2 * This is a module which is used for logging packets.
5 /* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 #include <linux/module.h>
15 #include <linux/spinlock.h>
16 #include <linux/skbuff.h>
17 #include <linux/if_arp.h>
23 #include <net/route.h>
25 #include <linux/netfilter.h>
26 #include <linux/netfilter/x_tables.h>
27 #include <linux/netfilter/xt_LOG.h>
28 #include <linux/netfilter_ipv6/ip6_tables.h>
29 #include <net/netfilter/nf_log.h>
31 static struct nf_loginfo default_loginfo = {
32 .type = NF_LOG_TYPE_LOG,
36 .logflags = NF_LOG_MASK,
41 static int dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb,
42 u8 proto, int fragment, unsigned int offset)
45 const struct udphdr *uh;
47 if (proto == IPPROTO_UDP)
48 /* Max length: 10 "PROTO=UDP " */
49 nf_log_buf_add(m, "PROTO=UDP ");
50 else /* Max length: 14 "PROTO=UDPLITE " */
51 nf_log_buf_add(m, "PROTO=UDPLITE ");
56 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
57 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
59 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
64 /* Max length: 20 "SPT=65535 DPT=65535 " */
65 nf_log_buf_add(m, "SPT=%u DPT=%u LEN=%u ",
66 ntohs(uh->source), ntohs(uh->dest), ntohs(uh->len));
72 static int dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
73 u8 proto, int fragment, unsigned int offset,
74 unsigned int logflags)
77 const struct tcphdr *th;
79 /* Max length: 10 "PROTO=TCP " */
80 nf_log_buf_add(m, "PROTO=TCP ");
85 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
86 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
88 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
92 /* Max length: 20 "SPT=65535 DPT=65535 " */
93 nf_log_buf_add(m, "SPT=%u DPT=%u ",
94 ntohs(th->source), ntohs(th->dest));
95 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
96 if (logflags & XT_LOG_TCPSEQ) {
97 nf_log_buf_add(m, "SEQ=%u ACK=%u ",
98 ntohl(th->seq), ntohl(th->ack_seq));
101 /* Max length: 13 "WINDOW=65535 " */
102 nf_log_buf_add(m, "WINDOW=%u ", ntohs(th->window));
103 /* Max length: 9 "RES=0x3C " */
104 nf_log_buf_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
105 TCP_RESERVED_BITS) >> 22));
106 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
108 nf_log_buf_add(m, "CWR ");
110 nf_log_buf_add(m, "ECE ");
112 nf_log_buf_add(m, "URG ");
114 nf_log_buf_add(m, "ACK ");
116 nf_log_buf_add(m, "PSH ");
118 nf_log_buf_add(m, "RST ");
120 nf_log_buf_add(m, "SYN ");
122 nf_log_buf_add(m, "FIN ");
123 /* Max length: 11 "URGP=65535 " */
124 nf_log_buf_add(m, "URGP=%u ", ntohs(th->urg_ptr));
126 if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) {
127 u_int8_t _opt[60 - sizeof(struct tcphdr)];
130 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr);
132 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
135 nf_log_buf_add(m, "OPT (TRUNCATED)");
139 /* Max length: 127 "OPT (" 15*4*2chars ") " */
140 nf_log_buf_add(m, "OPT (");
141 for (i = 0; i < optsize; i++)
142 nf_log_buf_add(m, "%02X", op[i]);
144 nf_log_buf_add(m, ") ");
150 static void dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk)
152 if (!sk || sk->sk_state == TCP_TIME_WAIT)
155 read_lock_bh(&sk->sk_callback_lock);
156 if (sk->sk_socket && sk->sk_socket->file) {
157 const struct cred *cred = sk->sk_socket->file->f_cred;
158 nf_log_buf_add(m, "UID=%u GID=%u ",
159 from_kuid_munged(&init_user_ns, cred->fsuid),
160 from_kgid_munged(&init_user_ns, cred->fsgid));
162 read_unlock_bh(&sk->sk_callback_lock);
165 /* One level of recursion won't kill us */
