1 /* 2 * This is a module which is used for logging packets to userspace via 3 * nfetlink. 4 * 5 * (C) 2005 by Harald Welte <laforge@netfilter.org> 6 * (C) 2006-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * Based on the old ipv4-only ipt_ULOG.c: 9 * (C) 2000-2004 by Harald Welte <laforge@netfilter.org> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2 as 13 * published by the Free Software Foundation. 14 */ 15 16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 17 18 #include <linux/module.h> 19 #include <linux/skbuff.h> 20 #include <linux/if_arp.h> 21 #include <linux/init.h> 22 #include <linux/ip.h> 23 #include <linux/ipv6.h> 24 #include <linux/netdevice.h> 25 #include <linux/netfilter.h> 26 #include <linux/netfilter_bridge.h> 27 #include <net/netlink.h> 28 #include <linux/netfilter/nfnetlink.h> 29 #include <linux/netfilter/nfnetlink_log.h> 30 #include <linux/netfilter/nf_conntrack_common.h> 31 #include <linux/spinlock.h> 32 #include <linux/sysctl.h> 33 #include <linux/proc_fs.h> 34 #include <linux/security.h> 35 #include <linux/list.h> 36 #include <linux/slab.h> 37 #include <net/sock.h> 38 #include <net/netfilter/nf_log.h> 39 #include <net/netns/generic.h> 40 #include <net/netfilter/nfnetlink_log.h> 41 42 #include <linux/atomic.h> 43 #include <linux/refcount.h> 44 45 46 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 47 #include "../bridge/br_private.h" 48 #endif 49 50 #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE 51 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */ 52 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */ 53 /* max packet size is limited by 16-bit struct nfattr nfa_len field */ 54 #define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN) 55 56 #define PRINTR(x, args...) do { if (net_ratelimit()) \ 57 printk(x, ## args); } while (0); 58 59 struct nfulnl_instance { 60 struct hlist_node hlist; /* global list of instances */ 61 spinlock_t lock; 62 refcount_t use; /* use count */ 63 64 unsigned int qlen; /* number of nlmsgs in skb */ 65 struct sk_buff *skb; /* pre-allocatd skb */ 66 struct timer_list timer; 67 struct net *net; 68 struct user_namespace *peer_user_ns; /* User namespace of the peer process */ 69 u32 peer_portid; /* PORTID of the peer process */ 70 71 /* configurable parameters */ 72 unsigned int flushtimeout; /* timeout until queue flush */ 73 unsigned int nlbufsiz; /* netlink buffer allocation size */ 74 unsigned int qthreshold; /* threshold of the queue */ 75 u_int32_t copy_range; 76 u_int32_t seq; /* instance-local sequential counter */ 77 u_int16_t group_num; /* number of this queue */ 78 u_int16_t flags; 79 u_int8_t copy_mode; 80 struct rcu_head rcu; 81 }; 82 83 #define INSTANCE_BUCKETS 16 84 85 static unsigned int nfnl_log_net_id __read_mostly; 86 87 struct nfnl_log_net { 88 spinlock_t instances_lock; 89 struct hlist_head instance_table[INSTANCE_BUCKETS]; 90 atomic_t global_seq; 91 }; 92 93 static struct nfnl_log_net *nfnl_log_pernet(struct net *net) 94 { 95 return net_generic(net, nfnl_log_net_id); 96 } 97 98 static inline u_int8_t instance_hashfn(u_int16_t group_num) 99 { 100 return ((group_num & 0xff) % INSTANCE_BUCKETS); 101 } 102 103 static struct nfulnl_instance * 104 __instance_lookup(struct nfnl_log_net *log, u_int16_t group_num) 105 { 106 struct hlist_head *head; 107 struct nfulnl_instance *inst; 108 109 head = &log->instance_table[instance_hashfn(group_num)]; 110 hlist_for_each_entry_rcu(inst, head, hlist) { 111 if (inst->group_num == group_num) 112 return inst; 113 } 114 return NULL; 115 } 116 117 static inline void 118 instance_get(struct nfulnl_instance *inst) 119 { 120 refcount_inc(&inst->use); 121 } 122 123 static struct nfulnl_instance * 124 instance_lookup_get(struct nfnl_log_net *log, u_int16_t group_num) 125 { 126 struct nfulnl_instance *inst; 127 128 rcu_read_lock_bh(); 129 inst = __instance_lookup(log, group_num); 130 if (inst && !refcount_inc_not_zero(&inst->use)) 131 inst = NULL; 132 rcu_read_unlock_bh(); 133 134 return inst; 135 } 136 137 static void nfulnl_instance_free_rcu(struct