/net/netfilter/nfnetlink_log.c

https://bitbucket.org/abioy/linux · C · 1004 lines · 784 code · 164 blank · 56 comment · 113 complexity · 673534f929bcbcb247bb5e0f69b8a47f MD5 · raw file

  1. /*
  2. * This is a module which is used for logging packets to userspace via
  3. * nfetlink.
  4. *
  5. * (C) 2005 by Harald Welte <laforge@netfilter.org>
  6. *
  7. * Based on the old ipv4-only ipt_ULOG.c:
  8. * (C) 2000-2004 by Harald Welte <laforge@netfilter.org>
  9. *
  10. * This program is free software; you can redistribute it and/or modify
  11. * it under the terms of the GNU General Public License version 2 as
  12. * published by the Free Software Foundation.
  13. */
  14. #include <linux/module.h>
  15. #include <linux/skbuff.h>
  16. #include <linux/init.h>
  17. #include <linux/ip.h>
  18. #include <linux/ipv6.h>
  19. #include <linux/netdevice.h>
  20. #include <linux/netfilter.h>
  21. #include <linux/netlink.h>
  22. #include <linux/netfilter/nfnetlink.h>
  23. #include <linux/netfilter/nfnetlink_log.h>
  24. #include <linux/spinlock.h>
  25. #include <linux/sysctl.h>
  26. #include <linux/proc_fs.h>
  27. #include <linux/security.h>
  28. #include <linux/list.h>
  29. #include <linux/jhash.h>
  30. #include <linux/random.h>
  31. #include <linux/slab.h>
  32. #include <net/sock.h>
  33. #include <net/netfilter/nf_log.h>
  34. #include <net/netfilter/nfnetlink_log.h>
  35. #include <asm/atomic.h>
  36. #ifdef CONFIG_BRIDGE_NETFILTER
  37. #include "../bridge/br_private.h"
  38. #endif
  39. #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
  40. #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
  41. #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
  42. #define NFULNL_COPY_RANGE_MAX 0xFFFF /* max packet size is limited by 16-bit struct nfattr nfa_len field */
  43. #define PRINTR(x, args...) do { if (net_ratelimit()) \
  44. printk(x, ## args); } while (0);
  45. struct nfulnl_instance {
  46. struct hlist_node hlist; /* global list of instances */
  47. spinlock_t lock;
  48. atomic_t use; /* use count */
  49. unsigned int qlen; /* number of nlmsgs in skb */
  50. struct sk_buff *skb; /* pre-allocatd skb */
  51. struct timer_list timer;
  52. int peer_pid; /* PID of the peer process */
  53. /* configurable parameters */
  54. unsigned int flushtimeout; /* timeout until queue flush */
  55. unsigned int nlbufsiz; /* netlink buffer allocation size */
  56. unsigned int qthreshold; /* threshold of the queue */
  57. u_int32_t copy_range;
  58. u_int32_t seq; /* instance-local sequential counter */
  59. u_int16_t group_num; /* number of this queue */
  60. u_int16_t flags;
  61. u_int8_t copy_mode;
  62. };
  63. static DEFINE_RWLOCK(instances_lock);
  64. static atomic_t global_seq;
  65. #define INSTANCE_BUCKETS 16
  66. static struct hlist_head instance_table[INSTANCE_BUCKETS];
  67. static unsigned int hash_init;
  68. static inline u_int8_t instance_hashfn(u_int16_t group_num)
  69. {
  70. return ((group_num & 0xff) % INSTANCE_BUCKETS);
  71. }
  72. static struct nfulnl_instance *
  73. __instance_lookup(u_int16_t group_num)
  74. {
  75. struct hlist_head *head;
  76. struct hlist_node *pos;
  77. struct nfulnl_instance *inst;
  78. head = &instance_table[instance_hashfn(group_num)];
  79. hlist_for_each_entry(inst, pos, head, hlist) {
  80. if (inst->group_num == group_num)
  81. return inst;
  82. }
  83. return NULL;
  84. }
  85. static inline void
  86. instance_get(struct nfulnl_instance *inst)
  87. {
  88. atomic_inc(&inst->use);
  89. }
  90. static struct nfulnl_instance *
  91. instance_lookup_get(u_int16_t group_num)
