/net/netfilter/nfnetlink_log.c
C | 1004 lines | 784 code | 164 blank | 56 comment | 113 complexity | 673534f929bcbcb247bb5e0f69b8a47f MD5 | raw file
Possible License(s): CC-BY-SA-3.0, GPL-2.0, LGPL-2.0, AGPL-1.0
1/*
2 * This is a module which is used for logging packets to userspace via
3 * nfetlink.
4 *
5 * (C) 2005 by Harald Welte <laforge@netfilter.org>
6 *
7 * Based on the old ipv4-only ipt_ULOG.c:
8 * (C) 2000-2004 by Harald Welte <laforge@netfilter.org>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
13 */
14#include <linux/module.h>
15#include <linux/skbuff.h>
16#include <linux/init.h>
17#include <linux/ip.h>
18#include <linux/ipv6.h>
19#include <linux/netdevice.h>
20#include <linux/netfilter.h>
21#include <linux/netlink.h>
22#include <linux/netfilter/nfnetlink.h>
23#include <linux/netfilter/nfnetlink_log.h>
24#include <linux/spinlock.h>
25#include <linux/sysctl.h>
26#include <linux/proc_fs.h>
27#include <linux/security.h>
28#include <linux/list.h>
29#include <linux/jhash.h>
30#include <linux/random.h>
31#include <linux/slab.h>
32#include <net/sock.h>
33#include <net/netfilter/nf_log.h>
34#include <net/netfilter/nfnetlink_log.h>
35
36#include <asm/atomic.h>
37
38#ifdef CONFIG_BRIDGE_NETFILTER
39#include "../bridge/br_private.h"
40#endif
41
42#define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
43#define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
44#define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
45#define NFULNL_COPY_RANGE_MAX 0xFFFF /* max packet size is limited by 16-bit struct nfattr nfa_len field */
46
47#define PRINTR(x, args...) do { if (net_ratelimit()) \
48 printk(x, ## args); } while (0);
49
50struct nfulnl_instance {
51 struct hlist_node hlist; /* global list of instances */
52 spinlock_t lock;
53 atomic_t use; /* use count */
54
55 unsigned int qlen; /* number of nlmsgs in skb */
56 struct sk_buff *skb; /* pre-allocatd skb */
57 struct timer_list timer;
58 int peer_pid; /* PID of the peer process */
59
60 /* configurable parameters */
61 unsigned int flushtimeout; /* timeout until queue flush */
62 unsigned int nlbufsiz; /* netlink buffer allocation size */
63 unsigned int qthreshold; /* threshold of the queue */
64 u_int32_t copy_range;
65 u_int32_t seq; /* instance-local sequential counter */
66 u_int16_t group_num; /* number of this queue */
67 u_int16_t flags;
68 u_int8_t copy_mode;
69};
70
71static DEFINE_RWLOCK(instances_lock);
72static atomic_t global_seq;
73
74#define INSTANCE_BUCKETS 16
75static struct hlist_head instance_table[INSTANCE_BUCKETS];
76static unsigned int hash_init;
77
78static inline u_int8_t instance_hashfn(u_int16_t group_num)
79{
80 return ((group_num & 0xff) % INSTANCE_BUCKETS);
81}
82
83static struct nfulnl_instance *
84__instance_lookup(u_int16_t group_num)
85{
86 struct hlist_head *head;
87 struct hlist_node *pos;
88 struct nfulnl_instance *inst;
89
90 head = &instance_table[instance_hashfn(group_num)];
91 hlist_for_each_entry(inst, pos, head, hlist) {
92 if (inst->group_num == group_num)
93 return inst;
94 }
95 return NULL;
96}
97
98static inline void
99instance_get(struct nfulnl_instance *inst)
100{
101 atomic_inc(&inst->use);
102}
103
104static struct nfulnl_instance *
105instance_lookup_get(u_int16_t group_num)
106{
107 struct nfulnl_instance *inst;
108
109 read_lock_bh(&instances_lock);
110 inst = __instance_lookup(group_num);
111 if (inst)
112 instance_get(inst);
113 read_unlock_bh(&instances_lock);
114
115 return inst;
116}
117
118static void
119instance_put(struct nfulnl_instance *inst)
120{
121 if (inst && atomic_dec_and_test(&inst->use)) {
122 kfree(inst);
123 module_put(THIS_MODULE);
124 }
125}
126
127static void nfulnl_timer(unsigned long data);
128
129static struct nfulnl_instance *
130instance_create(u_int16_t group_num, int pid)
131{
132 struct nfulnl_instance *inst;