rcu_head *head) 138 { 139 struct nfulnl_instance *inst = 140 container_of(head, struct nfulnl_instance, rcu); 141 142 put_net(inst->net); 143 kfree(inst); 144 module_put(THIS_MODULE); 145 } 146 147 static void 148 instance_put(struct nfulnl_instance *inst) 149 { 150 if (inst && refcount_dec_and_test(&inst->use)) 151 call_rcu_bh(&inst->rcu, nfulnl_instance_free_rcu); 152 } 153 154 static void nfulnl_timer(struct timer_list *t); 155 156 static struct nfulnl_instance * 157 instance_create(struct net *net, u_int16_t group_num, 158 u32 portid, struct user_namespace *user_ns) 159 { 160 struct nfulnl_instance *inst; 161 struct nfnl_log_net *log = nfnl_log_pernet(net); 162 int err; 163 164 spin_lock_bh(&log->instances_lock); 165 if (__instance_lookup(log, group_num)) { 166 err = -EEXIST; 167 goto out_unlock; 168 } 169 170 inst = kzalloc(sizeof(*inst), GFP_ATOMIC); 171 if (!inst) { 172 err = -ENOMEM; 173 goto out_unlock; 174 } 175 176 if (!try_module_get(THIS_MODULE)) { 177 kfree(inst); 178 err = -EAGAIN; 179 goto out_unlock; 180 } 181 182 INIT_HLIST_NODE(&inst->hlist); 183 spin_lock_init(&inst->lock); 184 /* needs to be two, since we _put() after creation */ 185 refcount_set(&inst->use, 2); 186 187 timer_setup(&inst->timer, nfulnl_timer, 0); 188 189 inst->net = get_net(net); 190 inst->peer_user_ns = user_ns; 191 inst->peer_portid = portid; 192 inst->group_num = group_num; 193 194 inst->qthreshold = NFULNL_QTHRESH_DEFAULT; 195 inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT; 196 inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT; 197 inst->copy_mode = NFULNL_COPY_PACKET; 198 inst->copy_range = NFULNL_COPY_RANGE_MAX; 199 200 hlist_add_head_rcu(&inst->hlist, 201 &log->instance_table[instance_hashfn(group_num)]); 202 203 204 spin_unlock_bh(&log->instances_lock); 205 206 return inst; 207 208 out_unlock: 209 spin_unlock_bh(&log->instances_lock); 210 return ERR_PTR(err); 211 } 212 213 static void __nfulnl_flush(struct nfulnl_instance *inst); 214 215 /* called with BH disabled */ 216 static void 217 __instance_destroy(struct nfulnl_instance *inst) 218 { 219 /* first pull it out of the global list */ 220 hlist_del_rcu(&inst->hlist); 221 222 /* then flush all pending packets from skb */ 223 224 spin_lock(&inst->lock); 225 226 /* lockless readers wont be able to use us */ 227 inst->copy_mode = NFULNL_COPY_DISABLED; 228 229 if (inst->skb) 230 __nfulnl_flush(inst); 231 spin_unlock(&inst->lock); 232 233 /* and finally put the refcount */ 234 instance_put(inst); 235 } 236 237 static inline void 238 instance_destroy(struct nfnl_log_net *log, 239 struct nfulnl_instance *inst) 240 { 241 spin_lock_bh(&log->instances_lock); 242 __instance_destroy(inst); 243 spin_unlock_bh(&log->instances_lock); 244 } 245 246 static int 247 nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode, 248 unsigned int range) 249 { 250 int status = 0; 251 252 spin_lock_bh(&inst->lock); 253 254 switch (mode) { 255 case NFULNL_COPY_NONE: 256 case NFULNL_COPY_META: 257 inst->copy_mode = mode; 258 inst->copy_range = 0; 259 break; 260 261 case NFULNL_COPY_PACKET: 262 inst->copy_mode = mode; 263 if (range == 0) 264 range = NFULNL_COPY_RANGE_MAX; 265 inst->copy_range = min_t(unsigned int, 266 range, NFULNL_COPY_RANGE_MAX); 267 break; 268 269 default: 270 status = -EINVAL; 271 break; 272 } 273 274 spin_unlock_bh(&inst->lock); 275 276 return status; 277 } 278 279 static int 280 nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz) 281 { 282 int status; 283 284 spin_lock_bh(&inst->lock); 285 if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT) 286 status = -ERANGE; 287 else if (nlbufsiz > 131072) 288 status = -ERANGE; 289 else { 290 inst->nlbufsiz = nlbufsiz; 291 status = 0; 292 } 293 spin_unlock_bh(&inst->lock); 294 295 return status; 296 } 297 298 static void 299 nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout) 300 { 301 spin_lock_bh(&inst->lock); 302 inst->flushtimeout = timeout; 303 spin_unlock_bh(&inst->lock); 304 } 305 306 static void 307 nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh) 