166 static void dump_ipv4_packet(struct nf_log_buf *m,
167 const struct nf_loginfo *info,
168 const struct sk_buff *skb, unsigned int iphoff)
171 const struct iphdr *ih;
172 unsigned int logflags;
174 if (info->type == NF_LOG_TYPE_LOG)
175 logflags = info->u.log.logflags;
177 logflags = NF_LOG_MASK;
179 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
181 nf_log_buf_add(m, "TRUNCATED");
186 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
187 /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
188 nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ",
189 &ih->saddr, &ih->daddr);
191 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
192 nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
193 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
194 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
196 /* Max length: 6 "CE DF MF " */
197 if (ntohs(ih->frag_off) & IP_CE)
198 nf_log_buf_add(m, "CE ");
199 if (ntohs(ih->frag_off) & IP_DF)
200 nf_log_buf_add(m, "DF ");
201 if (ntohs(ih->frag_off) & IP_MF)
202 nf_log_buf_add(m, "MF ");
204 /* Max length: 11 "FRAG:65535 " */
205 if (ntohs(ih->frag_off) & IP_OFFSET)
206 nf_log_buf_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
208 if ((logflags & XT_LOG_IPOPT) &&
209 ih->ihl * 4 > sizeof(struct iphdr)) {
210 const unsigned char *op;
211 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
212 unsigned int i, optsize;
214 optsize = ih->ihl * 4 - sizeof(struct iphdr);
215 op = skb_header_pointer(skb, iphoff+sizeof(_iph),
218 nf_log_buf_add(m, "TRUNCATED");
222 /* Max length: 127 "OPT (" 15*4*2chars ") " */
223 nf_log_buf_add(m, "OPT (");
224 for (i = 0; i < optsize; i++)
225 nf_log_buf_add(m, "%02X", op[i]);
226 nf_log_buf_add(m, ") ");
229 switch (ih->protocol) {
231 if (dump_tcp_header(m, skb, ih->protocol,
232 ntohs(ih->frag_off) & IP_OFFSET,
233 iphoff+ih->ihl*4, logflags))
237 case IPPROTO_UDPLITE:
238 if (dump_udp_header(m, skb, ih->protocol,
239 ntohs(ih->frag_off) & IP_OFFSET,
244 struct icmphdr _icmph;
245 const struct icmphdr *ich;
246 static const size_t required_len[NR_ICMP_TYPES+1]
247 = { [ICMP_ECHOREPLY] = 4,
249 = 8 + sizeof(struct iphdr),
251 = 8 + sizeof(struct iphdr),
253 = 8 + sizeof(struct iphdr),
256 = 8 + sizeof(struct iphdr),
258 = 8 + sizeof(struct iphdr),
259 [ICMP_TIMESTAMP] = 20,
260 [ICMP_TIMESTAMPREPLY] = 20,
262 [ICMP_ADDRESSREPLY] = 12 };
264 /* Max length: 11 "PROTO=ICMP " */
265 nf_log_buf_add(m, "PROTO=ICMP ");
267 if (ntohs(ih->frag_off) & IP_OFFSET)
270 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
271 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
272 sizeof(_icmph), &_icmph);
274 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
275 skb->len - iphoff - ih->ihl*4);
279 /* Max length: 18 "TYPE=255 CODE=255 " */
280 nf_log_buf_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
282 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
283 if (ich->type <= NR_ICMP_TYPES &&
284 required_len[ich->type] &&
285 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
286 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
287 skb->len - iphoff - ih->ihl*4);
294 /* Max length: 19 "ID=65535 SEQ=65535 " */
295 nf_log_buf_add(m, "ID=%u SEQ=%u ",
296 ntohs(ich->un.echo.id),
297 ntohs(ich->un.echo.sequence));
300 case ICMP_PARAMETERPROB:
301 /* Max length: 14 "PARAMETER=255 " */
302 nf_log_buf_add(m, "PARAMETER=%u ",
303 ntohl(ich->un.gateway) >> 24);
306 /* Max length: 24 "GATEWAY=255.255.255.255 " */
307 nf_log_buf_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
