1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8
9 #include <linux/module.h>
10 #include <linux/spinlock.h>
11 #include <linux/skbuff.h>
12 #include <linux/if_arp.h>
13 #include <linux/ip.h>
14 #include <net/ipv6.h>
15 #include <net/icmp.h>
16 #include <net/udp.h>
17 #include <net/tcp.h>
18 #include <net/route.h>
19
20 #include <linux/netfilter.h>
21 #include <linux/netfilter_ipv6/ip6_tables.h>
22 #include <linux/netfilter/xt_LOG.h>
23 #include <net/netfilter/nf_log.h>
24
25 static struct nf_loginfo default_loginfo = {
26 .type = NF_LOG_TYPE_LOG,
27 .u = {
28 .log = {
29 .level = 5,
30 .logflags = NF_LOG_MASK,
31 },
32 },
33 };
34
35 /* One level of recursion won't kill us */
dump_ipv6_packet(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb,unsigned int ip6hoff,int recurse)36 static void dump_ipv6_packet(struct nf_log_buf *m,
37 const struct nf_loginfo *info,
38 const struct sk_buff *skb, unsigned int ip6hoff,
39 int recurse)
40 {
41 u_int8_t currenthdr;
42 int fragment;
43 struct ipv6hdr _ip6h;
44 const struct ipv6hdr *ih;
45 unsigned int ptr;
46 unsigned int hdrlen = 0;
47 unsigned int logflags;
48
49 if (info->type == NF_LOG_TYPE_LOG)
50 logflags = info->u.log.logflags;
51 else
52 logflags = NF_LOG_MASK;
53
54 ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
55 if (ih == NULL) {
56 nf_log_buf_add(m, "TRUNCATED");
57 return;
58 }
59
60 /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
61 nf_log_buf_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
62
63 /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
64 nf_log_buf_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
65 ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
66 (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
67 ih->hop_limit,
68 (ntohl(*(__be32 *)ih) & 0x000fffff));
69
70 fragment = 0;
71 ptr = ip6hoff + sizeof(struct ipv6hdr);
72 currenthdr = ih->nexthdr;
73 while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
74 struct ipv6_opt_hdr _hdr;
75 const struct ipv6_opt_hdr *hp;
76
77 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
78 if (hp == NULL) {
79 nf_log_buf_add(m, "TRUNCATED");
80 return;
81 }
82
83 /* Max length: 48 "OPT (...) " */
84 if (logflags & XT_LOG_IPOPT)
85 nf_log_buf_add(m, "OPT ( ");
86
87 switch (currenthdr) {
88 case IPPROTO_FRAGMENT: {
89 struct frag_hdr _fhdr;
90 const struct frag_hdr *fh;
91
92 nf_log_buf_add(m, "FRAG:");
93 fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
94 &_fhdr);
95 if (fh == NULL) {
96 nf_log_buf_add(m, "TRUNCATED ");
97 return;
98 }
99
100 /* Max length: 6 "65535 " */
101 nf_log_buf_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
102
103 /* Max length: 11 "INCOMPLETE " */
104 if (fh->frag_off & htons(0x0001))
105 nf_log_buf_add(m, "INCOMPLETE ");
106
107 nf_log_buf_add(m, "ID:%08x ",
108 ntohl(fh->identification));
109
110 if (ntohs(fh->frag_off) & 0xFFF8)
111 fragment = 1;
112
113 hdrlen = 8;
114
115 break;
116 }
117 case IPPROTO_DSTOPTS:
118 case IPPROTO_ROUTING:
119 case IPPROTO_HOPOPTS:
120 if (fragment) {
121 if (logflags & XT_LOG_IPOPT)
122 nf_log_buf_add(m, ")");
123 return;
124 }
125 hdrlen = ipv6_optlen(hp);
126 break;
127 /* Max Length */
128 case IPPROTO_AH:
129 if (logflags & XT_LOG_IPOPT) {
130 struct ip_auth_hdr _ahdr;
131 const struct ip_auth_hdr *ah;
132
133 /* Max length: 3 "AH " */
134 nf_log_buf_add(m, "AH ");
135
136 if (fragment) {
137 nf_log_buf_add(m, ")");
138 return;
139 }
140
141 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
142 &_ahdr);
143 if (ah == NULL) {
144 /*
145 * Max length: 26 "INCOMPLETE [65535