308 { 309 spin_lock_bh(&inst->lock); 310 inst->qthreshold = qthresh; 311 spin_unlock_bh(&inst->lock); 312 } 313 314 static int 315 nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags) 316 { 317 spin_lock_bh(&inst->lock); 318 inst->flags = flags; 319 spin_unlock_bh(&inst->lock); 320 321 return 0; 322 } 323 324 static struct sk_buff * 325 nfulnl_alloc_skb(struct net *net, u32 peer_portid, unsigned int inst_size, 326 unsigned int pkt_size) 327 { 328 struct sk_buff *skb; 329 unsigned int n; 330 331 /* alloc skb which should be big enough for a whole multipart 332 * message. WARNING: has to be <= 128k due to slab restrictions */ 333 334 n = max(inst_size, pkt_size); 335 skb = alloc_skb(n, GFP_ATOMIC | __GFP_NOWARN); 336 if (!skb) { 337 if (n > pkt_size) { 338 /* try to allocate only as much as we need for current 339 * packet */ 340 341 skb = alloc_skb(pkt_size, GFP_ATOMIC); 342 } 343 } 344 345 return skb; 346 } 347 348 static void 349 __nfulnl_send(struct nfulnl_instance *inst) 350 { 351 if (inst->qlen > 1) { 352 struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, 353 NLMSG_DONE, 354 sizeof(struct nfgenmsg), 355 0); 356 if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", 357 inst->skb->len, skb_tailroom(inst->skb))) { 358 kfree_skb(inst->skb); 359 goto out; 360 } 361 } 362 nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, 363 MSG_DONTWAIT); 364 out: 365 inst->qlen = 0; 366 inst->skb = NULL; 367 } 368 369 static void 370 __nfulnl_flush(struct nfulnl_instance *inst) 371 { 372 /* timer holds a reference */ 373 if (del_timer(&inst->timer)) 374 instance_put(inst); 375 if (inst->skb) 376 __nfulnl_send(inst); 377 } 378 379 static void 380 nfulnl_timer(struct timer_list *t) 381 { 382 struct nfulnl_instance *inst = from_timer(inst, t, timer); 383 384 spin_lock_bh(&inst->lock); 385 if (inst->skb) 386 __nfulnl_send(inst); 387 spin_unlock_bh(&inst->lock); 388 instance_put(inst); 389 } 390 391 /* This is an inline function, we don't really care about a long 392 * list of arguments */ 393 static inline int 394 __build_packet_message(struct nfnl_log_net *log, 395 struct nfulnl_instance *inst, 396 const struct sk_buff *skb, 397 unsigned int data_len, 398 u_int8_t pf, 399 unsigned int hooknum, 400 const struct net_device *indev, 401 const struct net_device *outdev, 402 const char *prefix, unsigned int plen, 403 const struct nfnl_ct_hook *nfnl_ct, 404 struct nf_conn *ct, enum ip_conntrack_info ctinfo) 405 { 406 struct nfulnl_msg_packet_hdr pmsg; 407 struct nlmsghdr *nlh; 408 struct nfgenmsg *nfmsg; 409 sk_buff_data_t old_tail = inst->skb->tail; 410 struct sock *sk; 411 const unsigned char *hwhdrp; 412 413 nlh = nlmsg_put(inst->skb, 0, 0, 414 nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), 415 sizeof(struct nfgenmsg), 0); 416 if (!nlh) 417 return -1; 418 nfmsg = nlmsg_data(nlh); 419 nfmsg->nfgen_family = pf; 420 nfmsg->version = NFNETLINK_V0; 421 nfmsg->res_id = htons(inst->group_num); 422 423 memset(&pmsg, 0, sizeof(pmsg)); 424 pmsg.hw_protocol = skb->protocol; 425 pmsg.hook = hooknum; 426 427 if (nla_put(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg)) 428 goto nla_put_failure; 429 430 if (prefix && 431 nla_put(inst->skb, NFULA_PREFIX, plen, prefix)) 432 goto nla_put_failure; 433 434 if (indev) { 435 #if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 436 if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 437 htonl(indev->ifindex))) 438 goto nla_put_failure; 439 #else 440 if (pf == PF_BRIDGE) { 441 /* Case 1: outdev is physical input device, we need to 442 * look for bridge group (when called from 443 * netfilter_bridge) */ 444 if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV, 445 htonl(indev->ifindex)) || 446 /* this is the bridge group "brX" */ 447 /* rcu_read_lock()ed by nf_hook_thresh or 448 * nf_log_packet. 