net/netfilter/xt_LOG.c

   1 /*
   2  * This is a module which is used for logging packets.
   3  */
   4
   5 /* (C) 1999-2001 Paul `Rusty' Russell
   6  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  14 #include <linux/module.h>
  15 #include <linux/spinlock.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/if_arp.h>
  18 #include <linux/ip.h>
  19 #include <net/ipv6.h>
  20 #include <net/icmp.h>
  21 #include <net/udp.h>
  22 #include <net/tcp.h>
  23 #include <net/route.h>
  24
  25 #include <linux/netfilter.h>
  26 #include <linux/netfilter/x_tables.h>
  27 #include <linux/netfilter/xt_LOG.h>
  28 #include <linux/netfilter_ipv6/ip6_tables.h>
  29 #include <net/netfilter/nf_log.h>
  30 #include <net/netfilter/xt_log.h>
  31
  32 static struct nf_loginfo default_loginfo = {
  33         .type   = NF_LOG_TYPE_LOG,
  34         .u = {
  35                 .log = {
  36                         .level    = 5,
  37                         .logflags = NF_LOG_MASK,
  38                 },
  39         },
  40 };
  41
  42 static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb,
  43                            u8 proto, int fragment, unsigned int offset)
  44 {
  45         struct udphdr _udph;
  46         const struct udphdr *uh;
  47
  48         if (proto == IPPROTO_UDP)
  49                 /* Max length: 10 "PROTO=UDP "     */
  50                 sb_add(m, "PROTO=UDP ");
  51         else    /* Max length: 14 "PROTO=UDPLITE " */
  52                 sb_add(m, "PROTO=UDPLITE ");
  53
  54         if (fragment)
  55                 goto out;
  56
  57         /* Max length: 25 "INCOMPLETE [65535 bytes] " */
  58         uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
  59         if (uh == NULL) {
  60                 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
  61
  62                 return 1;
  63         }
  64
  65         /* Max length: 20 "SPT=65535 DPT=65535 " */
  66         sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest),
  67                 ntohs(uh->len));
  68
  69 out:
  70         return 0;
  71 }
  72
  73 static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
  74                            u8 proto, int fragment, unsigned int offset,
  75                            unsigned int logflags)
  76 {
  77         struct tcphdr _tcph;
  78         const struct tcphdr *th;
  79
  80         /* Max length: 10 "PROTO=TCP " */
  81         sb_add(m, "PROTO=TCP ");
  82
  83         if (fragment)
  84                 return 0;
  85
  86         /* Max length: 25 "INCOMPLETE [65535 bytes] " */
  87         th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
  88         if (th == NULL) {
  89                 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
  90                 return 1;
  91         }
  92
  93         /* Max length: 20 "SPT=65535 DPT=65535 " */
  94         sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest));
  95         /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
  96         if (logflags & XT_LOG_TCPSEQ)
  97                 sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq));
  98
  99         /* Max length: 13 "WINDOW=65535 " */
 100         sb_add(m, "WINDOW=%u ", ntohs(th->window));
 101         /* Max length: 9 "RES=0x3C " */
 102         sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
 103                                             TCP_RESERVED_BITS) >> 22));
 104         /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
 105         if (th->cwr)
 106                 sb_add(m, "CWR ");
 107         if (th->ece)
 108                 sb_add(m, "ECE ");
 109         if (th->urg)
 110                 sb_add(m, "URG ");
 111         if (th->ack)
 112                 sb_add(m, "ACK ");
 113         if (th->psh)
 114                 sb_add(m, "PSH ");
 115         if (th->rst)
 116                 sb_add(m, "RST ");
 117         if (th->syn)
 118                 sb_add(m, "SYN ");
 119         if (th->fin)
 120                 sb_add(m, "FIN ");
 121         /* Max length: 11 "URGP=65535 " */
 122         sb_add(m, "URGP=%u ", ntohs(th->urg_ptr));
 123
 124         if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) {
 125                 u_int8_t _opt[60 - sizeof(struct tcphdr)];
 126                 const u_int8_t *op;
 127                 unsigned int i;
 128                 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr);
 129
 130                 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
 131                                         optsize, _opt);
 132                 if (op == NULL) {
