net/netfilter/xt_LOG.c

   1 /*
   2  * This is a module which is used for logging packets.
   3  */
   4
   5 /* (C) 1999-2001 Paul `Rusty' Russell
   6  * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  14 #include <linux/module.h>
  15 #include <linux/spinlock.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/if_arp.h>
  18 #include <linux/ip.h>
  19 #include <net/ipv6.h>
  20 #include <net/icmp.h>
  21 #include <net/udp.h>
  22 #include <net/tcp.h>
  23 #include <net/route.h>
  24
  25 #include <linux/netfilter.h>
  26 #include <linux/netfilter/x_tables.h>
  27 #include <linux/netfilter/xt_LOG.h>
  28 #include <linux/netfilter_ipv6/ip6_tables.h>
  29 #include <net/netfilter/nf_log.h>
  30 #include <net/netfilter/xt_log.h>
  31
  32 static struct nf_loginfo default_loginfo = {
  33         .type   = NF_LOG_TYPE_LOG,
  34         .u = {
  35                 .log = {
  36                         .level    = 5,
  37                         .logflags = NF_LOG_MASK,
  38                 },
  39         },
  40 };
  41
  42 static int dump_udp_header(struct sbuff *m, const struct sk_buff *skb,
  43                            u8 proto, int fragment, unsigned int offset)
  44 {
  45         struct udphdr _udph;
  46         const struct udphdr *uh;
  47
  48         if (proto == IPPROTO_UDP)
  49                 /* Max length: 10 "PROTO=UDP "     */
  50                 sb_add(m, "PROTO=UDP ");
  51         else    /* Max length: 14 "PROTO=UDPLITE " */
  52                 sb_add(m, "PROTO=UDPLITE ");
  53
  54         if (fragment)
  55                 goto out;
  56
  57         /* Max length: 25 "INCOMPLETE [65535 bytes] " */
  58         uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
  59         if (uh == NULL) {
  60                 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
  61
  62                 return 1;
  63         }
  64
  65         /* Max length: 20 "SPT=65535 DPT=65535 " */
  66         sb_add(m, "SPT=%u DPT=%u LEN=%u ", ntohs(uh->source), ntohs(uh->dest),
  67                 ntohs(uh->len));
  68
  69 out:
  70         return 0;
  71 }
  72
  73 static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
  74                            u8 proto, int fragment, unsigned int offset,
  75                            unsigned int logflags)
  76 {
  77         struct tcphdr _tcph;
  78         const struct tcphdr *th;
  79
  80         /* Max length: 10 "PROTO=TCP " */
  81         sb_add(m, "PROTO=TCP ");
  82
  83         if (fragment)
  84                 return 0;
  85
  86         /* Max length: 25 "INCOMPLETE [65535 bytes] " */
  87         th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
  88         if (th == NULL) {
  89                 sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - offset);
  90                 return 1;
  91         }
  92
  93         /* Max length: 20 "SPT=65535 DPT=65535 " */
  94         sb_add(m, "SPT=%u DPT=%u ", ntohs(th->source), ntohs(th->dest));
  95         /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
  96         if (logflags & XT_LOG_TCPSEQ)
  97                 sb_add(m, "SEQ=%u ACK=%u ", ntohl(th->seq), ntohl(th->ack_seq));
  98
  99         /* Max length: 13 "WINDOW=65535 " */
 100         sb_add(m, "WINDOW=%u ", ntohs(th->window));
 101         /* Max length: 9 "RES=0x3C " */
 102         sb_add(m, "RES=0x%02x ", (u_int8_t)(ntohl(tcp_flag_word(th) &
 103                                             TCP_RESERVED_BITS) >> 22));
 104         /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
 105         if (th->cwr)
 106                 sb_add(m, "CWR ");
 107         if (th->ece)
 108                 sb_add(m, "ECE ");
 109         if (th->urg)
 110                 sb_add(m, "URG ");
 111         if (th->ack)
 112                 sb_add(m, "ACK ");
 113         if (th->psh)
 114                 sb_add(m, "PSH ");
 115         if (th->rst)
 116                 sb_add(m, "RST ");
 117         if (th->syn)
 118                 sb_add(m, "SYN ");
 119         if (th->fin)
 120                 sb_add(m, "FIN ");
 121         /* Max length: 11 "URGP=65535 " */
 122         sb_add(m, "URGP=%u ", ntohs(th->urg_ptr));
 123
 124         if ((logflags & XT_LOG_TCPOPT) && th->doff*4 > sizeof(struct tcphdr)) {
 125                 u_int8_t _opt[60 - sizeof(struct tcphdr)];
 126                 const u_int8_t *op;
 127                 unsigned int i;
 128                 unsigned int optsize = th->doff*4 - sizeof(struct tcphdr);
 129
 130                 op = skb_header_pointer(skb, offset + sizeof(struct tcphdr),
 131                                         optsize, _opt);
 132                 if (op == NULL) {