449 */ 450 nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 451 htonl(br_port_get_rcu(indev)->br->dev->ifindex))) 452 goto nla_put_failure; 453 } else { 454 struct net_device *physindev; 455 456 /* Case 2: indev is bridge group, we need to look for 457 * physical device (when called from ipv4) */ 458 if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 459 htonl(indev->ifindex))) 460 goto nla_put_failure; 461 462 physindev = nf_bridge_get_physindev(skb); 463 if (physindev && 464 nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV, 465 htonl(physindev->ifindex))) 466 goto nla_put_failure; 467 } 468 #endif 469 } 470 471 if (outdev) { 472 #if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 473 if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 474 htonl(outdev->ifindex))) 475 goto nla_put_failure; 476 #else 477 if (pf == PF_BRIDGE) { 478 /* Case 1: outdev is physical output device, we need to 479 * look for bridge group (when called from 480 * netfilter_bridge) */ 481 if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, 482 htonl(outdev->ifindex)) || 483 /* this is the bridge group "brX" */ 484 /* rcu_read_lock()ed by nf_hook_thresh or 485 * nf_log_packet. 486 */ 487 nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 488 htonl(br_port_get_rcu(outdev)->br->dev->ifindex))) 489 goto nla_put_failure; 490 } else { 491 struct net_device *physoutdev; 492 493 /* Case 2: indev is a bridge group, we need to look 494 * for physical device (when called from ipv4) */ 495 if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 496 htonl(outdev->ifindex))) 497 goto nla_put_failure; 498 499 physoutdev = nf_bridge_get_physoutdev(skb); 500 if (physoutdev && 501 nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, 502 htonl(physoutdev->ifindex))) 503 goto nla_put_failure; 504 } 505 #endif 506 } 507 508 if (skb->mark && 509 nla_put_be32(inst->skb, NFULA_MARK, htonl(skb->mark))) 510 goto nla_put_failure; 511 512 if (indev && skb->dev && 513 skb->mac_header != skb->network_header) { 514 struct nfulnl_msg_packet_hw phw; 515 int len; 516 517 memset(&phw, 0, sizeof(phw)); 518 len = dev_parse_header(skb, phw.hw_addr); 519 if (len > 0) { 520 phw.hw_addrlen = htons(len); 521 if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw)) 522 goto nla_put_failure; 523 } 524 } 525 526 if (indev && skb_mac_header_was_set(skb)) { 527 if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) || 528 nla_put_be16(inst->skb, NFULA_HWLEN, 529 htons(skb->dev->hard_header_len))) 530 goto nla_put_failure; 531 532 hwhdrp = skb_mac_header(skb); 533 534 if (skb->dev->type == ARPHRD_SIT) 535 hwhdrp -= ETH_HLEN; 536 537 if (hwhdrp >= skb->head && 538 nla_put(inst->skb, NFULA_HWHEADER, 539 skb->dev->hard_header_len, hwhdrp)) 540 goto nla_put_failure; 541 } 542 543 if (skb->tstamp) { 544 struct nfulnl_msg_packet_timestamp ts; 545 struct timespec64 kts = ktime_to_timespec64(skb->tstamp); 546 ts.sec = cpu_to_be64(kts.tv_sec); 547 ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC); 548 549 if (nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts)) 550 goto nla_put_failure; 551 } 552 553 /* UID */ 554 sk = skb->sk; 555 if (sk && sk_fullsock(sk)) { 556 read_lock_bh(&sk->sk_callback_lock); 557 if (sk->sk_socket && sk->sk_socket->file) { 558 struct file *file = sk->sk_socket->file; 559 const struct cred *cred = file->f_cred; 560 struct user_namespace *user_ns = inst->peer_user_ns; 561 __be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid)); 562 __be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid)); 563 read_unlock_bh(&sk->sk_callback_lock); 564 if (nla_put_be32(inst->skb, NFULA_UID, uid) || 565 nla_put_be32(inst->skb, NFULA_GID, gid)) 566 goto nla_put_failure; 567 } else 568 read_unlock_bh(&sk->sk_callback_lock); 569 } 570 571 /* local sequence number */ 572 if ((inst->flags & NFULNL_CFG_F_SEQ) && 573 nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++))) 574 goto nla_put_failure; 575 576 /* global sequence number */ 577 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) && 578 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL, 579 htonl(atomic_inc_return(&log->global_seq)))) 580 goto nla_put_failure; 581 582 if (ct && nfnl_ct->build(inst->skb, ct, ctinfo, 583 NFULA_CT, NFULA_CT_INFO) < 