nfnetlink_log.c source code [linux/net/netfilter/nfnetlink_log.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* This is a module which is used for logging packets to userspace via
4	* nfetlink.
5	*
6	* (C) 2005 by Harald Welte <laforge@netfilter.org>
7	* (C) 2006-2012 Patrick McHardy <kaber@trash.net>
8	*
9	* Based on the old ipv4-only ipt_ULOG.c:
10	* (C) 2000-2004 by Harald Welte <laforge@netfilter.org>
11	*/
12
13	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15	#include <linux/module.h>
16	#include <linux/skbuff.h>
17	#include <linux/if_arp.h>
18	#include <linux/init.h>
19	#include <linux/ip.h>
20	#include <linux/ipv6.h>
21	#include <linux/netdevice.h>
22	#include <linux/netfilter.h>
23	#include <linux/netfilter_bridge.h>
24	#include <net/netlink.h>
25	#include <linux/netfilter/nfnetlink.h>
26	#include <linux/netfilter/nfnetlink_log.h>
27	#include <linux/netfilter/nf_conntrack_common.h>
28	#include <linux/spinlock.h>
29	#include <linux/sysctl.h>
30	#include <linux/proc_fs.h>
31	#include <linux/security.h>
32	#include <linux/list.h>
33	#include <linux/slab.h>
34	#include <net/sock.h>
35	#include <net/netfilter/nf_log.h>
36	#include <net/netns/generic.h>
37
38	#include <linux/atomic.h>
39	#include <linux/refcount.h>
40
41
42	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
43	#include "../bridge/br_private.h"
44	#endif
45
46	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
47	#include <net/netfilter/nf_conntrack.h>
48	#endif
49
50	#define NFULNL_COPY_DISABLED 0xff
51	#define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE
52	#define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
53	#define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
54	/ max packet size is limited by 16-bit struct nfattr nfa_len field /
55	#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN)
56
57	#define PRINTR(x, args...) do { if (net_ratelimit()) \
58	printk(x, ## args); } while (0);
59
60	struct nfulnl_instance {
61	struct hlist_node hlist; / global list of instances /
62	spinlock_t lock;
63	refcount_t use; / use count /
64
65	unsigned int qlen; / number of nlmsgs in skb /
66	struct sk_buff skb; /* pre-allocatd skb /
67	struct timer_list timer;
68	struct net *net;
69	netns_tracker ns_tracker;
70	struct user_namespace peer_user_ns; /* User namespace of the peer process /
71	u32 peer_portid; / PORTID of the peer process /
72
73	/ configurable parameters /
74	unsigned int flushtimeout; / timeout until queue flush /
75	unsigned int nlbufsiz; / netlink buffer allocation size /
76	unsigned int qthreshold; / threshold of the queue /
77	u_int32_t copy_range;
78	u_int32_t seq; / instance-local sequential counter /
79	u_int16_t group_num; / number of this queue /
80	u_int16_t flags;
81	u_int8_t copy_mode;
82	struct rcu_head rcu;
83	};
84
85	#define INSTANCE_BUCKETS 16
86
87	static unsigned int nfnl_log_net_id __read_mostly;
88
89	struct nfnl_log_net {
90	spinlock_t instances_lock;
91	struct hlist_head instance_table[INSTANCE_BUCKETS];
92	atomic_t global_seq;
93	};
94
95	static struct nfnl_log_net nfnl_log_pernet(struct* net *net)
96	{
97	return net_generic(net, id: nfnl_log_net_id);
98	}
99
100	static inline u_int8_t instance_hashfn(u_int16_t group_num)
101	{
102	return ((group_num & `0xff`) % INSTANCE_BUCKETS);
103	}
104
105	static struct nfulnl_instance *
106	__instance_lookup(const struct nfnl_log_net *log, u16 group_num)
107	{
108	const struct hlist_head *head;
109	struct nfulnl_instance *inst;
110
111	head = &log->instance_table[instance_hashfn(group_num)];
112	hlist_for_each_entry_rcu(inst, head, hlist) {
113	if (inst->group_num == group_num)
114	return inst;
115	}
116	return NULL;
117	}
118
119	static inline void
120	instance_get(struct nfulnl_instance *inst)
121	{
122	refcount_inc(r: &inst->use);
123	}
124
125	static struct nfulnl_instance *
126	instance_lookup_get_rcu(const struct nfnl_log_net *log, u16 group_num)
127	{
128	struct nfulnl_instance *inst;
129
130	inst = __instance_lookup(log, group_num);
131	if (inst && !refcount_inc_not_zero(r: &inst->use))
132	inst = NULL;
133
134	return inst;
135	}
136
137	static struct nfulnl_instance *
138	instance_lookup_get(const struct nfnl_log_net *log, u16 group_num)
139	{
140	struct nfulnl_instance *inst;
141
142	rcu_read_lock();
143	inst = instance_lookup_get_rcu(log, group_num);
144	rcu_read_unlock();
145
146	return inst;
147	}
148
149	static void nfulnl_instance_free_rcu(struct rcu_head *head)
150	{
151	struct nfulnl_instance *inst =
152	container_of(head, struct nfulnl_instance, rcu);
153
154	put_net_track(net: inst->net, tracker: &inst->ns_tracker);
155	kfree(objp: inst);
156	module_put(THIS_MODULE);
157	}
158