309 case ICMP_DEST_UNREACH:
310 case ICMP_SOURCE_QUENCH:
311 case ICMP_TIME_EXCEEDED:
312 /* Max length: 3+maxlen */
313 if (!iphoff) { /* Only recurse once. */
314 nf_log_buf_add(m, "[");
315 dump_ipv4_packet(m, info, skb,
316 iphoff + ih->ihl*4+sizeof(_icmph));
317 nf_log_buf_add(m, "] ");
320 /* Max length: 10 "MTU=65535 " */
321 if (ich->type == ICMP_DEST_UNREACH &&
322 ich->code == ICMP_FRAG_NEEDED) {
323 nf_log_buf_add(m, "MTU=%u ",
324 ntohs(ich->un.frag.mtu));
331 struct ip_auth_hdr _ahdr;
332 const struct ip_auth_hdr *ah;
334 if (ntohs(ih->frag_off) & IP_OFFSET)
337 /* Max length: 9 "PROTO=AH " */
338 nf_log_buf_add(m, "PROTO=AH ");
340 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
341 ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
342 sizeof(_ahdr), &_ahdr);
344 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
345 skb->len - iphoff - ih->ihl*4);
349 /* Length: 15 "SPI=0xF1234567 " */
350 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
354 struct ip_esp_hdr _esph;
355 const struct ip_esp_hdr *eh;
357 /* Max length: 10 "PROTO=ESP " */
358 nf_log_buf_add(m, "PROTO=ESP ");
360 if (ntohs(ih->frag_off) & IP_OFFSET)
363 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
364 eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
365 sizeof(_esph), &_esph);
367 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
368 skb->len - iphoff - ih->ihl*4);
372 /* Length: 15 "SPI=0xF1234567 " */
373 nf_log_buf_add(m, "SPI=0x%x ", ntohl(eh->spi));
376 /* Max length: 10 "PROTO 255 " */
378 nf_log_buf_add(m, "PROTO=%u ", ih->protocol);
381 /* Max length: 15 "UID=4294967295 " */
382 if ((logflags & XT_LOG_UID) && !iphoff)
383 dump_sk_uid_gid(m, skb->sk);
385 /* Max length: 16 "MARK=0xFFFFFFFF " */
386 if (!iphoff && skb->mark)
387 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
389 /* Proto Max log string length */
390 /* IP: 40+46+6+11+127 = 230 */
391 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
392 /* UDP: 10+max(25,20) = 35 */
393 /* UDPLITE: 14+max(25,20) = 39 */
394 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
395 /* ESP: 10+max(25)+15 = 50 */
396 /* AH: 9+max(25)+15 = 49 */
399 /* (ICMP allows recursion one level deep) */
400 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */
401 /* maxlen = 230+ 91 + 230 + 252 = 803 */
404 static void dump_ipv4_mac_header(struct nf_log_buf *m,
405 const struct nf_loginfo *info,
406 const struct sk_buff *skb)
408 struct net_device *dev = skb->dev;
409 unsigned int logflags = 0;
411 if (info->type == NF_LOG_TYPE_LOG)
412 logflags = info->u.log.logflags;
414 if (!(logflags & XT_LOG_MACDECODE))
419 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
420 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
421 ntohs(eth_hdr(skb)->h_proto));
428 nf_log_buf_add(m, "MAC=");
429 if (dev->hard_header_len &&
430 skb->mac_header != skb->network_header) {
431 const unsigned char *p = skb_mac_header(skb);
434 nf_log_buf_add(m, "%02x", *p++);
435 for (i = 1; i < dev->hard_header_len; i++, p++)
436 nf_log_buf_add(m, ":%02x", *p);
438 nf_log_buf_add(m, " ");
442 log_packet_common(struct nf_log_buf *m,
444 unsigned int hooknum,
445 const struct sk_buff *skb,
446 const struct net_device *in,
447 const struct net_device *out,
448 const struct nf_loginfo *loginfo,
451 nf_log_buf_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
452 '0' + loginfo->u.log.level, prefix,
454 out ? out->name : "");
455 #ifdef CONFIG_BRIDGE_NETFILTER
456 if (skb->nf_bridge) {
457 const struct net_device *physindev;
