
Commit 30e0c6a

Gao feng authored and ummakynes committed
netfilter: nf_log: prepare net namespace support for loggers
This patch adds netns support to nf_log and prepares netns support for the existing loggers. It is composed of four major changes. 1) nf_log_register has been split into two functions: nf_log_register and nf_log_set. The new nf_log_register is used to globally register the nf_logger and nf_log_set is used for enabling per-net support from nf_loggers. Per-netns support is not yet complete after this patch; it comes in separate follow-up patches. 2) Add net as a parameter of nf_log_bind_pf. Per-netns support is not yet complete after this patch: it only allows binding the nf_logger to the protocol family from init_net and skips the other cases. 3) Adapt all nf_log_packet callers to pass netns as a parameter. After this patch, this function only works for init_net. 4) Make the sysctl net/netfilter/nf_log per-net. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent f3c1a44 commit 30e0c6a

16 files changed

+233
-100
lines changed

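--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -49,12 +49,18 @@ struct nf_logger {
 int nf_log_register(u_int8_t pf, struct nf_logger *logger);
 void nf_log_unregister(struct nf_logger *logger);
 
-int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger);
-void nf_log_unbind_pf(u_int8_t pf);
+void nf_log_set(struct net *net, u_int8_t pf,
+		const struct nf_logger *logger);
+void nf_log_unset(struct net *net, const struct nf_logger *logger);
+
+int nf_log_bind_pf(struct net *net, u_int8_t pf,
+		   const struct nf_logger *logger);
+void nf_log_unbind_pf(struct net *net, u_int8_t pf);
 
 /* Calls the registered backend logging function */
-__printf(7, 8)
-void nf_log_packet(u_int8_t pf,
+__printf(8, 9)
+void nf_log_packet(struct net *net,
+		   u_int8_t pf,
 		   unsigned int hooknum,
 		   const struct sk_buff *skb,
 		   const struct net_device *in,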
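Review bot: The new `net` parameter on nf_log_packet() and nf_log_bind_pf() is left undocumented in the header, and the commit description says that after this patch only init_net is actually served, so a caller passing another namespace will not get what the signature suggests until the follow-ups land. I would extend the existing comment to `/* Calls the registered backend logging function for @net's logger bound to @pf (only init_net is served until per-netns support is complete) */` and add a one-line comment above nf_log_set()/nf_log_unset() saying they enable or disable an already nf_log_register()ed logger for a single netns. The `__printf(8, 9)` update correctly tracks the shifted format argument. The nf_log_packet prototype continues past the end of this hunk.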

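--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -2,10 +2,17 @@
 #define __NETNS_NETFILTER_H
 
 #include <linux/proc_fs.h>
+#include <linux/netfilter.h>
+
+struct nf_logger;
 
 struct netns_nf {
 #if defined CONFIG_PROC_FS
 	struct proc_dir_entry *proc_netfilter;
+#endif
+	const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
+#ifdef CONFIG_SYSCTL
+	struct ctl_table_header *nf_log_dir_header;
 #endif
 };
 #endif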
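Review bot: The new `nf_loggers[NFPROTO_NUMPROTO]` array in struct netns_nf carries no comment, and nothing in this hunk shows who initialises it or what serialises writers; the `__rcu` annotation implies readers go through rcu_dereference() and writers through rcu_assign_pointer() under some lock, presumably in nf_log.c, but that cannot be confirmed from here. I would add above it `/* Per-netns logger bound to each protocol family; RCU-protected, written only via nf_log_set()/nf_log_bind_pf() */`. Note also that `#include <linux/netfilter.h>` is now pulled into the netns header solely for NFPROTO_NUMPROTO; if that widens the include graph noticeably, moving the constant to a lighter header is an option.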

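--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -176,17 +176,18 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct ebt_log_info *info = par->targinfo;
 	struct nf_loginfo li;
+	struct net *net = dev_net(par->in ? par->in : par->out);
 
 	li.type = NF_LOG_TYPE_LOG;
 	li.u.log.level = info->loglevel;
 	li.u.log.logflags = info->bitmask;
 
 	if (info->bitmask & EBT_LOG_NFLOG)
-		nf_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
-			      par->out, &li, "%s", info->prefix);
+		nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
+			      par->in, par->out, &li, "%s", info->prefix);
 	else
 		ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
-			      par->out, &li, info->prefix);
+			       par->out, &li, info->prefix);
 	return EBT_CONTINUE;
 }
 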
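Review bot: `dev_net(par->in ? par->in : par->out)` on new line 179 will dereference NULL if both devices are NULL; that is presumably unreachable on the bridge hook path, but the expression encodes the invariant silently, and the identical idiom is repeated in ebt_nflog.c, ip_tables.c and ip6_tables.c in this same commit. A single inline helper in a shared header, for example `static inline struct net *xt_hook_net(const struct net_device *in, const struct net_device *out) { return dev_net(in ? in : out); }`, would give the assumption one place to be documented and, if ever wanted, one place for a WARN_ON(). The `else` branch still calls ebt_log_packet() without `net`, which is consistent with the description saying logger-side netns support comes in follow-up patches.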

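--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -24,14 +24,15 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct ebt_nflog_info *info = par->targinfo;
 	struct nf_loginfo li;
+	struct net *net = dev_net(par->in ? par->in : par->out);
 
 	li.type = NF_LOG_TYPE_ULOG;
 	li.u.ulog.copy_len = info->len;
 	li.u.ulog.group = info->group;
 	li.u.ulog.qthreshold = info->threshold;
 
-	nf_log_packet(PF_BRIDGE, par->hooknum, skb, par->in, par->out,
-		      &li, "%s", info->prefix);
+	nf_log_packet(net, PF_BRIDGE, par->hooknum, skb, par->in,
+		      par->out, &li, "%s", info->prefix);
 	return EBT_CONTINUE;
 }
 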

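--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -258,6 +258,7 @@ static void trace_packet(const struct sk_buff *skb,
 	const char *hookname, *chainname, *comment;
 	const struct ipt_entry *iter;
 	unsigned int rulenum = 0;
+	struct net *net = dev_net(in ? in : out);
 
 	table_base = private->entries[smp_processor_id()];
 	root = get_entry(table_base, private->hook_entry[hook]);
@@ -270,7 +271,7 @@ static void trace_packet(const struct sk_buff *skb,
 			    &chainname, &comment, &rulenum) != 0)
 			break;
 
-		nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
+		nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo,
 			      "TRACE: %s:%s:%s:%u ",
 			      tablename, chainname, comment, rulenum);
 	}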

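--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -187,16 +187,16 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
 	icmph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_ih), &_ih);
 	if (icmph == NULL) {
 		if (LOG_INVALID(net, IPPROTO_ICMP))
-			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-				      "nf_ct_icmp: short packet ");
+			nf_log_packet(net, PF_INET, 0, skb, NULL, NULL,
+				      NULL, "nf_ct_icmp: short packet ");
 		return -NF_ACCEPT;
 	}
 
 	/* See ip_conntrack_proto_tcp.c */
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    nf_ip_checksum(skb, hooknum, dataoff, 0)) {
 		if (LOG_INVALID(net, IPPROTO_ICMP))
-			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_icmp: bad HW ICMP checksum ");
 		return -NF_ACCEPT;
 	}
@@ -209,7 +209,7 @@ icmp_error(struct net *net, struct nf_conn *tmpl,
 	 */
 	if (icmph->type > NR_ICMP_TYPES) {
 		if (LOG_INVALID(net, IPPROTO_ICMP))
-			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, PF_INET, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_icmp: invalid ICMP type ");
 		return -NF_ACCEPT;
 	}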

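--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -284,6 +284,7 @@ static void trace_packet(const struct sk_buff *skb,
 	const char *hookname, *chainname, *comment;
 	const struct ip6t_entry *iter;
 	unsigned int rulenum = 0;
+	struct net *net = dev_net(in ? in : out);
 
 	table_base = private->entries[smp_processor_id()];
 	root = get_entry(table_base, private->hook_entry[hook]);
@@ -296,7 +297,7 @@ static void trace_packet(const struct sk_buff *skb,
 			    &chainname, &comment, &rulenum) != 0)
 			break;
 
-		nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
+		nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
 			      "TRACE: %s:%s:%s:%u ",
 			      tablename, chainname, comment, rulenum);
 	}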

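--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -131,7 +131,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 			 type + 128);
 		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
 		if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
-			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
+				      NULL, NULL,
 				      "nf_ct_icmpv6: invalid new with type %d ",
 				      type + 128);
 		return false;
@@ -203,15 +204,15 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
 	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
 	if (icmp6h == NULL) {
 		if (LOG_INVALID(net, IPPROTO_ICMPV6))
-			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_icmpv6: short packet ");
 		return -NF_ACCEPT;
 	}
 
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
 		if (LOG_INVALID(net, IPPROTO_ICMPV6))
-			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_icmpv6: ICMPv6 checksum failed ");
 		return -NF_ACCEPT;
 	}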
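Review bot: In icmpv6_new, `nf_ct_net(ct)` is now evaluated twice in two consecutive lines (the LOG_INVALID() test on line 133 and the new nf_log_packet() argument on line 134), which is harder to read than the `net` local that dccp_new in this same commit already uses for the identical pattern. I would declare `struct net *net = nf_ct_net(ct);` at the top of icmpv6_new and use `net` in both places, so the call shrinks back to one continuation line like its siblings. icmpv6_new's declarations and the rest of its body are outside this hunk, so the local would have to be added there.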

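--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -353,7 +353,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 	/* rcu_read_lock()ed by nf_hook_slow */
 	helper = rcu_dereference(help->helper);
 
-	nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
+	nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
 		      "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf);
 
 	va_end(args);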

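--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -456,7 +456,8 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
 
 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
-		nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg);
+		nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
+			      NULL, msg);
 	return false;
 }
 
@@ -542,13 +543,13 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 
 		spin_unlock_bh(&ct->lock);
 		if (LOG_INVALID(net, IPPROTO_DCCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_dccp: invalid packet ignored ");
 		return NF_ACCEPT;
 	case CT_DCCP_INVALID:
 		spin_unlock_bh(&ct->lock);
 		if (LOG_INVALID(net, IPPROTO_DCCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_dccp: invalid state transition ");
 		return -NF_ACCEPT;
 	}
@@ -613,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
 
 out_invalid:
 	if (LOG_INVALID(net, IPPROTO_DCCP))
-		nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg);
+		nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg);
 	return -NF_ACCEPT;
 }
 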
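Review bot: In the `out_invalid` paths of dccp_new (new line 459) and dccp_error (new line 617), `msg` is passed to nf_log_packet() as the format string rather than as an argument, so the call is only safe as long as every value ever assigned to `msg` is a literal containing no conversion specifiers; those assignments are outside the hunks shown, so that cannot be confirmed here. Because nf_log_packet() is `__printf(8, 9)` after this series, a non-literal format with no trailing arguments is also exactly what -Wformat-security reports. The robust form costs nothing: `nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, "%s", msg);` in dccp_new and `nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);` in dccp_error. Both functions begin before their hunks.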

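--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -720,7 +720,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
 		    tn->tcp_be_liberal)
 			res = true;
 		if (!res && LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 			"nf_ct_tcp: %s ",
 			before(seq, sender->td_maxend + 1) ?
 			after(end, sender->td_end - receiver->td_maxwin - 1) ?
@@ -772,15 +772,15 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
 	th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
 	if (th == NULL) {
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_tcp: short packet ");
 		return -NF_ACCEPT;
 	}
 
 	/* Not whole TCP header or malformed packet */
 	if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_tcp: truncated/malformed packet ");
 		return -NF_ACCEPT;
 	}
@@ -793,7 +793,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_tcp: bad TCP checksum ");
 		return -NF_ACCEPT;
 	}
@@ -802,7 +802,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
 	tcpflags = (tcp_flag_byte(th) & ~(TCPHDR_ECE|TCPHDR_CWR|TCPHDR_PSH));
 	if (!tcp_valid_flags[tcpflags]) {
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_tcp: invalid TCP flag combination ");
 		return -NF_ACCEPT;
 	}
@@ -949,7 +949,7 @@ static int tcp_packet(struct nf_conn *ct,
 		}
 		spin_unlock_bh(&ct->lock);
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				  "nf_ct_tcp: invalid packet ignored in "
 				  "state %s ", tcp_conntrack_names[old_state]);
 		return NF_ACCEPT;
@@ -959,7 +959,7 @@ static int tcp_packet(struct nf_conn *ct,
 			 dir, get_conntrack_index(th), old_state);
 		spin_unlock_bh(&ct->lock);
 		if (LOG_INVALID(net, IPPROTO_TCP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				  "nf_ct_tcp: invalid state ");
 		return -NF_ACCEPT;
 	case TCP_CONNTRACK_CLOSE:
@@ -969,8 +969,8 @@ static int tcp_packet(struct nf_conn *ct,
 			/* Invalid RST  */
 			spin_unlock_bh(&ct->lock);
 			if (LOG_INVALID(net, IPPROTO_TCP))
-				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
-					  "nf_ct_tcp: invalid RST ");
+				nf_log_packet(net, pf, 0, skb, NULL, NULL,
+					  NULL, "nf_ct_tcp: invalid RST ");
 			return -NF_ACCEPT;
 		}
 		if (index == TCP_RST_SET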

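--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -119,15 +119,15 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
 	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
 	if (hdr == NULL) {
 		if (LOG_INVALID(net, IPPROTO_UDP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_udp: short packet ");
 		return -NF_ACCEPT;
 	}
 
 	/* Truncated/malformed packets */
 	if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
 		if (LOG_INVALID(net, IPPROTO_UDP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_udp: truncated/malformed packet ");
 		return -NF_ACCEPT;
 	}
@@ -143,7 +143,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
 		if (LOG_INVALID(net, IPPROTO_UDP))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_udp: bad UDP checksum ");
 		return -NF_ACCEPT;
 	}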

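--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -131,7 +131,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
 	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
 	if (hdr == NULL) {
 		if (LOG_INVALID(net, IPPROTO_UDPLITE))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_udplite: short packet ");
 		return -NF_ACCEPT;
 	}
@@ -141,15 +141,15 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
 		cscov = udplen;
 	else if (cscov < sizeof(*hdr) || cscov > udplen) {
 		if (LOG_INVALID(net, IPPROTO_UDPLITE))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_udplite: invalid checksum coverage ");
 		return -NF_ACCEPT;
 	}
 
 	/* UDPLITE mandates checksums */
 	if (!hdr->check) {
 		if (LOG_INVALID(net, IPPROTO_UDPLITE))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_udplite: checksum missing ");
 		return -NF_ACCEPT;
 	}
@@ -159,7 +159,7 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
 	    nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
 				pf)) {
 		if (LOG_INVALID(net, IPPROTO_UDPLITE))
-			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
 				      "nf_ct_udplite: bad UDPLite checksum ");
 		return -NF_ACCEPT;
 	}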