159	static void
160	instance_put(struct nfulnl_instance *inst)
161	{
162	if (inst && refcount_dec_and_test(r: &inst->use))
163	call_rcu(head: &inst->rcu, func: nfulnl_instance_free_rcu);
164	}
165
166	static void nfulnl_timer(struct timer_list *t);
167
168	static struct nfulnl_instance *
169	instance_create(struct net *net, u_int16_t group_num,
170	u32 portid, struct user_namespace *user_ns)
171	{
172	struct nfulnl_instance *inst;
173	struct nfnl_log_net *log = nfnl_log_pernet(net);
174	int err;
175
176	spin_lock_bh(lock: &log->instances_lock);
177	if (__instance_lookup(log, group_num)) {
178	err = -EEXIST;
179	goto out_unlock;
180	}
181
182	inst = kzalloc(size: sizeof(*inst), GFP_ATOMIC);
183	if (!inst) {
184	err = -ENOMEM;
185	goto out_unlock;
186	}
187
188	if (!try_module_get(THIS_MODULE)) {
189	kfree(objp: inst);
190	err = -EAGAIN;
191	goto out_unlock;
192	}
193
194	INIT_HLIST_NODE(h: &inst->hlist);
195	spin_lock_init(&inst->lock);
196	/ needs to be two, since we _put() after creation /
197	refcount_set(r: &inst->use, n: `2`);
198
199	timer_setup(&inst->timer, nfulnl_timer, `0`);
200
201	inst->net = get_net_track(net, tracker: &inst->ns_tracker, GFP_ATOMIC);
202	inst->peer_user_ns = user_ns;
203	inst->peer_portid = portid;
204	inst->group_num = group_num;
205
206	inst->qthreshold = NFULNL_QTHRESH_DEFAULT;
207	inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT;
208	inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT;
209	inst->copy_mode = NFULNL_COPY_PACKET;
210	inst->copy_range = NFULNL_COPY_RANGE_MAX;
211
212	hlist_add_head_rcu(n: &inst->hlist,
213	h: &log->instance_table[instance_hashfn(group_num)]);
214
215
216	spin_unlock_bh(lock: &log->instances_lock);
217
218	return inst;
219
220	out_unlock:
221	spin_unlock_bh(lock: &log->instances_lock);
222	return ERR_PTR(error: err);
223	}
224
225	static void __nfulnl_flush(struct nfulnl_instance *inst);
226
227	/ called with BH disabled /
228	static void
229	__instance_destroy(struct nfulnl_instance *inst)
230	{
231	/ first pull it out of the global list /
232	hlist_del_rcu(n: &inst->hlist);
233
234	/ then flush all pending packets from skb /
235
236	spin_lock(lock: &inst->lock);
237
238	/ lockless readers wont be able to use us /
239	inst->copy_mode = NFULNL_COPY_DISABLED;
240
241	if (inst->skb)
242	__nfulnl_flush(inst);
243	spin_unlock(lock: &inst->lock);
244
245	/ and finally put the refcount /
246	instance_put(inst);
247	}
248
249	static inline void
250	instance_destroy(struct nfnl_log_net *log,
251	struct nfulnl_instance *inst)
252	{
253	spin_lock_bh(lock: &log->instances_lock);
254	__instance_destroy(inst);
255	spin_unlock_bh(lock: &log->instances_lock);
256	}
257
258	static int
259	nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
260	unsigned int range)
261	{
262	int status = `0`;
263
264	spin_lock_bh(lock: &inst->lock);
265
266	switch (mode) {
267	case NFULNL_COPY_NONE:
268	case NFULNL_COPY_META:
269	inst->copy_mode = mode;
270	inst->copy_range = `0`;
271	break;
272
273	case NFULNL_COPY_PACKET:
274	inst->copy_mode = mode;
275	if (range == `0`)
276	range = NFULNL_COPY_RANGE_MAX;
277	inst->copy_range = min_t(unsigned int,
278	range, NFULNL_COPY_RANGE_MAX);
279	break;
280
281	default:
282	status = -EINVAL;
283	break;
284	}
285
286	spin_unlock_bh(lock: &inst->lock);
287
288	return status;
289	}
290
291	static int
292	nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz)
293	{
294	int status;
295
296	spin_lock_bh(lock: &inst->lock);
297	if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT)
298	status = -ERANGE;
299	else if (nlbufsiz > `131072`)
300	status = -ERANGE;
301	else {
302	inst->nlbufsiz = nlbufsiz;
303	status = `0`;
304	}
305	spin_unlock_bh(lock: &inst->lock);
306
307	return status;
308	}
309
310	static void
311	nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout)
312	{
313	spin_lock_bh(lock: &inst->lock);
314	inst->flushtimeout = timeout;
315	spin_unlock_bh(lock: &inst->lock);
316	}
317
318	static void
319	nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh)
320	{
321	spin_lock_bh(lock: &inst->lock);
322	inst->qthreshold = qthresh;
323	spin_unlock_bh(lock: &inst->lock);
324	}
325
326	static int
327	nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
328	{
329	spin_lock_bh(lock: &inst->lock);
330	inst->flags = flags;
331	spin_unlock_bh(lock: &inst->lock);
332
333	return `0`;
334	}
335
336	static struct sk_buff *
337	nfulnl_alloc_skb(struct net net, u32 peer_portid, unsigned* int inst_size,
338	unsigned int pkt_size)
339	{
340	struct sk_buff *skb;
341	unsigned int n;
342
343	/ alloc skb which should be big enough for a whole multipart*
344	* message. WARNING: has to be <= 128k due to slab restrictions */