 133                         sb_add(m, "OPT (TRUNCATED)");
 134                         return 1;
 135                 }
 136
 137                 /* Max length: 127 "OPT (" 15*4*2chars ") " */
 138                 sb_add(m, "OPT (");
 139                 for (i = 0; i < optsize; i++)
 140                         sb_add(m, "%02X", op[i]);
 141
 142                 sb_add(m, ") ");
 143         }
 144
 145         return 0;
 146 }
 147
 148 /* One level of recursion won't kill us */
 149 static void dump_ipv4_packet(struct sbuff *m,
 150                         const struct nf_loginfo *info,
 151                         const struct sk_buff *skb,
 152                         unsigned int iphoff)
 153 {
 154         struct iphdr _iph;
 155         const struct iphdr *ih;
 156         unsigned int logflags;
 157
 158         if (info->type == NF_LOG_TYPE_LOG)
 159                 logflags = info->u.log.logflags;
 160         else
 161                 logflags = NF_LOG_MASK;
 162
 163         ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
 164         if (ih == NULL) {
 165                 sb_add(m, "TRUNCATED");
 166                 return;
 167         }
 168
 169         /* Important fields:
 170          * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
 171         /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
 172         sb_add(m, "SRC=%pI4 DST=%pI4 ",
 173                &ih->saddr, &ih->daddr);
 174
 175         /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
 176         sb_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
 177                ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
 178                ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
 179
 180         /* Max length: 6 "CE DF MF " */
 181         if (ntohs(ih->frag_off) & IP_CE)
 182                 sb_add(m, "CE ");
 183         if (ntohs(ih->frag_off) & IP_DF)
 184                 sb_add(m, "DF ");
 185         if (ntohs(ih->frag_off) & IP_MF)
 186                 sb_add(m, "MF ");
 187
 188         /* Max length: 11 "FRAG:65535 " */
 189         if (ntohs(ih->frag_off) & IP_OFFSET)
 190                 sb_add(m, "FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
 191
 192         if ((logflags & XT_LOG_IPOPT) &&
 193             ih->ihl * 4 > sizeof(struct iphdr)) {
 194                 const unsigned char *op;
 195                 unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
 196                 unsigned int i, optsize;
 197
 198                 optsize = ih->ihl * 4 - sizeof(struct iphdr);
 199                 op = skb_header_pointer(skb, iphoff+sizeof(_iph),
 200                                         optsize, _opt);
 201                 if (op == NULL) {
 202                         sb_add(m, "TRUNCATED");
 203                         return;
 204                 }
 205
 206                 /* Max length: 127 "OPT (" 15*4*2chars ") " */
 207                 sb_add(m, "OPT (");
 208                 for (i = 0; i < optsize; i++)
 209                         sb_add(m, "%02X", op[i]);
 210                 sb_add(m, ") ");
 211         }
 212
 213         switch (ih->protocol) {
 214         case IPPROTO_TCP:
 215                 if (dump_tcp_header(m, skb, ih->protocol,
 216                                     ntohs(ih->frag_off) & IP_OFFSET,
 217                                     iphoff+ih->ihl*4, logflags))
 218                         return;
 219                 break;
 220         case IPPROTO_UDP:
 221         case IPPROTO_UDPLITE:
 222                 if (dump_udp_header(m, skb, ih->protocol,
 223                                     ntohs(ih->frag_off) & IP_OFFSET,
 224                                     iphoff+ih->ihl*4))
 225                         return;
 226                 break;
 227         case IPPROTO_ICMP: {
 228                 struct icmphdr _icmph;
 229                 const struct icmphdr *ich;
 230                 static const size_t required_len[NR_ICMP_TYPES+1]
 231                         = { [ICMP_ECHOREPLY] = 4,
 232                             [ICMP_DEST_UNREACH]
 233                             = 8 + sizeof(struct iphdr),
 234                             [ICMP_SOURCE_QUENCH]
 235                             = 8 + sizeof(struct iphdr),
 236                             [ICMP_REDIRECT]
 237                             = 8 + sizeof(struct iphdr),
 238                             [ICMP_ECHO] = 4,
 239                             [ICMP_TIME_EXCEEDED]
 240                             = 8 + sizeof(struct iphdr),
 241                             [ICMP_PARAMETERPROB]
 242                             = 8 + sizeof(struct iphdr),
