Loading...
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * This is a module which is used for logging packets.
4 */
5
6/* (C) 1999-2001 Paul `Rusty' Russell
7 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
8 */
9
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11#include <linux/module.h>
12#include <linux/spinlock.h>
13#include <linux/skbuff.h>
14#include <linux/if_arp.h>
15#include <linux/ip.h>
16#include <net/ipv6.h>
17#include <net/icmp.h>
18#include <net/udp.h>
19#include <net/tcp.h>
20#include <net/route.h>
21
22#include <linux/netfilter.h>
23#include <linux/netfilter/x_tables.h>
24#include <linux/netfilter/xt_LOG.h>
25#include <linux/netfilter_ipv6/ip6_tables.h>
26#include <net/netfilter/nf_log.h>
27
28static unsigned int
29log_tg(struct sk_buff *skb, const struct xt_action_param *par)
30{
31 const struct xt_log_info *loginfo = par->targinfo;
32 struct net *net = xt_net(par);
33 struct nf_loginfo li;
34
35 li.type = NF_LOG_TYPE_LOG;
36 li.u.log.level = loginfo->level;
37 li.u.log.logflags = loginfo->logflags;
38
39 nf_log_packet(net, xt_family(par), xt_hooknum(par), skb, xt_in(par),
40 xt_out(par), &li, "%s", loginfo->prefix);
41 return XT_CONTINUE;
42}
43
44static int log_tg_check(const struct xt_tgchk_param *par)
45{
46 const struct xt_log_info *loginfo = par->targinfo;
47 int ret;
48
49 if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
50 return -EINVAL;
51
52 if (loginfo->level >= 8) {
53 pr_debug("level %u >= 8\n", loginfo->level);
54 return -EINVAL;
55 }
56
57 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
58 pr_debug("prefix is not null-terminated\n");
59 return -EINVAL;
60 }
61
62 ret = nf_logger_find_get(par->family, NF_LOG_TYPE_LOG);
63 if (ret != 0 && !par->nft_compat) {
64 request_module("%s", "nf_log_syslog");
65
66 ret = nf_logger_find_get(par->family, NF_LOG_TYPE_LOG);
67 }
68
69 return ret;
70}
71
72static void log_tg_destroy(const struct xt_tgdtor_param *par)
73{
74 nf_logger_put(par->family, NF_LOG_TYPE_LOG);
75}
76
77static struct xt_target log_tg_regs[] __read_mostly = {
78 {
79 .name = "LOG",
80 .family = NFPROTO_IPV4,
81 .target = log_tg,
82 .targetsize = sizeof(struct xt_log_info),
83 .checkentry = log_tg_check,
84 .destroy = log_tg_destroy,
85 .me = THIS_MODULE,
86 },
87#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
88 {
89 .name = "LOG",
90 .family = NFPROTO_IPV6,
91 .target = log_tg,
92 .targetsize = sizeof(struct xt_log_info),
93 .checkentry = log_tg_check,
94 .destroy = log_tg_destroy,
95 .me = THIS_MODULE,
96 },
97#endif
98};
99
100static int __init log_tg_init(void)
101{
102 return xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
103}
104
105static void __exit log_tg_exit(void)
106{
107 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
108}
109
110module_init(log_tg_init);
111module_exit(log_tg_exit);
112
113MODULE_LICENSE("GPL");
114MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
115MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
116MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
117MODULE_ALIAS("ipt_LOG");
118MODULE_ALIAS("ip6t_LOG");
119MODULE_SOFTDEP("pre: nf_log_syslog");
1/*
2 * This is a module which is used for logging packets.