133 int err;
134
135 write_lock_bh(&instances_lock);
136 if (__instance_lookup(group_num)) {
137 err = -EEXIST;
138 goto out_unlock;
139 }
140
141 inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
142 if (!inst) {
143 err = -ENOMEM;
144 goto out_unlock;
145 }
146
147 if (!try_module_get(THIS_MODULE)) {
148 kfree(inst);
149 err = -EAGAIN;
150 goto out_unlock;
151 }
152
153 INIT_HLIST_NODE(&inst->hlist);
154 spin_lock_init(&inst->lock);
155 /* needs to be two, since we _put() after creation */
156 atomic_set(&inst->use, 2);
157
158 setup_timer(&inst->timer, nfulnl_timer, (unsigned long)inst);
159
160 inst->peer_pid = pid;
161 inst->group_num = group_num;
162
163 inst->qthreshold = NFULNL_QTHRESH_DEFAULT;
164 inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT;
165 inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT;
166 inst->copy_mode = NFULNL_COPY_PACKET;
167 inst->copy_range = NFULNL_COPY_RANGE_MAX;
168
169 hlist_add_head(&inst->hlist,
170 &instance_table[instance_hashfn(group_num)]);
171
172 write_unlock_bh(&instances_lock);
173
174 return inst;
175
176out_unlock:
177 write_unlock_bh(&instances_lock);
178 return ERR_PTR(err);
179}
180
181static void __nfulnl_flush(struct nfulnl_instance *inst);
182
183static void
184__instance_destroy(struct nfulnl_instance *inst)
185{
186 /* first pull it out of the global list */
187 hlist_del(&inst->hlist);
188
189 /* then flush all pending packets from skb */
190
191 spin_lock_bh(&inst->lock);
192 if (inst->skb)
193 __nfulnl_flush(inst);
194 spin_unlock_bh(&inst->lock);
195
196 /* and finally put the refcount */
197 instance_put(inst);
198}
199
200static inline void
201instance_destroy(struct nfulnl_instance *inst)
202{
203 write_lock_bh(&instances_lock);
204 __instance_destroy(inst);
205 write_unlock_bh(&instances_lock);
206}
207
208static int
209nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
210 unsigned int range)
211{
212 int status = 0;
213
214 spin_lock_bh(&inst->lock);
215
216 switch (mode) {
217 case NFULNL_COPY_NONE:
218 case NFULNL_COPY_META:
219 inst->copy_mode = mode;
220 inst->copy_range = 0;
221 break;
222
223 case NFULNL_COPY_PACKET:
224 inst->copy_mode = mode;
225 inst->copy_range = min_t(unsigned int,
226 range, NFULNL_COPY_RANGE_MAX);
227 break;
228
229 default:
230 status = -EINVAL;
231 break;
232 }
233
234 spin_unlock_bh(&inst->lock);
235
236 return status;
237}
238
239static int
240nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz)
241{
242 int status;
243
244 spin_lock_bh(&inst->lock);
245 if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT)
246 status = -ERANGE;
247 else if (nlbufsiz > 131072)
248 status = -ERANGE;
249 else {
250 inst->nlbufsiz = nlbufsiz;
251 status = 0;
252 }
253 spin_unlock_bh(&inst->lock);
254
255 return status;
256}
257
258static int
259nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout)
260{
261 spin_lock_bh(&inst->lock);
262 inst->flushtimeout = timeout;
263 spin_unlock_bh(&inst->lock);
264
265 return 0;
266}
267
268static int
269nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh)
270{
271 spin_lock_bh(&inst->lock);
272 inst->qthreshold = qthresh;
273 spin_unlock_bh(&inst->lock);
274
275 return 0;
276}
277
278static int
279nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
280{
281 spin_lock_bh(&inst->lock);
282 inst->flags = flags;
283 spin_unlock_bh(&inst->lock);
284
285 return 0;
286}
287
288static struct sk_buff *
289nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
290{
291 struct sk_buff *skb;
292 unsigned int n;
293
294 /* alloc skb which should be big enough for a whole multipart
295 * message. WARNING: has to be <= 128k due to slab restrictions */
296
297 n = max(inst_size, pkt_size);
298 skb = alloc_skb(n, GFP_ATOMIC);
299 if (!skb) {
300 PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",