 243                             [ICMP_TIMESTAMP] = 20,
 244                             [ICMP_TIMESTAMPREPLY] = 20,
 245                             [ICMP_ADDRESS] = 12,
 246                             [ICMP_ADDRESSREPLY] = 12 };
 247
 248                 /* Max length: 11 "PROTO=ICMP " */
 249                 sb_add(m, "PROTO=ICMP ");
 250
 251                 if (ntohs(ih->frag_off) & IP_OFFSET)
 252                         break;
 253
 254                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 255                 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
 256                                          sizeof(_icmph), &_icmph);
 257                 if (ich == NULL) {
 258                         sb_add(m, "INCOMPLETE [%u bytes] ",
 259                                skb->len - iphoff - ih->ihl*4);
 260                         break;
 261                 }
 262
 263                 /* Max length: 18 "TYPE=255 CODE=255 " */
 264                 sb_add(m, "TYPE=%u CODE=%u ", ich->type, ich->code);
 265
 266                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 267                 if (ich->type <= NR_ICMP_TYPES &&
 268                     required_len[ich->type] &&
 269                     skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
 270                         sb_add(m, "INCOMPLETE [%u bytes] ",
 271                                skb->len - iphoff - ih->ihl*4);
 272                         break;
 273                 }
 274
 275                 switch (ich->type) {
 276                 case ICMP_ECHOREPLY:
 277                 case ICMP_ECHO:
 278                         /* Max length: 19 "ID=65535 SEQ=65535 " */
 279                         sb_add(m, "ID=%u SEQ=%u ",
 280                                ntohs(ich->un.echo.id),
 281                                ntohs(ich->un.echo.sequence));
 282                         break;
 283
 284                 case ICMP_PARAMETERPROB:
 285                         /* Max length: 14 "PARAMETER=255 " */
 286                         sb_add(m, "PARAMETER=%u ",
 287                                ntohl(ich->un.gateway) >> 24);
 288                         break;
 289                 case ICMP_REDIRECT:
 290                         /* Max length: 24 "GATEWAY=255.255.255.255 " */
 291                         sb_add(m, "GATEWAY=%pI4 ", &ich->un.gateway);
 292                         /* Fall through */
 293                 case ICMP_DEST_UNREACH:
 294                 case ICMP_SOURCE_QUENCH:
 295                 case ICMP_TIME_EXCEEDED:
 296                         /* Max length: 3+maxlen */
 297                         if (!iphoff) { /* Only recurse once. */
 298                                 sb_add(m, "[");
 299                                 dump_ipv4_packet(m, info, skb,
 300                                             iphoff + ih->ihl*4+sizeof(_icmph));
 301                                 sb_add(m, "] ");
 302                         }
 303
 304                         /* Max length: 10 "MTU=65535 " */
 305                         if (ich->type == ICMP_DEST_UNREACH &&
 306                             ich->code == ICMP_FRAG_NEEDED)
 307                                 sb_add(m, "MTU=%u ", ntohs(ich->un.frag.mtu));
 308                 }
 309                 break;
 310         }
 311         /* Max Length */
 312         case IPPROTO_AH: {
 313                 struct ip_auth_hdr _ahdr;
 314                 const struct ip_auth_hdr *ah;
 315
 316                 if (ntohs(ih->frag_off) & IP_OFFSET)
 317                         break;
 318
 319                 /* Max length: 9 "PROTO=AH " */
 320                 sb_add(m, "PROTO=AH ");
 321
 322                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 323                 ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
 324                                         sizeof(_ahdr), &_ahdr);
 325                 if (ah == NULL) {
 326                         sb_add(m, "INCOMPLETE [%u bytes] ",
 327                                skb->len - iphoff - ih->ihl*4);
 328                         break;
 329                 }
 330
 331                 /* Length: 15 "SPI=0xF1234567 " */
 332                 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
 333                 break;
 334         }
 335         case IPPROTO_ESP: {
 336                 struct ip_esp_hdr _esph;
 337                 const struct ip_esp_hdr *eh;
 338
 339                 /* Max length: 10 "PROTO=ESP " */
 340                 sb_add(m, "PROTO=ESP ");
 341
 342                 if (ntohs(ih->frag_off) & IP_OFFSET)
 343                         break;