0) 584 goto nla_put_failure; 585 586 if (data_len) { 587 struct nlattr *nla; 588 int size = nla_attr_size(data_len); 589 590 if (skb_tailroom(inst->skb) < nla_total_size(data_len)) 591 goto nla_put_failure; 592 593 nla = skb_put(inst->skb, nla_total_size(data_len)); 594 nla->nla_type = NFULA_PAYLOAD; 595 nla->nla_len = size; 596 597 if (skb_copy_bits(skb, 0, nla_data(nla), data_len)) 598 BUG(); 599 } 600 601 nlh->nlmsg_len = inst->skb->tail - old_tail; 602 return 0; 603 604 nla_put_failure: 605 PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n"); 606 return -1; 607 } 608 609 static const struct nf_loginfo default_loginfo = { 610 .type = NF_LOG_TYPE_ULOG, 611 .u = { 612 .ulog = { 613 .copy_len = 0xffff, 614 .group = 0, 615 .qthreshold = 1, 616 }, 617 }, 618 }; 619 620 /* log handler for internal netfilter logging api */ 621 void 622 nfulnl_log_packet(struct net *net, 623 u_int8_t pf, 624 unsigned int hooknum, 625 const struct sk_buff *skb, 626 const struct net_device *in, 627 const struct net_device *out, 628 const struct nf_loginfo *li_user, 629 const char *prefix) 630 { 631 size_t size; 632 unsigned int data_len; 633 struct nfulnl_instance *inst; 634 const struct nf_loginfo *li; 635 unsigned int qthreshold; 636 unsigned int plen; 637 struct nfnl_log_net *log = nfnl_log_pernet(net); 638 const struct nfnl_ct_hook *nfnl_ct = NULL; 639 struct nf_conn *ct = NULL; 640 enum ip_conntrack_info uninitialized_var(ctinfo); 641 642 if (li_user && li_user->type == NF_LOG_TYPE_ULOG) 643 li = li_user; 644 else 645 li = &default_loginfo; 646 647 inst = instance_lookup_get(log, li->u.ulog.group); 648 if (!inst) 649 return; 650 651 plen = 0; 652 if (prefix) 653 plen = strlen(prefix) + 1; 654 655 /* FIXME: do we want to make the size calculation conditional based on 656 * what is actually present? way more branches and checks, but more 657 * memory efficient... */ 658 size = nlmsg_total_size(sizeof(struct nfgenmsg)) 659 + nla_total_size(sizeof(struct nfulnl_msg_packet_hdr)) 660 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 661 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 662 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 663 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 664 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 665 #endif 666 + nla_total_size(sizeof(u_int32_t)) /* mark */ 667 + nla_total_size(sizeof(u_int32_t)) /* uid */ 668 + nla_total_size(sizeof(u_int32_t)) /* gid */ 669 + nla_total_size(plen) /* prefix */ 670 + nla_total_size(sizeof(struct nfulnl_msg_packet_hw)) 671 + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp)) 672 + nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */ 673 674 if (in && skb_mac_header_was_set(skb)) { 675 size += nla_total_size(skb->dev->hard_header_len) 676 + nla_total_size(sizeof(u_int16_t)) /* hwtype */ 677 + nla_total_size(sizeof(u_int16_t)); /* hwlen */ 678 } 679 680 spin_lock_bh(&inst->lock); 681 682 if (inst->flags & NFULNL_CFG_F_SEQ) 683 size += nla_total_size(sizeof(u_int32_t)); 684 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) 685 size += nla_total_size(sizeof(u_int32_t)); 686 if (inst->flags & NFULNL_CFG_F_CONNTRACK) { 687 nfnl_ct = rcu_dereference(nfnl_ct_hook); 688 if (nfnl_ct != NULL) { 689 ct = nfnl_ct->get_ct(skb, &ctinfo); 690 if (ct != NULL) 691 size += nfnl_ct->build_size(ct); 692 } 693 } 694 695 qthreshold = inst->qthreshold; 696 /* per-rule qthreshold overrides per-instance */ 697 if (li->u.ulog.qthreshold) 698 if (qthreshold > li->u.ulog.qthreshold) 699 qthreshold = li->u.ulog.qthreshold; 700 701 702 switch (inst->copy_mode) { 703 case NFULNL_COPY_META: 704 case NFULNL_COPY_NONE: 705 data_len = 0; 706 break; 707 708 case NFULNL_COPY_PACKET: 709 data_len = inst->copy_range; 710 if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) && 711 (li->u.ulog.copy_len < data_len)) 712 data_len = li->u.ulog.copy_len; 713 714 if (data_len > skb->len) 715 data_len = skb->len; 716 717 size += nla_total_size(data_len); 718 break; 719 720 case NFULNL_COPY_DISABLED: 721 default: 