3 */
4
5/* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
11 */
12
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14#include <linux/module.h>
15#include <linux/spinlock.h>
16#include <linux/skbuff.h>
17#include <linux/if_arp.h>
18#include <linux/ip.h>
19#include <net/ipv6.h>
20#include <net/icmp.h>
21#include <net/udp.h>
22#include <net/tcp.h>
23#include <net/route.h>
24
25#include <linux/netfilter.h>
26#include <linux/netfilter/x_tables.h>
27#include <linux/netfilter/xt_LOG.h>
28#include <linux/netfilter_ipv6/ip6_tables.h>
29#include <net/netfilter/nf_log.h>
30#include <net/netfilter/xt_log.h>
31
32static struct nf_loginfo default_loginfo = {
33 .type = NF_LOG_TYPE_LOG,
34 .u = {
35 .log = {
36 .level = 5,
37 .logflags = NF_LOG_MASK,
38 },
39 },
40};
41
42static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb,
43 u8 proto, int fragment, unsigned int offset)
44{
45 struct udphdr _udph;
46 const struct udphdr *uh;
47
48 if (proto == IPPROTO_UDP)
49 /* Max length: 10 "PROTO=UDP " */
50 sb_add(m, "PROTO=UDP ");
51 else /* Max length: 14 "PROTO=UDPLITE " */
52 sb_add(m, "PROTO=UDPLITE ");
53
54 if (fragment)
55 goto out;
56
57 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
58 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
59 if (uh == NULL) {
60 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
61
62 return 1;
63 }
64
65 /* Max length: 20 "SPT=65535 DPT=65535 " */
66 sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest),
67 ntohs(uh->len));
68
69out:
70 return 0;
71}
72
73static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
74 u8 proto, int fragment, unsigned int offset,
75 unsigned int logflags)
76{
77 struct tcphdr _tcph;
78 const struct tcphdr *th;
79
80 /* Max length: 10 "PROTO=TCP " */
81 sb_add(m, "PROTO=TCP ");
82
83 if (fragment)
84 return 0;
85
86 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
87 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
88 if (th == NULL) {
89 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
90 return 1;
91 }
92
93 /* Max length: 20 "SPT=65535 DPT=65535 " */
94 sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest));
95 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
96 if (logflags & XT_LOG_TCPSEQ)
97 sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq));
98
99 /* Max length: 13 "WINDOW=65535 " */
100 sb_add(m, "WINDOW=%u ", ntohs(th->window));
101 /* Max length: 9 "RES=0x3C " */
102 sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
103 TCP_RESERVED_BITS) >> 22));
104 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
105 if (th->cwr)
106 sb_add(m, "CWR ");
107 if (th->ece)
108 sb_add(m, "ECE ");
109 if (th->urg)
110 sb_add(m, "URG ");
111 if (th->ack)
112 sb_add(m, "ACK ");
113 if (th->psh)
114 sb_add(m, "PSH ");
115 if (th->rst)
116 sb_add(m, "RST ");
117 if (th->syn)
118 sb_add(m, "SYN ");
119 if (th->fin)
120 sb_add(m, "FIN ");
121 /* Max length: 11 "URGP=65535 " */
122 sb_add(m, "URGP=%u ", ntohs(th->urg_ptr));
123
124 if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) {
125 u_int8_t _opt[60 - sizeof(struct tcphdr)];
126 const u_int8_t *op;
127 unsigned int i;
128 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr);
129
130 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
131 optsize, _opt);
132 if (op == NULL) {
133 sb_add(m, "OPT (TRUNCATED)");
134 return 1;
135 }
136
137 /* Max length: 127 "OPT (" 15*4*2chars ") " */
