1 /* 2 * This is a module which is used for logging packets to userspace via 3 * nfetlink. 4 * 5 * (C) 2005 by Harald Welte <laforge@netfilter.org> 6 * (C) 2006-2012 Patrick McHardy <kaber@trash.net> 7 * 8 * Based on the old ipv4-only ipt_ULOG.c: 9 * (C) 2000-2004 by Harald Welte <laforge@netfilter.org> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2 as 13 * published by the Free Software Foundation. 14 */ 15 16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 17 18 #include <linux/module.h> 19 #include <linux/skbuff.h> 20 #include <linux/if_arp.h> 21 #include <linux/init.h> 22 #include <linux/ip.h> 23 #include <linux/ipv6.h> 24 #include <linux/netdevice.h> 25 #include <linux/netfilter.h> 26 #include <linux/netfilter_bridge.h> 27 #include <net/netlink.h> 28 #include <linux/netfilter/nfnetlink.h> 29 #include <linux/netfilter/nfnetlink_log.h> 30 #include <linux/netfilter/nf_conntrack_common.h> 31 #include <linux/spinlock.h> 32 #include <linux/sysctl.h> 33 #include <linux/proc_fs.h> 34 #include <linux/security.h> 35 #include <linux/list.h> 36 #include <linux/slab.h> 37 #include <net/sock.h> 38 #include <net/netfilter/nf_log.h> 39 #include <net/netns/generic.h> 40 41 #include <linux/atomic.h> 42 #include <linux/refcount.h> 43 44 45 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 46 #include "../bridge/br_private.h" 47 #endif 48 49 #define NFULNL_COPY_DISABLED 0xff 50 #define NFULNL_NLBUFSIZ_DEFAULT NLMSG_GOODSIZE 51 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */ 52 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */ 53 /* max packet size is limited by 16-bit struct nfattr nfa_len field */ 54 #define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN) 55 56 #define PRINTR(x, args...) do { if (net_ratelimit()) \ 57 printk(x, ## args); } while (0); 58 59 struct nfulnl_instance { 60 struct hlist_node hlist; /* global list of instances */ 61 spinlock_t lock; 62 refcount_t use; /* use count */ 63 64 unsigned int qlen; /* number of nlmsgs in skb */ 65 struct sk_buff *skb; /* pre-allocatd skb */ 66 struct timer_list timer; 67 struct net *net; 68 struct user_namespace *peer_user_ns; /* User namespace of the peer process */ 69 u32 peer_portid; /* PORTID of the peer process */ 70 71 /* configurable parameters */ 72 unsigned int flushtimeout; /* timeout until queue flush */ 73 unsigned int nlbufsiz; /* netlink buffer allocation size */ 74 unsigned int qthreshold; /* threshold of the queue */ 75 u_int32_t copy_range; 76 u_int32_t seq; /* instance-local sequential counter */ 77 u_int16_t group_num; /* number of this queue */ 78 u_int16_t flags; 79 u_int8_t copy_mode; 80 struct rcu_head rcu; 81 }; 82 83 #define INSTANCE_BUCKETS 16 84 85 static unsigned int nfnl_log_net_id __read_mostly; 86 87 struct nfnl_log_net { 88 spinlock_t instances_lock; 89 struct hlist_head instance_table[INSTANCE_BUCKETS]; 90 atomic_t global_seq; 91 }; 92 93 static struct nfnl_log_net *nfnl_log_pernet(struct net *net) 94 { 95 return net_generic(net, nfnl_log_net_id); 96 } 97 98 static inline u_int8_t instance_hashfn(u_int16_t group_num) 99 { 100 return ((group_num & 0xff) % INSTANCE_BUCKETS); 101 } 102 103 static struct nfulnl_instance * 104 __instance_lookup(struct nfnl_log_net *log, u_int16_t group_num) 105 { 106 struct hlist_head *head; 107 struct nfulnl_instance *inst; 108 109 head = &log->instance_table[instance_hashfn(group_num)]; 110 hlist_for_each_entry_rcu(inst, head, hlist) { 111 if (inst->group_num == group_num) 112 return inst; 113 } 114 return NULL; 115 } 116 117 static inline void 118 instance_get(struct nfulnl_instance *inst) 119 { 120 refcount_inc(&inst->use); 121 } 122 123 static struct nfulnl_instance * 124 instance_lookup_get(struct nfnl_log_net *log, u_int16_t group_num) 125 { 126 struct nfulnl_instance *inst; 127 128 