722 goto unlock_and_release; 723 } 724 725 if (inst->skb && size > skb_tailroom(inst->skb)) { 726 /* either the queue len is too high or we don't have 727 * enough room in the skb left. flush to userspace. */ 728 __nfulnl_flush(inst); 729 } 730 731 if (!inst->skb) { 732 inst->skb = nfulnl_alloc_skb(net, inst->peer_portid, 733 inst->nlbufsiz, size); 734 if (!inst->skb) 735 goto alloc_failure; 736 } 737 738 inst->qlen++; 739 740 __build_packet_message(log, inst, skb, data_len, pf, 741 hooknum, in, out, prefix, plen, 742 nfnl_ct, ct, ctinfo); 743 744 if (inst->qlen >= qthreshold) 745 __nfulnl_flush(inst); 746 /* timer_pending always called within inst->lock, so there 747 * is no chance of a race here */ 748 else if (!timer_pending(&inst->timer)) { 749 instance_get(inst); 750 inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100); 751 add_timer(&inst->timer); 752 } 753 754 unlock_and_release: 755 spin_unlock_bh(&inst->lock); 756 instance_put(inst); 757 return; 758 759 alloc_failure: 760 /* FIXME: statistics */ 761 goto unlock_and_release; 762 } 763 EXPORT_SYMBOL_GPL(nfulnl_log_packet); 764 765 static int 766 nfulnl_rcv_nl_event(struct notifier_block *this, 767 unsigned long event, void *ptr) 768 { 769 struct netlink_notify *n = ptr; 770 struct nfnl_log_net *log = nfnl_log_pernet(n->net); 771 772 if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) { 773 int i; 774 775 /* destroy all instances for this portid */ 776 spin_lock_bh(&log->instances_lock); 777 for (i = 0; i < INSTANCE_BUCKETS; i++) { 778 struct hlist_node *t2; 779 struct nfulnl_instance *inst; 780 struct hlist_head *head = &log->instance_table[i]; 781 782 hlist_for_each_entry_safe(inst, t2, head, hlist) { 783 if (n->portid == inst->peer_portid) 784 __instance_destroy(inst); 785 } 786 } 787 spin_unlock_bh(&log->instances_lock); 788 } 789 return NOTIFY_DONE; 790 } 791 792 static struct notifier_block nfulnl_rtnl_notifier = { 793 .notifier_call = nfulnl_rcv_nl_event, 794 }; 795 796 static int nfulnl_recv_unsupp(struct net *net, struct sock *ctnl, 797 struct sk_buff *skb, const struct nlmsghdr *nlh, 798 const struct nlattr * const nfqa[], 799 struct netlink_ext_ack *extack) 800 { 801 return -ENOTSUPP; 802 } 803 804 static struct nf_logger nfulnl_logger __read_mostly = { 805 .name = "nfnetlink_log", 806 .type = NF_LOG_TYPE_ULOG, 807 .logfn = nfulnl_log_packet, 808 .me = THIS_MODULE, 809 }; 810 811 static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = { 812 [NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) }, 813 [NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) }, 814 [NFULA_CFG_TIMEOUT] = { .type = NLA_U32 }, 815 [NFULA_CFG_QTHRESH] = { .type = NLA_U32 }, 816 [NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 }, 817 [NFULA_CFG_FLAGS] = { .type = NLA_U16 }, 818 }; 819 820 static int nfulnl_recv_config(struct net *net, struct sock *ctnl, 821 struct sk_buff *skb, const struct nlmsghdr *nlh, 822 const struct nlattr * const nfula[], 823 struct netlink_ext_ack *extack) 824 { 825 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 826 u_int16_t group_num = ntohs(nfmsg->res_id); 827 struct nfulnl_instance *inst; 828 struct nfulnl_msg_config_cmd *cmd = NULL; 829 struct nfnl_log_net *log = nfnl_log_pernet(net); 830 int ret = 0; 831 u16 flags = 0; 832 833 if (nfula[NFULA_CFG_CMD]) { 834 u_int8_t pf = nfmsg->nfgen_family; 835 cmd = nla_data(nfula[NFULA_CFG_CMD]); 836 837 /* Commands without queue context */ 838 switch (cmd->command) { 839 case NFULNL_CFG_CMD_PF_BIND: 840 return nf_log_bind_pf(net, pf, &nfulnl_logger); 841 case NFULNL_CFG_CMD_PF_UNBIND: 842 nf_log_unbind_pf(net, pf); 843 return 0; 844 } 845 } 846 847 inst = instance_lookup_get(log, group_num); 848 if (inst && inst->peer_portid != NETLINK_CB(skb).portid) { 849 ret = -EPERM; 850 goto out_put; 851 } 852 853 /* Check if we support these flags in first place, dependencies should 854 * be there too not to break atomicity. 