345
346	n = max(inst_size, pkt_size);
347	skb = alloc_skb(size: n, GFP_ATOMIC \| __GFP_NOWARN);
348	if (!skb) {
349	if (n > pkt_size) {
350	/ try to allocate only as much as we need for current*
351	* packet */
352
353	skb = alloc_skb(size: pkt_size, GFP_ATOMIC);
354	}
355	}
356
357	return skb;
358	}
359
360	static void
361	__nfulnl_send(struct nfulnl_instance *inst)
362	{
363	if (inst->qlen > `1`) {
364	struct nlmsghdr *nlh = nlmsg_put(skb: inst->skb, portid: `0`, seq: `0`,
365	NLMSG_DONE,
366	payload: sizeof(struct nfgenmsg),
367	flags: `0`);
368	if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
369	inst->skb->len, skb_tailroom(inst->skb))) {
370	kfree_skb(skb: inst->skb);
371	goto out;
372	}
373	}
374	nfnetlink_unicast(skb: inst->skb, net: inst->net, portid: inst->peer_portid);
375	out:
376	inst->qlen = `0`;
377	inst->skb = NULL;
378	}
379
380	static void
381	__nfulnl_flush(struct nfulnl_instance *inst)
382	{
383	/ timer holds a reference /
384	if (del_timer(timer: &inst->timer))
385	instance_put(inst);
386	if (inst->skb)
387	__nfulnl_send(inst);
388	}
389
390	static void
391	nfulnl_timer(struct timer_list *t)
392	{
393	struct nfulnl_instance *inst = from_timer(inst, t, timer);
394
395	spin_lock_bh(lock: &inst->lock);
396	if (inst->skb)
397	__nfulnl_send(inst);
398	spin_unlock_bh(lock: &inst->lock);
399	instance_put(inst);
400	}
401
402	static u32 nfulnl_get_bridge_size(const struct sk_buff *skb)
403	{
404	u32 size = `0`;
405
406	if (!skb_mac_header_was_set(skb))
407	return `0`;
408
409	if (skb_vlan_tag_present(skb)) {
410	size += nla_total_size(payload: `0`); / nested /
411	size += nla_total_size(payload: sizeof(u16)); / id /
412	size += nla_total_size(payload: sizeof(u16)); / tag /
413	}
414
415	if (skb->network_header > skb->mac_header)
416	size += nla_total_size(payload: skb->network_header - skb->mac_header);
417
418	return size;
419	}
420
421	static int nfulnl_put_bridge(struct nfulnl_instance inst, const* struct sk_buff *skb)
422	{
423	if (!skb_mac_header_was_set(skb))
424	return `0`;
425
426	if (skb_vlan_tag_present(skb)) {
427	struct nlattr *nest;
428
429	nest = nla_nest_start(skb: inst->skb, attrtype: NFULA_VLAN);
430	if (!nest)
431	goto nla_put_failure;
432
433	if (nla_put_be16(skb: inst->skb, attrtype: NFULA_VLAN_TCI, htons(skb->vlan_tci)) \|\|
434	nla_put_be16(skb: inst->skb, attrtype: NFULA_VLAN_PROTO, value: skb->vlan_proto))
435	goto nla_put_failure;
436
437	nla_nest_end(skb: inst->skb, start: nest);
438	}
439
440	if (skb->mac_header < skb->network_header) {
441	int len = (int)(skb->network_header - skb->mac_header);
442
443	if (nla_put(skb: inst->skb, attrtype: NFULA_L2HDR, attrlen: len, data: skb_mac_header(skb)))
444	goto nla_put_failure;
445	}
446
447	return `0`;
448
449	nla_put_failure:
450	return -`1`;
451	}
452
453	/ This is an inline function, we don't really care about a long*
454	* list of arguments */
455	static inline int
456	__build_packet_message(struct nfnl_log_net *log,
457	struct nfulnl_instance *inst,
458	const struct sk_buff *skb,
459	unsigned int data_len,
460	u_int8_t pf,
461	unsigned int hooknum,
462	const struct net_device *indev,
463	const struct net_device *outdev,
464	const char prefix, unsigned* int plen,
465	const struct nfnl_ct_hook *nfnl_ct,
466	struct nf_conn ct, enum* ip_conntrack_info ctinfo)
467	{
468	struct nfulnl_msg_packet_hdr pmsg;
469	struct nlmsghdr *nlh;
470	sk_buff_data_t old_tail = inst->skb->tail;
471	struct sock *sk;
472	const unsigned char *hwhdrp;
473
474	nlh = nfnl_msg_put(skb: inst->skb, portid: `0`, seq: `0`,
475	type: nfnl_msg_type(NFNL_SUBSYS_ULOG, msg_type: NFULNL_MSG_PACKET),
476	flags: `0`, family: pf, NFNETLINK_V0, htons(inst->group_num));
477	if (!nlh)
478	return -`1`;
479
480	memset(&pmsg, `0`, sizeof(pmsg));
481	pmsg.hw_protocol = skb->protocol;
482	pmsg.hook = hooknum;
483
484	if (nla_put(skb: inst->skb, attrtype: NFULA_PACKET_HDR, attrlen: sizeof(pmsg), data: &pmsg))
485	goto nla_put_failure;
486
487	if (prefix &&
488	nla_put(skb: inst->skb, attrtype: NFULA_PREFIX, attrlen: plen, data: prefix))
489	goto nla_put_failure;
490
491	if (indev) {
492	#if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
493	if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
494	htonl(indev->ifindex)))
495	goto nla_put_failure;
496	#else
497	if (pf == PF_BRIDGE) {
498	/ Case 1: outdev is physical input device, we need to*
499	* look for bridge group (when called from
500	* netfilter_bridge) */
501	if (nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_PHYSINDEV,
502	htonl(indev->ifindex)) \|\|
503	/ this is the bridge group "brX" /
504	/ rcu_read_lock()ed by nf_hook_thresh or*
505	* nf_log_packet.