458 const struct net_device *physoutdev;
460 physindev = skb->nf_bridge->physindev;
461 if (physindev && in != physindev)
462 nf_log_buf_add(m, "PHYSIN=%s ", physindev->name);
463 physoutdev = skb->nf_bridge->physoutdev;
464 if (physoutdev && out != physoutdev)
465 nf_log_buf_add(m, "PHYSOUT=%s ", physoutdev->name);
472 ipt_log_packet(struct net *net,
474 unsigned int hooknum,
475 const struct sk_buff *skb,
476 const struct net_device *in,
477 const struct net_device *out,
478 const struct nf_loginfo *loginfo,
481 struct nf_log_buf *m;
483 /* FIXME: Disabled from containers until syslog ns is supported */
484 if (!net_eq(net, &init_net))
487 m = nf_log_buf_open();
490 loginfo = &default_loginfo;
492 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
495 dump_ipv4_mac_header(m, loginfo, skb);
497 dump_ipv4_packet(m, loginfo, skb, 0);
502 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
503 /* One level of recursion won't kill us */
504 static void dump_ipv6_packet(struct nf_log_buf *m,
505 const struct nf_loginfo *info,
506 const struct sk_buff *skb, unsigned int ip6hoff,
511 struct ipv6hdr _ip6h;
512 const struct ipv6hdr *ih;
514 unsigned int hdrlen = 0;
515 unsigned int logflags;
517 if (info->type == NF_LOG_TYPE_LOG)
518 logflags = info->u.log.logflags;
520 logflags = NF_LOG_MASK;
522 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
524 nf_log_buf_add(m, "TRUNCATED");
528 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
529 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
531 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
532 nf_log_buf_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
533 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
534 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
535 ih->hop_limit, (ntohl(*(__be32 *)ih) & 0x000fffff));
538 ptr = ip6hoff + sizeof(struct ipv6hdr);
539 currenthdr = ih->nexthdr;
540 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
541 struct ipv6_opt_hdr _hdr;
542 const struct ipv6_opt_hdr *hp;
544 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
546 nf_log_buf_add(m, "TRUNCATED");
550 /* Max length: 48 "OPT (...) " */
551 if (logflags & XT_LOG_IPOPT)
552 nf_log_buf_add(m, "OPT ( ");
554 switch (currenthdr) {
555 case IPPROTO_FRAGMENT: {
556 struct frag_hdr _fhdr;
557 const struct frag_hdr *fh;
559 nf_log_buf_add(m, "FRAG:");
560 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
563 nf_log_buf_add(m, "TRUNCATED ");
567 /* Max length: 6 "65535 " */
568 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
570 /* Max length: 11 "INCOMPLETE " */
571 if (fh->frag_off & htons(0x0001))
572 nf_log_buf_add(m, "INCOMPLETE ");
574 nf_log_buf_add(m, "ID:%08x ", ntohl(fh->identification));
576 if (ntohs(fh->frag_off) & 0xFFF8)
583 case IPPROTO_DSTOPTS:
584 case IPPROTO_ROUTING:
585 case IPPROTO_HOPOPTS:
587 if (logflags & XT_LOG_IPOPT)
588 nf_log_buf_add(m, ")");
591 hdrlen = ipv6_optlen(hp);
595 if (logflags & XT_LOG_IPOPT) {
596 struct ip_auth_hdr _ahdr;
597 const struct ip_auth_hdr *ah;
599 /* Max length: 3 "AH " */
600 nf_log_buf_add(m, "AH ");
603 nf_log_buf_add(m, ")");
607 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
611 * Max length: 26 "INCOMPLETE [65535
614 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
619 /* Length: 15 "SPI=0xF1234567 */
620 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
624 hdrlen = (hp->hdrlen+2)<<2;
627 if (logflags & XT_LOG_IPOPT) {
628 struct ip_esp_hdr _esph;
629 const struct ip_esp_hdr *eh;
631 /* Max length: 4 "ESP " */
632 nf_log_buf_add(m, "ESP ");