301 inst_size);
302
303 if (n > pkt_size) {
304 /* try to allocate only as much as we need for current
305 * packet */
306
307 skb = alloc_skb(pkt_size, GFP_ATOMIC);
308 if (!skb)
309 PRINTR("nfnetlink_log: can't even alloc %u "
310 "bytes\n", pkt_size);
311 }
312 }
313
314 return skb;
315}
316
317static int
318__nfulnl_send(struct nfulnl_instance *inst)
319{
320 int status = -1;
321
322 if (inst->qlen > 1)
323 NLMSG_PUT(inst->skb, 0, 0,
324 NLMSG_DONE,
325 sizeof(struct nfgenmsg));
326
327 status = nfnetlink_unicast(inst->skb, &init_net, inst->peer_pid,
328 MSG_DONTWAIT);
329
330 inst->qlen = 0;
331 inst->skb = NULL;
332
333nlmsg_failure:
334 return status;
335}
336
337static void
338__nfulnl_flush(struct nfulnl_instance *inst)
339{
340 /* timer holds a reference */
341 if (del_timer(&inst->timer))
342 instance_put(inst);
343 if (inst->skb)
344 __nfulnl_send(inst);
345}
346
347static void
348nfulnl_timer(unsigned long data)
349{
350 struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
351
352 spin_lock_bh(&inst->lock);
353 if (inst->skb)
354 __nfulnl_send(inst);
355 spin_unlock_bh(&inst->lock);
356 instance_put(inst);
357}
358
359/* This is an inline function, we don't really care about a long
360 * list of arguments */
361static inline int
362__build_packet_message(struct nfulnl_instance *inst,
363 const struct sk_buff *skb,
364 unsigned int data_len,
365 u_int8_t pf,
366 unsigned int hooknum,
367 const struct net_device *indev,
368 const struct net_device *outdev,
369 const struct nf_loginfo *li,
370 const char *prefix, unsigned int plen)
371{
372 struct nfulnl_msg_packet_hdr pmsg;
373 struct nlmsghdr *nlh;
374 struct nfgenmsg *nfmsg;
375 __be32 tmp_uint;
376 sk_buff_data_t old_tail = inst->skb->tail;
377
378 nlh = NLMSG_PUT(inst->skb, 0, 0,
379 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
380 sizeof(struct nfgenmsg));
381 nfmsg = NLMSG_DATA(nlh);
382 nfmsg->nfgen_family = pf;
383 nfmsg->version = NFNETLINK_V0;
384 nfmsg->res_id = htons(inst->group_num);
385
386 pmsg.hw_protocol = skb->protocol;
387 pmsg.hook = hooknum;
388
389 NLA_PUT(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg);
390
391 if (prefix)
392 NLA_PUT(inst->skb, NFULA_PREFIX, plen, prefix);
393
394 if (indev) {
395#ifndef CONFIG_BRIDGE_NETFILTER
396 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
397 htonl(indev->ifindex));
398#else
399 if (pf == PF_BRIDGE) {
400 /* Case 1: outdev is physical input device, we need to
401 * look for bridge group (when called from
402 * netfilter_bridge) */
403 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
404 htonl(indev->ifindex));
405 /* this is the bridge group "brX" */
406 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
407 htonl(indev->br_port->br->dev->ifindex));
408 } else {
409 /* Case 2: indev is bridge group, we need to look for
410 * physical device (when called from ipv4) */
411 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_INDEV,
412 htonl(indev->ifindex));
413 if (skb->nf_bridge && skb->nf_bridge->physindev)
414 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
415 htonl(skb->nf_bridge->physindev->ifindex));
416 }
417#endif
418 }
419
420 if (outdev) {
421 tmp_uint = htonl(outdev->ifindex);
422#ifndef CONFIG_BRIDGE_NETFILTER
423 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
424 htonl(outdev->ifindex));
425#else
426 if (pf == PF_BRIDGE) {
427 /* Case 1: outdev is physical output device, we need to
428 * look for bridge group (when called from
429 * netfilter_bridge) */
430 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
431 htonl(outdev->ifindex));
432 /* this is the bridge group "brX" */
433 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
434 htonl(outdev->br_port->br->dev->ifindex));
435 } else {
436 /* Case 2: indev is a bridge group, we need to look