  92. {
  93. struct nfulnl_instance *inst;
  94. read_lock_bh(&instances_lock);
  95. inst = __instance_lookup(group_num);
  96. if (inst)
  97. instance_get(inst);
  98. read_unlock_bh(&instances_lock);
  99. return inst;
  100. }
  101. static void
  102. instance_put(struct nfulnl_instance *inst)
  103. {
  104. if (inst && atomic_dec_and_test(&inst->use)) {
  105. kfree(inst);
  106. module_put(THIS_MODULE);
  107. }
  108. }
  109. static void nfulnl_timer(unsigned long data);
  110. static struct nfulnl_instance *
  111. instance_create(u_int16_t group_num, int pid)
  112. {
  113. struct nfulnl_instance *inst;
  114. int err;
  115. write_lock_bh(&instances_lock);
  116. if (__instance_lookup(group_num)) {
  117. err = -EEXIST;
  118. goto out_unlock;
  119. }
  120. inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
  121. if (!inst) {
  122. err = -ENOMEM;
  123. goto out_unlock;
  124. }
  125. if (!try_module_get(THIS_MODULE)) {
  126. kfree(inst);
  127. err = -EAGAIN;
  128. goto out_unlock;
  129. }
  130. INIT_HLIST_NODE(&inst->hlist);
  131. spin_lock_init(&inst->lock);
  132. /* needs to be two, since we _put() after creation */
  133. atomic_set(&inst->use, 2);
  134. setup_timer(&inst->timer, nfulnl_timer, (unsigned long)inst);
  135. inst->peer_pid = pid;
  136. inst->group_num = group_num;
  137. inst->qthreshold = NFULNL_QTHRESH_DEFAULT;
  138. inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT;
  139. inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT;
  140. inst->copy_mode = NFULNL_COPY_PACKET;
  141. inst->copy_range = NFULNL_COPY_RANGE_MAX;
  142. hlist_add_head(&inst->hlist,
  143. &instance_table[instance_hashfn(group_num)]);
  144. write_unlock_bh(&instances_lock);
  145. return inst;
  146. out_unlock:
  147. write_unlock_bh(&instances_lock);
  148. return ERR_PTR(err);
  149. }
  150. static void __nfulnl_flush(struct nfulnl_instance *inst);
  151. static void
  152. __instance_destroy(struct nfulnl_instance *inst)
  153. {
  154. /* first pull it out of the global list */
  155. hlist_del(&inst->hlist);
  156. /* then flush all pending packets from skb */
  157. spin_lock_bh(&inst->lock);
  158. if (inst->skb)
  159. __nfulnl_flush(inst);
  160. spin_unlock_bh(&inst->lock);
  161. /* and finally put the refcount */
  162. instance_put(inst);
  163. }
  164. static inline void
  165. instance_destroy(struct nfulnl_instance *inst)
  166. {
  167. write_lock_bh(&instances_lock);
  168. __instance_destroy(inst);
  169. write_unlock_bh(&instances_lock);
  170. }
  171. static int
  172. nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
  173. unsigned int range)
  174. {
  175. int status = 0;
  176. spin_lock_bh(&inst->lock);
  177. switch (mode) {
  178. case NFULNL_COPY_NONE:
  179. case NFULNL_COPY_META:
  180. inst->copy_mode = mode;
  181. inst->copy_range = 0;
  182. break;
  183. case NFULNL_COPY_PACKET:
  184. inst->copy_mode = mode;
  185. inst->copy_range = min_t(unsigned int,
  186. range, NFULNL_COPY_RANGE_MAX);
  187. break;
  188. default:
  189. status = -EINVAL;
  190. break;
  191. }
  192. spin_unlock_bh(&inst->lock);
  193. return status;
  194. }
  195. static int
  196. nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz)
  197. {
  198. int status;
  199. spin_lock_bh(&inst->lock);
  200. if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT)
  201. status = -ERANGE;
  202. else if (nlbufsiz > 131072)
  203. status = -ERANGE;
  204. else {
  205. inst->nlbufsiz = nlbufsiz;
  206. status = 0;
  207. }
  208. spin_unlock_bh(&inst->lock);
  209. return status;