138 sb_add(m, "OPT (");
139 for (i = 0; i < optsize; i++)
140 sb_add(m, "%02X", op[i]);
141
142 sb_add(m, ") ");
143 }
144
145 return 0;
146}
147
148/* One level of recursion won't kill us */
149static void dump_ipv4_packet(struct sbuff *m,
150 const struct nf_loginfo *info,
151 const struct sk_buff *skb,
152 unsigned int iphoff)
153{
154 struct iphdr _iph;
155 const struct iphdr *ih;
156 unsigned int logflags;
157
158 if (info->type == NF_LOG_TYPE_LOG)
159 logflags = info->u.log.logflags;
160 else
161 logflags = NF_LOG_MASK;
162
163 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
164 if (ih == NULL) {
165 sb_add(m, "TRUNCATED");
166 return;
167 }
168
169 /* Important fields:
170 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
171 /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
172 sb_add(m, "SRC=%pI4 DST=%pI4 ",
173 &ih->saddr, &ih->daddr);
174
175 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
176 sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
177 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
178 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
179
180 /* Max length: 6 "CE DF MF " */
181 if (ntohs(ih->frag_off) & IP_CE)
182 sb_add(m, "CE ");
183 if (ntohs(ih->frag_off) & IP_DF)
184 sb_add(m, "DF ");
185 if (ntohs(ih->frag_off) & IP_MF)
186 sb_add(m, "MF ");
187
188 /* Max length: 11 "FRAG:65535 " */
189 if (ntohs(ih->frag_off) & IP_OFFSET)
190 sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
191
192 if ((logflags & XT_LOG_IPOPT) &&
193 ih->ihl * 4 > sizeof(struct iphdr)) {
194 const unsigned char *op;
195 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
196 unsigned int i, optsize;
197
198 optsize = ih->ihl * 4 - sizeof(struct iphdr);
199 op = skb_header_pointer(skb, iphoff+sizeof(_iph),
200 optsize, _opt);
201 if (op == NULL) {
202 sb_add(m, "TRUNCATED");
203 return;
204 }
205
206 /* Max length: 127 "OPT (" 15*4*2chars ") " */
207 sb_add(m, "OPT (");
208 for (i = 0; i < optsize; i++)
209 sb_add(m, "%02X", op[i]);
210 sb_add(m, ") ");
211 }
212
213 switch (ih->protocol) {
214 case IPPROTO_TCP:
215 if (dump_tcp_header(m, skb, ih->protocol,
216 ntohs(ih->frag_off) & IP_OFFSET,
217 iphoff+ih->ihl*4, logflags))
218 return;
219 break;
220 case IPPROTO_UDP:
221 case IPPROTO_UDPLITE:
222 if (dump_udp_header(m, skb, ih->protocol,
223 ntohs(ih->frag_off) & IP_OFFSET,
224 iphoff+ih->ihl*4))
225 return;
226 break;
227 case IPPROTO_ICMP: {
228 struct icmphdr _icmph;
229 const struct icmphdr *ich;
230 static const size_t required_len[NR_ICMP_TYPES+1]
231 = { [ICMP_ECHOREPLY] = 4,
232 [ICMP_DEST_UNREACH]
233 = 8 + sizeof(struct iphdr),
234 [ICMP_SOURCE_QUENCH]
235 = 8 + sizeof(struct iphdr),
236 [ICMP_REDIRECT]
237 = 8 + sizeof(struct iphdr),
238 [ICMP_ECHO] = 4,
239 [ICMP_TIME_EXCEEDED]
240 = 8 + sizeof(struct iphdr),
241 [ICMP_PARAMETERPROB]
242 = 8 + sizeof(struct iphdr),
243 [ICMP_TIMESTAMP] = 20,
244 [ICMP_TIMESTAMPREPLY] = 20,
245 [ICMP_ADDRESS] = 12,
246 [ICMP_ADDRESSREPLY] = 12 };
247
248 /* Max length: 11 "PROTO=ICMP " */
249 sb_add(m, "PROTO=ICMP ");
250
251 if (ntohs(ih->frag_off) & IP_OFFSET)
252 break;
253
254 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
255 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
256 sizeof(_icmph), &_icmph);
257 if (ich == NULL) {
258 sb_add(m, "INCOMPLETE [%u bytes] ",
259 skb->len - iphoff - ih->ihl*4);
260 break;
261 }
262
263 /* Max length: 18 "TYPE=255 CODE=255 " */