 133                         sb_add(m, "OPT (TRUNCATED)");
 134                         return 1;
 135                 }
 136
 137                 /* Max length: 127 "OPT (" 15*4*2chars ") " */
 138                 sb_add(m, "OPT (");
 139                 for (i = 0; i < optsize; i++)
 140                         sb_add(m, "%02X", op[i]);
 141
 142                 sb_add(m, ") ");
 143         }
 144
 145         return 0;
 146 }
 147
 148 /* One level of recursion won't kill us */
 149 static void dump_ipv4_packet(struct sbuff *m,
 150                         const struct nf_loginfo *info,
 151                         const struct sk_buff *skb,
 152                         unsigned int iphoff)
 153 {
 154         struct iphdr _iph;
 155         const struct iphdr *ih;
 156         unsigned int logflags;
 157
 158         if (info->type == NF_LOG_TYPE_LOG)
 159                 logflags = info->u.log.logflags;
 160         else
 161                 logflags = NF_LOG_MASK;
 162
 163         ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
 164         if (ih == NULL) {
 165                 sb_add(m, "TRUNCATED");
 166                 return;
 167         }
 168
 169         /* Important fields:
 170          * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
 171         /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
 172         sb_add(m, "SRC=%pI4 DST=%pI4 ",
 173                &ih->saddr, &ih->daddr);
 174
 175         /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
 176         sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
 177                ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
 178                ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
 179
 180         /* Max length: 6 "CE DF MF " */
 181         if (ntohs(ih->frag_off) & IP_CE)
 182                 sb_add(m, "CE ");
 183         if (ntohs(ih->frag_off) & IP_DF)
 184                 sb_add(m, "DF ");
 185         if (ntohs(ih->frag_off) & IP_MF)
 186                 sb_add(m, "MF ");
 187
 188         /* Max length: 11 "FRAG:65535 " */
 189         if (ntohs(ih->frag_off) & IP_OFFSET)
 190                 sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
 191
 192         if ((logflags & XT_LOG_IPOPT) &&
 193             ih->ihl * 4 > sizeof(struct iphdr)) {
 194                 const unsigned char *op;
 195                 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
 196                 unsigned int i, optsize;
 197
 198                 optsize = ih->ihl * 4 - sizeof(struct iphdr);
 199                 op = skb_header_pointer(skb, iphoff+sizeof(_iph),
 200                                         optsize, _opt);
 201                 if (op == NULL) {
 202                         sb_add(m, "TRUNCATED");
 203                         return;
 204                 }
 205
 206                 /* Max length: 127 "OPT (" 15*4*2chars ") " */
 207                 sb_add(m, "OPT (");
 208                 for (i = 0; i < optsize; i++)
 209                         sb_add(m, "%02X", op[i]);
 210                 sb_add(m, ") ");
 211         }
 212
 213         switch (ih->protocol) {
 214         case IPPROTO_TCP:
 215                 if (dump_tcp_header(m, skb, ih->protocol,
 216                                     ntohs(ih->frag_off) & IP_OFFSET,
 217                                     iphoff+ih->ihl*4, logflags))
 218                         return;
 219         case IPPROTO_UDP:
 220         case IPPROTO_UDPLITE:
 221                 if (dump_udp_header(m, skb, ih->protocol,
 222                                     ntohs(ih->frag_off) & IP_OFFSET,
 223                                     iphoff+ih->ihl*4))
 224                         return;
 225         case IPPROTO_ICMP: {
 226                 struct icmphdr _icmph;
 227                 const struct icmphdr *ich;
 228                 static const size_t required_len[NR_ICMP_TYPES+1]
 229                         = { [ICMP_ECHOREPLY] = 4,
 230                             [ICMP_DEST_UNREACH]
 231                             = 8 + sizeof(struct iphdr),
 232                             [ICMP_SOURCE_QUENCH]
 233                             = 8 + sizeof(struct iphdr),
 234                             [ICMP_REDIRECT]
 235                             = 8 + sizeof(struct iphdr),
 236                             [ICMP_ECHO] = 4,
 237                             [ICMP_TIME_EXCEEDED]
 238                             = 8 + sizeof(struct iphdr),
 239                             [ICMP_PARAMETERPROB]
 240                             = 8 + sizeof(struct iphdr),
 241                             [ICMP_TIMESTAMP] = 20,