 344
 345                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 346                 eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
 347                                         sizeof(_esph), &_esph);
 348                 if (eh == NULL) {
 349                         sb_add(m, "INCOMPLETE [%u bytes] ",
 350                                skb->len - iphoff - ih->ihl*4);
 351                         break;
 352                 }
 353
 354                 /* Length: 15 "SPI=0xF1234567 " */
 355                 sb_add(m, "SPI=0x%x ", ntohl(eh->spi));
 356                 break;
 357         }
 358         /* Max length: 10 "PROTO 255 " */
 359         default:
 360                 sb_add(m, "PROTO=%u ", ih->protocol);
 361         }
 362
 363         /* Max length: 15 "UID=4294967295 " */
 364         if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
 365                 read_lock_bh(&skb->sk->sk_callback_lock);
 366                 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
 367                         sb_add(m, "UID=%u GID=%u ",
 368                                 skb->sk->sk_socket->file->f_cred->fsuid,
 369                                 skb->sk->sk_socket->file->f_cred->fsgid);
 370                 read_unlock_bh(&skb->sk->sk_callback_lock);
 371         }
 372
 373         /* Max length: 16 "MARK=0xFFFFFFFF " */
 374         if (!iphoff && skb->mark)
 375                 sb_add(m, "MARK=0x%x ", skb->mark);
 376
 377         /* Proto    Max log string length */
 378         /* IP:      40+46+6+11+127 = 230 */
 379         /* TCP:     10+max(25,20+30+13+9+32+11+127) = 252 */
 380         /* UDP:     10+max(25,20) = 35 */
 381         /* UDPLITE: 14+max(25,20) = 39 */
 382         /* ICMP:    11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
 383         /* ESP:     10+max(25)+15 = 50 */
 384         /* AH:      9+max(25)+15 = 49 */
 385         /* unknown: 10 */
 386
 387         /* (ICMP allows recursion one level deep) */
 388         /* maxlen =  IP + ICMP +  IP + max(TCP,UDP,ICMP,unknown) */
 389         /* maxlen = 230+   91  + 230 + 252 = 803 */
 390 }
 391
 392 static void dump_ipv4_mac_header(struct sbuff *m,
 393                             const struct nf_loginfo *info,
 394                             const struct sk_buff *skb)
 395 {
 396         struct net_device *dev = skb->dev;
 397         unsigned int logflags = 0;
 398
 399         if (info->type == NF_LOG_TYPE_LOG)
 400                 logflags = info->u.log.logflags;
 401
 402         if (!(logflags & XT_LOG_MACDECODE))
 403                 goto fallback;
 404
 405         switch (dev->type) {
 406         case ARPHRD_ETHER:
 407                 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
 408                        eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
 409                        ntohs(eth_hdr(skb)->h_proto));
 410                 return;
 411         default:
 412                 break;
 413         }
 414
 415 fallback:
 416         sb_add(m, "MAC=");
 417         if (dev->hard_header_len &&
 418             skb->mac_header != skb->network_header) {
 419                 const unsigned char *p = skb_mac_header(skb);
 420                 unsigned int i;
 421
 422                 sb_add(m, "%02x", *p++);
 423                 for (i = 1; i < dev->hard_header_len; i++, p++)
 424                         sb_add(m, ":%02x", *p);
 425         }
 426         sb_add(m, " ");
 427 }
 428
 429 static void
 430 log_packet_common(struct sbuff *m,
 431                   u_int8_t pf,
 432                   unsigned int hooknum,
 433                   const struct sk_buff *skb,
 434                   const struct net_device *in,
 435                   const struct net_device *out,
 436                   const struct nf_loginfo *loginfo,
 437                   const char *prefix)
 438 {
 439         sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
 440                prefix,
 441                in ? in->name : "",
 442                out ? out->name : "");
 443 #ifdef CONFIG_BRIDGE_NETFILTER
 444         if (skb->nf_bridge) {
 445                 const struct net_device *physindev;
 446                 const struct net_device *physoutdev;
 447
 448                 physindev = skb->nf_bridge->physindev;
 449                 if (physindev && in != physindev)
 450                         sb_add(m, "PHYSIN=%s ", physindev->name);
 451                 physoutdev = skb->nf_bridge->physoutdev;
 452                 if (physoutdev && out != physoutdev)
 453                         sb_add(m, "PHYSOUT=%s ", physoutdev->name);
 454         }
 455 #endif
 456 }
 457