506	*/
507	nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_INDEV,
508	htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
509	goto nla_put_failure;
510	} else {
511	int physinif;
512
513	/ Case 2: indev is bridge group, we need to look for*
514	* physical device (when called from ipv4) */
515	if (nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_INDEV,
516	htonl(indev->ifindex)))
517	goto nla_put_failure;
518
519	physinif = nf_bridge_get_physinif(skb);
520	if (physinif &&
521	nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_PHYSINDEV,
522	htonl(physinif)))
523	goto nla_put_failure;
524	}
525	#endif
526	}
527
528	if (outdev) {
529	#if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
530	if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
531	htonl(outdev->ifindex)))
532	goto nla_put_failure;
533	#else
534	if (pf == PF_BRIDGE) {
535	/ Case 1: outdev is physical output device, we need to*
536	* look for bridge group (when called from
537	* netfilter_bridge) */
538	if (nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_PHYSOUTDEV,
539	htonl(outdev->ifindex)) \|\|
540	/ this is the bridge group "brX" /
541	/ rcu_read_lock()ed by nf_hook_thresh or*
542	* nf_log_packet.
543	*/
544	nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_OUTDEV,
545	htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
546	goto nla_put_failure;
547	} else {
548	struct net_device *physoutdev;
549
550	/ Case 2: indev is a bridge group, we need to look*
551	* for physical device (when called from ipv4) */
552	if (nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_OUTDEV,
553	htonl(outdev->ifindex)))
554	goto nla_put_failure;
555
556	physoutdev = nf_bridge_get_physoutdev(skb);
557	if (physoutdev &&
558	nla_put_be32(skb: inst->skb, attrtype: NFULA_IFINDEX_PHYSOUTDEV,
559	htonl(physoutdev->ifindex)))
560	goto nla_put_failure;
561	}
562	#endif
563	}
564
565	if (skb->mark &&
566	nla_put_be32(skb: inst->skb, attrtype: NFULA_MARK, htonl(skb->mark)))
567	goto nla_put_failure;
568
569	if (indev && skb->dev &&
570	skb_mac_header_was_set(skb) &&
571	skb_mac_header_len(skb) != `0`) {
572	struct nfulnl_msg_packet_hw phw;
573	int len;
574
575	memset(&phw, `0`, sizeof(phw));
576	len = dev_parse_header(skb, haddr: phw.hw_addr);
577	if (len > `0`) {
578	phw.hw_addrlen = htons(len);
579	if (nla_put(skb: inst->skb, attrtype: NFULA_HWADDR, attrlen: sizeof(phw), data: &phw))
580	goto nla_put_failure;
581	}
582	}
583
584	if (indev && skb_mac_header_was_set(skb)) {
585	if (nla_put_be16(skb: inst->skb, attrtype: NFULA_HWTYPE, htons(skb->dev->type)) \|\|
586	nla_put_be16(skb: inst->skb, attrtype: NFULA_HWLEN,
587	htons(skb->dev->hard_header_len)))
588	goto nla_put_failure;
589
590	hwhdrp = skb_mac_header(skb);
591
592	if (skb->dev->type == ARPHRD_SIT)
593	hwhdrp -= ETH_HLEN;
594
595	if (hwhdrp >= skb->head &&
596	nla_put(skb: inst->skb, attrtype: NFULA_HWHEADER,
597	attrlen: skb->dev->hard_header_len, data: hwhdrp))
598	goto nla_put_failure;
599	}
600
601	if (hooknum <= NF_INET_FORWARD) {
602	struct timespec64 kts = ktime_to_timespec64(skb_tstamp_cond(skb, true));
603	struct nfulnl_msg_packet_timestamp ts;
604	ts.sec = cpu_to_be64(kts.tv_sec);
605	ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC);
606
607	if (nla_put(skb: inst->skb, attrtype: NFULA_TIMESTAMP, attrlen: sizeof(ts), data: &ts))
608	goto nla_put_failure;
609	}
610
611	/ UID /
612	sk = skb->sk;
613	if (sk && sk_fullsock(sk)) {
614	read_lock_bh(&sk->sk_callback_lock);
615	if (sk->sk_socket && sk->sk_socket->file) {
616	struct file *file = sk->sk_socket->file;
617	const struct cred *cred = file->f_cred;
618	struct user_namespace *user_ns = inst->peer_user_ns;
619	__be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid));
620	__be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid));
621	read_unlock_bh(&sk->sk_callback_lock);
622	if (nla_put_be32(skb: inst->skb, attrtype: NFULA_UID, value: uid) \|\|
623	nla_put_be32(skb: inst->skb, attrtype: NFULA_GID, value: gid))
624	goto nla_put_failure;
625	} else
626	read_unlock_bh(&sk->sk_callback_lock);
627	}
628
629	/ local sequence number /
630	if ((inst->flags & NFULNL_CFG_F_SEQ) &&
631	nla_put_be32(skb: inst->skb, attrtype: NFULA_SEQ, htonl(inst->seq++)))
632	goto nla_put_failure;
633
634	/ global sequence number /
635	if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