635 nf_log_buf_add(m, ")");
640 * Max length: 26 "INCOMPLETE [65535 bytes] )"
642 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
645 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
650 /* Length: 16 "SPI=0xF1234567 )" */
651 nf_log_buf_add(m, "SPI=0x%x )", ntohl(eh->spi));
656 /* Max length: 20 "Unknown Ext Hdr 255" */
657 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr);
660 if (logflags & XT_LOG_IPOPT)
661 nf_log_buf_add(m, ") ");
663 currenthdr = hp->nexthdr;
667 switch (currenthdr) {
669 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr,
674 case IPPROTO_UDPLITE:
675 if (dump_udp_header(m, skb, currenthdr, fragment, ptr))
678 case IPPROTO_ICMPV6: {
679 struct icmp6hdr _icmp6h;
680 const struct icmp6hdr *ic;
682 /* Max length: 13 "PROTO=ICMPv6 " */
683 nf_log_buf_add(m, "PROTO=ICMPv6 ");
688 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
689 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
691 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
696 /* Max length: 18 "TYPE=255 CODE=255 " */
697 nf_log_buf_add(m, "TYPE=%u CODE=%u ",
698 ic->icmp6_type, ic->icmp6_code);
700 switch (ic->icmp6_type) {
701 case ICMPV6_ECHO_REQUEST:
702 case ICMPV6_ECHO_REPLY:
703 /* Max length: 19 "ID=65535 SEQ=65535 " */
704 nf_log_buf_add(m, "ID=%u SEQ=%u ",
705 ntohs(ic->icmp6_identifier),
706 ntohs(ic->icmp6_sequence));
708 case ICMPV6_MGM_QUERY:
709 case ICMPV6_MGM_REPORT:
710 case ICMPV6_MGM_REDUCTION:
713 case ICMPV6_PARAMPROB:
714 /* Max length: 17 "POINTER=ffffffff " */
715 nf_log_buf_add(m, "POINTER=%08x ",
716 ntohl(ic->icmp6_pointer));
718 case ICMPV6_DEST_UNREACH:
719 case ICMPV6_PKT_TOOBIG:
720 case ICMPV6_TIME_EXCEED:
721 /* Max length: 3+maxlen */
723 nf_log_buf_add(m, "[");
724 dump_ipv6_packet(m, info, skb,
725 ptr + sizeof(_icmp6h), 0);
726 nf_log_buf_add(m, "] ");
729 /* Max length: 10 "MTU=65535 " */
730 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
731 nf_log_buf_add(m, "MTU=%u ",
732 ntohl(ic->icmp6_mtu));
736 /* Max length: 10 "PROTO=255 " */
738 nf_log_buf_add(m, "PROTO=%u ", currenthdr);
741 /* Max length: 15 "UID=4294967295 " */
742 if ((logflags & XT_LOG_UID) && recurse)
743 dump_sk_uid_gid(m, skb->sk);
745 /* Max length: 16 "MARK=0xFFFFFFFF " */
746 if (recurse && skb->mark)
747 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
750 static void dump_ipv6_mac_header(struct nf_log_buf *m,
751 const struct nf_loginfo *info,
752 const struct sk_buff *skb)
754 struct net_device *dev = skb->dev;
755 unsigned int logflags = 0;
757 if (info->type == NF_LOG_TYPE_LOG)
758 logflags = info->u.log.logflags;
760 if (!(logflags & XT_LOG_MACDECODE))
765 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
766 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
767 ntohs(eth_hdr(skb)->h_proto));
774 nf_log_buf_add(m, "MAC=");
775 if (dev->hard_header_len &&
776 skb->mac_header != skb->network_header) {
777 const unsigned char *p = skb_mac_header(skb);
778 unsigned int len = dev->hard_header_len;
781 if (dev->type == ARPHRD_SIT) {
789 nf_log_buf_add(m, "%02x", *p++);
790 for (i = 1; i < len; i++)
791 nf_log_buf_add(m, ":%02x", *p++);
793 nf_log_buf_add(m, " ");
795 if (dev->type == ARPHRD_SIT) {
796 const struct iphdr *iph =
797 (struct iphdr *)skb_mac_header(skb);
798 nf_log_buf_add(m, "TUNNEL=%pI4->%pI4 ",
799 &iph->saddr, &iph->daddr);
802 nf_log_buf_add(m, " ");
807 ip6t_log_packet(struct net *net,
809 unsigned int hooknum,
810 const struct sk_buff *skb,
811 const struct net_device *in,
812 const struct net_device *out,