146 * bytes] )"
147 */
148 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
149 skb->len - ptr);
150 return;
151 }
152
153 /* Length: 15 "SPI=0xF1234567 */
154 nf_log_buf_add(m, "SPI=0x%x ", ntohl(ah->spi));
155
156 }
157
158 hdrlen = (hp->hdrlen+2)<<2;
159 break;
160 case IPPROTO_ESP:
161 if (logflags & XT_LOG_IPOPT) {
162 struct ip_esp_hdr _esph;
163 const struct ip_esp_hdr *eh;
164
165 /* Max length: 4 "ESP " */
166 nf_log_buf_add(m, "ESP ");
167
168 if (fragment) {
169 nf_log_buf_add(m, ")");
170 return;
171 }
172
173 /*
174 * Max length: 26 "INCOMPLETE [65535 bytes] )"
175 */
176 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
177 &_esph);
178 if (eh == NULL) {
179 nf_log_buf_add(m, "INCOMPLETE [%u bytes] )",
180 skb->len - ptr);
181 return;
182 }
183
184 /* Length: 16 "SPI=0xF1234567 )" */
185 nf_log_buf_add(m, "SPI=0x%x )",
186 ntohl(eh->spi));
187 }
188 return;
189 default:
190 /* Max length: 20 "Unknown Ext Hdr 255" */
191 nf_log_buf_add(m, "Unknown Ext Hdr %u", currenthdr);
192 return;
193 }
194 if (logflags & XT_LOG_IPOPT)
195 nf_log_buf_add(m, ") ");
196
197 currenthdr = hp->nexthdr;
198 ptr += hdrlen;
199 }
200
201 switch (currenthdr) {
202 case IPPROTO_TCP:
203 if (nf_log_dump_tcp_header(m, skb, currenthdr, fragment,
204 ptr, logflags))
205 return;
206 break;
207 case IPPROTO_UDP:
208 case IPPROTO_UDPLITE:
209 if (nf_log_dump_udp_header(m, skb, currenthdr, fragment, ptr))
210 return;
211 break;
212 case IPPROTO_ICMPV6: {
213 struct icmp6hdr _icmp6h;
214 const struct icmp6hdr *ic;
215
216 /* Max length: 13 "PROTO=ICMPv6 " */
217 nf_log_buf_add(m, "PROTO=ICMPv6 ");
218
219 if (fragment)
220 break;
221
222 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
223 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
224 if (ic == NULL) {
225 nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
226 skb->len - ptr);
227 return;
228 }
229
230 /* Max length: 18 "TYPE=255 CODE=255 " */
231 nf_log_buf_add(m, "TYPE=%u CODE=%u ",
232 ic->icmp6_type, ic->icmp6_code);
233
234 switch (ic->icmp6_type) {
235 case ICMPV6_ECHO_REQUEST:
236 case ICMPV6_ECHO_REPLY:
237 /* Max length: 19 "ID=65535 SEQ=65535 " */
238 nf_log_buf_add(m, "ID=%u SEQ=%u ",
239 ntohs(ic->icmp6_identifier),
240 ntohs(ic->icmp6_sequence));
241 break;
242 case ICMPV6_MGM_QUERY:
243 case ICMPV6_MGM_REPORT:
244 case ICMPV6_MGM_REDUCTION:
245 break;
246
247 case ICMPV6_PARAMPROB:
248 /* Max length: 17 "POINTER=ffffffff " */
249 nf_log_buf_add(m, "POINTER=%08x ",
250 ntohl(ic->icmp6_pointer));
251 /* Fall through */
252 case ICMPV6_DEST_UNREACH:
253 case ICMPV6_PKT_TOOBIG:
254 case ICMPV6_TIME_EXCEED:
255 /* Max length: 3+maxlen */
256 if (recurse) {
257 nf_log_buf_add(m, "[");
258 dump_ipv6_packet(m, info, skb,
259 ptr + sizeof(_icmp6h), 0);
260 nf_log_buf_add(m, "] ");
261 }
262
263 /* Max length: 10 "MTU=65535 " */
264 if (ic->icmp6_type == ICMPV6_PKT_TOOBIG) {
265 nf_log_buf_add(m, "MTU=%u ",
266 ntohl(ic->icmp6_mtu));
267 }
268 }
269 break;
270 }
271 /* Max length: 10 "PROTO=255 " */
272 default:
273 nf_log_buf_add(m, "PROTO=%u ", currenthdr);
274 }
275
276 /* Max length: 15 "UID=4294967295 " */
277 if ((logflags & XT_LOG_UID) && recurse)
278 nf_log_dump_sk_uid_gid(m, skb->sk);
279
280 /* Max length: 16 "MARK=0xFFFFFFFF " */
281 if (recurse && skb->mark)
282 nf_log_buf_add(m, "MARK=0x%x ", skb->mark);
283 }
284
dump_ipv6_mac_header(struct nf_log_buf * m,const struct nf_loginfo * info,const struct sk_buff * skb)285 static void dump_ipv6_mac_header(struct nf_log_buf *m,
286 const struct nf_loginfo *info,