636	nla_put_be32(skb: inst->skb, attrtype: NFULA_SEQ_GLOBAL,
637	htonl(atomic_inc_return(&log->global_seq))))
638	goto nla_put_failure;
639
640	if (ct && nfnl_ct->build(inst->skb, ct, ctinfo,
641	NFULA_CT, NFULA_CT_INFO) < `0`)
642	goto nla_put_failure;
643
644	if ((pf == NFPROTO_NETDEV \|\| pf == NFPROTO_BRIDGE) &&
645	nfulnl_put_bridge(inst, skb) < `0`)
646	goto nla_put_failure;
647
648	if (data_len) {
649	struct nlattr *nla;
650	int size = nla_attr_size(payload: data_len);
651
652	if (skb_tailroom(skb: inst->skb) < nla_total_size(payload: data_len))
653	goto nla_put_failure;
654
655	nla = skb_put(skb: inst->skb, len: nla_total_size(payload: data_len));
656	nla->nla_type = NFULA_PAYLOAD;
657	nla->nla_len = size;
658
659	if (skb_copy_bits(skb, offset: `0`, to: nla_data(nla), len: data_len))
660	BUG();
661	}
662
663	nlh->nlmsg_len = inst->skb->tail - old_tail;
664	return `0`;
665
666	nla_put_failure:
667	PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n");
668	return -`1`;
669	}
670
671	static const struct nf_loginfo default_loginfo = {
672	.type = NF_LOG_TYPE_ULOG,
673	.u = {
674	.ulog = {
675	.copy_len = `0xffff`,
676	.group = `0`,
677	.qthreshold = `1`,
678	},
679	},
680	};
681
682	/ log handler for internal netfilter logging api /
683	static void
684	nfulnl_log_packet(struct net *net,
685	u_int8_t pf,
686	unsigned int hooknum,
687	const struct sk_buff *skb,
688	const struct net_device *in,
689	const struct net_device *out,
690	const struct nf_loginfo *li_user,
691	const char *prefix)
692	{
693	size_t size;
694	unsigned int data_len;
695	struct nfulnl_instance *inst;
696	const struct nf_loginfo *li;
697	unsigned int qthreshold;
698	unsigned int plen = `0`;
699	struct nfnl_log_net *log = nfnl_log_pernet(net);
700	const struct nfnl_ct_hook *nfnl_ct = NULL;
701	enum ip_conntrack_info ctinfo = `0`;
702	struct nf_conn *ct = NULL;
703
704	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
705	li = li_user;
706	else
707	li = &default_loginfo;
708
709	inst = instance_lookup_get_rcu(log, group_num: li->u.ulog.group);
710	if (!inst)
711	return;
712
713	if (prefix)
714	plen = strlen(prefix) + `1`;
715
716	/ FIXME: do we want to make the size calculation conditional based on*
717	* what is actually present? way more branches and checks, but more
718	* memory efficient... */
719	size = nlmsg_total_size(payload: sizeof(struct nfgenmsg))
720	+ nla_total_size(payload: sizeof(struct nfulnl_msg_packet_hdr))
721	+ nla_total_size(payload: sizeof(u_int32_t)) / ifindex /
722	+ nla_total_size(payload: sizeof(u_int32_t)) / ifindex /
723	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
724	+ nla_total_size(payload: sizeof(u_int32_t)) / ifindex /
725	+ nla_total_size(payload: sizeof(u_int32_t)) / ifindex /
726	#endif
727	+ nla_total_size(payload: sizeof(u_int32_t)) / mark /
728	+ nla_total_size(payload: sizeof(u_int32_t)) / uid /
729	+ nla_total_size(payload: sizeof(u_int32_t)) / gid /
730	+ nla_total_size(payload: plen) / prefix /
731	+ nla_total_size(payload: sizeof(struct nfulnl_msg_packet_hw))
732	+ nla_total_size(payload: sizeof(struct nfulnl_msg_packet_timestamp))
733	+ nla_total_size(payload: sizeof(struct nfgenmsg)); / NLMSG_DONE /
734
735	if (in && skb_mac_header_was_set(skb)) {
736	size += nla_total_size(payload: skb->dev->hard_header_len)
737	+ nla_total_size(payload: sizeof(u_int16_t)) / hwtype /
738	+ nla_total_size(payload: sizeof(u_int16_t)); / hwlen /
739	}
740
741	spin_lock_bh(lock: &inst->lock);
742
743	if (inst->flags & NFULNL_CFG_F_SEQ)
744	size += nla_total_size(payload: sizeof(u_int32_t));
745	if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
746	size += nla_total_size(payload: sizeof(u_int32_t));
747	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
748	if (inst->flags & NFULNL_CFG_F_CONNTRACK) {
749	nfnl_ct = rcu_dereference(nfnl_ct_hook);
750	if (nfnl_ct != NULL) {
751	ct = nf_ct_get(skb, ctinfo: &ctinfo);
752	if (ct != NULL)
753	size += nfnl_ct->build_size(ct);
754	}
755	}
756	#endif
757	if (pf == NFPROTO_NETDEV \|\| pf == NFPROTO_BRIDGE)
758	size += nfulnl_get_bridge_size(skb);
759
760	qthreshold = inst->qthreshold;
761	/ per-rule qthreshold overrides per-instance /
762	if (li->u.ulog.qthreshold)
763	if (qthreshold > li->u.ulog.qthreshold)
764	qthreshold = li->u.ulog.qthreshold;
765
766
767	switch (inst->copy_mode) {