 242                             [ICMP_TIMESTAMPREPLY] = 20,
 243                             [ICMP_ADDRESS] = 12,
 244                             [ICMP_ADDRESSREPLY] = 12 };
 245
 246                 /* Max length: 11 "PROTO=ICMP " */
 247                 sb_add(m, "PROTO=ICMP ");
 248
 249                 if (ntohs(ih->frag_off) & IP_OFFSET)
 250                         break;
 251
 252                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 253                 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
 254                                          sizeof(_icmph), &_icmph);
 255                 if (ich == NULL) {
 256                         sb_add(m, "INCOMPLETE [%u bytes] ",
 257                                skb->len - iphoff - ih->ihl*4);
 258                         break;
 259                 }
 260
 261                 /* Max length: 18 "TYPE=255 CODE=255 " */
 262                 sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
 263
 264                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 265                 if (ich->type <= NR_ICMP_TYPES &&
 266                     required_len[ich->type] &&
 267                     skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
 268                         sb_add(m, "INCOMPLETE [%u bytes] ",
 269                                skb->len - iphoff - ih->ihl*4);
 270                         break;
 271                 }
 272
 273                 switch (ich->type) {
 274                 case ICMP_ECHOREPLY:
 275                 case ICMP_ECHO:
 276                         /* Max length: 19 "ID=65535 SEQ=65535 " */
 277                         sb_add(m, "ID=%u SEQ=%u ",
 278                                ntohs(ich->un.echo.id),
 279                                ntohs(ich->un.echo.sequence));
 280                         break;
 281
 282                 case ICMP_PARAMETERPROB:
 283                         /* Max length: 14 "PARAMETER=255 " */
 284                         sb_add(m, "PARAMETER=%u ",
 285                                ntohl(ich->un.gateway) >> 24);
 286                         break;
 287                 case ICMP_REDIRECT:
 288                         /* Max length: 24 "GATEWAY=255.255.255.255 " */
 289                         sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
 290                         /* Fall through */
 291                 case ICMP_DEST_UNREACH:
 292                 case ICMP_SOURCE_QUENCH:
 293                 case ICMP_TIME_EXCEEDED:
 294                         /* Max length: 3+maxlen */
 295                         if (!iphoff) { /* Only recurse once. */
 296                                 sb_add(m, "[");
 297                                 dump_ipv4_packet(m, info, skb,
 298                                             iphoff + ih->ihl*4+sizeof(_icmph));
 299                                 sb_add(m, "] ");
 300                         }
 301
 302                         /* Max length: 10 "MTU=65535 " */
 303                         if (ich->type == ICMP_DEST_UNREACH &&
 304                             ich->code == ICMP_FRAG_NEEDED)
 305                                 sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu));
 306                 }
 307                 break;
 308         }
 309         /* Max Length */
 310         case IPPROTO_AH: {
 311                 struct ip_auth_hdr _ahdr;
 312                 const struct ip_auth_hdr *ah;
 313
 314                 if (ntohs(ih->frag_off) & IP_OFFSET)
 315                         break;
 316
 317                 /* Max length: 9 "PROTO=AH " */
 318                 sb_add(m, "PROTO=AH ");
 319
 320                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 321                 ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
 322                                         sizeof(_ahdr), &_ahdr);
 323                 if (ah == NULL) {
 324                         sb_add(m, "INCOMPLETE [%u bytes] ",
 325                                skb->len - iphoff - ih->ihl*4);
 326                         break;
 327                 }
 328
 329                 /* Length: 15 "SPI=0xF1234567 " */
 330                 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
 331                 break;
 332         }
 333         case IPPROTO_ESP: {
 334                 struct ip_esp_hdr _esph;
 335                 const struct ip_esp_hdr *eh;
 336
 337                 /* Max length: 10 "PROTO=ESP " */
 338                 sb_add(m, "PROTO=ESP ");
 339
 340                 if (ntohs(ih->frag_off) & IP_OFFSET)
 341                         break;