264 sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
265
266 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
267 if (ich->type <= NR_ICMP_TYPES &&
268 required_len[ich->type] &&
269 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
270 sb_add(m, "INCOMPLETE [%u bytes] ",
271 skb->len - iphoff - ih->ihl*4);
272 break;
273 }
274
275 switch (ich->type) {
276 case ICMP_ECHOREPLY:
277 case ICMP_ECHO:
278 /* Max length: 19 "ID=65535 SEQ=65535 " */
279 sb_add(m, "ID=%u SEQ=%u ",
280 ntohs(ich->un.echo.id),
281 ntohs(ich->un.echo.sequence));
282 break;
283
284 case ICMP_PARAMETERPROB:
285 /* Max length: 14 "PARAMETER=255 " */
286 sb_add(m, "PARAMETER=%u ",
287 ntohl(ich->un.gateway) >> 24);
288 break;
289 case ICMP_REDIRECT:
290 /* Max length: 24 "GATEWAY=255.255.255.255 " */
291 sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
292 /* Fall through */
293 case ICMP_DEST_UNREACH:
294 case ICMP_SOURCE_QUENCH:
295 case ICMP_TIME_EXCEEDED:
296 /* Max length: 3+maxlen */
297 if (!iphoff) { /* Only recurse once. */
298 sb_add(m, "[");
299 dump_ipv4_packet(m, info, skb,
300 iphoff + ih->ihl*4+sizeof(_icmph));
301 sb_add(m, "] ");
302 }
303
304 /* Max length: 10 "MTU=65535 " */
305 if (ich->type == ICMP_DEST_UNREACH &&
306 ich->code == ICMP_FRAG_NEEDED)
307 sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu));
308 }
309 break;
310 }
311 /* Max Length */
312 case IPPROTO_AH: {
313 struct ip_auth_hdr _ahdr;
314 const struct ip_auth_hdr *ah;
315
316 if (ntohs(ih->frag_off) & IP_OFFSET)
317 break;
318
319 /* Max length: 9 "PROTO=AH " */
320 sb_add(m, "PROTO=AH ");
321
322 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
323 ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
324 sizeof(_ahdr), &_ahdr);
325 if (ah == NULL) {
326 sb_add(m, "INCOMPLETE [%u bytes] ",
327 skb->len - iphoff - ih->ihl*4);
328 break;
329 }
330
331 /* Length: 15 "SPI=0xF1234567 " */
332 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
333 break;
334 }
335 case IPPROTO_ESP: {
336 struct ip_esp_hdr _esph;
337 const struct ip_esp_hdr *eh;
338
339 /* Max length: 10 "PROTO=ESP " */
340 sb_add(m, "PROTO=ESP ");
341
342 if (ntohs(ih->frag_off) & IP_OFFSET)
343 break;
344
345 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
346 eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
347 sizeof(_esph), &_esph);
348 if (eh == NULL) {
349 sb_add(m, "INCOMPLETE [%u bytes] ",
350 skb->len - iphoff - ih->ihl*4);
351 break;
352 }
353
354 /* Length: 15 "SPI=0xF1234567 " */
355 sb_add(m, "SPI=0x%x ", ntohl(eh->spi));
356 break;
357 }
358 /* Max length: 10 "PROTO 255 " */
359 default:
360 sb_add(m, "PROTO=%u ", ih->protocol);
361 }
362
363 /* Max length: 15 "UID=4294967295 " */
364 if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
365 read_lock_bh(&skb->sk->sk_callback_lock);
366 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
367 sb_add(m, "UID=%u GID=%u ",
368 skb->sk->sk_socket->file->f_cred->fsuid,
369 skb->sk->sk_socket->file->f_cred->fsgid);
370 read_unlock_bh(&skb->sk->sk_callback_lock);
371 }
372
373 /* Max length: 16 "MARK=0xFFFFFFFF " */
374 if (!iphoff && skb->mark)
375 sb_add(m, "MARK=0x%x ", skb->mark);
376
377 /* Proto Max log string length */
378 /* IP: 40+46+6+11+127 = 230 */
379 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
380 /* UDP: 10+max(25,20) = 35 */
381 /* UDPLITE: 14+max(25,20) = 39 */