855 */ 856 if (nfula[NFULA_CFG_FLAGS]) { 857 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS])); 858 859 if ((flags & NFULNL_CFG_F_CONNTRACK) && 860 !rcu_access_pointer(nfnl_ct_hook)) { 861 #ifdef CONFIG_MODULES 862 nfnl_unlock(NFNL_SUBSYS_ULOG); 863 request_module("ip_conntrack_netlink"); 864 nfnl_lock(NFNL_SUBSYS_ULOG); 865 if (rcu_access_pointer(nfnl_ct_hook)) { 866 ret = -EAGAIN; 867 goto out_put; 868 } 869 #endif 870 ret = -EOPNOTSUPP; 871 goto out_put; 872 } 873 } 874 875 if (cmd != NULL) { 876 switch (cmd->command) { 877 case NFULNL_CFG_CMD_BIND: 878 if (inst) { 879 ret = -EBUSY; 880 goto out_put; 881 } 882 883 inst = instance_create(net, group_num, 884 NETLINK_CB(skb).portid, 885 sk_user_ns(NETLINK_CB(skb).sk)); 886 if (IS_ERR(inst)) { 887 ret = PTR_ERR(inst); 888 goto out; 889 } 890 break; 891 case NFULNL_CFG_CMD_UNBIND: 892 if (!inst) { 893 ret = -ENODEV; 894 goto out; 895 } 896 897 instance_destroy(log, inst); 898 goto out_put; 899 default: 900 ret = -ENOTSUPP; 901 goto out_put; 902 } 903 } else if (!inst) { 904 ret = -ENODEV; 905 goto out; 906 } 907 908 if (nfula[NFULA_CFG_MODE]) { 909 struct nfulnl_msg_config_mode *params = 910 nla_data(nfula[NFULA_CFG_MODE]); 911 912 nfulnl_set_mode(inst, params->copy_mode, 913 ntohl(params->copy_range)); 914 } 915 916 if (nfula[NFULA_CFG_TIMEOUT]) { 917 __be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]); 918 919 nfulnl_set_timeout(inst, ntohl(timeout)); 920 } 921 922 if (nfula[NFULA_CFG_NLBUFSIZ]) { 923 __be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]); 924 925 nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz)); 926 } 927 928 if (nfula[NFULA_CFG_QTHRESH]) { 929 __be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]); 930 931 nfulnl_set_qthresh(inst, ntohl(qthresh)); 932 } 933 934 if (nfula[NFULA_CFG_FLAGS]) 935 nfulnl_set_flags(inst, flags); 936 937 out_put: 938 instance_put(inst); 939 out: 940 return ret; 941 } 942 943 static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = { 944 [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp, 945 .attr_count = NFULA_MAX, }, 946 [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config, 947 .attr_count = NFULA_CFG_MAX, 948 .policy = nfula_cfg_policy }, 949 }; 950 951 static const struct nfnetlink_subsystem nfulnl_subsys = { 952 .name = "log", 953 .subsys_id = NFNL_SUBSYS_ULOG, 954 .cb_count = NFULNL_MSG_MAX, 955 .cb = nfulnl_cb, 956 }; 957 958 #ifdef CONFIG_PROC_FS 959 struct iter_state { 960 struct seq_net_private p; 961 unsigned int bucket; 962 }; 963 964 static struct hlist_node *get_first(struct net *net, struct iter_state *st) 965 { 966 struct nfnl_log_net *log; 967 if (!st) 968 return NULL; 969 970 log = nfnl_log_pernet(net); 971 972 for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) { 973 struct hlist_head *head = &log->instance_table[st->bucket]; 974 975 if (!hlist_empty(head)) 976 return rcu_dereference_bh(hlist_first_rcu(head)); 977 } 978 return NULL; 979 } 980 981 static struct hlist_node *get_next(struct net *net, struct iter_state *st, 982 struct hlist_node *h) 983 { 984 h = rcu_dereference_bh(hlist_next_rcu(h)); 985 while (!h) { 986 struct nfnl_log_net *log; 987 struct hlist_head *head; 988 989 if (++st->bucket >= INSTANCE_BUCKETS) 990 return NULL; 991 992 log = nfnl_log_pernet(net); 993 head = &log->instance_table[st->bucket]; 994 h = rcu_dereference_bh(hlist_first_rcu(head)); 995 } 996 return h; 997 } 998 999 static struct hlist_node *get_idx(struct net *net, struct iter_state *st, 1000 loff_t pos) 1001 { 1002 struct hlist_node *head; 1003 head = get_first(net, st); 1004 1005 if (head) 1006 while (pos && (head = get_next(net, st, head))) 1007 pos--; 1008 return pos ? NULL : head; 1009 } 1010 1011 static void *seq_start(struct seq_file *s, loff_t *pos) 1012 __acquires(rcu_bh) 1013 { 1014 rcu_read_lock_bh(); 1015 return get_idx(seq_file_net(s), s->private, *pos); 1016 } 1017 1018 static void *seq_next(struct seq_file *s, void *v, loff_t *pos) 1019 { 1020 (*pos)++; 1021 return get_next(seq_file_net(s), s->private, v); 1022 } 1023 1024 static void seq_stop(struct seq_file *s, void *v) 1025 __releases(rcu_bh) 1026 { 1027 rcu_read_unlock_bh(); 