logger nf_netdev_logger __read_mostly = { 956 .name = "nf_log_netdev", 957 .type = NF_LOG_TYPE_LOG, 958 .logfn = nf_log_netdev_packet, 959 .me = THIS_MODULE, 960 }; 961 962 static struct nf_logger nf_bridge_logger __read_mostly = { 963 .name = "nf_log_bridge", 964 .type = NF_LOG_TYPE_LOG, 965 .logfn = nf_log_netdev_packet, 966 .me = THIS_MODULE, 967 }; 968 969 static int __net_init nf_log_syslog_net_init(struct net *net) 970 { 971 int ret = nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger); 972 973 if (ret) 974 return ret; 975 976 ret = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger); 977 if (ret) 978 goto err1; 979 980 ret = nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger); 981 if (ret) 982 goto err2; 983 984 ret = nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 985 if (ret) 986 goto err3; 987 988 ret = nf_log_set(net, NFPROTO_BRIDGE, &nf_bridge_logger); 989 if (ret) 990 goto err4; 991 return 0; 992 err4: 993 nf_log_unset(net, &nf_netdev_logger); 994 err3: 995 nf_log_unset(net, &nf_ip6_logger); 996 err2: 997 nf_log_unset(net, &nf_arp_logger); 998 err1: 999 nf_log_unset(net, &nf_ip_logger); 1000 return ret; 1001 } 1002 1003 static void __net_exit nf_log_syslog_net_exit(struct net *net) 1004 { 1005 nf_log_unset(net, &nf_ip_logger); 1006 nf_log_unset(net, &nf_arp_logger); 1007 nf_log_unset(net, &nf_ip6_logger); 1008 nf_log_unset(net, &nf_netdev_logger); 1009 nf_log_unset(net, &nf_bridge_logger); 1010 } 1011 1012 static struct pernet_operations nf_log_syslog_net_ops = { 1013 .init = nf_log_syslog_net_init, 1014 .exit = nf_log_syslog_net_exit, 1015 }; 1016 1017 static int __init nf_log_syslog_init(void) 1018 { 1019 int ret; 1020 1021 ret = register_pernet_subsys(&nf_log_syslog_net_ops); 1022 if (ret < 0) 1023 return ret; 1024 1025 ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger); 1026 if (ret < 0) 1027 goto err1; 1028 1029 ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger); 1030 if (ret < 0) 1031 goto err2; 1032 1033 ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger); 1034 if (ret < 0) 1035 goto err3; 1036 1037 ret = nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 1038 if (ret < 0) 1039 goto err4; 1040 1041 ret = nf_log_register(NFPROTO_BRIDGE, &nf_bridge_logger); 1042 if (ret < 0) 1043 goto err5; 1044 1045 return 0; 1046 err5: 1047 nf_log_unregister(&nf_netdev_logger); 1048 err4: 1049 nf_log_unregister(&nf_ip6_logger); 1050 err3: 1051 nf_log_unregister(&nf_arp_logger); 1052 err2: 1053 nf_log_unregister(&nf_ip_logger); 1054 err1: 1055 pr_err("failed to register logger\n"); 1056 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1057 return ret; 1058 } 1059 1060 static void __exit nf_log_syslog_exit(void) 1061 { 1062 unregister_pernet_subsys(&nf_log_syslog_net_ops); 1063 nf_log_unregister(&nf_ip_logger); 1064 nf_log_unregister(&nf_arp_logger); 1065 nf_log_unregister(&nf_ip6_logger); 1066 nf_log_unregister(&nf_netdev_logger); 1067 nf_log_unregister(&nf_bridge_logger); 1068 } 1069 1070 module_init(nf_log_syslog_init); 1071 module_exit(nf_log_syslog_exit); 1072 1073 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 1074 MODULE_DESCRIPTION("Netfilter syslog packet logging"); 1075 MODULE_LICENSE("GPL"); 1076 MODULE_ALIAS("nf_log_arp"); 1077 MODULE_ALIAS("nf_log_bridge"); 1078 MODULE_ALIAS("nf_log_ipv4"); 1079 MODULE_ALIAS("nf_log_ipv6"); 1080 MODULE_ALIAS("nf_log_netdev"); 1081 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 0); 1082 MODULE_ALIAS_NF_LOGGER(AF_INET, 0); 1083 MODULE_ALIAS_NF_LOGGER(3, 0); 1084 MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */ 1085 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0); 1086