382 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
383 /* ESP: 10+max(25)+15 = 50 */
384 /* AH: 9+max(25)+15 = 49 */
385 /* unknown: 10 */
386
387 /* (ICMP allows recursion one level deep) */
388 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */
389 /* maxlen = 230+ 91 + 230 + 252 = 803 */
390}
391
392static void dump_ipv4_mac_header(struct sbuff *m,
393 const struct nf_loginfo *info,
394 const struct sk_buff *skb)
395{
396 struct net_device *dev = skb->dev;
397 unsigned int logflags = 0;
398
399 if (info->type == NF_LOG_TYPE_LOG)
400 logflags = info->u.log.logflags;
401
402 if (!(logflags & XT_LOG_MACDECODE))
403 goto fallback;
404
405 switch (dev->type) {
406 case ARPHRD_ETHER:
407 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
408 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
409 ntohs(eth_hdr(skb)->h_proto));
410 return;
411 default:
412 break;
413 }
414
415fallback:
416 sb_add(m, "MAC=");
417 if (dev->hard_header_len &&
418 skb->mac_header != skb->network_header) {
419 const unsigned char *p = skb_mac_header(skb);
420 unsigned int i;
421
422 sb_add(m, "%02x", *p++);
423 for (i = 1; i < dev->hard_header_len; i++, p++)
424 sb_add(m, ":%02x", *p);
425 }
426 sb_add(m, " ");
427}
428
429static void
430log_packet_common(struct sbuff *m,
431 u_int8_t pf,
432 unsigned int hooknum,
433 const struct sk_buff *skb,
434 const struct net_device *in,
435 const struct net_device *out,
436 const struct nf_loginfo *loginfo,
437 const char *prefix)
438{
439 sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
440 prefix,
441 in ? in->name : "",
442 out ? out->name : "");
443#ifdef CONFIG_BRIDGE_NETFILTER
444 if (skb->nf_bridge) {
445 const struct net_device *physindev;
446 const struct net_device *physoutdev;
447
448 physindev = skb->nf_bridge->physindev;
449 if (physindev && in != physindev)
450 sb_add(m, "PHYSIN=%s ", physindev->name);
451 physoutdev = skb->nf_bridge->physoutdev;
452 if (physoutdev && out != physoutdev)
453 sb_add(m, "PHYSOUT=%s ", physoutdev->name);
454 }
455#endif
456}
457
458
459static void
460ipt_log_packet(u_int8_t pf,
461 unsigned int hooknum,
462 const struct sk_buff *skb,
463 const struct net_device *in,
464 const struct net_device *out,
465 const struct nf_loginfo *loginfo,
466 const char *prefix)
467{
468 struct sbuff *m = sb_open();
469
470 if (!loginfo)
471 loginfo = &default_loginfo;
472
473 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
474
475 if (in != NULL)
476 dump_ipv4_mac_header(m, loginfo, skb);
477
478 dump_ipv4_packet(m, loginfo, skb, 0);
479
480 sb_close(m);
481}
482
483#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
484/* One level of recursion won't kill us */
485static void dump_ipv6_packet(struct sbuff *m,
486 const struct nf_loginfo *info,
487 const struct sk_buff *skb, unsigned int ip6hoff,
488 int recurse)
489{
490 u_int8_t currenthdr;
491 int fragment;
492 struct ipv6hdr _ip6h;
493 const struct ipv6hdr *ih;
494 unsigned int ptr;
495 unsigned int hdrlen = 0;
496 unsigned int logflags;
497
498 if (info->type == NF_LOG_TYPE_LOG)
499 logflags = info->u.log.logflags;
500 else
501 logflags = NF_LOG_MASK;
502
503 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
504 if (ih == NULL) {
505 sb_add(m, "TRUNCATED");
506 return;
507 }
508
509 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
510 sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
511
512 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