 342
 343                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 344                 eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
 345                                         sizeof(_esph), &_esph);
 346                 if (eh == NULL) {
 347                         sb_add(m, "INCOMPLETE [%u bytes] ",
 348                                skb->len - iphoff - ih->ihl*4);
 349                         break;
 350                 }
 351
 352                 /* Length: 15 "SPI=0xF1234567 " */
 353                 sb_add(m, "SPI=0x%x ", ntohl(eh->spi));
 354                 break;
 355         }
 356         /* Max length: 10 "PROTO 255 " */
 357         default:
 358                 sb_add(m, "PROTO=%u ", ih->protocol);
 359         }
 360
 361         /* Max length: 15 "UID=4294967295 " */
 362         if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
 363                 read_lock_bh(&skb->sk->sk_callback_lock);
 364                 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
 365                         sb_add(m, "UID=%u GID=%u ",
 366                                 skb->sk->sk_socket->file->f_cred->fsuid,
 367                                 skb->sk->sk_socket->file->f_cred->fsgid);
 368                 read_unlock_bh(&skb->sk->sk_callback_lock);
 369         }
 370
 371         /* Max length: 16 "MARK=0xFFFFFFFF " */
 372         if (!iphoff && skb->mark)
 373                 sb_add(m, "MARK=0x%x ", skb->mark);
 374
 375         /* Proto    Max log string length */
 376         /* IP:      40+46+6+11+127 = 230 */
 377         /* TCP:     10+max(25,20+30+13+9+32+11+127) = 252 */
 378         /* UDP:     10+max(25,20) = 35 */
 379         /* UDPLITE: 14+max(25,20) = 39 */
 380         /* ICMP:    11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
 381         /* ESP:     10+max(25)+15 = 50 */
 382         /* AH:      9+max(25)+15 = 49 */
 383         /* unknown: 10 */
 384
 385         /* (ICMP allows recursion one level deep) */
 386         /* maxlen =  IP + ICMP +  IP + max(TCP,UDP,ICMP,unknown) */
 387         /* maxlen = 230+   91  + 230 + 252 = 803 */
 388 }
 389
 390 static void dump_ipv4_mac_header(struct sbuff *m,
 391                             const struct nf_loginfo *info,
 392                             const struct sk_buff *skb)
 393 {
 394         struct net_device *dev = skb->dev;
 395         unsigned int logflags = 0;
 396
 397         if (info->type == NF_LOG_TYPE_LOG)
 398                 logflags = info->u.log.logflags;
 399
 400         if (!(logflags & XT_LOG_MACDECODE))
 401                 goto fallback;
 402
 403         switch (dev->type) {
 404         case ARPHRD_ETHER:
 405                 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
 406                        eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
 407                        ntohs(eth_hdr(skb)->h_proto));
 408                 return;
 409         default:
 410                 break;
 411         }
 412
 413 fallback:
 414         sb_add(m, "MAC=");
 415         if (dev->hard_header_len &&
 416             skb->mac_header != skb->network_header) {
 417                 const unsigned char *p = skb_mac_header(skb);
 418                 unsigned int i;
 419
 420                 sb_add(m, "%02x", *p++);
 421                 for (i = 1; i < dev->hard_header_len; i++, p++)
 422                         sb_add(m, ":%02x", *p);
 423         }
 424         sb_add(m, " ");
 425 }
 426
 427 static void
 428 log_packet_common(struct sbuff *m,
 429                   u_int8_t pf,
 430                   unsigned int hooknum,
 431                   const struct sk_buff *skb,
 432                   const struct net_device *in,
 433                   const struct net_device *out,
 434                   const struct nf_loginfo *loginfo,
 435                   const char *prefix)
 436 {
 437         sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
 438                prefix,
 439                in ? in->name : "",
 440                out ? out->name : "");
 441 #ifdef CONFIG_BRIDGE_NETFILTER
 442         if (skb->nf_bridge) {
 443                 const struct net_device *physindev;
 444                 const struct net_device *physoutdev;
 445
 446                 physindev = skb->nf_bridge->physindev;
 447                 if (physindev && in != physindev)
 448                         sb_add(m, "PHYSIN=%s ", physindev->name);
 449                 physoutdev = skb->nf_bridge->physoutdev;
 450                 if (physoutdev && out != physoutdev)
 451                         sb_add(m, "PHYSOUT=%s ", physoutdev->name);