287 const struct sk_buff *skb)
288 {
289 struct net_device *dev = skb->dev;
290 unsigned int logflags = 0;
291
292 if (info->type == NF_LOG_TYPE_LOG)
293 logflags = info->u.log.logflags;
294
295 if (!(logflags & XT_LOG_MACDECODE))
296 goto fallback;
297
298 switch (dev->type) {
299 case ARPHRD_ETHER:
300 nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
301 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
302 ntohs(eth_hdr(skb)->h_proto));
303 return;
304 default:
305 break;
306 }
307
308 fallback:
309 nf_log_buf_add(m, "MAC=");
310 if (dev->hard_header_len &&
311 skb->mac_header != skb->network_header) {
312 const unsigned char *p = skb_mac_header(skb);
313 unsigned int len = dev->hard_header_len;
314 unsigned int i;
315
316 if (dev->type == ARPHRD_SIT) {
317 p -= ETH_HLEN;
318
319 if (p < skb->head)
320 p = NULL;
321 }
322
323 if (p != NULL) {
324 nf_log_buf_add(m, "%02x", *p++);
325 for (i = 1; i < len; i++)
326 nf_log_buf_add(m, ":%02x", *p++);
327 }
328 nf_log_buf_add(m, " ");
329
330 if (dev->type == ARPHRD_SIT) {
331 const struct iphdr *iph =
332 (struct iphdr *)skb_mac_header(skb);
333 nf_log_buf_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr,
334 &iph->daddr);
335 }
336 } else {
337 nf_log_buf_add(m, " ");
338 }
339 }
340
nf_log_ip6_packet(struct net * net,u_int8_t pf,unsigned int hooknum,const struct sk_buff * skb,const struct net_device * in,const struct net_device * out,const struct nf_loginfo * loginfo,const char * prefix)341 static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
342 unsigned int hooknum, const struct sk_buff *skb,
343 const struct net_device *in,
344 const struct net_device *out,
345 const struct nf_loginfo *loginfo,
346 const char *prefix)
347 {
348 struct nf_log_buf *m;
349
350 /* FIXME: Disabled from containers until syslog ns is supported */
351 if (!net_eq(net, &init_net))
352 return;
353
354 m = nf_log_buf_open();
355
356 if (!loginfo)
357 loginfo = &default_loginfo;
358
359 nf_log_dump_packet_common(m, pf, hooknum, skb, in, out,
360 loginfo, prefix);
361
362 if (in != NULL)
363 dump_ipv6_mac_header(m, loginfo, skb);
364
365 dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
366
367 nf_log_buf_close(m);
368 }
369
370 static struct nf_logger nf_ip6_logger __read_mostly = {
371 .name = "nf_log_ipv6",
372 .type = NF_LOG_TYPE_LOG,
373 .logfn = nf_log_ip6_packet,
374 .me = THIS_MODULE,
375 };
376
nf_log_ipv6_net_init(struct net * net)377 static int __net_init nf_log_ipv6_net_init(struct net *net)
378 {
379 nf_log_set(net, NFPROTO_IPV6, &nf_ip6_logger);
380 return 0;
381 }
382
nf_log_ipv6_net_exit(struct net * net)383 static void __net_exit nf_log_ipv6_net_exit(struct net *net)
384 {
385 nf_log_unset(net, &nf_ip6_logger);
386 }
387
388 static struct pernet_operations nf_log_ipv6_net_ops = {
389 .init = nf_log_ipv6_net_init,
390 .exit = nf_log_ipv6_net_exit,
391 };
392
nf_log_ipv6_init(void)393 static int __init nf_log_ipv6_init(void)
394 {
395 int ret;
396
397 ret = register_pernet_subsys(&nf_log_ipv6_net_ops);
398 if (ret < 0)
399 return ret;
400
401 nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
402 return 0;
403 }
404
nf_log_ipv6_exit(void)405 static void __exit nf_log_ipv6_exit(void)
406 {
407 unregister_pernet_subsys(&nf_log_ipv6_net_ops);
408 nf_log_unregister(&nf_ip6_logger);
409 }
410
411 module_init(nf_log_ipv6_init);
412 module_exit(nf_log_ipv6_exit);
413
414 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
415 MODULE_DESCRIPTION("Netfilter IPv4 packet logging");
416 MODULE_LICENSE("GPL");
417 MODULE_ALIAS_NF_LOGGER(AF_INET6, 0);
418