513 sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
514 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
515 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
516 ih->hop_limit,
517 (ntohl(*(__be32 *)ih) & 0x000fffff));
518
519 fragment = 0;
520 ptr = ip6hoff + sizeof(struct ipv6hdr);
521 currenthdr = ih->nexthdr;
522 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
523 struct ipv6_opt_hdr _hdr;
524 const struct ipv6_opt_hdr *hp;
525
526 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
527 if (hp == NULL) {
528 sb_add(m, "TRUNCATED");
529 return;
530 }
531
532 /* Max length: 48 "OPT (...) " */
533 if (logflags & XT_LOG_IPOPT)
534 sb_add(m, "OPT ( ");
535
536 switch (currenthdr) {
537 case IPPROTO_FRAGMENT: {
538 struct frag_hdr _fhdr;
539 const struct frag_hdr *fh;
540
541 sb_add(m, "FRAG:");
542 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
543 &_fhdr);
544 if (fh == NULL) {
545 sb_add(m, "TRUNCATED ");
546 return;
547 }
548
549 /* Max length: 6 "65535 " */
550 sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
551
552 /* Max length: 11 "INCOMPLETE " */
553 if (fh->frag_off & htons(0x0001))
554 sb_add(m, "INCOMPLETE ");
555
556 sb_add(m, "ID:%08x ", ntohl(fh->identification));
557
558 if (ntohs(fh->frag_off) & 0xFFF8)
559 fragment = 1;
560
561 hdrlen = 8;
562
563 break;
564 }
565 case IPPROTO_DSTOPTS:
566 case IPPROTO_ROUTING:
567 case IPPROTO_HOPOPTS:
568 if (fragment) {
569 if (logflags & XT_LOG_IPOPT)
570 sb_add(m, ")");
571 return;
572 }
573 hdrlen = ipv6_optlen(hp);
574 break;
575 /* Max Length */
576 case IPPROTO_AH:
577 if (logflags & XT_LOG_IPOPT) {
578 struct ip_auth_hdr _ahdr;
579 const struct ip_auth_hdr *ah;
580
581 /* Max length: 3 "AH " */
582 sb_add(m, "AH ");
583
584 if (fragment) {
585 sb_add(m, ")");
586 return;
587 }
588
589 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
590 &_ahdr);
591 if (ah == NULL) {
592 /*
593 * Max length: 26 "INCOMPLETE [65535
594 * bytes] )"
595 */
596 sb_add(m, "INCOMPLETE [%u bytes] )",
597 skb->len - ptr);
598 return;
599 }
600
601 /* Length: 15 "SPI=0xF1234567 */
602 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
603
604 }
605
606 hdrlen = (hp->hdrlen+2)<<2;
607 break;
608 case IPPROTO_ESP:
609 if (logflags & XT_LOG_IPOPT) {
610 struct ip_esp_hdr _esph;
611 const struct ip_esp_hdr *eh;
612
613 /* Max length: 4 "ESP " */
614 sb_add(m, "ESP ");
615
616 if (fragment) {
617 sb_add(m, ")");
618 return;
619 }
620
621 /*
622 * Max length: 26 "INCOMPLETE [65535 bytes] )"
623 */
624 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
625 &_esph);
626 if (eh == NULL) {
627 sb_add(m, "INCOMPLETE [%u bytes] )",
628 skb->len - ptr);
629 return;
630 }
631
632 /* Length: 16 "SPI=0xF1234567 )" */
633 sb_add(m, "SPI=0x%x )", ntohl(eh->spi));
634
635 }
636 return;
637 default:
638 /* Max length: 20 "Unknown Ext Hdr 255" */
639 sb_add(m, "Unknown Ext Hdr %u", currenthdr);
640 return;
641 }
642 if (logflags & XT_LOG_IPOPT)
643 sb_add(m, ") ");
644
645 currenthdr = hp->nexthdr;
646 ptr += hdrlen;
647 }
648
649 switch (currenthdr) {
650 case IPPROTO_TCP:
651 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr,
652 logflags))
653 return;
654 break;
655 case IPPROTO_UDP:
656 case IPPROTO_UDPLITE:
657 if (dump_udp_header(m, skb, currenthdr, fragment, ptr))
658 return;
659 break;
660 case IPPROTO_ICMPV6: {
661 struct icmp6hdr _icmp6h;
662 const struct icmp6hdr *ic;