437 * for physical device (when called from ipv4) */
438 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
439 htonl(outdev->ifindex));
440 if (skb->nf_bridge && skb->nf_bridge->physoutdev)
441 NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
442 htonl(skb->nf_bridge->physoutdev->ifindex));
443 }
444#endif
445 }
446
447 if (skb->mark)
448 NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark));
449
450 if (indev && skb->dev) {
451 struct nfulnl_msg_packet_hw phw;
452 int len = dev_parse_header(skb, phw.hw_addr);
453 if (len > 0) {
454 phw.hw_addrlen = htons(len);
455 NLA_PUT(inst->skb, NFULA_HWADDR, sizeof(phw), &phw);
456 }
457 }
458
459 if (indev && skb_mac_header_was_set(skb)) {
460 NLA_PUT_BE16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type));
461 NLA_PUT_BE16(inst->skb, NFULA_HWLEN,
462 htons(skb->dev->hard_header_len));
463 NLA_PUT(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
464 skb_mac_header(skb));
465 }
466
467 if (skb->tstamp.tv64) {
468 struct nfulnl_msg_packet_timestamp ts;
469 struct timeval tv = ktime_to_timeval(skb->tstamp);
470 ts.sec = cpu_to_be64(tv.tv_sec);
471 ts.usec = cpu_to_be64(tv.tv_usec);
472
473 NLA_PUT(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts);
474 }
475
476 /* UID */
477 if (skb->sk) {
478 read_lock_bh(&skb->sk->sk_callback_lock);
479 if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
480 struct file *file = skb->sk->sk_socket->file;
481 __be32 uid = htonl(file->f_cred->fsuid);
482 __be32 gid = htonl(file->f_cred->fsgid);
483 /* need to unlock here since NLA_PUT may goto */
484 read_unlock_bh(&skb->sk->sk_callback_lock);
485 NLA_PUT_BE32(inst->skb, NFULA_UID, uid);
486 NLA_PUT_BE32(inst->skb, NFULA_GID, gid);
487 } else
488 read_unlock_bh(&skb->sk->sk_callback_lock);
489 }
490
491 /* local sequence number */
492 if (inst->flags & NFULNL_CFG_F_SEQ)
493 NLA_PUT_BE32(inst->skb, NFULA_SEQ, htonl(inst->seq++));
494
495 /* global sequence number */
496 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
497 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
498 htonl(atomic_inc_return(&global_seq)));
499
500 if (data_len) {
501 struct nlattr *nla;
502 int size = nla_attr_size(data_len);
503
504 if (skb_tailroom(inst->skb) < nla_total_size(data_len)) {
505 printk(KERN_WARNING "nfnetlink_log: no tailroom!\n");
506 goto nlmsg_failure;
507 }
508
509 nla = (struct nlattr *)skb_put(inst->skb, nla_total_size(data_len));
510 nla->nla_type = NFULA_PAYLOAD;
511 nla->nla_len = size;
512
513 if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
514 BUG();
515 }
516
517 nlh->nlmsg_len = inst->skb->tail - old_tail;
518 return 0;
519
520nlmsg_failure:
521nla_put_failure:
522 PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n");
523 return -1;
524}
525
526#define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
527
528static struct nf_loginfo default_loginfo = {
529 .type = NF_LOG_TYPE_ULOG,
530 .u = {
531 .ulog = {
532 .copy_len = 0xffff,
533 .group = 0,
534 .qthreshold = 1,
535 },
536 },
537};
538
539/* log handler for internal netfilter logging api */
540void
541nfulnl_log_packet(u_int8_t pf,
542 unsigned int hooknum,
543 const struct sk_buff *skb,
544 const struct net_device *in,
545 const struct net_device *out,
546 const struct nf_loginfo *li_user,
547 const char *prefix)
548{
549 unsigned int size, data_len;
550 struct nfulnl_instance *inst;
551 const struct nf_loginfo *li;
552 unsigned int qthreshold;
553 unsigned int plen;
554
555 if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
556 li = li_user;
557 else
558 li = &default_loginfo;
559
560 inst = instance_lookup_get(li->u.ulog.group);
561 if (!inst)
562 return;
563
564 plen = 0;
565 if (prefix)
566 plen = strlen(prefix) + 1;
567
568 /* FIXME: do we want to make the size calculation conditional based on
569 * what is actually present? way more branches and checks, but more