rcu_read_lock_bh(); 129 inst = __instance_lookup(log, group_num); 130 if (inst && !refcount_inc_not_zero(&inst->use)) 131 inst = NULL; 132 rcu_read_unlock_bh(); 133 134 return inst; 135 } 136 137 static void nfulnl_instance_free_rcu(struct rcu_head *head) 138 { 139 struct nfulnl_instance *inst = 140 container_of(head, struct nfulnl_instance, rcu); 141 142 put_net(inst->net); 143 kfree(inst); 144 module_put(THIS_MODULE); 145 } 146 147 static void 148 instance_put(struct nfulnl_instance *inst) 149 { 150 if (inst && refcount_dec_and_test(&inst->use)) 151 call_rcu_bh(&inst->rcu, nfulnl_instance_free_rcu); 152 } 153 154 static void nfulnl_timer(struct timer_list *t); 155 156 static struct nfulnl_instance * 157 instance_create(struct net *net, u_int16_t group_num, 158 u32 portid, struct user_namespace *user_ns) 159 { 160 struct nfulnl_instance *inst; 161 struct nfnl_log_net *log = nfnl_log_pernet(net); 162 int err; 163 164 spin_lock_bh(&log->instances_lock); 165 if (__instance_lookup(log, group_num)) { 166 err = -EEXIST; 167 goto out_unlock; 168 } 169 170 inst = kzalloc(sizeof(*inst), GFP_ATOMIC); 171 if (!inst) { 172 err = -ENOMEM; 173 goto out_unlock; 174 } 175 176 if (!try_module_get(THIS_MODULE)) { 177 kfree(inst); 178 err = -EAGAIN; 179 goto out_unlock; 180 } 181 182 INIT_HLIST_NODE(&inst->hlist); 183 spin_lock_init(&inst->lock); 184 /* needs to be two, since we _put() after creation */ 185 refcount_set(&inst->use, 2); 186 187 timer_setup(&inst->timer, nfulnl_timer, 0); 188 189 inst->net = get_net(net); 190 inst->peer_user_ns = user_ns; 191 inst->peer_portid = portid; 192 inst->group_num = group_num; 193 194 inst->qthreshold = NFULNL_QTHRESH_DEFAULT; 195 inst->flushtimeout = NFULNL_TIMEOUT_DEFAULT; 196 inst->nlbufsiz = NFULNL_NLBUFSIZ_DEFAULT; 197 inst->copy_mode = NFULNL_COPY_PACKET; 198 inst->copy_range = NFULNL_COPY_RANGE_MAX; 199 200 hlist_add_head_rcu(&inst->hlist, 201 &log->instance_table[instance_hashfn(group_num)]); 202 203 204 spin_unlock_bh(&log->instances_lock); 205 206 return inst; 207 208 out_unlock: 209 spin_unlock_bh(&log->instances_lock); 210 return ERR_PTR(err); 211 } 212 213 static void __nfulnl_flush(struct nfulnl_instance *inst); 214 215 /* called with BH disabled */ 216 static void 217 __instance_destroy(struct nfulnl_instance *inst) 218 { 219 /* first pull it out of the global list */ 220 hlist_del_rcu(&inst->hlist); 221 222 /* then flush all pending packets from skb */ 223 224 spin_lock(&inst->lock); 225 226 /* lockless readers wont be able to use us */ 227 inst->copy_mode = NFULNL_COPY_DISABLED; 228 229 if (inst->skb) 230 __nfulnl_flush(inst); 231 spin_unlock(&inst->lock); 232 233 /* and finally put the refcount */ 234 instance_put(inst); 235 } 236 237 static inline void 238 instance_destroy(struct nfnl_log_net *log, 239 struct nfulnl_instance *inst) 240 { 241 spin_lock_bh(&log->instances_lock); 242 __instance_destroy(inst); 243 spin_unlock_bh(&log->instances_lock); 244 } 245 246 static int 247 nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode, 248 unsigned int range) 249 { 250 int status = 0; 251 252 spin_lock_bh(&inst->lock); 253 254 switch (mode) { 255 case NFULNL_COPY_NONE: 256 case NFULNL_COPY_META: 257 inst->copy_mode = mode; 258 inst->copy_range = 0; 259 break; 260 261 case NFULNL_COPY_PACKET: 262 inst->copy_mode = mode; 263 if (range == 0) 264 range = NFULNL_COPY_RANGE_MAX; 265 inst->copy_range = min_t(unsigned int, 266 range, NFULNL_COPY_RANGE_MAX); 267 break; 268 269 default: 270 status = -EINVAL; 271 break; 272 } 273 274 spin_unlock_bh(&inst->lock); 275 276 return status; 277 } 278 279 static int 280 nfulnl_set_nlbufsiz(struct nfulnl_instance *inst, u_int32_t nlbufsiz) 281 { 282 int status; 283 284 spin_lock_bh(&inst->lock); 285 if (nlbufsiz < NFULNL_NLBUFSIZ_DEFAULT) 286 status = -ERANGE; 