663
664 /* Max length: 13 "PROTO=ICMPv6 " */
665 sb_add(m, "PROTO=ICMPv6 ");
666
667 if (fragment)
668 break;
669
670 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
671 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
672 if (ic == NULL) {
673 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
674 return;
675 }
676
677 /* Max length: 18 "TYPE=255 CODE=255 " */
678 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code);
679
680 switch (ic->icmp6_type) {
681 case ICMPV6_ECHO_REQUEST:
682 case ICMPV6_ECHO_REPLY:
683 /* Max length: 19 "ID=65535 SEQ=65535 " */
684 sb_add(m, "ID=%u SEQ=%u ",
685 ntohs(ic->icmp6_identifier),
686 ntohs(ic->icmp6_sequence));
687 break;
688 case ICMPV6_MGM_QUERY:
689 case ICMPV6_MGM_REPORT:
690 case ICMPV6_MGM_REDUCTION:
691 break;
692
693 case ICMPV6_PARAMPROB:
694 /* Max length: 17 "POINTER=ffffffff " */
695 sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer));
696 /* Fall through */
697 case ICMPV6_DEST_UNREACH:
698 case ICMPV6_PKT_TOOBIG:
699 case ICMPV6_TIME_EXCEED:
700 /* Max length: 3+maxlen */
701 if (recurse) {
702 sb_add(m, "[");
703 dump_ipv6_packet(m, info, skb,
704 ptr + sizeof(_icmp6h), 0);
705 sb_add(m, "] ");
706 }
707
708 /* Max length: 10 "MTU=65535 " */
709 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
710 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu));
711 }
712 break;
713 }
714 /* Max length: 10 "PROTO=255 " */
715 default:
716 sb_add(m, "PROTO=%u ", currenthdr);
717 }
718
719 /* Max length: 15 "UID=4294967295 " */
720 if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
721 read_lock_bh(&skb->sk->sk_callback_lock);
722 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
723 sb_add(m, "UID=%u GID=%u ",
724 skb->sk->sk_socket->file->f_cred->fsuid,
725 skb->sk->sk_socket->file->f_cred->fsgid);
726 read_unlock_bh(&skb->sk->sk_callback_lock);
727 }
728
729 /* Max length: 16 "MARK=0xFFFFFFFF " */
730 if (!recurse && skb->mark)
731 sb_add(m, "MARK=0x%x ", skb->mark);
732}
733
734static void dump_ipv6_mac_header(struct sbuff *m,
735 const struct nf_loginfo *info,
736 const struct sk_buff *skb)
737{
738 struct net_device *dev = skb->dev;
739 unsigned int logflags = 0;
740
741 if (info->type == NF_LOG_TYPE_LOG)
742 logflags = info->u.log.logflags;
743
744 if (!(logflags & XT_LOG_MACDECODE))
745 goto fallback;
746
747 switch (dev->type) {
748 case ARPHRD_ETHER:
749 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
750 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
751 ntohs(eth_hdr(skb)->h_proto));
752 return;
753 default:
754 break;
755 }
756
757fallback:
758 sb_add(m, "MAC=");
759 if (dev->hard_header_len &&
760 skb->mac_header != skb->network_header) {
761 const unsigned char *p = skb_mac_header(skb);
762 unsigned int len = dev->hard_header_len;
763 unsigned int i;
764
765 if (dev->type == ARPHRD_SIT) {
766 p -= ETH_HLEN;
767
768 if (p < skb->head)
769 p = NULL;
770 }
771
772 if (p != NULL) {
773 sb_add(m, "%02x", *p++);
774 for (i = 1; i < len; i++)
775 sb_add(m, ":%02x", *p++);
776 }
777 sb_add(m, " ");
778
779 if (dev->type == ARPHRD_SIT) {
780 const struct iphdr *iph =
781 (struct iphdr *)skb_mac_header(skb);
782 sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr,
783 &iph->daddr);
784 }
785 } else
786 sb_add(m, " ");
787}
788
789static void
790ip6t_log_packet(u_int8_t pf,
791 unsigned int hooknum,
792 const struct sk_buff *skb,
793 const struct net_device *in,