 458
 459 static void
 460 ipt_log_packet(u_int8_t pf,
 461                unsigned int hooknum,
 462                const struct sk_buff *skb,
 463                const struct net_device *in,
 464                const struct net_device *out,
 465                const struct nf_loginfo *loginfo,
 466                const char *prefix)
 467 {
 468         struct sbuff *m = sb_open();
 469
 470         if (!loginfo)
 471                 loginfo = &default_loginfo;
 472
 473         log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
 474
 475         if (in != NULL)
 476                 dump_ipv4_mac_header(m, loginfo, skb);
 477
 478         dump_ipv4_packet(m, loginfo, skb, 0);
 479
 480         sb_close(m);
 481 }
 482
 483 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 484 /* One level of recursion won't kill us */
 485 static void dump_ipv6_packet(struct sbuff *m,
 486                         const struct nf_loginfo *info,
 487                         const struct sk_buff *skb, unsigned int ip6hoff,
 488                         int recurse)
 489 {
 490         u_int8_t currenthdr;
 491         int fragment;
 492         struct ipv6hdr _ip6h;
 493         const struct ipv6hdr *ih;
 494         unsigned int ptr;
 495         unsigned int hdrlen = 0;
 496         unsigned int logflags;
 497
 498         if (info->type == NF_LOG_TYPE_LOG)
 499                 logflags = info->u.log.logflags;
 500         else
 501                 logflags = NF_LOG_MASK;
 502
 503         ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
 504         if (ih == NULL) {
 505                 sb_add(m, "TRUNCATED");
 506                 return;
 507         }
 508
 509         /* Max length: 88 "SRC=0000.0000.0000.0000.0000.0000.0000.0000 DST=0000.0000.0000.0000.0000.0000.0000.0000 " */
 510         sb_add(m, "SRC=%pI6 DST=%pI6 ", &ih->saddr, &ih->daddr);
 511
 512         /* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
 513         sb_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
 514                ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
 515                (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
 516                ih->hop_limit,
 517                (ntohl(*(__be32 *)ih) & 0x000fffff));
 518
 519         fragment = 0;
 520         ptr = ip6hoff + sizeof(struct ipv6hdr);
 521         currenthdr = ih->nexthdr;
 522         while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
 523                 struct ipv6_opt_hdr _hdr;
 524                 const struct ipv6_opt_hdr *hp;
 525
 526                 hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
 527                 if (hp == NULL) {
 528                         sb_add(m, "TRUNCATED");
 529                         return;
 530                 }
 531
 532                 /* Max length: 48 "OPT (...) " */
 533                 if (logflags & XT_LOG_IPOPT)
 534                         sb_add(m, "OPT ( ");
 535
 536                 switch (currenthdr) {
 537                 case IPPROTO_FRAGMENT: {
 538                         struct frag_hdr _fhdr;
 539                         const struct frag_hdr *fh;
 540
 541                         sb_add(m, "FRAG:");
 542                         fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
 543                                                 &_fhdr);
 544                         if (fh == NULL) {
 545                                 sb_add(m, "TRUNCATED ");
 546                                 return;
 547                         }
 548
 549                         /* Max length: 6 "65535 " */
 550                         sb_add(m, "%u ", ntohs(fh->frag_off) & 0xFFF8);
 551
 552                         /* Max length: 11 "INCOMPLETE " */
 553                         if (fh->frag_off & htons(0x0001))
 554                                 sb_add(m, "INCOMPLETE ");
 555
 556                         sb_add(m, "ID:%08x ", ntohl(fh->identification));
 557
 558                         if (ntohs(fh->frag_off) & 0xFFF8)
 559                                 fragment = 1;
 560
 561                         hdrlen = 8;
 562
 563                         break;
 564                 }
 565                 case IPPROTO_DSTOPTS:
 566                 case IPPROTO_ROUTING:
 567                 case IPPROTO_HOPOPTS:
 568                         if (fragment) {
 569                                 if (logflags & XT_LOG_IPOPT)
 570                                         sb_add(m, ")");
 571                                 return;
 572                         }
 573                         hdrlen = ipv6_optlen(hp);
 574                         break;