287 else if (nlbufsiz > 131072) 288 status = -ERANGE; 289 else { 290 inst->nlbufsiz = nlbufsiz; 291 status = 0; 292 } 293 spin_unlock_bh(&inst->lock); 294 295 return status; 296 } 297 298 static void 299 nfulnl_set_timeout(struct nfulnl_instance *inst, u_int32_t timeout) 300 { 301 spin_lock_bh(&inst->lock); 302 inst->flushtimeout = timeout; 303 spin_unlock_bh(&inst->lock); 304 } 305 306 static void 307 nfulnl_set_qthresh(struct nfulnl_instance *inst, u_int32_t qthresh) 308 { 309 spin_lock_bh(&inst->lock); 310 inst->qthreshold = qthresh; 311 spin_unlock_bh(&inst->lock); 312 } 313 314 static int 315 nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags) 316 { 317 spin_lock_bh(&inst->lock); 318 inst->flags = flags; 319 spin_unlock_bh(&inst->lock); 320 321 return 0; 322 } 323 324 static struct sk_buff * 325 nfulnl_alloc_skb(struct net *net, u32 peer_portid, unsigned int inst_size, 326 unsigned int pkt_size) 327 { 328 struct sk_buff *skb; 329 unsigned int n; 330 331 /* alloc skb which should be big enough for a whole multipart 332 * message. WARNING: has to be <= 128k due to slab restrictions */ 333 334 n = max(inst_size, pkt_size); 335 skb = alloc_skb(n, GFP_ATOMIC | __GFP_NOWARN); 336 if (!skb) { 337 if (n > pkt_size) { 338 /* try to allocate only as much as we need for current 339 * packet */ 340 341 skb = alloc_skb(pkt_size, GFP_ATOMIC); 342 } 343 } 344 345 return skb; 346 } 347 348 static void 349 __nfulnl_send(struct nfulnl_instance *inst) 350 { 351 if (inst->qlen > 1) { 352 struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, 353 NLMSG_DONE, 354 sizeof(struct nfgenmsg), 355 0); 356 if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", 357 inst->skb->len, skb_tailroom(inst->skb))) { 358 kfree_skb(inst->skb); 359 goto out; 360 } 361 } 362 nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, 363 MSG_DONTWAIT); 364 out: 365 inst->qlen = 0; 366 inst->skb = NULL; 367 } 368 369 static void 370 __nfulnl_flush(struct nfulnl_instance *inst) 371 { 372 /* timer holds a reference */ 373 if (del_timer(&inst->timer)) 374 instance_put(inst); 375 if (inst->skb) 376 __nfulnl_send(inst); 377 } 378 379 static void 380 nfulnl_timer(struct timer_list *t) 381 { 382 struct nfulnl_instance *inst = from_timer(inst, t, timer); 383 384 spin_lock_bh(&inst->lock); 385 if (inst->skb) 386 __nfulnl_send(inst); 387 spin_unlock_bh(&inst->lock); 388 instance_put(inst); 389 } 390 391 /* This is an inline function, we don't really care about a long 392 * list of arguments */ 393 static inline int 394 __build_packet_message(struct nfnl_log_net *log, 395 struct nfulnl_instance *inst, 396 const struct sk_buff *skb, 397 unsigned int data_len, 398 u_int8_t pf, 399 unsigned int hooknum, 400 const struct net_device *indev, 401 const struct net_device *outdev, 402 const char *prefix, unsigned int plen, 403 const struct nfnl_ct_hook *nfnl_ct, 404 struct nf_conn *ct, enum ip_conntrack_info ctinfo) 405 { 406 struct nfulnl_msg_packet_hdr pmsg; 407 struct nlmsghdr *nlh; 408 struct nfgenmsg *nfmsg; 409 sk_buff_data_t old_tail = inst->skb->tail; 410 struct sock *sk; 411 const unsigned char *hwhdrp; 412 413 nlh = nlmsg_put(inst->skb, 0, 0, 414 nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), 415 sizeof(struct nfgenmsg), 0); 416 if (!nlh) 417 return -1; 418 nfmsg = nlmsg_data(nlh); 419 nfmsg->nfgen_family = pf; 420 nfmsg->version = NFNETLINK_V0; 421 nfmsg->res_id = htons(inst->group_num); 422 423 memset(&pmsg, 0, sizeof(pmsg)); 424 pmsg.hw_protocol = skb->protocol; 425 pmsg.hook = hooknum; 426 427 if (nla_put(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg)) 428 goto nla_put_failure; 429 430 if (prefix && 431 nla_put(inst->skb, NFULA_PREFIX, plen, prefix)) 432 goto nla_put_failure; 433 434 if (indev) { 435 #if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 436 if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 437 htonl(indev->ifindex))) 438 goto nla_put_failure; 439 #else 440 if (pf == PF_BRIDGE) { 441 /* Case 1: outdev is physical input device, we need to 442 * look for bridge group (when called from 443 * netfilter_bridge) */ 444 if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV, 445 htonl(indev->ifindex)) || 446 /* this is the bridge group "brX" */ 447 /* rcu_read_lock()ed by nf_hook_thresh or 448 * nf_log_packet. 