 452         }
 453 #endif
 454 }
 455
 456
 457 static void
 458 ipt_log_packet(u_int8_t pf,
 459                unsigned int hooknum,
 460                const struct sk_buff *skb,
 461                const struct net_device *in,
 462                const struct net_device *out,
 463                const struct nf_loginfo *loginfo,
 464                const char *prefix)
 465 {
 466         struct sbuff *m = sb_open();
 467
 468         if (!loginfo)
 469                 loginfo = &default_loginfo;
 470
 471         log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
 472
 473         if (in != NULL)
 474                 dump_ipv4_mac_header(m, loginfo, skb);
 475
 476         dump_ipv4_packet(m, loginfo, skb, 0);
 477
 478         sb_close(m);
 479 }
 480
 481 #if IS_ENABLED(CONFIG_IPV6)
 482 /* One level of recursion won't kill us */
 483 static void dump_ipv6_packet(struct sbuff *m,
 484                         const struct nf_loginfo *info,
 485                         const struct sk_buff *skb, unsigned int ip6hoff,
 486                         int recurse)
 487 {
 488         u_int8_t currenthdr;
 489         int fragment;
 490         struct ipv6hdr _ip6h;
 491         const struct ipv6hdr *ih;
 492         unsigned int ptr;
 493         unsigned int hdrlen = 0;
 494         unsigned int logflags;
 495
 496         if (info->type == NF_LOG_TYPE_LOG)
 497                 logflags = info->u.log.logflags;
 498         else
 499                 logflags = NF_LOG_MASK;
 500
 501         ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
 502         if (ih == NULL) {
 503                 sb_add(m, "TRUNCATED");
 504                 return;
 505         }
 506
 507         /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
 508         sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
 509
 510         /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
 511         sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
 512                ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
 513                (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
 514                ih->hop_limit,
 515                (ntohl(*(__be32 *)ih) & 0x000fffff));
 516
 517         fragment = 0;
 518         ptr = ip6hoff + sizeof(struct ipv6hdr);
 519         currenthdr = ih->nexthdr;
 520         while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
 521                 struct ipv6_opt_hdr _hdr;
 522                 const struct ipv6_opt_hdr *hp;
 523
 524                 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
 525                 if (hp == NULL) {
 526                         sb_add(m, "TRUNCATED");
 527                         return;
 528                 }
 529
 530                 /* Max length: 48 "OPT (...) " */
 531                 if (logflags & XT_LOG_IPOPT)
 532                         sb_add(m, "OPT ( ");
 533
 534                 switch (currenthdr) {
 535                 case IPPROTO_FRAGMENT: {
 536                         struct frag_hdr _fhdr;
 537                         const struct frag_hdr *fh;
 538
 539                         sb_add(m, "FRAG:");
 540                         fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
 541                                                 &_fhdr);
 542                         if (fh == NULL) {
 543                                 sb_add(m, "TRUNCATED ");
 544                                 return;
 545                         }
 546
 547                         /* Max length: 6 "65535 " */
 548                         sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
 549
 550                         /* Max length: 11 "INCOMPLETE " */
 551                         if (fh->frag_off & htons(0x0001))
 552                                 sb_add(m, "INCOMPLETE ");
 553
 554                         sb_add(m, "ID:%08x ", ntohl(fh->identification));
 555
 556                         if (ntohs(fh->frag_off) & 0xFFF8)
 557                                 fragment = 1;
 558
 559                         hdrlen = 8;
 560
 561                         break;
 562                 }
 563                 case IPPROTO_DSTOPTS:
 564                 case IPPROTO_ROUTING:
 565                 case IPPROTO_HOPOPTS:
 566                         if (fragment) {
 567                                 if (logflags & XT_LOG_IPOPT)
 568                                         sb_add(m, ")");
 569                                 return;
 570                         }
 571                         hdrlen = ipv6_optlen(hp);
 572                         break;