768	case NFULNL_COPY_META:
769	case NFULNL_COPY_NONE:
770	data_len = `0`;
771	break;
772
773	case NFULNL_COPY_PACKET:
774	data_len = inst->copy_range;
775	if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) &&
776	(li->u.ulog.copy_len < data_len))
777	data_len = li->u.ulog.copy_len;
778
779	if (data_len > skb->len)
780	data_len = skb->len;
781
782	size += nla_total_size(payload: data_len);
783	break;
784
785	case NFULNL_COPY_DISABLED:
786	default:
787	goto unlock_and_release;
788	}
789
790	if (inst->skb && size > skb_tailroom(skb: inst->skb)) {
791	/ either the queue len is too high or we don't have*
792	* enough room in the skb left. flush to userspace. */
793	__nfulnl_flush(inst);
794	}
795
796	if (!inst->skb) {
797	inst->skb = nfulnl_alloc_skb(net, peer_portid: inst->peer_portid,
798	inst_size: inst->nlbufsiz, pkt_size: size);
799	if (!inst->skb)
800	goto alloc_failure;
801	}
802
803	inst->qlen++;
804
805	__build_packet_message(log, inst, skb, data_len, pf,
806	hooknum, indev: in, outdev: out, prefix, plen,
807	nfnl_ct, ct, ctinfo);
808
809	if (inst->qlen >= qthreshold)
810	__nfulnl_flush(inst);
811	/ timer_pending always called within inst->lock, so there*
812	* is no chance of a race here */
813	else if (!timer_pending(timer: &inst->timer)) {
814	instance_get(inst);
815	inst->timer.expires = jiffies + (inst->flushtimeout*HZ/`100`);
816	add_timer(timer: &inst->timer);
817	}
818
819	unlock_and_release:
820	spin_unlock_bh(lock: &inst->lock);
821	instance_put(inst);
822	return;
823
824	alloc_failure:
825	/ FIXME: statistics /
826	goto unlock_and_release;
827	}
828
829	static int
830	nfulnl_rcv_nl_event(struct notifier_block *this,
831	unsigned long event, void *ptr)
832	{
833	struct netlink_notify *n = ptr;
834	struct nfnl_log_net *log = nfnl_log_pernet(net: n->net);
835
836	if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
837	int i;
838
839	/ destroy all instances for this portid /
840	spin_lock_bh(lock: &log->instances_lock);
841	for (i = `0`; i < INSTANCE_BUCKETS; i++) {
842	struct hlist_node *t2;
843	struct nfulnl_instance *inst;
844	struct hlist_head *head = &log->instance_table[i];
845
846	hlist_for_each_entry_safe(inst, t2, head, hlist) {
847	if (n->portid == inst->peer_portid)
848	__instance_destroy(inst);
849	}
850	}
851	spin_unlock_bh(lock: &log->instances_lock);
852	}
853	return NOTIFY_DONE;
854	}
855
856	static struct notifier_block nfulnl_rtnl_notifier = {
857	.notifier_call = nfulnl_rcv_nl_event,
858	};
859
860	static int nfulnl_recv_unsupp(struct sk_buff skb, const* struct nfnl_info *info,
861	const struct nlattr * const nfula[])
862	{
863	return -ENOTSUPP;
864	}
865
866	static struct nf_logger nfulnl_logger __read_mostly = {
867	.name = "nfnetlink_log",
868	.type = NF_LOG_TYPE_ULOG,
869	.logfn = nfulnl_log_packet,
870	.me = THIS_MODULE,
871	};
872
873	static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+`1`] = {
874	[NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) },
875	[NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) },
876	[NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
877	[NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
878	[NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
879	[NFULA_CFG_FLAGS] = { .type = NLA_U16 },
880	};
881
882	static int nfulnl_recv_config(struct sk_buff skb, const* struct nfnl_info *info,
883	const struct nlattr * const nfula[])
884	{
885	struct nfnl_log_net *log = nfnl_log_pernet(net: info->net);
886	u_int16_t group_num = ntohs(info->nfmsg->res_id);
887	struct nfulnl_msg_config_cmd *cmd = NULL;
888	struct nfulnl_instance *inst;
889	u16 flags = `0`;
890	int ret = `0`;
891
892	if (nfula[NFULA_CFG_CMD]) {
893	u_int8_t pf = info->nfmsg->nfgen_family;
894	cmd = nla_data(nla: nfula[NFULA_CFG_CMD]);
895
896	/ Commands without queue context /
897	switch (cmd->command) {
898	case NFULNL_CFG_CMD_PF_BIND:
899	return nf_log_bind_pf(net: info->net, pf, logger: &nfulnl_logger);
900	case NFULNL_CFG_CMD_PF_UNBIND:
901	nf_log_unbind_pf(net: info->net, pf);
902	return `0`;
903	}
904	}
905
906	inst = instance_lookup_get(log, group_num);
907	if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
908	ret = -EPERM;
909	goto out_put;
910	}
911
912	/ Check if we support these flags in first place, dependencies should*
913	* be there too not to break atomicity.