449 */ 450 nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 451 htonl(br_port_get_rcu(indev)->br->dev->ifindex))) 452 goto nla_put_failure; 453 } else { 454 struct net_device *physindev; 455 456 /* Case 2: indev is bridge group, we need to look for 457 * physical device (when called from ipv4) */ 458 if (nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV, 459 htonl(indev->ifindex))) 460 goto nla_put_failure; 461 462 physindev = nf_bridge_get_physindev(skb); 463 if (physindev && 464 nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV, 465 htonl(physindev->ifindex))) 466 goto nla_put_failure; 467 } 468 #endif 469 } 470 471 if (outdev) { 472 #if !IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 473 if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 474 htonl(outdev->ifindex))) 475 goto nla_put_failure; 476 #else 477 if (pf == PF_BRIDGE) { 478 /* Case 1: outdev is physical output device, we need to 479 * look for bridge group (when called from 480 * netfilter_bridge) */ 481 if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, 482 htonl(outdev->ifindex)) || 483 /* this is the bridge group "brX" */ 484 /* rcu_read_lock()ed by nf_hook_thresh or 485 * nf_log_packet. 486 */ 487 nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 488 htonl(br_port_get_rcu(outdev)->br->dev->ifindex))) 489 goto nla_put_failure; 490 } else { 491 struct net_device *physoutdev; 492 493 /* Case 2: indev is a bridge group, we need to look 494 * for physical device (when called from ipv4) */ 495 if (nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV, 496 htonl(outdev->ifindex))) 497 goto nla_put_failure; 498 499 physoutdev = nf_bridge_get_physoutdev(skb); 500 if (physoutdev && 501 nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, 502 htonl(physoutdev->ifindex))) 503 goto nla_put_failure; 504 } 505 #endif 506 } 507 508 if (skb->mark && 509 nla_put_be32(inst->skb, NFULA_MARK, htonl(skb->mark))) 510 goto nla_put_failure; 511 512 if (indev && skb->dev && 513 skb->mac_header != skb->network_header) { 514 struct nfulnl_msg_packet_hw phw; 515 int len; 516 517 memset(&phw, 0, sizeof(phw)); 518 len = dev_parse_header(skb, phw.hw_addr); 519 if (len > 0) { 520 phw.hw_addrlen = htons(len); 521 if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw)) 522 goto nla_put_failure; 523 } 524 } 525 526 if (indev && skb_mac_header_was_set(skb)) { 527 if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) || 528 nla_put_be16(inst->skb, NFULA_HWLEN, 529 htons(skb->dev->hard_header_len))) 530 goto nla_put_failure; 531 532 hwhdrp = skb_mac_header(skb); 533 534 if (skb->dev->type == ARPHRD_SIT) 535 hwhdrp -= ETH_HLEN; 536 537 if (hwhdrp >= skb->head && 538 nla_put(inst->skb, NFULA_HWHEADER, 539 skb->dev->hard_header_len, hwhdrp)) 540 goto nla_put_failure; 541 } 542 543 if (skb->tstamp) { 544 struct nfulnl_msg_packet_timestamp ts; 545 struct timespec64 kts = ktime_to_timespec64(skb->tstamp); 546 ts.sec = cpu_to_be64(kts.tv_sec); 547 ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC); 548 549 if (nla_put(inst->skb, NFULA_TIMESTAMP, sizeof(ts), &ts)) 550 goto nla_put_failure; 551 } 552 553 /* UID */ 554 sk = skb->sk; 555 if (sk && sk_fullsock(sk)) { 556 read_lock_bh(&sk->sk_callback_lock); 557 if (sk->sk_socket && sk->sk_socket->file) { 558 struct