813 const struct nf_loginfo *loginfo,
816 struct nf_log_buf *m;
818 /* FIXME: Disabled from containers until syslog ns is supported */
819 if (!net_eq(net, &init_net))
822 m = nf_log_buf_open();
825 loginfo = &default_loginfo;
827 log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
830 dump_ipv6_mac_header(m, loginfo, skb);
832 dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
839 log_tg(struct sk_buff *skb, const struct xt_action_param *par)
841 const struct xt_log_info *loginfo = par->targinfo;
842 struct nf_loginfo li;
843 struct net *net = dev_net(par->in ? par->in : par->out);
845 li.type = NF_LOG_TYPE_LOG;
846 li.u.log.level = loginfo->level;
847 li.u.log.logflags = loginfo->logflags;
849 if (par->family == NFPROTO_IPV4)
850 ipt_log_packet(net, NFPROTO_IPV4, par->hooknum, skb, par->in,
851 par->out, &li, loginfo->prefix);
852 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
853 else if (par->family == NFPROTO_IPV6)
854 ip6t_log_packet(net, NFPROTO_IPV6, par->hooknum, skb, par->in,
855 par->out, &li, loginfo->prefix);
863 static int log_tg_check(const struct xt_tgchk_param *par)
865 const struct xt_log_info *loginfo = par->targinfo;
867 if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
870 if (loginfo->level >= 8) {
871 pr_debug("level %u >= 8\n", loginfo->level);
875 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
876 pr_debug("prefix is not null-terminated\n");
883 static struct xt_target log_tg_regs[] __read_mostly = {
886 .family = NFPROTO_IPV4,
888 .targetsize = sizeof(struct xt_log_info),
889 .checkentry = log_tg_check,
892 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
895 .family = NFPROTO_IPV6,
897 .targetsize = sizeof(struct xt_log_info),
898 .checkentry = log_tg_check,
904 static struct nf_logger ipt_log_logger __read_mostly = {
906 .type = NF_LOG_TYPE_LOG,
907 .logfn = &ipt_log_packet,
911 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
912 static struct nf_logger ip6t_log_logger __read_mostly = {
914 .type = NF_LOG_TYPE_LOG,
915 .logfn = &ip6t_log_packet,
920 static int __net_init log_net_init(struct net *net)
922 nf_log_set(net, NFPROTO_IPV4, &ipt_log_logger);
923 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
924 nf_log_set(net, NFPROTO_IPV6, &ip6t_log_logger);
929 static void __net_exit log_net_exit(struct net *net)
931 nf_log_unset(net, &ipt_log_logger);
932 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
933 nf_log_unset(net, &ip6t_log_logger);
937 static struct pernet_operations log_net_ops = {
938 .init = log_net_init,
939 .exit = log_net_exit,
942 static int __init log_tg_init(void)
946 ret = register_pernet_subsys(&log_net_ops);
950 ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
954 nf_log_register(NFPROTO_IPV4, &ipt_log_logger);
955 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
956 nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
961 unregister_pernet_subsys(&log_net_ops);
966 static void __exit log_tg_exit(void)
968 unregister_pernet_subsys(&log_net_ops);
969 nf_log_unregister(&ipt_log_logger);
970 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
971 nf_log_unregister(&ip6t_log_logger);
973 xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
976 module_init(log_tg_init);
977 module_exit(log_tg_exit);
979 MODULE_LICENSE("GPL");
980 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
981 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
982 MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
983 MODULE_ALIAS("ipt_LOG");
984 MODULE_ALIAS("ip6t_LOG");