 573                 /* Max Length */
 574                 case IPPROTO_AH:
 575                         if (logflags & XT_LOG_IPOPT) {
 576                                 struct ip_auth_hdr _ahdr;
 577                                 const struct ip_auth_hdr *ah;
 578
 579                                 /* Max length: 3 "AH " */
 580                                 sb_add(m, "AH ");
 581
 582                                 if (fragment) {
 583                                         sb_add(m, ")");
 584                                         return;
 585                                 }
 586
 587                                 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
 588                                                         &_ahdr);
 589                                 if (ah == NULL) {
 590                                         /*
 591                                          * Max length: 26 "INCOMPLETE [65535
 592                                          *  bytes] )"
 593                                          */
 594                                         sb_add(m, "INCOMPLETE [%u bytes] )",
 595                                                skb->len - ptr);
 596                                         return;
 597                                 }
 598
 599                                 /* Length: 15 "SPI=0xF1234567 */
 600                                 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
 601
 602                         }
 603
 604                         hdrlen = (hp->hdrlen+2)<<2;
 605                         break;
 606                 case IPPROTO_ESP:
 607                         if (logflags & XT_LOG_IPOPT) {
 608                                 struct ip_esp_hdr _esph;
 609                                 const struct ip_esp_hdr *eh;
 610
 611                                 /* Max length: 4 "ESP " */
 612                                 sb_add(m, "ESP ");
 613
 614                                 if (fragment) {
 615                                         sb_add(m, ")");
 616                                         return;
 617                                 }
 618
 619                                 /*
 620                                  * Max length: 26 "INCOMPLETE [65535 bytes] )"
 621                                  */
 622                                 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
 623                                                         &_esph);
 624                                 if (eh == NULL) {
 625                                         sb_add(m, "INCOMPLETE [%u bytes] )",
 626                                                skb->len - ptr);
 627                                         return;
 628                                 }
 629
 630                                 /* Length: 16 "SPI=0xF1234567 )" */
 631                                 sb_add(m, "SPI=0x%x )", ntohl(eh->spi));
 632
 633                         }
 634                         return;
 635                 default:
 636                         /* Max length: 20 "Unknown Ext Hdr 255" */
 637                         sb_add(m, "Unknown Ext Hdr %u", currenthdr);
 638                         return;
 639                 }
 640                 if (logflags & XT_LOG_IPOPT)
 641                         sb_add(m, ") ");
 642
 643                 currenthdr = hp->nexthdr;
 644                 ptr += hdrlen;
 645         }
 646
 647         switch (currenthdr) {
 648         case IPPROTO_TCP:
 649                 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr,
 650                     logflags))
 651                         return;
 652         case IPPROTO_UDP:
 653         case IPPROTO_UDPLITE:
 654                 if (dump_udp_header(m, skb, currenthdr, fragment, ptr))
 655                         return;
 656         case IPPROTO_ICMPV6: {
 657                 struct icmp6hdr _icmp6h;
 658                 const struct icmp6hdr *ic;
 659
 660                 /* Max length: 13 "PROTO=ICMPv6 " */
 661                 sb_add(m, "PROTO=ICMPv6 ");
 662
 663                 if (fragment)
 664                         break;
 665
 666                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 667                 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
 668                 if (ic == NULL) {
 669                         sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
 670                         return;
 671                 }
 672
 673                 /* Max length: 18 "TYPE=255 CODE=255 " */
 674                 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code);