 575                 /* Max Length */
 576                 case IPPROTO_AH:
 577                         if (logflags & XT_LOG_IPOPT) {
 578                                 struct ip_auth_hdr _ahdr;
 579                                 const struct ip_auth_hdr *ah;
 580
 581                                 /* Max length: 3 "AH " */
 582                                 sb_add(m, "AH ");
 583
 584                                 if (fragment) {
 585                                         sb_add(m, ")");
 586                                         return;
 587                                 }
 588
 589                                 ah = skb_header_pointer(skb, ptr, sizeof(_ahdr),
 590                                                         &_ahdr);
 591                                 if (ah == NULL) {
 592                                         /*
 593                                          * Max length: 26 "INCOMPLETE [65535
 594                                          *  bytes] )"
 595                                          */
 596                                         sb_add(m, "INCOMPLETE [%u bytes] )",
 597                                                skb->len - ptr);
 598                                         return;
 599                                 }
 600
 601                                 /* Length: 15 "SPI=0xF1234567 */
 602                                 sb_add(m, "SPI=0x%x ", ntohl(ah->spi));
 603
 604                         }
 605
 606                         hdrlen = (hp->hdrlen+2)<<2;
 607                         break;
 608                 case IPPROTO_ESP:
 609                         if (logflags & XT_LOG_IPOPT) {
 610                                 struct ip_esp_hdr _esph;
 611                                 const struct ip_esp_hdr *eh;
 612
 613                                 /* Max length: 4 "ESP " */
 614                                 sb_add(m, "ESP ");
 615
 616                                 if (fragment) {
 617                                         sb_add(m, ")");
 618                                         return;
 619                                 }
 620
 621                                 /*
 622                                  * Max length: 26 "INCOMPLETE [65535 bytes] )"
 623                                  */
 624                                 eh = skb_header_pointer(skb, ptr, sizeof(_esph),
 625                                                         &_esph);
 626                                 if (eh == NULL) {
 627                                         sb_add(m, "INCOMPLETE [%u bytes] )",
 628                                                skb->len - ptr);
 629                                         return;
 630                                 }
 631
 632                                 /* Length: 16 "SPI=0xF1234567 )" */
 633                                 sb_add(m, "SPI=0x%x )", ntohl(eh->spi));
 634
 635                         }
 636                         return;
 637                 default:
 638                         /* Max length: 20 "Unknown Ext Hdr 255" */
 639                         sb_add(m, "Unknown Ext Hdr %u", currenthdr);
 640                         return;
 641                 }
 642                 if (logflags & XT_LOG_IPOPT)
 643                         sb_add(m, ") ");
 644
 645                 currenthdr = hp->nexthdr;
 646                 ptr += hdrlen;
 647         }
 648
 649         switch (currenthdr) {
 650         case IPPROTO_TCP:
 651                 if (dump_tcp_header(m, skb, currenthdr, fragment, ptr,
 652                     logflags))
 653                         return;
 654                 break;
 655         case IPPROTO_UDP:
 656         case IPPROTO_UDPLITE:
 657                 if (dump_udp_header(m, skb, currenthdr, fragment, ptr))
 658                         return;
 659                 break;
 660         case IPPROTO_ICMPV6: {
 661                 struct icmp6hdr _icmp6h;
 662                 const struct icmp6hdr *ic;
 663
 664                 /* Max length: 13 "PROTO=ICMPv6 " */
 665                 sb_add(m, "PROTO=ICMPv6 ");
 666
 667                 if (fragment)
 668                         break;
 669
 670                 /* Max length: 25 "INCOMPLETE [65535 bytes] " */
 671                 ic = skb_header_pointer(skb, ptr, sizeof(_icmp6h), &_icmp6h);
 672                 if (ic == NULL) {
 673                         sb_add(m, "INCOMPLETE [%u bytes] ", skb->len - ptr);
 674                         return;
 675                 }
 676
 677                 /* Max length: 18 "TYPE=255 CODE=255 " */
 678                 sb_add(m, "TYPE=%u CODE=%u ", ic->icmp6_type, ic->icmp6_code);