914	*/
915	if (nfula[NFULA_CFG_FLAGS]) {
916	flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));
917
918	if ((flags & NFULNL_CFG_F_CONNTRACK) &&
919	!rcu_access_pointer(nfnl_ct_hook)) {
920	#ifdef CONFIG_MODULES
921	nfnl_unlock(NFNL_SUBSYS_ULOG);
922	request_module("ip_conntrack_netlink");
923	nfnl_lock(NFNL_SUBSYS_ULOG);
924	if (rcu_access_pointer(nfnl_ct_hook)) {
925	ret = -EAGAIN;
926	goto out_put;
927	}
928	#endif
929	ret = -EOPNOTSUPP;
930	goto out_put;
931	}
932	}
933
934	if (cmd != NULL) {
935	switch (cmd->command) {
936	case NFULNL_CFG_CMD_BIND:
937	if (inst) {
938	ret = -EBUSY;
939	goto out_put;
940	}
941
942	inst = instance_create(net: info->net, group_num,
943	NETLINK_CB(skb).portid,
944	user_ns: sk_user_ns(NETLINK_CB(skb).sk));
945	if (IS_ERR(ptr: inst)) {
946	ret = PTR_ERR(ptr: inst);
947	goto out;
948	}
949	break;
950	case NFULNL_CFG_CMD_UNBIND:
951	if (!inst) {
952	ret = -ENODEV;
953	goto out;
954	}
955
956	instance_destroy(log, inst);
957	goto out_put;
958	default:
959	ret = -ENOTSUPP;
960	goto out_put;
961	}
962	} else if (!inst) {
963	ret = -ENODEV;
964	goto out;
965	}
966
967	if (nfula[NFULA_CFG_MODE]) {
968	struct nfulnl_msg_config_mode *params =
969	nla_data(nla: nfula[NFULA_CFG_MODE]);
970
971	nfulnl_set_mode(inst, mode: params->copy_mode,
972	ntohl(params->copy_range));
973	}
974
975	if (nfula[NFULA_CFG_TIMEOUT]) {
976	__be32 timeout = nla_get_be32(nla: nfula[NFULA_CFG_TIMEOUT]);
977
978	nfulnl_set_timeout(inst, ntohl(timeout));
979	}
980
981	if (nfula[NFULA_CFG_NLBUFSIZ]) {
982	__be32 nlbufsiz = nla_get_be32(nla: nfula[NFULA_CFG_NLBUFSIZ]);
983
984	nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
985	}
986
987	if (nfula[NFULA_CFG_QTHRESH]) {
988	__be32 qthresh = nla_get_be32(nla: nfula[NFULA_CFG_QTHRESH]);
989
990	nfulnl_set_qthresh(inst, ntohl(qthresh));
991	}
992
993	if (nfula[NFULA_CFG_FLAGS])
994	nfulnl_set_flags(inst, flags);
995
996	out_put:
997	instance_put(inst);
998	out:
999	return ret;
1000	}
1001
1002	static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {
1003	[NFULNL_MSG_PACKET] = {
1004	.call = nfulnl_recv_unsupp,
1005	.type = NFNL_CB_MUTEX,
1006	.attr_count = NFULA_MAX,
1007	},
1008	[NFULNL_MSG_CONFIG] = {
1009	.call = nfulnl_recv_config,
1010	.type = NFNL_CB_MUTEX,
1011	.attr_count = NFULA_CFG_MAX,
1012	.policy = nfula_cfg_policy
1013	},
1014	};
1015
1016	static const struct nfnetlink_subsystem nfulnl_subsys = {
1017	.name = "log",
1018	.subsys_id = NFNL_SUBSYS_ULOG,
1019	.cb_count = NFULNL_MSG_MAX,
1020	.cb = nfulnl_cb,
1021	};
1022
1023	#ifdef CONFIG_PROC_FS
1024	struct iter_state {
1025	struct seq_net_private p;
1026	unsigned int bucket;
1027	};
1028
1029	static struct hlist_node get_first(struct* net net, struct* iter_state *st)
1030	{
1031	struct nfnl_log_net *log;
1032	if (!st)
1033	return NULL;
1034
1035	log = nfnl_log_pernet(net);
1036
1037	for (st->bucket = `0`; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
1038	struct hlist_head *head = &log->instance_table[st->bucket];
1039
1040	if (!hlist_empty(h: head))
1041	return rcu_dereference(hlist_first_rcu(head));
1042	}
1043	return NULL;
1044	}
1045
1046	static struct hlist_node get_next(struct* net net, struct* iter_state *st,
1047	struct hlist_node *h)
1048	{
1049	h = rcu_dereference(hlist_next_rcu(h));
1050	while (!h) {
1051	struct nfnl_log_net *log;
1052	struct hlist_head *head;
1053
1054	if (++st->bucket >= INSTANCE_BUCKETS)
1055	return NULL;
1056
1057	log = nfnl_log_pernet(net);
1058	head = &log->instance_table[st->bucket];
1059	h = rcu_dereference(hlist_first_rcu(head));
1060	}
1061	return h;
1062	}
1063
1064	static struct hlist_node get_idx(struct* net net, struct* iter_state *st,
1065	loff_t pos)
1066	{
1067	struct hlist_node *head;
1068	head = get_first(net, st);
1069
1070	if (head)
1071	while (pos && (head = get_next(net, st, h: head)))
1072	pos--;
1073	return pos ? NULL : head;
1074	}
1075
1076	static void seq_start(struct* seq_file s, loff_t pos)
1077	__acquires(rcu)
1078	{
1079	rcu_read_lock();
1080	return get_idx(net: seq_file_net(seq: s), st: s->private, pos: *pos);
1081	}
1082
1083	static void seq_next(struct* seq_file s, void* v, loff_t pos)