 675
 676                 switch (ic->icmp6_type) {
 677                 case ICMPV6_ECHO_REQUEST:
 678                 case ICMPV6_ECHO_REPLY:
 679                         /* Max length: 19 "ID=65535 SEQ=65535 " */
 680                         sb_add(m, "ID=%u SEQ=%u ",
 681                                 ntohs(ic->icmp6_identifier),
 682                                 ntohs(ic->icmp6_sequence));
 683                         break;
 684                 case ICMPV6_MGM_QUERY:
 685                 case ICMPV6_MGM_REPORT:
 686                 case ICMPV6_MGM_REDUCTION:
 687                         break;
 688
 689                 case ICMPV6_PARAMPROB:
 690                         /* Max length: 17 "POINTER=ffffffff " */
 691                         sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer));
 692                         /* Fall through */
 693                 case ICMPV6_DEST_UNREACH:
 694                 case ICMPV6_PKT_TOOBIG:
 695                 case ICMPV6_TIME_EXCEED:
 696                         /* Max length: 3+maxlen */
 697                         if (recurse) {
 698                                 sb_add(m, "[");
 699                                 dump_ipv6_packet(m, info, skb,
 700                                             ptr + sizeof(_icmp6h), 0);
 701                                 sb_add(m, "] ");
 702                         }
 703
 704                         /* Max length: 10 "MTU=65535 " */
 705                         if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
 706                                 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu));
 707                 }
 708                 break;
 709         }
 710         /* Max length: 10 "PROTO=255 " */
 711         default:
 712                 sb_add(m, "PROTO=%u ", currenthdr);
 713         }
 714
 715         /* Max length: 15 "UID=4294967295 " */
 716         if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
 717                 read_lock_bh(&skb->sk->sk_callback_lock);
 718                 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
 719                         sb_add(m, "UID=%u GID=%u ",
 720                                 skb->sk->sk_socket->file->f_cred->fsuid,
 721                                 skb->sk->sk_socket->file->f_cred->fsgid);
 722                 read_unlock_bh(&skb->sk->sk_callback_lock);
 723         }
 724
 725         /* Max length: 16 "MARK=0xFFFFFFFF " */
 726         if (!recurse && skb->mark)
 727                 sb_add(m, "MARK=0x%x ", skb->mark);
 728 }
 729
 730 static void dump_ipv6_mac_header(struct sbuff *m,
 731                             const struct nf_loginfo *info,
 732                             const struct sk_buff *skb)
 733 {
 734         struct net_device *dev = skb->dev;
 735         unsigned int logflags = 0;
 736
 737         if (info->type == NF_LOG_TYPE_LOG)
 738                 logflags = info->u.log.logflags;
 739
 740         if (!(logflags & XT_LOG_MACDECODE))
 741                 goto fallback;
 742
 743         switch (dev->type) {
 744         case ARPHRD_ETHER:
 745                 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
 746                        eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
 747                        ntohs(eth_hdr(skb)->h_proto));
 748                 return;
 749         default:
 750                 break;
 751         }
 752
 753 fallback:
 754         sb_add(m, "MAC=");
 755         if (dev->hard_header_len &&
 756             skb->mac_header != skb->network_header) {
 757                 const unsigned char *p = skb_mac_header(skb);
 758                 unsigned int len = dev->hard_header_len;
 759                 unsigned int i;
 760
 761                 if (dev->type == ARPHRD_SIT) {
 762                         p -= ETH_HLEN;
 763
 764                         if (p < skb->head)
 765                                 p = NULL;
 766                 }
 767
 768                 if (p != NULL) {
 769                         sb_add(m, "%02x", *p++);
 770                         for (i = 1; i < len; i++)
 771                                 sb_add(m, ":%02x", *p++);
 772                 }
 773                 sb_add(m, " ");
 774
 775                 if (dev->type == ARPHRD_SIT) {
 776                         const struct iphdr *iph =
 777                                 (struct iphdr *)skb_mac_header(skb);
 778                         sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr,
 779                                &iph->daddr);
 780                 }
 781         } else
