1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * This is a module which is used for logging packets to userspace via |
4 | * nfnetlink. |
5 | * |
6 | * (C) 2005 by Harald Welte <laforge@netfilter.org> |
7 | * (C) 2006-2012 Patrick McHardy <kaber@trash.net> |
8 | * |
9 | * Based on the old ipv4-only ipt_ULOG.c: |
10 | * (C) 2000-2004 by Harald Welte <laforge@netfilter.org> |
11 | */ |
12 | |
13 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
14 | |
15 | #include <linux/module.h> |
16 | #include <linux/skbuff.h> |
17 | #include <linux/if_arp.h> |
18 | #include <linux/init.h> |
19 | #include <linux/ip.h> |
20 | #include <linux/ipv6.h> |
21 | #include <linux/netdevice.h> |
22 | #include <linux/netfilter.h> |
23 | #include <linux/netfilter_bridge.h> |
24 | #include <net/netlink.h> |
25 | #include <linux/netfilter/nfnetlink.h> |
26 | #include <linux/netfilter/nfnetlink_log.h> |
27 | #include <linux/netfilter/nf_conntrack_common.h> |
28 | #include <linux/spinlock.h> |
29 | #include <linux/sysctl.h> |
30 | #include <linux/proc_fs.h> |
31 | #include <linux/security.h> |
32 | #include <linux/list.h> |
33 | #include <linux/slab.h> |
34 | #include <net/sock.h> |
35 | #include <net/netfilter/nf_log.h> |
36 | #include <net/netns/generic.h> |
37 | |
38 | #include <linux/atomic.h> |
39 | #include <linux/refcount.h> |
40 | |
41 | |
42 | #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) |
43 | #include "../bridge/br_private.h" |
44 | #endif |
45 | |
46 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) |
47 | #include <net/netfilter/nf_conntrack.h> |
48 | #endif |
49 | |
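/* copy_mode value stamped on an instance by __instance_destroy(); lockless
 * readers that see it must not queue to the instance any more. */
#define NFULNL_COPY_DISABLED 0xff
#define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
/* flushtimeout is in 1/100 s (it is scaled by HZ/100 when the timer is armed) */
#define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
#define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
/* max packet size is limited by 16-bit struct nfattr nfa_len field */
#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN)

/* Ratelimited printk.  No trailing semicolon after while (0): the caller
 * supplies it, so PRINTR(...) behaves like a single statement and is safe
 * as the body of an if/else. */
#define PRINTR(x, args...) do { if (net_ratelimit()) \
	printk(x, ## args); } while (0)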
59 | |
/* One nfnetlink_log group: a userspace listener bound to group_num,
 * plus the skb in which log messages for it are batched. */
struct nfulnl_instance {
	struct hlist_node hlist;	/* global list of instances */
	spinlock_t lock;		/* protects skb, qlen, timer arming and the parameters below */
	refcount_t use;			/* use count; starts at 2 in instance_create() */

	unsigned int qlen;		/* number of nlmsgs in skb */
	struct sk_buff *skb;		/* pre-allocated skb; NULL when nothing is queued */
	struct timer_list timer;	/* flush timer; holds a reference while armed */
	struct net *net;
	netns_tracker ns_tracker;
	struct user_namespace *peer_user_ns;	/* User namespace of the peer process; reported uids/gids are translated into it */
	u32 peer_portid;		/* PORTID of the peer process; only this portid may reconfigure or unbind the group */

	/* configurable parameters */
	unsigned int flushtimeout;	/* timeout until queue flush, in 1/100 s */
	unsigned int nlbufsiz;		/* netlink buffer allocation size */
	unsigned int qthreshold;	/* threshold of the queue */
	u_int32_t copy_range;		/* max payload bytes copied per packet in NFULNL_COPY_PACKET mode */
	u_int32_t seq;			/* instance-local sequential counter */
	u_int16_t group_num;		/* number of this queue */
	u_int16_t flags;		/* NFULNL_CFG_F_* bits */
	u_int8_t copy_mode;		/* NFULNL_COPY_*, or NFULNL_COPY_DISABLED once torn down */
	struct rcu_head rcu;
};
84 | |
#define INSTANCE_BUCKETS 16

/* net_generic() id under which struct nfnl_log_net is stored per netns */
static unsigned int nfnl_log_net_id __read_mostly;

/* Per-netns state: the hash of instances plus the global sequence counter. */
struct nfnl_log_net {
	spinlock_t instances_lock;	/* serialises insert/remove on instance_table */
	struct hlist_head instance_table[INSTANCE_BUCKETS];	/* hashed by instance_hashfn(group_num); RCU readers */
	atomic_t global_seq;		/* NFULA_SEQ_GLOBAL counter shared by all instances */
};
94 | |
/* Return the nfnetlink_log state registered for @net under nfnl_log_net_id. */
static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
{
	struct nfnl_log_net *log;

	log = net_generic(net, nfnl_log_net_id);
	return log;
}
99 | |
/* Bucket index for a group number: low byte reduced modulo INSTANCE_BUCKETS. */
static inline u_int8_t instance_hashfn(u_int16_t group_num)
{
	unsigned int low_byte = group_num & 0xff;

	return low_byte % INSTANCE_BUCKETS;
}
104 | |
/* Find the instance for @group_num without taking a reference.
 * Caller must hold rcu_read_lock() or log->instances_lock.
 * Returns NULL when the group is not bound. */
static struct nfulnl_instance *
__instance_lookup(const struct nfnl_log_net *log, u16 group_num)
{
	const struct hlist_head *bucket;
	struct nfulnl_instance *cur;

	bucket = &log->instance_table[instance_hashfn(group_num)];
	hlist_for_each_entry_rcu(cur, bucket, hlist) {
		if (cur->group_num != group_num)
			continue;
		return cur;
	}

	return NULL;
}
118 | |
/* Take an additional reference on an instance the caller already holds. */
static inline void
instance_get(struct nfulnl_instance *inst)
{
	refcount_t *use = &inst->use;

	refcount_inc(use);
}
124 | |
/* Look up @group_num and take a reference, under the caller's rcu_read_lock().
 * Returns NULL if the group is unbound or its refcount already dropped to
 * zero (instance being freed). */
static struct nfulnl_instance *
instance_lookup_get_rcu(const struct nfnl_log_net *log, u16 group_num)
{
	struct nfulnl_instance *found = __instance_lookup(log, group_num);

	if (!found)
		return NULL;
	if (refcount_inc_not_zero(&found->use))
		return found;
	return NULL;
}
136 | |
/* instance_lookup_get_rcu() wrapped in its own RCU read-side section. */
static struct nfulnl_instance *
instance_lookup_get(const struct nfnl_log_net *log, u16 group_num)
{
	struct nfulnl_instance *found;

	rcu_read_lock();
	found = instance_lookup_get_rcu(log, group_num);
	rcu_read_unlock();

	return found;
}
148 | |
/* RCU callback: release the netns reference, free the instance and drop
 * the module reference taken in instance_create(). */
static void nfulnl_instance_free_rcu(struct rcu_head *head)
{
	struct nfulnl_instance *inst;

	inst = container_of(head, struct nfulnl_instance, rcu);
	put_net_track(inst->net, &inst->ns_tracker);
	kfree(inst);
	module_put(THIS_MODULE);
}
158 | |
/* Drop a reference; the last one schedules the free after a grace period.
 * NULL is accepted and ignored. */
static void
instance_put(struct nfulnl_instance *inst)
{
	if (!inst)
		return;
	if (!refcount_dec_and_test(&inst->use))
		return;
	call_rcu(&inst->rcu, nfulnl_instance_free_rcu);
}
165 | |
166 | static void nfulnl_timer(struct timer_list *t); |
167 | |
/* Create and register an instance for @group_num owned by netlink @portid.
 *
 * The instance records the creator's portid and user namespace; later
 * config requests from other portids are refused on that basis, and
 * uids/gids in log messages are translated into @user_ns.
 *
 * Returns the new instance with a refcount of 2 (one for the hash table,
 * one for the caller, who must instance_put() it), or ERR_PTR():
 * -EEXIST if the group is already bound, -ENOMEM on allocation failure,
 * -EAGAIN if the module is being unloaded.
 */
static struct nfulnl_instance *
instance_create(struct net *net, u_int16_t group_num,
		u32 portid, struct user_namespace *user_ns)
{
	struct nfnl_log_net *log = nfnl_log_pernet(net);
	struct nfulnl_instance *inst = NULL;
	int err = 0;

	spin_lock_bh(&log->instances_lock);

	if (__instance_lookup(log, group_num)) {
		err = -EEXIST;
		goto out;
	}

	/* GFP_ATOMIC: we are under a BH-disabled spinlock */
	inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
	if (!inst) {
		err = -ENOMEM;
		goto out;
	}

	/* the reference is dropped by nfulnl_instance_free_rcu() */
	if (!try_module_get(THIS_MODULE)) {
		kfree(inst);
		inst = NULL;
		err = -EAGAIN;
		goto out;
	}

	INIT_HLIST_NODE(&inst->hlist);
	spin_lock_init(&inst->lock);
	/* two references: the table's and the caller's */
	refcount_set(&inst->use, 2);
	timer_setup(&inst->timer, nfulnl_timer, 0);

	inst->net = get_net_track(net, &inst->ns_tracker, GFP_ATOMIC);
	inst->peer_user_ns = user_ns;
	inst->peer_portid = portid;
	inst->group_num = group_num;

	inst->qthreshold = NFULNL_QTHRESH_DEFAULT;
	inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT;
	inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT;
	inst->copy_mode = NFULNL_COPY_PACKET;
	inst->copy_range = NFULNL_COPY_RANGE_MAX;

	/* publish: visible to RCU readers from here on */
	hlist_add_head_rcu(&inst->hlist,
			   &log->instance_table[instance_hashfn(group_num)]);

out:
	spin_unlock_bh(&log->instances_lock);
	return err ? ERR_PTR(err) : inst;
}
224 | |
225 | static void __nfulnl_flush(struct nfulnl_instance *inst); |
226 | |
/* called with BH disabled */
/* Unlink an instance, flush whatever it has queued and drop the table's
 * reference.  Caller holds log->instances_lock. */
static void
__instance_destroy(struct nfulnl_instance *inst)
{
	/* unlink first: new RCU lookups no longer find us */
	hlist_del_rcu(&inst->hlist);

	spin_lock(&inst->lock);
	/* readers that still hold a reference see this under inst->lock
	 * and stop queueing (nfulnl_log_packet bails on COPY_DISABLED) */
	inst->copy_mode = NFULNL_COPY_DISABLED;
	if (inst->skb != NULL)
		__nfulnl_flush(inst);
	spin_unlock(&inst->lock);

	/* the hash table's reference */
	instance_put(inst);
}
248 | |
/* __instance_destroy() under log->instances_lock with BH disabled. */
static inline void
instance_destroy(struct nfnl_log_net *log,
		 struct nfulnl_instance *inst)
{
	spinlock_t *table_lock = &log->instances_lock;

	spin_lock_bh(table_lock);
	__instance_destroy(inst);
	spin_unlock_bh(table_lock);
}
257 | |
/* Set the copy mode and, for NFULNL_COPY_PACKET, the payload copy range.
 *
 * A @range of 0 means "everything"; any value is clamped to
 * NFULNL_COPY_RANGE_MAX so a message can never exceed the 16-bit
 * attribute length.  NONE/META reset the range to 0.
 *
 * Returns 0, or -EINVAL for an unknown @mode (instance left unchanged).
 */
static int
nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
		unsigned int range)
{
	int ret = 0;

	spin_lock_bh(&inst->lock);
	if (mode == NFULNL_COPY_NONE || mode == NFULNL_COPY_META) {
		inst->copy_mode = mode;
		inst->copy_range = 0;
	} else if (mode == NFULNL_COPY_PACKET) {
		unsigned int want = range ? range : NFULNL_COPY_RANGE_MAX;

		inst->copy_mode = mode;
		inst->copy_range = min_t(unsigned int, want,
					 NFULNL_COPY_RANGE_MAX);
	} else {
		ret = -EINVAL;
	}
	spin_unlock_bh(&inst->lock);

	return ret;
}
290 | |
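/* Set the size of the skb pre-allocated for batching messages.
 *
 * Accepted only within [NFULNL_NLBUFSIZ_DEFAULT, NFULNL_NLBUFSIZ_MAX];
 * the upper bound is the 128k limit noted in nfulnl_alloc_skb().
 *
 * Returns 0, or -ERANGE if @nlbufsiz is outside the bounds (the previous
 * value is kept).
 */
static int
nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz)
{
	/* largest allocation nfulnl_alloc_skb() may request: 128 KiB */
	enum { NFULNL_NLBUFSIZ_MAX = 131072 };
	int status;

	spin_lock_bh(&inst->lock);
	if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT ||
	    nlbufsiz > NFULNL_NLBUFSIZ_MAX) {
		status = -ERANGE;
	} else {
		inst->nlbufsiz = nlbufsiz;
		status = 0;
	}
	spin_unlock_bh(&inst->lock);

	return status;
}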
309 | |
/* Set the flush timeout (in 1/100 s); no validation is applied. */
static void
nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout)
{
	spinlock_t *lock = &inst->lock;

	spin_lock_bh(lock);
	inst->flushtimeout = timeout;
	spin_unlock_bh(lock);
}
317 | |
/* Set the per-instance queue threshold (messages batched before a flush). */
static void
nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh)
{
	spinlock_t *lock = &inst->lock;

	spin_lock_bh(lock);
	inst->qthreshold = qthresh;
	spin_unlock_bh(lock);
}
325 | |
/* Store the NFULNL_CFG_F_* flags.  Validation of the flags happens in the
 * caller; this always returns 0. */
static int
nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
{
	spinlock_t *lock = &inst->lock;

	spin_lock_bh(lock);
	inst->flags = flags;
	spin_unlock_bh(lock);

	return 0;
}
335 | |
/* Allocate the batching skb for an instance.
 *
 * Tries the configured instance size first (large enough for a whole
 * multipart message; must stay <= 128k because of slab restrictions) and
 * falls back to just @pkt_size, the exact need of the current packet,
 * when that larger allocation fails.  @net and @peer_portid are unused.
 *
 * Returns the skb or NULL.
 */
static struct sk_buff *
nfulnl_alloc_skb(struct net *net, u32 peer_portid, unsigned int inst_size,
		 unsigned int pkt_size)
{
	unsigned int want = max(inst_size, pkt_size);
	struct sk_buff *skb;

	/* __GFP_NOWARN: failure of the big allocation is expected and retried */
	skb = alloc_skb(want, GFP_ATOMIC | __GFP_NOWARN);
	if (skb || want <= pkt_size)
		return skb;

	return alloc_skb(pkt_size, GFP_ATOMIC);
}
359 | |
/* Hand the batched skb to the peer and reset the instance's queue.
 *
 * When more than one message is batched a NLMSG_DONE trailer is appended
 * first; nfulnl_log_packet() reserves room for it, so a failure here is
 * a sizing bug (WARN_ONCE) and the skb is dropped instead of sent.
 * Caller holds inst->lock.
 */
static void
__nfulnl_send(struct nfulnl_instance *inst)
{
	struct sk_buff *batch = inst->skb;

	if (inst->qlen > 1) {
		struct nlmsghdr *done;

		done = nlmsg_put(batch, 0, 0, NLMSG_DONE,
				 sizeof(struct nfgenmsg), 0);
		if (WARN_ONCE(!done, "bad nlskb size: %u, tailroom %d\n",
			      batch->len, skb_tailroom(batch))) {
			kfree_skb(batch);
			goto reset;
		}
	}
	nfnetlink_unicast(batch, inst->net, inst->peer_portid);
reset:
	inst->qlen = 0;
	inst->skb = NULL;
}
379 | |
/* Cancel the flush timer (dropping the reference it held, if it was armed)
 * and send whatever is queued.  Caller holds inst->lock. */
static void
__nfulnl_flush(struct nfulnl_instance *inst)
{
	bool timer_was_armed = del_timer(&inst->timer);

	if (timer_was_armed)
		instance_put(inst);
	if (inst->skb != NULL)
		__nfulnl_send(inst);
}
389 | |
/* Flush timer callback: send the pending batch, then drop the reference
 * taken when the timer was armed. */
static void
nfulnl_timer(struct timer_list *t)
{
	struct nfulnl_instance *inst = from_timer(inst, t, timer);
	struct sk_buff *pending;

	spin_lock_bh(&inst->lock);
	pending = inst->skb;
	if (pending)
		__nfulnl_send(inst);
	spin_unlock_bh(&inst->lock);

	instance_put(inst);
}
401 | |
/* Bytes that nfulnl_put_bridge() will add for @skb: the nested VLAN
 * attribute (if a tag is present) and the L2 header copy. */
static u32 nfulnl_get_bridge_size(const struct sk_buff *skb)
{
	u32 total;

	if (!skb_mac_header_was_set(skb))
		return 0;

	total = 0;
	if (skb_vlan_tag_present(skb)) {
		/* nest + id + tag */
		total += nla_total_size(0) + 2 * nla_total_size(sizeof(u16));
	}
	if (skb->network_header > skb->mac_header)
		total += nla_total_size(skb->network_header - skb->mac_header);

	return total;
}
420 | |
/* Emit the bridge/netdev-family attributes: NFULA_VLAN (TCI + protocol)
 * when a VLAN tag is present and NFULA_L2HDR with the bytes between the
 * MAC and network headers.  Returns 0, or -1 if an attribute did not fit. */
static int nfulnl_put_bridge(struct nfulnl_instance *inst, const struct sk_buff *skb)
{
	struct sk_buff *out = inst->skb;

	if (!skb_mac_header_was_set(skb))
		return 0;

	if (skb_vlan_tag_present(skb)) {
		struct nlattr *vlan = nla_nest_start(out, NFULA_VLAN);

		if (!vlan)
			return -1;
		if (nla_put_be16(out, NFULA_VLAN_TCI, htons(skb->vlan_tci)))
			return -1;
		if (nla_put_be16(out, NFULA_VLAN_PROTO, skb->vlan_proto))
			return -1;
		nla_nest_end(out, vlan);
	}

	if (skb->mac_header < skb->network_header) {
		int l2len = (int)(skb->network_header - skb->mac_header);

		if (nla_put(out, NFULA_L2HDR, l2len, skb_mac_header(skb)))
			return -1;
	}

	return 0;
}
452 | |
/* This is an inline function, we don't really care about a long
 * list of arguments */
/*
 * Append one NFULNL_MSG_PACKET message describing @skb to inst->skb.
 *
 * Called with inst->lock held; the caller (nfulnl_log_packet) has already
 * sized inst->skb for every attribute emitted here, so an nla_put()
 * failure is a sizing mismatch and is reported with a ratelimited error.
 *
 * @log:      per-netns state, used for the global sequence counter
 * @inst:     instance whose skb receives the message
 * @skb:      the packet being logged
 * @data_len: payload bytes to copy into NFULA_PAYLOAD, 0 for none; the
 *            caller clamps it to skb->len
 * @pf:       protocol family put in the nfnetlink header
 * @hooknum:  netfilter hook, recorded in the packet header
 * @indev:    input device, may be NULL
 * @outdev:   output device, may be NULL
 * @prefix:   log prefix, may be NULL; @plen is its length including NUL
 * @nfnl_ct:  conntrack netlink hook; only dereferenced when @ct != NULL
 * @ct:       conntrack entry, NULL to skip NFULA_CT
 * @ctinfo:   conntrack state of @skb
 *
 * Returns 0 on success, -1 if an attribute did not fit.
 */
static inline int
__build_packet_message(struct nfnl_log_net *log,
		       struct nfulnl_instance *inst,
		       const struct sk_buff *skb,
		       unsigned int data_len,
		       u_int8_t pf,
		       unsigned int hooknum,
		       const struct net_device *indev,
		       const struct net_device *outdev,
		       const char *prefix, unsigned int plen,
		       const struct nfnl_ct_hook *nfnl_ct,
		       struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
	struct nfulnl_msg_packet_hdr pmsg;
	struct nlmsghdr *nlh;
	/* where this message starts; used to fix up nlmsg_len at the end */
	sk_buff_data_t old_tail = inst->skb->tail;
	struct sock *sk;
	const unsigned char *hwhdrp;

	nlh = nfnl_msg_put(inst->skb, 0, 0,
			   nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET),
			   0, pf, NFNETLINK_V0, htons(inst->group_num));
	if (!nlh)
		return -1;

	/* zeroed so no padding bytes leak to userspace */
	memset(&pmsg, 0, sizeof(pmsg));
	pmsg.hw_protocol	= skb->protocol;
	pmsg.hook		= hooknum;

	if (nla_put(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg))
		goto nla_put_failure;

	if (prefix &&
	    nla_put(inst->skb, NFULA_PREFIX, plen, prefix))
		goto nla_put_failure;

	if (indev) {
#if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
		if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
				 htonl(indev->ifindex)))
			goto nla_put_failure;
#else
		if (pf == PF_BRIDGE) {
			/* Case 1: outdev is physical input device, we need to
			 * look for bridge group (when called from
			 * netfilter_bridge) */
			if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
					 htonl(indev->ifindex)) ||
			/* this is the bridge group "brX" */
			/* rcu_read_lock()ed by nf_hook_thresh or
			 * nf_log_packet.
			 */
			    nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
					 htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
				goto nla_put_failure;
		} else {
			int physinif;

			/* Case 2: indev is bridge group, we need to look for
			 * physical device (when called from ipv4) */
			if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
					 htonl(indev->ifindex)))
				goto nla_put_failure;

			/* 0 when the packet did not traverse a bridge port */
			physinif = nf_bridge_get_physinif(skb);
			if (physinif &&
			    nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
					 htonl(physinif)))
				goto nla_put_failure;
		}
#endif
	}

	if (outdev) {
#if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
		if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
				 htonl(outdev->ifindex)))
			goto nla_put_failure;
#else
		if (pf == PF_BRIDGE) {
			/* Case 1: outdev is physical output device, we need to
			 * look for bridge group (when called from
			 * netfilter_bridge) */
			if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
					 htonl(outdev->ifindex)) ||
			/* this is the bridge group "brX" */
			/* rcu_read_lock()ed by nf_hook_thresh or
			 * nf_log_packet.
			 */
			    nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
					 htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
				goto nla_put_failure;
		} else {
			struct net_device *physoutdev;

			/* Case 2: indev is a bridge group, we need to look
			 * for physical device (when called from ipv4) */
			if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
					 htonl(outdev->ifindex)))
				goto nla_put_failure;

			physoutdev = nf_bridge_get_physoutdev(skb);
			if (physoutdev &&
			    nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
					 htonl(physoutdev->ifindex)))
				goto nla_put_failure;
		}
#endif
	}

	/* NFULA_MARK is only emitted for a non-zero mark */
	if (skb->mark &&
	    nla_put_be32(inst->skb, NFULA_MARK, htonl(skb->mark)))
		goto nla_put_failure;

	if (indev && skb->dev &&
	    skb_mac_header_was_set(skb) &&
	    skb_mac_header_len(skb) != 0) {
		struct nfulnl_msg_packet_hw phw;
		int len;

		/* zeroed: hw_addr is fixed-size and only partly filled */
		memset(&phw, 0, sizeof(phw));

		len = dev_parse_header(skb, phw.hw_addr);
		if (len > 0) {
			phw.hw_addrlen = htons(len);
			if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
				goto nla_put_failure;
		}
	}

	if (indev && skb_mac_header_was_set(skb)) {
		/* NOTE(review): skb->dev is dereferenced here without the
		 * skb->dev != NULL test the HWADDR block above performs;
		 * confirm indev != NULL implies skb->dev != NULL on this path. */
		if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
		    nla_put_be16(inst->skb, NFULA_HWLEN,
				 htons(skb->dev->hard_header_len)))
			goto nla_put_failure;

		hwhdrp = skb_mac_header(skb);

		/* SIT: step back over the Ethernet header in front of the
		 * mac header */
		if (skb->dev->type == ARPHRD_SIT)
			hwhdrp -= ETH_HLEN;

		/* the skb->head comparison keeps the copy from starting
		 * before the buffer after the SIT rewind */
		if (hwhdrp >= skb->head &&
		    nla_put(inst->skb, NFULA_HWHEADER,
			    skb->dev->hard_header_len, hwhdrp))
			goto nla_put_failure;
	}

	/* timestamp only for PRE_ROUTING/LOCAL_IN/FORWARD */
	if (hooknum <= NF_INET_FORWARD) {
		struct timespec64 kts = ktime_to_timespec64(skb_tstamp_cond(skb, true));
		struct nfulnl_msg_packet_timestamp ts;
		ts.sec = cpu_to_be64(kts.tv_sec);
		ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC);

		if (nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts))
			goto nla_put_failure;
	}

	/* UID */
	/* Report the owning socket's fsuid/fsgid translated into the
	 * listener's user namespace (from_k*id_munged).  sk_callback_lock
	 * keeps sk_socket/file stable while the creds are read and is
	 * released before the attributes are written. */
	sk = skb->sk;
	if (sk && sk_fullsock(sk)) {
		read_lock_bh(&sk->sk_callback_lock);
		if (sk->sk_socket && sk->sk_socket->file) {
			struct file *file = sk->sk_socket->file;
			const struct cred *cred = file->f_cred;
			struct user_namespace *user_ns = inst->peer_user_ns;
			__be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid));
			__be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid));
			read_unlock_bh(&sk->sk_callback_lock);
			if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
			    nla_put_be32(inst->skb, NFULA_GID, gid))
				goto nla_put_failure;
		} else
			read_unlock_bh(&sk->sk_callback_lock);
	}

	/* local sequence number */
	/* inst->seq is only advanced under inst->lock, held by the caller */
	if ((inst->flags & NFULNL_CFG_F_SEQ) &&
	    nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
		goto nla_put_failure;

	/* global sequence number */
	if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
	    nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
			 htonl(atomic_inc_return(&log->global_seq))))
		goto nla_put_failure;

	/* ct != NULL only when the caller resolved nfnl_ct */
	if (ct && nfnl_ct->build(inst->skb, ct, ctinfo,
				 NFULA_CT, NFULA_CT_INFO) < 0)
		goto nla_put_failure;

	if ((pf == NFPROTO_NETDEV || pf == NFPROTO_BRIDGE) &&
	    nfulnl_put_bridge(inst, skb) < 0)
		goto nla_put_failure;

	if (data_len) {
		struct nlattr *nla;
		int size = nla_attr_size(data_len);

		/* hand-rolled nla_put(): check tailroom first so skb_put()
		 * below cannot overrun the preallocated buffer */
		if (skb_tailroom(inst->skb) < nla_total_size(data_len))
			goto nla_put_failure;

		nla = skb_put(inst->skb, nla_total_size(data_len));
		nla->nla_type = NFULA_PAYLOAD;
		nla->nla_len = size;

		/* cannot fail: data_len was clamped to skb->len by the caller */
		if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
			BUG();
	}

	/* everything appended since old_tail belongs to this message */
	nlh->nlmsg_len = inst->skb->tail - old_tail;
	return 0;

nla_put_failure:
	PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n");
	return -1;
}
670 | |
/* Used when the caller passes no nf_loginfo or one of another type:
 * group 0, flush after every packet (qthreshold 1).  copy_len only
 * takes effect with NF_LOG_F_COPY_LEN set, which it is not here, so the
 * instance's copy_range applies. */
static const struct nf_loginfo default_loginfo = {
	.type =		NF_LOG_TYPE_ULOG,
	.u = {
		.ulog = {
			.copy_len	= 0xffff,
			.group		= 0,
			.qthreshold	= 1,
		},
	},
};
681 | |
/* log handler for internal netfilter logging api */
/*
 * nf_logger callback: queue an NFULNL_MSG_PACKET for @skb on the group
 * named by @li_user (default_loginfo when absent or not of ULOG type).
 *
 * Runs in the caller's RCU read-side section (the instance lookup and the
 * nfnl_ct_hook dereference rely on it).  The message size is computed up
 * front from every attribute __build_packet_message() can emit, including
 * the NLMSG_DONE trailer __nfulnl_send() adds for batches, so the skb is
 * guaranteed to have room once allocated or flushed.  Payload length is
 * capped by the instance copy_range, by the rule's copy_len when
 * NF_LOG_F_COPY_LEN is set, and by skb->len.
 *
 * @net:     netns the packet is seen in
 * @pf:      protocol family
 * @hooknum: netfilter hook
 * @skb:     packet to log
 * @in:      input device, may be NULL
 * @out:     output device, may be NULL
 * @li_user: per-rule logging parameters, may be NULL
 * @prefix:  log prefix, may be NULL
 */
static void
nfulnl_log_packet(struct net *net,
		  u_int8_t pf,
		  unsigned int hooknum,
		  const struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  const struct nf_loginfo *li_user,
		  const char *prefix)
{
	size_t size;
	unsigned int data_len;
	struct nfulnl_instance *inst;
	const struct nf_loginfo *li;
	unsigned int qthreshold;
	unsigned int plen = 0;
	struct nfnl_log_net *log = nfnl_log_pernet(net);
	const struct nfnl_ct_hook *nfnl_ct = NULL;
	enum ip_conntrack_info ctinfo = 0;
	struct nf_conn *ct = NULL;

	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
		li = li_user;
	else
		li = &default_loginfo;

	/* takes a reference; nothing to do if the group is not bound */
	inst = instance_lookup_get_rcu(log, li->u.ulog.group);
	if (!inst)
		return;

	/* prefix attribute carries the terminating NUL */
	if (prefix)
		plen = strlen(prefix) + 1;

	/* FIXME: do we want to make the size calculation conditional based on
	 * what is actually present?  way more branches and checks, but more
	 * memory efficient... */
	size = nlmsg_total_size(sizeof(struct nfgenmsg))
		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hdr))
		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
#endif
		+ nla_total_size(sizeof(u_int32_t))	/* mark */
		+ nla_total_size(sizeof(u_int32_t))	/* uid */
		+ nla_total_size(sizeof(u_int32_t))	/* gid */
		+ nla_total_size(plen)			/* prefix */
		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
		+ nla_total_size(sizeof(struct nfgenmsg));	/* NLMSG_DONE */

	/* mirrors the NFULA_HWHEADER/HWTYPE/HWLEN condition in
	 * __build_packet_message() */
	if (in && skb_mac_header_was_set(skb)) {
		size += nla_total_size(skb->dev->hard_header_len)
			+ nla_total_size(sizeof(u_int16_t))	/* hwtype */
			+ nla_total_size(sizeof(u_int16_t));	/* hwlen */
	}

	/* from here on inst's parameters, skb and timer are stable */
	spin_lock_bh(&inst->lock);

	if (inst->flags & NFULNL_CFG_F_SEQ)
		size += nla_total_size(sizeof(u_int32_t));
	if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
		size += nla_total_size(sizeof(u_int32_t));
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	if (inst->flags & NFULNL_CFG_F_CONNTRACK) {
		/* the hook may have gone away since the flag was accepted */
		nfnl_ct = rcu_dereference(nfnl_ct_hook);
		if (nfnl_ct != NULL) {
			ct = nf_ct_get(skb, &ctinfo);
			if (ct != NULL)
				size += nfnl_ct->build_size(ct);
		}
	}
#endif
	if (pf == NFPROTO_NETDEV || pf == NFPROTO_BRIDGE)
		size += nfulnl_get_bridge_size(skb);

	qthreshold = inst->qthreshold;
	/* a per-rule qthreshold lowers the per-instance one; the smaller wins */
	if (li->u.ulog.qthreshold)
		if (qthreshold > li->u.ulog.qthreshold)
			qthreshold = li->u.ulog.qthreshold;


	switch (inst->copy_mode) {
	case NFULNL_COPY_META:
	case NFULNL_COPY_NONE:
		data_len = 0;
		break;

	case NFULNL_COPY_PACKET:
		data_len = inst->copy_range;
		if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) &&
		    (li->u.ulog.copy_len < data_len))
			data_len = li->u.ulog.copy_len;

		/* never ask for more than the packet holds */
		if (data_len > skb->len)
			data_len = skb->len;

		size += nla_total_size(data_len);
		break;

	case NFULNL_COPY_DISABLED:
		/* instance is being destroyed (see __instance_destroy) */
	default:
		goto unlock_and_release;
	}

	if (inst->skb && size > skb_tailroom(inst->skb)) {
		/* not enough room left in the current skb for this message:
		 * flush what is queued to userspace first. */
		__nfulnl_flush(inst);
	}

	if (!inst->skb) {
		inst->skb = nfulnl_alloc_skb(net, inst->peer_portid,
					     inst->nlbufsiz, size);
		if (!inst->skb)
			goto alloc_failure;
	}

	inst->qlen++;

	__build_packet_message(log, inst, skb, data_len, pf,
				hooknum, in, out, prefix, plen,
				nfnl_ct, ct, ctinfo);

	if (inst->qlen >= qthreshold)
		__nfulnl_flush(inst);
	/* timer_pending always called within inst->lock, so there
	 * is no chance of a race here */
	else if (!timer_pending(&inst->timer)) {
		/* the armed timer owns one reference; flushtimeout is 1/100 s */
		instance_get(inst);
		inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100);
		add_timer(&inst->timer);
	}

unlock_and_release:
	spin_unlock_bh(&inst->lock);
	instance_put(inst);
	return;

alloc_failure:
	/* FIXME: statistics */
	/* the packet is silently dropped; the instance reference is released */
	goto unlock_and_release;
}
828 | |
/* Netlink notifier: when a NETLINK_NETFILTER socket is released, tear
 * down every instance bound by its portid so no group keeps a dead peer. */
static int
nfulnl_rcv_nl_event(struct notifier_block *this,
		    unsigned long event, void *ptr)
{
	struct netlink_notify *n = ptr;
	struct nfnl_log_net *log = nfnl_log_pernet(n->net);
	unsigned int bucket;

	if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
		return NOTIFY_DONE;

	spin_lock_bh(&log->instances_lock);
	for (bucket = 0; bucket < INSTANCE_BUCKETS; bucket++) {
		struct hlist_head *head = &log->instance_table[bucket];
		struct nfulnl_instance *inst;
		struct hlist_node *next;

		/* _safe: __instance_destroy unlinks the entry */
		hlist_for_each_entry_safe(inst, next, head, hlist) {
			if (inst->peer_portid == n->portid)
				__instance_destroy(inst);
		}
	}
	spin_unlock_bh(&log->instances_lock);

	return NOTIFY_DONE;
}
855 | |
/* registered with the netlink notifier chain; see nfulnl_rcv_nl_event() */
static struct notifier_block nfulnl_rtnl_notifier = {
	.notifier_call	= nfulnl_rcv_nl_event,
};
859 | |
/* Handler for NFULNL_MSG_PACKET received from userspace: packets only
 * flow kernel -> user, so the message is rejected.  All arguments unused. */
static int nfulnl_recv_unsupp(struct sk_buff *skb, const struct nfnl_info *info,
			      const struct nlattr * const nfula[])
{
	return -ENOTSUPP;
}
865 | |
/* nf_log backend; bound to protocol families via NFULNL_CFG_CMD_PF_BIND */
static struct nf_logger nfulnl_logger __read_mostly = {
	.name	= "nfnetlink_log",
	.type	= NF_LOG_TYPE_ULOG,
	.logfn	= nfulnl_log_packet,
	.me	= THIS_MODULE,
};

/* Validation policy for NFULNL_MSG_CONFIG attributes.  CMD and MODE give
 * a .len with no .type, which nla_validate treats as an NLA_UNSPEC
 * attribute with that minimum payload length, so nfulnl_recv_config()
 * can read the structs via nla_data() without re-checking their size. */
static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
	[NFULA_CFG_CMD]	    = { .len = sizeof(struct nfulnl_msg_config_cmd) },
	[NFULA_CFG_MODE]    = { .len = sizeof(struct nfulnl_msg_config_mode) },
	[NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
	[NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
	[NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
	[NFULA_CFG_FLAGS]   = { .type = NLA_U16 },
};
881 | |
/*
 * NFULNL_MSG_CONFIG handler: bind/unbind a logging group and/or update
 * its parameters.  Runs under the nfnetlink subsystem mutex (the callback
 * is registered as NFNL_CB_MUTEX), which is dropped only around
 * request_module() below.
 *
 * PF_BIND/PF_UNBIND act on the protocol family alone and need no group.
 * Every other request is refused with -EPERM when the group exists and is
 * owned by a different netlink portid, so one listener cannot reconfigure
 * or unbind another's group.  NFULA_CFG_FLAGS dependencies are checked
 * before BIND so that a rejected request leaves no half-configured
 * instance behind.
 *
 * @skb:   the request; NETLINK_CB(skb) identifies the sender
 * @info:  nfnetlink message context (netns, nfgenmsg)
 * @nfula: attributes already validated against nfula_cfg_policy
 *
 * Returns 0 or a negative errno.
 */
static int nfulnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
			      const struct nlattr * const nfula[])
{
	struct nfnl_log_net *log = nfnl_log_pernet(info->net);
	u_int16_t group_num = ntohs(info->nfmsg->res_id);
	struct nfulnl_msg_config_cmd *cmd = NULL;
	struct nfulnl_instance *inst;
	u16 flags = 0;
	int ret = 0;

	if (nfula[NFULA_CFG_CMD]) {
		u_int8_t pf = info->nfmsg->nfgen_family;
		cmd = nla_data(nfula[NFULA_CFG_CMD]);

		/* Commands without queue context */
		switch (cmd->command) {
		case NFULNL_CFG_CMD_PF_BIND:
			return nf_log_bind_pf(info->net, pf, &nfulnl_logger);
		case NFULNL_CFG_CMD_PF_UNBIND:
			nf_log_unbind_pf(info->net, pf);
			return 0;
		}
	}

	/* ownership check: only the portid that bound the group may touch it */
	inst = instance_lookup_get(log, group_num);
	if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
		ret = -EPERM;
		goto out_put;
	}

	/* Check if we support these flags in first place, dependencies should
	 * be there too not to break atomicity.
	 */
	if (nfula[NFULA_CFG_FLAGS]) {
		flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));

		if ((flags & NFULNL_CFG_F_CONNTRACK) &&
		    !rcu_access_pointer(nfnl_ct_hook)) {
#ifdef CONFIG_MODULES
			/* drop the subsystem mutex while loading; if the hook
			 * appeared meanwhile, ask the peer to retry */
			nfnl_unlock(NFNL_SUBSYS_ULOG);
			request_module("ip_conntrack_netlink");
			nfnl_lock(NFNL_SUBSYS_ULOG);
			if (rcu_access_pointer(nfnl_ct_hook)) {
				ret = -EAGAIN;
				goto out_put;
			}
#endif
			ret = -EOPNOTSUPP;
			goto out_put;
		}
	}

	if (cmd != NULL) {
		switch (cmd->command) {
		case NFULNL_CFG_CMD_BIND:
			if (inst) {
				ret = -EBUSY;
				goto out_put;
			}

			/* the sender's portid and user namespace become the
			 * group's owner and the namespace uids are reported in */
			inst = instance_create(info->net, group_num,
					       NETLINK_CB(skb).portid,
					       sk_user_ns(NETLINK_CB(skb).sk));
			if (IS_ERR(inst)) {
				/* inst is an ERR_PTR: skip instance_put() */
				ret = PTR_ERR(inst);
				goto out;
			}
			break;
		case NFULNL_CFG_CMD_UNBIND:
			if (!inst) {
				ret = -ENODEV;
				goto out;
			}

			instance_destroy(log, inst);
			goto out_put;
		default:
			ret = -ENOTSUPP;
			goto out_put;
		}
	} else if (!inst) {
		ret = -ENODEV;
		goto out;
	}

	/* NOTE(review): the nfulnl_set_mode() and nfulnl_set_nlbufsiz()
	 * return values below are discarded, so an invalid mode or an
	 * out-of-range buffer size keeps the previous setting while the
	 * request still reports success. */
	if (nfula[NFULA_CFG_MODE]) {
		struct nfulnl_msg_config_mode *params =
			nla_data(nfula[NFULA_CFG_MODE]);

		nfulnl_set_mode(inst, params->copy_mode,
				ntohl(params->copy_range));
	}

	if (nfula[NFULA_CFG_TIMEOUT]) {
		__be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]);

		nfulnl_set_timeout(inst, ntohl(timeout));
	}

	if (nfula[NFULA_CFG_NLBUFSIZ]) {
		__be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]);

		nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
	}

	if (nfula[NFULA_CFG_QTHRESH]) {
		__be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]);

		nfulnl_set_qthresh(inst, ntohl(qthresh));
	}

	/* flags were validated above before any instance was created */
	if (nfula[NFULA_CFG_FLAGS])
		nfulnl_set_flags(inst, flags);

out_put:
	/* instance_put() tolerates inst == NULL */
	instance_put(inst);
out:
	return ret;
}
1001 | |
/*
 * nfnetlink message handlers for the ULOG subsystem, indexed by message
 * type.  Both are NFNL_CB_MUTEX callbacks, i.e. they run with the
 * NFNL_SUBSYS_ULOG mutex held (nfulnl_recv_config() drops and re-takes it
 * only around request_module()).
 *
 * NFULNL_MSG_PACKET is the kernel->userspace direction; a userspace sender
 * of that type lands in nfulnl_recv_unsupp() (defined earlier in this file).
 * NFULNL_MSG_CONFIG attributes are checked against nfula_cfg_policy by the
 * nfnetlink core before nfulnl_recv_config() sees them.
 *
 * NOTE(review): the capability check for nfnetlink messages (CAP_NET_ADMIN)
 * is presumably enforced by the nfnetlink core, not here — confirm before
 * relying on it; the per-instance owner check is the peer_portid comparison
 * in nfulnl_recv_config().
 */
static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
	[NFULNL_MSG_PACKET] = {
		.call = nfulnl_recv_unsupp,
		.type = NFNL_CB_MUTEX,
		.attr_count = NFULA_MAX,
	},
	[NFULNL_MSG_CONFIG] = {
		.call = nfulnl_recv_config,
		.type = NFNL_CB_MUTEX,
		.attr_count = NFULA_CFG_MAX,
		.policy = nfula_cfg_policy
	},
};
1015 | |
/*
 * Registration record for the "log" nfnetlink subsystem (NFNL_SUBSYS_ULOG).
 * Registered in nfnetlink_log_init(), unregistered first thing in
 * nfnetlink_log_fini() so no new CONFIG messages arrive during teardown.
 */
static const struct nfnetlink_subsystem nfulnl_subsys = {
	.name		= "log" ,
	.subsys_id	= NFNL_SUBSYS_ULOG,
	.cb_count	= NFULNL_MSG_MAX,
	.cb		= nfulnl_cb,
};
1022 | |
1023 | #ifdef CONFIG_PROC_FS |
/*
 * Per-open iterator state for /proc/net/netfilter/nfnetlink_log.
 * proc_create_net() allocates sizeof(struct iter_state) as s->private;
 * @p must stay the first member because seq_file_net(s) reads s->private
 * as a struct seq_net_private.  @bucket is the instance_table slot the
 * iterator is currently walking.
 */
struct iter_state {
	struct seq_net_private p;
	unsigned int bucket;
};
1028 | |
/*
 * Return the first instance node of @net's instance table, or NULL if
 * the table is empty (or @st is NULL).  Leaves @st->bucket pointing at
 * the bucket the returned node lives in.
 *
 * Caller must hold rcu_read_lock() (seq_start() does); the table is
 * only ever read here, never modified.
 */
static struct hlist_node *get_first(struct net *net, struct iter_state *st)
{
	struct nfnl_log_net *log;
	struct hlist_head *head;

	if (!st)
		return NULL;

	log = nfnl_log_pernet(net);
	st->bucket = 0;
	while (st->bucket < INSTANCE_BUCKETS) {
		head = &log->instance_table[st->bucket];
		if (!hlist_empty(head))
			return rcu_dereference(hlist_first_rcu(head));
		st->bucket++;
	}
	return NULL;
}
1045 | |
/*
 * Advance from instance node @h to the next one, crossing into the
 * following non-empty bucket(s) of @net's table as needed.  Returns
 * NULL once the last bucket is exhausted; @st->bucket tracks the
 * bucket of the returned node.  Requires rcu_read_lock().
 */
static struct hlist_node *get_next(struct net *net, struct iter_state *st,
				   struct hlist_node *h)
{
	struct hlist_node *next = rcu_dereference(hlist_next_rcu(h));

	while (!next) {
		struct hlist_head *head;

		if (++st->bucket >= INSTANCE_BUCKETS)
			return NULL;

		head = &nfnl_log_pernet(net)->instance_table[st->bucket];
		next = rcu_dereference(hlist_first_rcu(head));
	}
	return next;
}
1063 | |
/*
 * Position the iterator on the @pos'th instance node (0-based) of @net's
 * table.  Returns that node, or NULL when fewer than @pos + 1 instances
 * exist.  Requires rcu_read_lock().
 */
static struct hlist_node *get_idx(struct net *net, struct iter_state *st,
				  loff_t pos)
{
	struct hlist_node *node = get_first(net, st);

	/* Step forward until either the index is reached or we run out. */
	while (node && pos) {
		node = get_next(net, st, node);
		pos--;
	}
	return node;
}
1075 | |
/*
 * seq_file start: take the RCU read lock that protects the instance table
 * for the whole show/next cycle (released in seq_stop()) and seek to *pos.
 */
static void *seq_start(struct seq_file *s, loff_t *pos)
	__acquires(rcu)
{
	struct net *net = seq_file_net(s);
	struct iter_state *st = s->private;

	rcu_read_lock();
	return get_idx(net, st, *pos);
}
1082 | |
/*
 * seq_file next: bump *pos and move from node @v to the following
 * instance (NULL at the end).  Called between seq_start() and seq_stop(),
 * so the RCU read lock is already held.
 */
static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
{
	struct iter_state *st = s->private;

	++*pos;
	return get_next(seq_file_net(s), st, v);
}
1088 | |
/*
 * seq_file stop: drop the RCU read lock taken in seq_start().  @s and @v
 * are unused; the iterator state lives in s->private and needs no cleanup.
 */
static void seq_stop(struct seq_file *s, void *v)
	__releases(rcu)
{
	rcu_read_unlock();
}
1094 | |
/*
 * Print one instance as a line of /proc/net/netfilter/nfnetlink_log:
 * group number, listener's netlink portid, queued packets, copy mode,
 * copy range, flush timeout and reference count.
 *
 * The fields are read without the instance lock, under RCU only; this is
 * a best-effort snapshot for diagnostics.  Exposing the listener portid is
 * acceptable because the proc file is created 0440 and owned by the root
 * of the owning network namespace (see nfnl_log_net_init()).
 */
static int seq_show(struct seq_file *s, void *v)
{
	const struct nfulnl_instance *inst = v;
	unsigned int refs = refcount_read(&inst->use);

	seq_printf(s, "%5u %6u %5u %1u %5u %6u %2u\n",
		   inst->group_num, inst->peer_portid, inst->qlen,
		   inst->copy_mode, inst->copy_range, inst->flushtimeout,
		   refs);
	return 0;
}
1107 | |
/*
 * seq_file operations backing /proc/net/netfilter/nfnetlink_log; wired up
 * by proc_create_net() in nfnl_log_net_init().  start/stop bracket the
 * walk in rcu_read_lock()/rcu_read_unlock().
 */
static const struct seq_operations nful_seq_ops = {
	.start	= seq_start,
	.next	= seq_next,
	.stop	= seq_stop,
	.show	= seq_show,
};
1114 | #endif /* PROC_FS */ |
1115 | |
#ifdef CONFIG_PROC_FS
/*
 * Create /proc/net/netfilter/nfnetlink_log for @net.
 *
 * The file is mode 0440 and, when uid/gid 0 of the namespace's user_ns
 * are mapped, chowned to that root.  This keeps the listener table
 * (group -> portid mapping, queue depth) readable only by the owner of
 * the network namespace, while still letting a container's root read its
 * own namespace's view.  If root is not mapped (make_kuid()/make_kgid()
 * return invalid ids) the entry stays owned by the initial root.
 *
 * Returns 0 on success, -ENOMEM if the proc entry could not be created.
 */
static int __net_init nfnl_log_proc_init(struct net *net)
{
	struct proc_dir_entry *pde;
	kuid_t owner_uid;
	kgid_t owner_gid;

	pde = proc_create_net("nfnetlink_log", 0440, net->nf.proc_netfilter,
			      &nful_seq_ops, sizeof(struct iter_state));
	if (!pde)
		return -ENOMEM;

	owner_uid = make_kuid(net->user_ns, 0);
	owner_gid = make_kgid(net->user_ns, 0);
	if (uid_valid(owner_uid) && gid_valid(owner_gid))
		proc_set_user(pde, owner_uid, owner_gid);

	return 0;
}
#else
static inline int __net_init nfnl_log_proc_init(struct net *net)
{
	return 0;
}
#endif

/*
 * Per-netns constructor: reset every bucket of the instance hash table,
 * initialise the lock guarding it, then expose the proc file.
 *
 * Returns 0 on success or a negative errno (only -ENOMEM from the proc
 * setup); the table itself needs no allocation, so nothing is leaked on
 * failure.
 */
static int __net_init nfnl_log_net_init(struct net *net)
{
	struct nfnl_log_net *log = nfnl_log_pernet(net);
	unsigned int bucket;

	for (bucket = 0; bucket < INSTANCE_BUCKETS; bucket++)
		INIT_HLIST_HEAD(&log->instance_table[bucket]);
	spin_lock_init(&log->instances_lock);

	return nfnl_log_proc_init(net);
}
1143 | |
/*
 * Per-netns destructor: remove the proc file, detach this logger from the
 * namespace's nf_log slot, and sanity-check that no logging instance is
 * still registered.
 *
 * Every instance should already be gone by now; they are tied to a
 * netlink socket in this namespace, and those are released before the
 * namespace exits (presumably via nfulnl_rtnl_notifier, registered in
 * nfnetlink_log_init() — the notifier body is not in view here).  A
 * leftover instance would be a refcount/lifetime bug, hence the warning.
 */
static void __net_exit nfnl_log_net_exit(struct net *net)
{
	struct nfnl_log_net *log = nfnl_log_pernet(net);
	unsigned int bucket = 0;

#ifdef CONFIG_PROC_FS
	remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
#endif
	nf_log_unset(net, &nfulnl_logger);

	while (bucket < INSTANCE_BUCKETS) {
		WARN_ON_ONCE(!hlist_empty(&log->instance_table[bucket]));
		bucket++;
	}
}
1156 | |
/*
 * Per-network-namespace hooks.  @id/@size make the core allocate a
 * struct nfnl_log_net per netns, which nfnl_log_pernet() retrieves; init
 * and exit set up and tear down the instance table and proc entry.
 */
static struct pernet_operations nfnl_log_net_ops = {
	.init	= nfnl_log_net_init,
	.exit	= nfnl_log_net_exit,
	.id	= &nfnl_log_net_id,
	.size	= sizeof(struct nfnl_log_net),
};
1163 | |
/*
 * Module init.  Registration order matters and is mirrored in reverse by
 * the unwind path and by nfnetlink_log_fini():
 *
 *   1. pernet ops   - per-netns tables exist before anything can use them
 *   2. netlink notifier - socket-release events (used to tear down
 *                         instances) are observed before userspace can bind
 *   3. nfnetlink subsystem - userspace CONFIG messages become possible
 *   4. nf_log logger  - the packet path can start handing us skbs
 *
 * Returns 0 on success or the negative errno of the failing step, with all
 * earlier steps undone.
 */
static int __init nfnetlink_log_init(void)
{
	int err;

	err = register_pernet_subsys(&nfnl_log_net_ops);
	if (err < 0) {
		pr_err("failed to register pernet ops\n");
		return err;
	}

	netlink_register_notifier(&nfulnl_rtnl_notifier);

	err = nfnetlink_subsys_register(&nfulnl_subsys);
	if (err < 0) {
		pr_err("failed to create netlink socket\n");
	} else {
		err = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger);
		if (err >= 0)
			return err;

		pr_err("failed to register logger\n");
		nfnetlink_subsys_unregister(&nfulnl_subsys);
	}

	/* Unwind steps 2 and 1. */
	netlink_unregister_notifier(&nfulnl_rtnl_notifier);
	unregister_pernet_subsys(&nfnl_log_net_ops);
	return err;
}
1197 | |
/*
 * Module exit.  The order is deliberate and must not be changed:
 *
 *   - unregister the nfnetlink subsystem first, so no further CONFIG
 *     messages can create or modify instances;
 *   - drop the netlink notifier;
 *   - unregister the pernet ops, which runs nfnl_log_net_exit() for every
 *     live netns (removing proc entries, calling nf_log_unset() and
 *     checking that every instance is gone);
 *   - finally unregister the logger globally, once no netns refers to it.
 */
static void __exit nfnetlink_log_fini(void)
{
	nfnetlink_subsys_unregister(&nfulnl_subsys);
	netlink_unregister_notifier(&nfulnl_rtnl_notifier);
	unregister_pernet_subsys(&nfnl_log_net_ops);
	nf_log_unregister(&nfulnl_logger);
}
1205 | |
MODULE_DESCRIPTION("netfilter userspace logging" );
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>" );
MODULE_LICENSE("GPL" );
/*
 * Autoload aliases: the NFNL_SUBSYS alias lets the nfnetlink core pull this
 * module in when userspace opens the ULOG subsystem; the NF_LOGGER aliases
 * (logger type 1 = nfnetlink_log) let the nf_log core load it when a
 * ruleset asks for this logger on the given protocol family.
 * NFPROTO_ARP and NFPROTO_NETDEV are spelled as numbers because their
 * symbolic names are not available to the alias macro here.
 */
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG);
MODULE_ALIAS_NF_LOGGER(AF_INET, 1);
MODULE_ALIAS_NF_LOGGER(AF_INET6, 1);
MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 1);
MODULE_ALIAS_NF_LOGGER(3, 1); /* NFPROTO_ARP */
MODULE_ALIAS_NF_LOGGER(5, 1); /* NFPROTO_NETDEV */

module_init(nfnetlink_log_init);
module_exit(nfnetlink_log_fini);
1218 | |