570 * memory efficient... */
571 size = NLMSG_SPACE(sizeof(struct nfgenmsg))
572 + nla_total_size(sizeof(struct nfulnl_msg_packet_hdr))
573 + nla_total_size(sizeof(u_int32_t)) /* ifindex */
574 + nla_total_size(sizeof(u_int32_t)) /* ifindex */
575#ifdef CONFIG_BRIDGE_NETFILTER
576 + nla_total_size(sizeof(u_int32_t)) /* ifindex */
577 + nla_total_size(sizeof(u_int32_t)) /* ifindex */
578#endif
579 + nla_total_size(sizeof(u_int32_t)) /* mark */
580 + nla_total_size(sizeof(u_int32_t)) /* uid */
581 + nla_total_size(sizeof(u_int32_t)) /* gid */
582 + nla_total_size(plen) /* prefix */
583 + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
584 + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
585
586 if (in && skb_mac_header_was_set(skb)) {
587 size += nla_total_size(skb->dev->hard_header_len)
588 + nla_total_size(sizeof(u_int16_t)) /* hwtype */
589 + nla_total_size(sizeof(u_int16_t)); /* hwlen */
590 }
591
592 spin_lock_bh(&inst->lock);
593
594 if (inst->flags & NFULNL_CFG_F_SEQ)
595 size += nla_total_size(sizeof(u_int32_t));
596 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
597 size += nla_total_size(sizeof(u_int32_t));
598
599 qthreshold = inst->qthreshold;
600 /* per-rule qthreshold overrides per-instance */
601 if (li->u.ulog.qthreshold)
602 if (qthreshold > li->u.ulog.qthreshold)
603 qthreshold = li->u.ulog.qthreshold;
604
605
606 switch (inst->copy_mode) {
607 case NFULNL_COPY_META:
608 case NFULNL_COPY_NONE:
609 data_len = 0;
610 break;
611
612 case NFULNL_COPY_PACKET:
613 if (inst->copy_range == 0
614 || inst->copy_range > skb->len)
615 data_len = skb->len;
616 else
617 data_len = inst->copy_range;
618
619 size += nla_total_size(data_len);
620 break;
621
622 default:
623 goto unlock_and_release;
624 }
625
626 if (inst->skb &&
627 size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
628 /* either the queue len is too high or we don't have
629 * enough room in the skb left. flush to userspace. */
630 __nfulnl_flush(inst);
631 }
632
633 if (!inst->skb) {
634 inst->skb = nfulnl_alloc_skb(inst->nlbufsiz, size);
635 if (!inst->skb)
636 goto alloc_failure;
637 }
638
639 inst->qlen++;
640
641 __build_packet_message(inst, skb, data_len, pf,
642 hooknum, in, out, li, prefix, plen);
643
644 if (inst->qlen >= qthreshold)
645 __nfulnl_flush(inst);
646 /* timer_pending always called within inst->lock, so there
647 * is no chance of a race here */
648 else if (!timer_pending(&inst->timer)) {
649 instance_get(inst);
650 inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100);
651 add_timer(&inst->timer);
652 }
653
654unlock_and_release:
655 spin_unlock_bh(&inst->lock);
656 instance_put(inst);
657 return;
658
659alloc_failure:
660 /* FIXME: statistics */
661 goto unlock_and_release;
662}
663EXPORT_SYMBOL_GPL(nfulnl_log_packet);
664
665static int
666nfulnl_rcv_nl_event(struct notifier_block *this,
667 unsigned long event, void *ptr)
668{
669 struct netlink_notify *n = ptr;
670
671 if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
672 int i;
673
674 /* destroy all instances for this pid */
675 write_lock_bh(&instances_lock);
676 for (i = 0; i < INSTANCE_BUCKETS; i++) {
677 struct hlist_node *tmp, *t2;
678 struct nfulnl_instance *inst;
679 struct hlist_head *head = &instance_table[i];
680
681 hlist_for_each_entry_safe(inst, tmp, t2, head, hlist) {
682 if ((net_eq(n->net, &init_net)) &&
683 (n->pid == inst->peer_pid))
684 __instance_destroy(inst);
685 }
686 }
687 write_unlock_bh(&instances_lock);
688 }
689 return NOTIFY_DONE;
690}
691
692static struct notifier_block nfulnl_rtnl_notifier = {
693 .notifier_call = nfulnl_rcv_nl_event,
694};
695
696static int
697nfulnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
698 const struct nlmsghdr *nlh,
699 const struct nlattr * const nfqa[])
700{
701 return -ENOTSUPP;