 782                 sb_add(m, " ");
 783 }
 784
 785 static void
 786 ip6t_log_packet(u_int8_t pf,
 787                 unsigned int hooknum,
 788                 const struct sk_buff *skb,
 789                 const struct net_device *in,
 790                 const struct net_device *out,
 791                 const struct nf_loginfo *loginfo,
 792                 const char *prefix)
 793 {
 794         struct sbuff *m = sb_open();
 795
 796         if (!loginfo)
 797                 loginfo = &default_loginfo;
 798
 799         log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
 800
 801         if (in != NULL)
 802                 dump_ipv6_mac_header(m, loginfo, skb);
 803
 804         dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
 805
 806         sb_close(m);
 807 }
 808 #endif
 809
 810 static unsigned int
 811 log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 812 {
 813         const struct xt_log_info *loginfo = par->targinfo;
 814         struct nf_loginfo li;
 815
 816         li.type = NF_LOG_TYPE_LOG;
 817         li.u.log.level = loginfo->level;
 818         li.u.log.logflags = loginfo->logflags;
 819
 820         if (par->family == NFPROTO_IPV4)
 821                 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
 822                                par->out, &li, loginfo->prefix);
 823 #if IS_ENABLED(CONFIG_IPV6)
 824         else if (par->family == NFPROTO_IPV6)
 825                 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
 826                                 par->out, &li, loginfo->prefix);
 827 #endif
 828         else
 829                 WARN_ON_ONCE(1);
 830
 831         return XT_CONTINUE;
 832 }
 833
 834 static int log_tg_check(const struct xt_tgchk_param *par)
 835 {
 836         const struct xt_log_info *loginfo = par->targinfo;
 837
 838         if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
 839                 return -EINVAL;
 840
 841         if (loginfo->level >= 8) {
 842                 pr_debug("level %u >= 8\n", loginfo->level);
 843                 return -EINVAL;
 844         }
 845
 846         if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
 847                 pr_debug("prefix is not null-terminated\n");
 848                 return -EINVAL;
 849         }
 850
 851         return 0;
 852 }
 853
 854 static struct xt_target log_tg_regs[] __read_mostly = {
 855         {
 856                 .name           = "LOG",
 857                 .family         = NFPROTO_IPV4,
 858                 .target         = log_tg,
 859                 .targetsize     = sizeof(struct xt_log_info),
 860                 .checkentry     = log_tg_check,
 861                 .me             = THIS_MODULE,
 862         },
 863 #if IS_ENABLED(CONFIG_IPV6)
 864         {
 865                 .name           = "LOG",
 866                 .family         = NFPROTO_IPV6,
 867                 .target         = log_tg,
 868                 .targetsize     = sizeof(struct xt_log_info),
 869                 .checkentry     = log_tg_check,
 870                 .me             = THIS_MODULE,
 871         },
 872 #endif
 873 };
 874
 875 static struct nf_logger ipt_log_logger __read_mostly = {
 876         .name           = "ipt_LOG",
 877         .logfn          = &ipt_log_packet,
 878         .me             = THIS_MODULE,
 879 };
 880
 881 #if IS_ENABLED(CONFIG_IPV6)
 882 static struct nf_logger ip6t_log_logger __read_mostly = {
 883         .name           = "ip6t_LOG",
 884         .logfn          = &ip6t_log_packet,
 885         .me             = THIS_MODULE,
 886 };
 887 #endif
 888
 889 static int __init log_tg_init(void)
 890 {
 891         int ret;
 892
 893         ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
 894         if (ret < 0)
 895                 return ret;
 896
 897         nf_log_register(NFPROTO_IPV4, &ipt_log_logger);
 898 #if IS_ENABLED(CONFIG_IPV6)
 899         nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
 900 #endif
 901         return 0;
 902 }
 903
 904 static void __exit log_tg_exit(void)
 905 {
 906         nf_log_unregister(&ipt_log_logger);
 907 #if IS_ENABLED(CONFIG_IPV6)
 908         nf_log_unregister(&ip6t_log_logger);
 909 #endif
 910         xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
 911 }
 912
 913 module_init(log_tg_init);
 914 module_exit(log_tg_exit);
 915
 916 MODULE_LICENSE("GPL");
 917 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 918 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
 919 MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
 920 MODULE_ALIAS("ipt_LOG");
 921 MODULE_ALIAS("ip6t_LOG");