  210. }
  211. static int
  212. nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout)
  213. {
  214. spin_lock_bh(&inst->lock);
  215. inst->flushtimeout = timeout;
  216. spin_unlock_bh(&inst->lock);
  217. return 0;
  218. }
  219. static int
  220. nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh)
  221. {
  222. spin_lock_bh(&inst->lock);
  223. inst->qthreshold = qthresh;
  224. spin_unlock_bh(&inst->lock);
  225. return 0;
  226. }
  227. static int
  228. nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
  229. {
  230. spin_lock_bh(&inst->lock);
  231. inst->flags = flags;
  232. spin_unlock_bh(&inst->lock);
  233. return 0;
  234. }
  235. static struct sk_buff *
  236. nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
  237. {
  238. struct sk_buff *skb;
  239. unsigned int n;
  240. /* alloc skb which should be big enough for a whole multipart
  241. * message. WARNING: has to be <= 128k due to slab restrictions */
  242. n = max(inst_size, pkt_size);
  243. skb = alloc_skb(n, GFP_ATOMIC);
  244. if (!skb) {
  245. PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",
  246. inst_size);
  247. if (n > pkt_size) {
  248. /* try to allocate only as much as we need for current
  249. * packet */
  250. skb = alloc_skb(pkt_size, GFP_ATOMIC);
  251. if (!skb)
  252. PRINTR("nfnetlink_log: can't even alloc %u "
  253. "bytes\n", pkt_size);
  254. }
  255. }
  256. return skb;
  257. }
  258. static int
  259. __nfulnl_send(struct nfulnl_instance *inst)
  260. {
  261. int status = -1;
  262. if (inst->qlen > 1)
  263. NLMSG_PUT(inst->skb, 0, 0,
  264. NLMSG_DONE,
  265. sizeof(struct nfgenmsg));
  266. status = nfnetlink_unicast(inst->skb, &init_net, inst->peer_pid,
  267. MSG_DONTWAIT);
  268. inst->qlen = 0;
  269. inst->skb = NULL;
  270. nlmsg_failure:
  271. return status;
  272. }
  273. static void
  274. __nfulnl_flush(struct nfulnl_instance *inst)
  275. {
  276. /* timer holds a reference */
  277. if (del_timer(&inst->timer))
  278. instance_put(inst);
  279. if (inst->skb)
  280. __nfulnl_send(inst);
  281. }
  282. static void
  283. nfulnl_timer(unsigned long data)
  284. {
  285. struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
  286. spin_lock_bh(&inst->lock);
  287. if (inst->skb)
  288. __nfulnl_send(inst);
  289. spin_unlock_bh(&inst->lock);
  290. instance_put(inst);
  291. }
  292. /* This is an inline function, we don't really care about a long
  293. * list of arguments */
  294. static inline int
  295. __build_packet_message(struct nfulnl_instance *inst,
  296. const struct sk_buff *skb,
  297. unsigned int data_len,
  298. u_int8_t pf,
  299. unsigned int hooknum,
  300. const struct net_device *indev,
  301. const struct net_device *outdev,
  302. const struct nf_loginfo *li,
  303. const char *prefix, unsigned int plen)
  304. {
  305. struct nfulnl_msg_packet_hdr pmsg;
  306. struct nlmsghdr *nlh;
  307. struct nfgenmsg *nfmsg;
  308. __be32 tmp_uint;
  309. sk_buff_data_t old_tail = inst->skb->tail;
  310. nlh = NLMSG_PUT(inst->skb, 0, 0,
  311. NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
  312. sizeof(struct nfgenmsg));
  313. nfmsg = NLMSG_DATA(nlh);
  314. nfmsg->nfgen_family = pf;
  315. nfmsg->version = NFNETLINK_V0;
  316. nfmsg->res_id = htons(inst->group_num);
  317. pmsg.hw_protocol = skb->protocol;
  318. pmsg.hook = hooknum;
  319. NLA_PUT(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg);
  320. if (prefix)
  321. NLA_PUT(inst->skb, NFULA_PREFIX, plen, prefix);
  322. if (indev) {
  323. #ifndef CONFIG_BRIDGE_NETFILTER
  324. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