1028 } 1029 1030 static int seq_show(struct seq_file *s, void *v) 1031 { 1032 const struct nfulnl_instance *inst = v; 1033 1034 seq_printf(s, "%5u %6u %5u %1u %5u %6u %2u\n", 1035 inst->group_num, 1036 inst->peer_portid, inst->qlen, 1037 inst->copy_mode, inst->copy_range, 1038 inst->flushtimeout, refcount_read(&inst->use)); 1039 1040 return 0; 1041 } 1042 1043 static const struct seq_operations nful_seq_ops = { 1044 .start = seq_start, 1045 .next = seq_next, 1046 .stop = seq_stop, 1047 .show = seq_show, 1048 }; 1049 1050 static int nful_open(struct inode *inode, struct file *file) 1051 { 1052 return seq_open_net(inode, file, &nful_seq_ops, 1053 sizeof(struct iter_state)); 1054 } 1055 1056 static const struct file_operations nful_file_ops = { 1057 .open = nful_open, 1058 .read = seq_read, 1059 .llseek = seq_lseek, 1060 .release = seq_release_net, 1061 }; 1062 1063 #endif /* PROC_FS */ 1064 1065 static int __net_init nfnl_log_net_init(struct net *net) 1066 { 1067 unsigned int i; 1068 struct nfnl_log_net *log = nfnl_log_pernet(net); 1069 #ifdef CONFIG_PROC_FS 1070 struct proc_dir_entry *proc; 1071 kuid_t root_uid; 1072 kgid_t root_gid; 1073 #endif 1074 1075 for (i = 0; i < INSTANCE_BUCKETS; i++) 1076 INIT_HLIST_HEAD(&log->instance_table[i]); 1077 spin_lock_init(&log->instances_lock); 1078 1079 #ifdef CONFIG_PROC_FS 1080 proc = proc_create("nfnetlink_log", 0440, 1081 net->nf.proc_netfilter, &nful_file_ops); 1082 if (!proc) 1083 return -ENOMEM; 1084 1085 root_uid = make_kuid(net->user_ns, 0); 1086 root_gid = make_kgid(net->user_ns, 0); 1087 if (uid_valid(root_uid) && gid_valid(root_gid)) 1088 proc_set_user(proc, root_uid, root_gid); 1089 #endif 1090 return 0; 1091 } 1092 1093 static void __net_exit nfnl_log_net_exit(struct net *net) 1094 { 1095 struct nfnl_log_net *log = nfnl_log_pernet(net); 1096 unsigned int i; 1097 1098 #ifdef CONFIG_PROC_FS 1099 remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter); 1100 #endif 1101 nf_log_unset(net, &nfulnl_logger); 1102 for (i = 0; i < INSTANCE_BUCKETS; i++) 1103 WARN_ON_ONCE(!hlist_empty(&log->instance_table[i])); 1104 } 1105 1106 static struct pernet_operations nfnl_log_net_ops = { 1107 .init = nfnl_log_net_init, 1108 .exit = nfnl_log_net_exit, 1109 .id = &nfnl_log_net_id, 1110 .size = sizeof(struct nfnl_log_net), 1111 }; 1112 1113 static int __init nfnetlink_log_init(void) 1114 { 1115 int status; 1116 1117 status = register_pernet_subsys(&nfnl_log_net_ops); 1118 if (status < 0) { 1119 pr_err("failed to register pernet ops\n"); 1120 goto out; 1121 } 1122 1123 netlink_register_notifier(&nfulnl_rtnl_notifier); 1124 status = nfnetlink_subsys_register(&nfulnl_subsys); 1125 if (status < 0) { 1126 pr_err("failed to create netlink socket\n"); 1127 goto cleanup_netlink_notifier; 1128 } 1129 1130 status = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger); 1131 if (status < 0) { 1132 pr_err("failed to register logger\n"); 1133 goto cleanup_subsys; 1134 } 1135 1136 return status; 1137 1138 cleanup_subsys: 1139 nfnetlink_subsys_unregister(&nfulnl_subsys); 1140 cleanup_netlink_notifier: 1141 netlink_unregister_notifier(&nfulnl_rtnl_notifier); 1142 unregister_pernet_subsys(&nfnl_log_net_ops); 1143 out: 1144 return status; 1145 } 1146 1147 static void __exit nfnetlink_log_fini(void) 1148 { 1149 nfnetlink_subsys_unregister(&nfulnl_subsys); 1150 netlink_unregister_notifier(&nfulnl_rtnl_notifier); 1151 unregister_pernet_subsys(&nfnl_log_net_ops); 1152 nf_log_unregister(&nfulnl_logger); 1153 } 1154 1155 MODULE_DESCRIPTION("netfilter userspace logging"); 1156 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 1157 MODULE_LICENSE("GPL"); 1158 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG); 1159 MODULE_ALIAS_NF_LOGGER(AF_INET, 1); 1160 MODULE_ALIAS_NF_LOGGER(AF_INET6, 1); 1161 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 1); 1162 MODULE_ALIAS_NF_LOGGER(3, 1); /* NFPROTO_ARP */ 1163 MODULE_ALIAS_NF_LOGGER(5, 1); /* NFPROTO_NETDEV */ 1164 1165 module_init(nfnetlink_log_init); 1166 module_exit(nfnetlink_log_fini); 1167