702}
703
704static struct nf_logger nfulnl_logger __read_mostly = {
705 .name = "nfnetlink_log",
706 .logfn = &nfulnl_log_packet,
707 .me = THIS_MODULE,
708};
709
710static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
711 [NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) },
712 [NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) },
713 [NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
714 [NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
715 [NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
716 [NFULA_CFG_FLAGS] = { .type = NLA_U16 },
717};
718
719static int
720nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
721 const struct nlmsghdr *nlh,
722 const struct nlattr * const nfula[])
723{
724 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
725 u_int16_t group_num = ntohs(nfmsg->res_id);
726 struct nfulnl_instance *inst;
727 struct nfulnl_msg_config_cmd *cmd = NULL;
728 int ret = 0;
729
730 if (nfula[NFULA_CFG_CMD]) {
731 u_int8_t pf = nfmsg->nfgen_family;
732 cmd = nla_data(nfula[NFULA_CFG_CMD]);
733
734 /* Commands without queue context */
735 switch (cmd->command) {
736 case NFULNL_CFG_CMD_PF_BIND:
737 return nf_log_bind_pf(pf, &nfulnl_logger);
738 case NFULNL_CFG_CMD_PF_UNBIND:
739 nf_log_unbind_pf(pf);
740 return 0;
741 }
742 }
743
744 inst = instance_lookup_get(group_num);
745 if (inst && inst->peer_pid != NETLINK_CB(skb).pid) {
746 ret = -EPERM;
747 goto out_put;
748 }
749
750 if (cmd != NULL) {
751 switch (cmd->command) {
752 case NFULNL_CFG_CMD_BIND:
753 if (inst) {
754 ret = -EBUSY;
755 goto out_put;
756 }
757
758 inst = instance_create(group_num,
759 NETLINK_CB(skb).pid);
760 if (IS_ERR(inst)) {
761 ret = PTR_ERR(inst);
762 goto out;
763 }
764 break;
765 case NFULNL_CFG_CMD_UNBIND:
766 if (!inst) {
767 ret = -ENODEV;
768 goto out;
769 }
770
771 instance_destroy(inst);
772 goto out_put;
773 default:
774 ret = -ENOTSUPP;
775 break;
776 }
777 }
778
779 if (nfula[NFULA_CFG_MODE]) {
780 struct nfulnl_msg_config_mode *params;
781 params = nla_data(nfula[NFULA_CFG_MODE]);
782
783 if (!inst) {
784 ret = -ENODEV;
785 goto out;
786 }
787 nfulnl_set_mode(inst, params->copy_mode,
788 ntohl(params->copy_range));
789 }
790
791 if (nfula[NFULA_CFG_TIMEOUT]) {
792 __be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]);
793
794 if (!inst) {
795 ret = -ENODEV;
796 goto out;
797 }
798 nfulnl_set_timeout(inst, ntohl(timeout));
799 }
800
801 if (nfula[NFULA_CFG_NLBUFSIZ]) {
802 __be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]);
803
804 if (!inst) {
805 ret = -ENODEV;
806 goto out;
807 }
808 nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
809 }
810
811 if (nfula[NFULA_CFG_QTHRESH]) {
812 __be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]);
813
814 if (!inst) {
815 ret = -ENODEV;
816 goto out;
817 }
818 nfulnl_set_qthresh(inst, ntohl(qthresh));
819 }
820
821 if (nfula[NFULA_CFG_FLAGS]) {
822 __be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
823
824 if (!inst) {
825 ret = -ENODEV;
826 goto out;
827 }
828 nfulnl_set_flags(inst, ntohs(flags));
829 }
830
831out_put:
832 instance_put(inst);
833out:
834 return ret;
835}
836
837static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
838 [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp,
839 .attr_count = NFULA_MAX, },
840 [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config,
841 .attr_count = NFULA_CFG_MAX,
842 .policy = nfula_cfg_policy },
843};
844
845static const struct nfnetlink_subsystem nfulnl_subsys = {
846 .name = "log",
847 .subsys_id = NFNL_SUBSYS_ULOG,
848 .cb_count = NFULNL_MSG_MAX,
849 .cb = nfulnl_cb,
850};
851
852#ifdef CONFIG_PROC_FS
853struct iter_state {
854 unsigned int bucket;
855};
856
857static struct hlist_node *get_first(struct iter_state *st)
858{
859 if (!st)
860 return NULL;
861