  325. htonl(indev->ifindex));
  326. #else
  327. if (pf == PF_BRIDGE) {
  328. /* Case 1: outdev is physical input device, we need to
  329. * look for bridge group (when called from
  330. * netfilter_bridge) */
  331. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
  332. htonl(indev->ifindex));
  333. /* this is the bridge group "brX" */
  334. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
  335. htonl(indev->br_port->br->dev->ifindex));
  336. } else {
  337. /* Case 2: indev is bridge group, we need to look for
  338. * physical device (when called from ipv4) */
  339. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
  340. htonl(indev->ifindex));
  341. if (skb->nf_bridge && skb->nf_bridge->physindev)
  342. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
  343. htonl(skb->nf_bridge->physindev->ifindex));
  344. }
  345. #endif
  346. }
  347. if (outdev) {
  348. tmp_uint = htonl(outdev->ifindex);
  349. #ifndef CONFIG_BRIDGE_NETFILTER
  350. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
  351. htonl(outdev->ifindex));
  352. #else
  353. if (pf == PF_BRIDGE) {
  354. /* Case 1: outdev is physical output device, we need to
  355. * look for bridge group (when called from
  356. * netfilter_bridge) */
  357. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
  358. htonl(outdev->ifindex));
  359. /* this is the bridge group "brX" */
  360. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
  361. htonl(outdev->br_port->br->dev->ifindex));
  362. } else {
  363. /* Case 2: indev is a bridge group, we need to look
  364. * for physical device (when called from ipv4) */
  365. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
  366. htonl(outdev->ifindex));
  367. if (skb->nf_bridge && skb->nf_bridge->physoutdev)
  368. NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
  369. htonl(skb->nf_bridge->physoutdev->ifindex));
  370. }
  371. #endif
  372. }
  373. if (skb->mark)
  374. NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark));
  375. if (indev && skb->dev) {
  376. struct nfulnl_msg_packet_hw phw;
  377. int len = dev_parse_header(skb, phw.hw_addr);
  378. if (len > 0) {
  379. phw.hw_addrlen = htons(len);
  380. NLA_PUT(inst->skb, NFULA_HWADDR, sizeof(phw), &phw);
  381. }
  382. }
  383. if (indev && skb_mac_header_was_set(skb)) {
  384. NLA_PUT_BE16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type));
  385. NLA_PUT_BE16(inst->skb, NFULA_HWLEN,
  386. htons(skb->dev->hard_header_len));
  387. NLA_PUT(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
  388. skb_mac_header(skb));
  389. }
  390. if (skb->tstamp.tv64) {
  391. struct nfulnl_msg_packet_timestamp ts;
  392. struct timeval tv = ktime_to_timeval(skb->tstamp);
  393. ts.sec = cpu_to_be64(tv.tv_sec);
  394. ts.usec = cpu_to_be64(tv.tv_usec);
  395. NLA_PUT(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts);
  396. }
  397. /* UID */
  398. if (skb->sk) {
  399. read_lock_bh(&skb->sk->sk_callback_lock);
  400. if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
  401. struct file *file = skb->sk->sk_socket->file;
  402. __be32 uid = htonl(file->f_cred->fsuid);
  403. __be32 gid = htonl(file->f_cred->fsgid);
  404. /* need to unlock here since NLA_PUT may goto */
  405. read_unlock_bh(&skb->sk->sk_callback_lock);
  406. NLA_PUT_BE32(inst->skb, NFULA_UID, uid);
  407. NLA_PUT_BE32(inst->skb, NFULA_GID, gid);
  408. } else
  409. read_unlock_bh(&skb->sk->sk_callback_lock);
  410. }
  411. /* local sequence number */
  412. if (inst->flags & NFULNL_CFG_F_SEQ)
  413. NLA_PUT_BE32(inst->skb, NFULA_SEQ, htonl(inst->seq++));