1084	{
1085	(*pos)++;
1086	return get_next(net: seq_file_net(seq: s), st: s->private, h: v);
1087	}
1088
1089	static void seq_stop(struct seq_file s, void* *v)
1090	__releases(rcu)
1091	{
1092	rcu_read_unlock();
1093	}
1094
1095	static int seq_show(struct seq_file s, void* *v)
1096	{
1097	const struct nfulnl_instance *inst = v;
1098
1099	seq_printf(m: s, fmt: "%5u %6u %5u %1u %5u %6u %2u\n",
1100	inst->group_num,
1101	inst->peer_portid, inst->qlen,
1102	inst->copy_mode, inst->copy_range,
1103	inst->flushtimeout, refcount_read(r: &inst->use));
1104
1105	return `0`;
1106	}
1107
1108	static const struct seq_operations nful_seq_ops = {
1109	.start = seq_start,
1110	.next = seq_next,
1111	.stop = seq_stop,
1112	.show = seq_show,
1113	};
1114	#endif /* PROC_FS */
1115
1116	static int __net_init nfnl_log_net_init(struct net *net)
1117	{
1118	unsigned int i;
1119	struct nfnl_log_net *log = nfnl_log_pernet(net);
1120	#ifdef CONFIG_PROC_FS
1121	struct proc_dir_entry *proc;
1122	kuid_t root_uid;
1123	kgid_t root_gid;
1124	#endif
1125
1126	for (i = `0`; i < INSTANCE_BUCKETS; i++)
1127	INIT_HLIST_HEAD(&log->instance_table[i]);
1128	spin_lock_init(&log->instances_lock);
1129
1130	#ifdef CONFIG_PROC_FS
1131	proc = proc_create_net("nfnetlink_log", `0440`, net->nf.proc_netfilter,
1132	&nful_seq_ops, sizeof(struct iter_state));
1133	if (!proc)
1134	return -ENOMEM;
1135
1136	root_uid = make_kuid(from: net->user_ns, uid: `0`);
1137	root_gid = make_kgid(from: net->user_ns, gid: `0`);
1138	if (uid_valid(uid: root_uid) && gid_valid(gid: root_gid))
1139	proc_set_user(proc, root_uid, root_gid);
1140	#endif
1141	return `0`;
1142	}
1143
1144	static void __net_exit nfnl_log_net_exit(struct net *net)
1145	{
1146	struct nfnl_log_net *log = nfnl_log_pernet(net);
1147	unsigned int i;
1148
1149	#ifdef CONFIG_PROC_FS
1150	remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
1151	#endif
1152	nf_log_unset(net, logger: &nfulnl_logger);
1153	for (i = `0`; i < INSTANCE_BUCKETS; i++)
1154	WARN_ON_ONCE(!hlist_empty(&log->instance_table[i]));
1155	}
1156
1157	static struct pernet_operations nfnl_log_net_ops = {
1158	.init = nfnl_log_net_init,
1159	.exit = nfnl_log_net_exit,
1160	.id = &nfnl_log_net_id,
1161	.size = sizeof(struct nfnl_log_net),
1162	};
1163
1164	static int __init nfnetlink_log_init(void)
1165	{
1166	int status;
1167
1168	status = register_pernet_subsys(&nfnl_log_net_ops);
1169	if (status < `0`) {
1170	pr_err("failed to register pernet ops\n");
1171	goto out;
1172	}
1173
1174	netlink_register_notifier(nb: &nfulnl_rtnl_notifier);
1175	status = nfnetlink_subsys_register(n: &nfulnl_subsys);
1176	if (status < `0`) {
1177	pr_err("failed to create netlink socket\n");
1178	goto cleanup_netlink_notifier;
1179	}
1180
1181	status = nf_log_register(pf: NFPROTO_UNSPEC, logger: &nfulnl_logger);
1182	if (status < `0`) {
1183	pr_err("failed to register logger\n");
1184	goto cleanup_subsys;
1185	}
1186
1187	return status;
1188
1189	cleanup_subsys:
1190	nfnetlink_subsys_unregister(n: &nfulnl_subsys);
1191	cleanup_netlink_notifier:
1192	netlink_unregister_notifier(nb: &nfulnl_rtnl_notifier);
1193	unregister_pernet_subsys(&nfnl_log_net_ops);
1194	out:
1195	return status;
1196	}
1197
1198	static void __exit nfnetlink_log_fini(void)
1199	{
1200	nfnetlink_subsys_unregister(n: &nfulnl_subsys);
1201	netlink_unregister_notifier(nb: &nfulnl_rtnl_notifier);
1202	unregister_pernet_subsys(&nfnl_log_net_ops);
1203	nf_log_unregister(logger: &nfulnl_logger);
1204	}
1205
1206	MODULE_DESCRIPTION("netfilter userspace logging");
1207	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
1208	MODULE_LICENSE("GPL");
1209	MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG);
1210	MODULE_ALIAS_NF_LOGGER(AF_INET, `1`);
1211	MODULE_ALIAS_NF_LOGGER(AF_INET6, `1`);
1212	MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, `1`);
1213	MODULE_ALIAS_NF_LOGGER(`3`, `1`); / NFPROTO_ARP /
1214	MODULE_ALIAS_NF_LOGGER(`5`, `1`); / NFPROTO_NETDEV /
1215
1216	module_init(nfnetlink_log_init);
1217	module_exit(nfnetlink_log_fini);
1218

source code of linux/net/netfilter/nfnetlink_log.c