 679
 680                 switch (ic->icmp6_type) {
 681                 case ICMPV6_ECHO_REQUEST:
 682                 case ICMPV6_ECHO_REPLY:
 683                         /* Max length: 19 "ID=65535 SEQ=65535 " */
 684                         sb_add(m, "ID=%u SEQ=%u ",
 685                                 ntohs(ic->icmp6_identifier),
 686                                 ntohs(ic->icmp6_sequence));
 687                         break;
 688                 case ICMPV6_MGM_QUERY:
 689                 case ICMPV6_MGM_REPORT:
 690                 case ICMPV6_MGM_REDUCTION:
 691                         break;
 692
 693                 case ICMPV6_PARAMPROB:
 694                         /* Max length: 17 "POINTER=ffffffff " */
 695                         sb_add(m, "POINTER=%08x ", ntohl(ic->icmp6_pointer));
 696                         /* Fall through */
 697                 case ICMPV6_DEST_UNREACH:
 698                 case ICMPV6_PKT_TOOBIG:
 699                 case ICMPV6_TIME_EXCEED:
 700                         /* Max length: 3+maxlen */
 701                         if (recurse) {
 702                                 sb_add(m, "[");
 703                                 dump_ipv6_packet(m, info, skb,
 704                                             ptr + sizeof(_icmp6h), 0);
 705                                 sb_add(m, "] ");
 706                         }
 707
 708                         /* Max length: 10 "MTU=65535 " */
 709                         if (ic->icmp6_type == ICMPV6_PKT_TOOBIG)
 710                                 sb_add(m, "MTU=%u ", ntohl(ic->icmp6_mtu));
 711                 }
 712                 break;
 713         }
 714         /* Max length: 10 "PROTO=255 " */
 715         default:
 716                 sb_add(m, "PROTO=%u ", currenthdr);
 717         }
 718
 719         /* Max length: 15 "UID=4294967295 " */
 720         if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
 721                 read_lock_bh(&skb->sk->sk_callback_lock);
 722                 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
 723                         sb_add(m, "UID=%u GID=%u ",
 724                                 skb->sk->sk_socket->file->f_cred->fsuid,
 725                                 skb->sk->sk_socket->file->f_cred->fsgid);
 726                 read_unlock_bh(&skb->sk->sk_callback_lock);
 727         }
 728
 729         /* Max length: 16 "MARK=0xFFFFFFFF " */
 730         if (!recurse && skb->mark)
 731                 sb_add(m, "MARK=0x%x ", skb->mark);
 732 }
 733
 734 static void dump_ipv6_mac_header(struct sbuff *m,
 735                             const struct nf_loginfo *info,
 736                             const struct sk_buff *skb)
 737 {
 738         struct net_device *dev = skb->dev;
 739         unsigned int logflags = 0;
 740
 741         if (info->type == NF_LOG_TYPE_LOG)
 742                 logflags = info->u.log.logflags;
 743
 744         if (!(logflags & XT_LOG_MACDECODE))
 745                 goto fallback;
 746
 747         switch (dev->type) {
 748         case ARPHRD_ETHER:
 749                 sb_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
 750                        eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
 751                        ntohs(eth_hdr(skb)->h_proto));
 752                 return;
 753         default:
 754                 break;
 755         }
 756
 757 fallback:
 758         sb_add(m, "MAC=");
 759         if (dev->hard_header_len &&
 760             skb->mac_header != skb->network_header) {
 761                 const unsigned char *p = skb_mac_header(skb);
 762                 unsigned int len = dev->hard_header_len;
 763                 unsigned int i;
 764
 765                 if (dev->type == ARPHRD_SIT) {
 766                         p -= ETH_HLEN;
 767
 768                         if (p < skb->head)
 769                                 p = NULL;
 770                 }
 771
 772                 if (p != NULL) {
 773                         sb_add(m, "%02x", *p++);
 774                         for (i = 1; i < len; i++)
 775                                 sb_add(m, ":%02x", *p++);
 776                 }
 777                 sb_add(m, " ");
 778
 779                 if (dev->type == ARPHRD_SIT) {
 780                         const struct iphdr *iph =
 781                                 (struct iphdr *)skb_mac_header(skb);
 782                         sb_add(m, "TUNNEL=%pI4->%pI4 ", &iph->saddr,
 783                                &iph->daddr);
 784                 }
 785         } else
 786                 sb_add(m, " ");
 787 }
 788
 789 static void
 790 ip6t_log_packet(u_int8_t pf,