  414. /* global sequence number */
  415. if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
  416. NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
  417. htonl(atomic_inc_return(&global_seq)));
  418. if (data_len) {
  419. struct nlattr *nla;
  420. int size = nla_attr_size(data_len);
  421. if (skb_tailroom(inst->skb) < nla_total_size(data_len)) {
  422. printk(KERN_WARNING "nfnetlink_log: no tailroom!\n");
  423. goto nlmsg_failure;
  424. }
  425. nla = (struct nlattr *)skb_put(inst->skb, nla_total_size(data_len));
  426. nla->nla_type = NFULA_PAYLOAD;
  427. nla->nla_len = size;
  428. if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
  429. BUG();
  430. }
  431. nlh->nlmsg_len = inst->skb->tail - old_tail;
  432. return 0;
  433. nlmsg_failure:
  434. nla_put_failure:
  435. PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n");
  436. return -1;
  437. }
  438. #define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
  439. static struct nf_loginfo default_loginfo = {
  440. .type = NF_LOG_TYPE_ULOG,
  441. .u = {
  442. .ulog = {
  443. .copy_len = 0xffff,
  444. .group = 0,
  445. .qthreshold = 1,
  446. },
  447. },
  448. };
  449. /* log handler for internal netfilter logging api */
  450. void
  451. nfulnl_log_packet(u_int8_t pf,
  452. unsigned int hooknum,
  453. const struct sk_buff *skb,
  454. const struct net_device *in,
  455. const struct net_device *out,
  456. const struct nf_loginfo *li_user,
  457. const char *prefix)
  458. {
  459. unsigned int size, data_len;
  460. struct nfulnl_instance *inst;
  461. const struct nf_loginfo *li;
  462. unsigned int qthreshold;
  463. unsigned int plen;
  464. if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
  465. li = li_user;
  466. else
  467. li = &default_loginfo;
  468. inst = instance_lookup_get(li->u.ulog.group);
  469. if (!inst)
  470. return;
  471. plen = 0;
  472. if (prefix)
  473. plen = strlen(prefix) + 1;
  474. /* FIXME: do we want to make the size calculation conditional based on
  475. * what is actually present? way more branches and checks, but more
  476. * memory efficient... */
  477. size = NLMSG_SPACE(sizeof(struct nfgenmsg))
  478. + nla_total_size(sizeof(struct nfulnl_msg_packet_hdr))
  479. + nla_total_size(sizeof(u_int32_t)) /* ifindex */
  480. + nla_total_size(sizeof(u_int32_t)) /* ifindex */
  481. #ifdef CONFIG_BRIDGE_NETFILTER
  482. + nla_total_size(sizeof(u_int32_t)) /* ifindex */
  483. + nla_total_size(sizeof(u_int32_t)) /* ifindex */
  484. #endif
  485. + nla_total_size(sizeof(u_int32_t)) /* mark */
  486. + nla_total_size(sizeof(u_int32_t)) /* uid */
  487. + nla_total_size(sizeof(u_int32_t)) /* gid */
  488. + nla_total_size(plen) /* prefix */
  489. + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
  490. + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
  491. if (in && skb_mac_header_was_set(skb)) {
  492. size += nla_total_size(skb->dev->hard_header_len)
  493. + nla_total_size(sizeof(u_int16_t)) /* hwtype */
  494. + nla_total_size(sizeof(u_int16_t)); /* hwlen */
  495. }
  496. spin_lock_bh(&inst->lock);
  497. if (inst->flags & NFULNL_CFG_F_SEQ)
  498. size += nla_total_size(sizeof(u_int32_t));
  499. if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
  500. size += nla_total_size(sizeof(u_int32_t));
  501. qthreshold = inst->qthreshold;
  502. /* per-rule qthreshold overrides per-instance */
  503. if (li->u.ulog.qthreshold)
  504. if (qthreshold > li->u.ulog.qthreshold)
  505. qthreshold = li->u.ulog.qthreshold;
  506. switch (inst->copy_mode) {