794 const struct net_device *out,
795 const struct nf_loginfo *loginfo,
796 const char *prefix)
797{
798 struct sbuff *m = sb_open();
799
800 if (!loginfo)
801 loginfo = &default_loginfo;
802
803 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
804
805 if (in != NULL)
806 dump_ipv6_mac_header(m, loginfo, skb);
807
808 dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
809
810 sb_close(m);
811}
812#endif
813
814static unsigned int
815log_tg(struct sk_buff *skb, const struct xt_action_param *par)
816{
817 const struct xt_log_info *loginfo = par->targinfo;
818 struct nf_loginfo li;
819
820 li.type = NF_LOG_TYPE_LOG;
821 li.u.log.level = loginfo->level;
822 li.u.log.logflags = loginfo->logflags;
823
824 if (par->family == NFPROTO_IPV4)
825 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
826 par->out, &li, loginfo->prefix);
827#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
828 else if (par->family == NFPROTO_IPV6)
829 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
830 par->out, &li, loginfo->prefix);
831#endif
832 else
833 WARN_ON_ONCE(1);
834
835 return XT_CONTINUE;
836}
837
838static int log_tg_check(const struct xt_tgchk_param *par)
839{
840 const struct xt_log_info *loginfo = par->targinfo;
841
842 if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
843 return -EINVAL;
844
845 if (loginfo->level >= 8) {
846 pr_debug("level %u >= 8\n", loginfo->level);
847 return -EINVAL;
848 }
849
850 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
851 pr_debug("prefix is not null-terminated\n");
852 return -EINVAL;
853 }
854
855 return 0;
856}
857
858static struct xt_target log_tg_regs[] __read_mostly = {
859 {
860 .name = "LOG",
861 .family = NFPROTO_IPV4,
862 .target = log_tg,
863 .targetsize = sizeof(struct xt_log_info),
864 .checkentry = log_tg_check,
865 .me = THIS_MODULE,
866 },
867#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
868 {
869 .name = "LOG",
870 .family = NFPROTO_IPV6,
871 .target = log_tg,
872 .targetsize = sizeof(struct xt_log_info),
873 .checkentry = log_tg_check,
874 .me = THIS_MODULE,
875 },
876#endif
877};
878
879static struct nf_logger ipt_log_logger __read_mostly = {
880 .name = "ipt_LOG",
881 .logfn = &ipt_log_packet,
882 .me = THIS_MODULE,
883};
884
885#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
886static struct nf_logger ip6t_log_logger __read_mostly = {
887 .name = "ip6t_LOG",
888 .logfn = &ip6t_log_packet,
889 .me = THIS_MODULE,
890};
891#endif
892
893static int __init log_tg_init(void)
894{
895 int ret;
896
897 ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
898 if (ret < 0)
899 return ret;
900
901 nf_log_register(NFPROTO_IPV4, &ipt_log_logger);
902#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
903 nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
904#endif
905 return 0;
906}
907
908static void __exit log_tg_exit(void)
909{
910 nf_log_unregister(&ipt_log_logger);
911#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
912 nf_log_unregister(&ip6t_log_logger);
913#endif
914 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
915}
916
917module_init(log_tg_init);
918module_exit(log_tg_exit);
919
920MODULE_LICENSE("GPL");
921MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
922MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
923MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
924MODULE_ALIAS("ipt_LOG");
925MODULE_ALIAS("ip6t_LOG");