862 for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
863 if (!hlist_empty(&instance_table[st->bucket]))
864 return instance_table[st->bucket].first;
865 }
866 return NULL;
867}
868
869static struct hlist_node *get_next(struct iter_state *st, struct hlist_node *h)
870{
871 h = h->next;
872 while (!h) {
873 if (++st->bucket >= INSTANCE_BUCKETS)
874 return NULL;
875
876 h = instance_table[st->bucket].first;
877 }
878 return h;
879}
880
881static struct hlist_node *get_idx(struct iter_state *st, loff_t pos)
882{
883 struct hlist_node *head;
884 head = get_first(st);
885
886 if (head)
887 while (pos && (head = get_next(st, head)))
888 pos--;
889 return pos ? NULL : head;
890}
891
892static void *seq_start(struct seq_file *seq, loff_t *pos)
893 __acquires(instances_lock)
894{
895 read_lock_bh(&instances_lock);
896 return get_idx(seq->private, *pos);
897}
898
899static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
900{
901 (*pos)++;
902 return get_next(s->private, v);
903}
904
905static void seq_stop(struct seq_file *s, void *v)
906 __releases(instances_lock)
907{
908 read_unlock_bh(&instances_lock);
909}
910
911static int seq_show(struct seq_file *s, void *v)
912{
913 const struct nfulnl_instance *inst = v;
914
915 return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
916 inst->group_num,
917 inst->peer_pid, inst->qlen,
918 inst->copy_mode, inst->copy_range,
919 inst->flushtimeout, atomic_read(&inst->use));
920}
921
922static const struct seq_operations nful_seq_ops = {
923 .start = seq_start,
924 .next = seq_next,
925 .stop = seq_stop,
926 .show = seq_show,
927};
928
929static int nful_open(struct inode *inode, struct file *file)
930{
931 return seq_open_private(file, &nful_seq_ops,
932 sizeof(struct iter_state));
933}
934
935static const struct file_operations nful_file_ops = {
936 .owner = THIS_MODULE,
937 .open = nful_open,
938 .read = seq_read,
939 .llseek = seq_lseek,
940 .release = seq_release_private,
941};
942
943#endif /* PROC_FS */
944
945static int __init nfnetlink_log_init(void)
946{
947 int i, status = -ENOMEM;
948
949 for (i = 0; i < INSTANCE_BUCKETS; i++)
950 INIT_HLIST_HEAD(&instance_table[i]);
951
952 /* it's not really all that important to have a random value, so
953 * we can do this from the init function, even if there hasn't
954 * been that much entropy yet */
955 get_random_bytes(&hash_init, sizeof(hash_init));
956
957 netlink_register_notifier(&nfulnl_rtnl_notifier);
958 status = nfnetlink_subsys_register(&nfulnl_subsys);
959 if (status < 0) {
960 printk(KERN_ERR "log: failed to create netlink socket\n");
961 goto cleanup_netlink_notifier;
962 }
963
964 status = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger);
965 if (status < 0) {
966 printk(KERN_ERR "log: failed to register logger\n");
967 goto cleanup_subsys;
968 }
969
970#ifdef CONFIG_PROC_FS
971 if (!proc_create("nfnetlink_log", 0440,
972 proc_net_netfilter, &nful_file_ops))
973 goto cleanup_logger;
974#endif
975 return status;
976
977#ifdef CONFIG_PROC_FS
978cleanup_logger:
979 nf_log_unregister(&nfulnl_logger);
980#endif
981cleanup_subsys:
982 nfnetlink_subsys_unregister(&nfulnl_subsys);
983cleanup_netlink_notifier:
984 netlink_unregister_notifier(&nfulnl_rtnl_notifier);
985 return status;
986}
987
988static void __exit nfnetlink_log_fini(void)
989{
990 nf_log_unregister(&nfulnl_logger);
991#ifdef CONFIG_PROC_FS
992 remove_proc_entry("nfnetlink_log", proc_net_netfilter);
993#endif
994 nfnetlink_subsys_unregister(&nfulnl_subsys);
995 netlink_unregister_notifier(&nfulnl_rtnl_notifier);
996}
997
998MODULE_DESCRIPTION("netfilter userspace logging");
999MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
1000MODULE_LICENSE("GPL");
1001MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG);
1002
1003module_init(nfnetlink_log_init);
1004module_exit(nfnetlink_log_fini);