  507. case NFULNL_COPY_META:
  508. case NFULNL_COPY_NONE:
  509. data_len = 0;
  510. break;
  511. case NFULNL_COPY_PACKET:
  512. if (inst->copy_range == 0
  513. || inst->copy_range > skb->len)
  514. data_len = skb->len;
  515. else
  516. data_len = inst->copy_range;
  517. size += nla_total_size(data_len);
  518. break;
  519. default:
  520. goto unlock_and_release;
  521. }
  522. if (inst->skb &&
  523. size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
  524. /* either the queue len is too high or we don't have
  525. * enough room in the skb left. flush to userspace. */
  526. __nfulnl_flush(inst);
  527. }
  528. if (!inst->skb) {
  529. inst->skb = nfulnl_alloc_skb(inst->nlbufsiz, size);
  530. if (!inst->skb)
  531. goto alloc_failure;
  532. }
  533. inst->qlen++;
  534. __build_packet_message(inst, skb, data_len, pf,
  535. hooknum, in, out, li, prefix, plen);
  536. if (inst->qlen >= qthreshold)
  537. __nfulnl_flush(inst);
  538. /* timer_pending always called within inst->lock, so there
  539. * is no chance of a race here */
  540. else if (!timer_pending(&inst->timer)) {
  541. instance_get(inst);
  542. inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100);
  543. add_timer(&inst->timer);
  544. }
  545. unlock_and_release:
  546. spin_unlock_bh(&inst->lock);
  547. instance_put(inst);
  548. return;
  549. alloc_failure:
  550. /* FIXME: statistics */
  551. goto unlock_and_release;
  552. }
  553. EXPORT_SYMBOL_GPL(nfulnl_log_packet);
  554. static int
  555. nfulnl_rcv_nl_event(struct notifier_block *this,
  556. unsigned long event, void *ptr)
  557. {
  558. struct netlink_notify *n = ptr;
  559. if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
  560. int i;
  561. /* destroy all instances for this pid */
  562. write_lock_bh(&instances_lock);
  563. for (i = 0; i < INSTANCE_BUCKETS; i++) {
  564. struct hlist_node *tmp, *t2;
  565. struct nfulnl_instance *inst;
  566. struct hlist_head *head = &instance_table[i];
  567. hlist_for_each_entry_safe(inst, tmp, t2, head, hlist) {
  568. if ((net_eq(n->net, &init_net)) &&
  569. (n->pid == inst->peer_pid))
  570. __instance_destroy(inst);
  571. }
  572. }
  573. write_unlock_bh(&instances_lock);
  574. }
  575. return NOTIFY_DONE;
  576. }
  577. static struct notifier_block nfulnl_rtnl_notifier = {
  578. .notifier_call = nfulnl_rcv_nl_event,
  579. };
  580. static int
  581. nfulnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
  582. const struct nlmsghdr *nlh,
  583. const struct nlattr * const nfqa[])
  584. {
  585. return -ENOTSUPP;
  586. }
  587. static struct nf_logger nfulnl_logger __read_mostly = {
  588. .name = "nfnetlink_log",
  589. .logfn = &nfulnl_log_packet,
  590. .me = THIS_MODULE,
  591. };
  592. static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
  593. [NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) },
  594. [NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) },
  595. [NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
  596. [NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
  597. [NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
  598. [NFULA_CFG_FLAGS] = { .type = NLA_U16 },
  599. };
  600. static int
  601. nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
  602. const struct nlmsghdr *nlh,
  603. const struct nlattr * const nfula[])
  604. {
  605. struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
  606. u_int16_t group_num = ntohs(nfmsg->res_id);
  607. struct nfulnl_instance *inst;
  608. struct nfulnl_msg_config_cmd *cmd = NULL;
  609. int ret = 0;
  610. if (nfula[NFULA_CFG_CMD]) {