 791                 unsigned int hooknum,
 792                 const struct sk_buff *skb,
 793                 const struct net_device *in,
 794                 const struct net_device *out,
 795                 const struct nf_loginfo *loginfo,
 796                 const char *prefix)
 797 {
 798         struct sbuff *m = sb_open();
 799
 800         if (!loginfo)
 801                 loginfo = &default_loginfo;
 802
 803         log_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
 804
 805         if (in != NULL)
 806                 dump_ipv6_mac_header(m, loginfo, skb);
 807
 808         dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
 809
 810         sb_close(m);
 811 }
 812 #endif
 813
 814 static unsigned int
 815 log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 816 {
 817         const struct xt_log_info *loginfo = par->targinfo;
 818         struct nf_loginfo li;
 819
 820         li.type = NF_LOG_TYPE_LOG;
 821         li.u.log.level = loginfo->level;
 822         li.u.log.logflags = loginfo->logflags;
 823
 824         if (par->family == NFPROTO_IPV4)
 825                 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
 826                                par->out, &li, loginfo->prefix);
 827 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 828         else if (par->family == NFPROTO_IPV6)
 829                 ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
 830                                 par->out, &li, loginfo->prefix);
 831 #endif
 832         else
 833                 WARN_ON_ONCE(1);
 834
 835         return XT_CONTINUE;
 836 }
 837
 838 static int log_tg_check(const struct xt_tgchk_param *par)
 839 {
 840         const struct xt_log_info *loginfo = par->targinfo;
 841
 842         if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6)
 843                 return -EINVAL;
 844
 845         if (loginfo->level >= 8) {
 846                 pr_debug("level %u >= 8\n", loginfo->level);
 847                 return -EINVAL;
 848         }
 849
 850         if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
 851                 pr_debug("prefix is not null-terminated\n");
 852                 return -EINVAL;
 853         }
 854
 855         return 0;
 856 }
 857
 858 static struct xt_target log_tg_regs[] __read_mostly = {
 859         {
 860                 .name           = "LOG",
 861                 .family         = NFPROTO_IPV4,
 862                 .target         = log_tg,
 863                 .targetsize     = sizeof(struct xt_log_info),
 864                 .checkentry     = log_tg_check,
 865                 .me             = THIS_MODULE,
 866         },
 867 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 868         {
 869                 .name           = "LOG",
 870                 .family         = NFPROTO_IPV6,
 871                 .target         = log_tg,
 872                 .targetsize     = sizeof(struct xt_log_info),
 873                 .checkentry     = log_tg_check,
 874                 .me             = THIS_MODULE,
 875         },
 876 #endif
 877 };
 878
 879 static struct nf_logger ipt_log_logger __read_mostly = {
 880         .name           = "ipt_LOG",
 881         .logfn          = &ipt_log_packet,
 882         .me             = THIS_MODULE,
 883 };
 884
 885 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 886 static struct nf_logger ip6t_log_logger __read_mostly = {
 887         .name           = "ip6t_LOG",
 888         .logfn          = &ip6t_log_packet,
 889         .me             = THIS_MODULE,
 890 };
 891 #endif
 892
 893 static int __init log_tg_init(void)
 894 {
 895         int ret;
 896
 897         ret = xt_register_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
 898         if (ret < 0)
 899                 return ret;
 900
 901         nf_log_register(NFPROTO_IPV4, &ipt_log_logger);
 902 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 903         nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
 904 #endif
 905         return 0;
 906 }
 907
 908 static void __exit log_tg_exit(void)
 909 {
 910         nf_log_unregister(&ipt_log_logger);
 911 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 912         nf_log_unregister(&ip6t_log_logger);
 913 #endif
 914         xt_unregister_targets(log_tg_regs, ARRAY_SIZE(log_tg_regs));
 915 }
 916
 917 module_init(log_tg_init);
 918 module_exit(log_tg_exit);
 919
 920 MODULE_LICENSE("GPL");
 921 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 922 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
 923 MODULE_DESCRIPTION("Xtables: IPv4/IPv6 packet logging");
 924 MODULE_ALIAS("ipt_LOG");
 925 MODULE_ALIAS("ip6t_LOG");