  611. u_int8_t pf = nfmsg->nfgen_family;
  612. cmd = nla_data(nfula[NFULA_CFG_CMD]);
  613. /* Commands without queue context */
  614. switch (cmd->command) {
  615. case NFULNL_CFG_CMD_PF_BIND:
  616. return nf_log_bind_pf(pf, &nfulnl_logger);
  617. case NFULNL_CFG_CMD_PF_UNBIND:
  618. nf_log_unbind_pf(pf);
  619. return 0;
  620. }
  621. }
  622. inst = instance_lookup_get(group_num);
  623. if (inst && inst->peer_pid != NETLINK_CB(skb).pid) {
  624. ret = -EPERM;
  625. goto out_put;
  626. }
  627. if (cmd != NULL) {
  628. switch (cmd->command) {
  629. case NFULNL_CFG_CMD_BIND:
  630. if (inst) {
  631. ret = -EBUSY;
  632. goto out_put;
  633. }
  634. inst = instance_create(group_num,
  635. NETLINK_CB(skb).pid);
  636. if (IS_ERR(inst)) {
  637. ret = PTR_ERR(inst);
  638. goto out;
  639. }
  640. break;
  641. case NFULNL_CFG_CMD_UNBIND:
  642. if (!inst) {
  643. ret = -ENODEV;
  644. goto out;
  645. }
  646. instance_destroy(inst);
  647. goto out_put;
  648. default:
  649. ret = -ENOTSUPP;
  650. break;
  651. }
  652. }
  653. if (nfula[NFULA_CFG_MODE]) {
  654. struct nfulnl_msg_config_mode *params;
  655. params = nla_data(nfula[NFULA_CFG_MODE]);
  656. if (!inst) {
  657. ret = -ENODEV;
  658. goto out;
  659. }
  660. nfulnl_set_mode(inst, params->copy_mode,
  661. ntohl(params->copy_range));
  662. }
  663. if (nfula[NFULA_CFG_TIMEOUT]) {
  664. __be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]);
  665. if (!inst) {
  666. ret = -ENODEV;
  667. goto out;
  668. }
  669. nfulnl_set_timeout(inst, ntohl(timeout));
  670. }
  671. if (nfula[NFULA_CFG_NLBUFSIZ]) {
  672. __be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]);
  673. if (!inst) {
  674. ret = -ENODEV;
  675. goto out;
  676. }
  677. nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
  678. }
  679. if (nfula[NFULA_CFG_QTHRESH]) {
  680. __be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]);
  681. if (!inst) {
  682. ret = -ENODEV;
  683. goto out;
  684. }
  685. nfulnl_set_qthresh(inst, ntohl(qthresh));
  686. }
  687. if (nfula[NFULA_CFG_FLAGS]) {
  688. __be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
  689. if (!inst) {
  690. ret = -ENODEV;
  691. goto out;
  692. }
  693. nfulnl_set_flags(inst, ntohs(flags));
  694. }
  695. out_put:
  696. instance_put(inst);
  697. out:
  698. return ret;
  699. }
  700. static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
  701. [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
  702. .attr_count = NFULA_MAX, },
  703. [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
  704. .attr_count = NFULA_CFG_MAX,
  705. .policy = nfula_cfg_policy },
  706. };
  707. static const struct nfnetlink_subsystem nfulnl_subsys = {
  708. .name = "log",
  709. .subsys_id = NFNL_SUBSYS_ULOG,
  710. .cb_count = NFULNL_MSG_MAX,
  711. .cb = nfulnl_cb,
  712. };
  713. #ifdef CONFIG_PROC_FS
  714. struct iter_state {
  715. unsigned int bucket;
  716. };
  717. static struct hlist_node *get_first(struct iter_state *st)
  718. {
  719. if (!st)
  720. return NULL;
  721. for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
  722. if (!hlist_empty(&instance_table[st->bucket]))
  723. return instance_table[st->bucket].first;
  724. }
  725. return NULL;
  726. }
  727. static struct hlist_node *get_next(struct iter_state *st, struct hlist_node *h)
  728. {
  729. h = h->next;
  730. while (!h) {
  731. if (++st->bucket >= INSTANCE_BUCKETS)
  732. return NULL;
  733. h = instance_table[st->bucket].first;
  734. }
  735. return h;
  736. }
  737. static struct hlist_node *get_idx(struct iter_state *st, loff_t pos)
  738. {
  739. struct hlist_node *head;
  740. head = get_first(st);
  741. if (head)
  742. while (pos && (head = get_next(st, head)))
  743. pos--;
  744. return pos ? NULL : head;
  745. }
  746. static void *seq_start(struct seq_file *seq, loff_t *pos)
  747. __acquires(instances_lock)
  748. {
  749. read_lock_bh(&instances_lock);
  750. return get_idx(seq->private, *pos);
  751. }
  752. static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
  753. {
  754. (*pos)++;
  755. return get_next(s->private, v);
  756. }
  757. static void seq_stop(struct seq_file *s, void *v)
  758. __releases(instances_lock)
  759. {
  760. read_unlock_bh(&instances_lock);
  761. }
  762. static int seq_show(struct seq_file *s, void *v)
  763. {
  764. const struct nfulnl_instance *inst = v;
  765. return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
  766. inst->group_num,
  767. inst->peer_pid, inst->qlen,
  768. inst->copy_mode, inst->copy_range,
  769. inst->flushtimeout, atomic_read(&inst->use));
  770. }
  771. static const struct seq_operations nful_seq_ops = {
  772. .start = seq_start,
  773. .next = seq_next,
  774. .stop = seq_stop,
  775. .show = seq_show,
  776. };
  777. static int nful_open(struct inode *inode, struct file *file)
  778. {
  779. return seq_open_private(file, &nful_seq_ops,
  780. sizeof(struct iter_state));
  781. }
  782. static const struct file_operations nful_file_ops = {
  783. .owner = THIS_MODULE,
  784. .open = nful_open,
  785. .read = seq_read,
  786. .llseek = seq_lseek,
  787. .release = seq_release_private,
  788. };
  789. #endif /* PROC_FS */
  790. static int __init nfnetlink_log_init(void)
  791. {
  792. int i, status = -ENOMEM;
  793. for (i = 0; i < INSTANCE_BUCKETS; i++)
  794. INIT_HLIST_HEAD(&instance_table[i]);
  795. /* it's not really all that important to have a random value, so
  796. * we can do this from the init function, even if there hasn't
  797. * been that much entropy yet */
  798. get_random_bytes(&hash_init, sizeof(hash_init));
  799. netlink_register_notifier(&nfulnl_rtnl_notifier);
  800. status = nfnetlink_subsys_register(&nfulnl_subsys);
  801. if (status < 0) {
  802. printk(KERN_ERR "log: failed to create netlink socket\n");
  803. goto cleanup_netlink_notifier;
  804. }
  805. status = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger);
  806. if (status < 0) {
  807. printk(KERN_ERR "log: failed to register logger\n");
  808. goto cleanup_subsys;
  809. }
  810. #ifdef CONFIG_PROC_FS
  811. if (!proc_create("nfnetlink_log", 0440,
  812. proc_net_netfilter, &nful_file_ops))
  813. goto cleanup_logger;
  814. #endif
  815. return status;
  816. #ifdef CONFIG_PROC_FS
  817. cleanup_logger:
  818. nf_log_unregister(&nfulnl_logger);
  819. #endif
  820. cleanup_subsys:
  821. nfnetlink_subsys_unregister(&nfulnl_subsys);
  822. cleanup_netlink_notifier:
  823. netlink_unregister_notifier(&nfulnl_rtnl_notifier);
  824. return status;
  825. }
  826. static void __exit nfnetlink_log_fini(void)
  827. {
  828. nf_log_unregister(&nfulnl_logger);
  829. #ifdef CONFIG_PROC_FS
  830. remove_proc_entry("nfnetlink_log", proc_net_netfilter);
  831. #endif
  832. nfnetlink_subsys_unregister(&nfulnl_subsys);
  833. netlink_unregister_notifier(&nfulnl_rtnl_notifier);
  834. }
  835. MODULE_DESCRIPTION("netfilter userspace logging");
  836. MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
  837. MODULE_LICENSE("GPL");
  838. MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG);
  839. module_init(nfnetlink_log_init);
  840. module_exit(nfnetlink_log_fini);