file *file = sk->sk_socket->file; 559 const struct cred *cred = file->f_cred; 560 struct user_namespace *user_ns = inst->peer_user_ns; 561 __be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid)); 562 __be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid)); 563 read_unlock_bh(&sk->sk_callback_lock); 564 if (nla_put_be32(inst->skb, NFULA_UID, uid) || 565 nla_put_be32(inst->skb, NFULA_GID, gid)) 566 goto nla_put_failure; 567 } else 568 read_unlock_bh(&sk->sk_callback_lock); 569 } 570 571 /* local sequence number */ 572 if ((inst->flags & NFULNL_CFG_F_SEQ) && 573 nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++))) 574 goto nla_put_failure; 575 576 /* global sequence number */ 577 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) && 578 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL, 579 htonl(atomic_inc_return(&log->global_seq)))) 580 goto nla_put_failure; 581 582 if (ct && nfnl_ct->build(inst->skb, ct, ctinfo, 583 NFULA_CT, NFULA_CT_INFO) < 0) 584 goto nla_put_failure; 585 586 if (data_len) { 587 struct nlattr *nla; 588 int size = nla_attr_size(data_len); 589 590 if (skb_tailroom(inst->skb) < nla_total_size(data_len)) 591 goto nla_put_failure; 592 593 nla = skb_put(inst->skb, nla_total_size(data_len)); 594 nla->nla_type = NFULA_PAYLOAD; 595 nla->nla_len = size; 596 597 if (skb_copy_bits(skb, 0, nla_data(nla), data_len)) 598 BUG(); 599 } 600 601 nlh->nlmsg_len = inst->skb->tail - old_tail; 602 return 0; 603 604 nla_put_failure: 605 PRINTR(KERN_ERR "nfnetlink_log: error creating log nlmsg\n"); 606 return -1; 607 } 608 609 static const struct nf_loginfo default_loginfo = { 610 .type = NF_LOG_TYPE_ULOG, 611 .u = { 612 .ulog = { 613 .copy_len = 0xffff, 614 .group = 0, 615 .qthreshold = 1, 616 }, 617 }, 618 }; 619 620 /* log handler for internal netfilter logging api */ 621 static void 622 nfulnl_log_packet(struct net *net, 623 u_int8_t pf, 624 unsigned int hooknum, 625 const struct sk_buff *skb, 626 const struct net_device *in, 627 const struct net_device *out, 628 const struct nf_loginfo *li_user, 629 const char *prefix) 630 { 631 size_t size; 632 unsigned int data_len; 633 struct nfulnl_instance *inst; 634 const struct nf_loginfo *li; 635 unsigned int qthreshold; 636 unsigned int plen = 0; 637 struct nfnl_log_net *log = nfnl_log_pernet(net); 638 const struct nfnl_ct_hook *nfnl_ct = NULL; 639 struct nf_conn *ct = NULL; 640 enum ip_conntrack_info uninitialized_var(ctinfo); 641 642 if (li_user && li_user->type == NF_LOG_TYPE_ULOG) 643 li = li_user; 644 else 645 li = &default_loginfo; 646 647 inst = instance_lookup_get(log, li->u.ulog.group); 648 if (!inst) 649 return; 650 651 if (prefix) 652 plen = strlen(prefix) + 1; 653 654 /* FIXME: do we want to make the size calculation conditional based on 655 * what is actually present? way more branches and checks, but more 656 * memory efficient... */ 657 size = nlmsg_total_size(sizeof(struct nfgenmsg)) 658 + nla_total_size(sizeof(struct nfulnl_msg_packet_hdr)) 659 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 660 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 661 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 662 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 663 + nla_total_size(sizeof(u_int32_t)) /* ifindex */ 664 #endif 665 + nla_total_size(sizeof(u_int32_t)) /* mark */ 666 + nla_total_size(sizeof(u_int32_t)) /* uid */ 667 + nla_total_size(sizeof(u_int32_t)) /* gid */ 668 + nla_total_size(plen) /* prefix */ 669 + nla_total_size(sizeof(struct nfulnl_msg_packet_hw)) 670 + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp)) 671 + nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */ 672 673 if (in && skb_mac_header_was_set(skb)) { 674 size += nla_total_size(skb->dev->hard_header_len) 675 + nla_total_size(sizeof(u_int16_t)) /* hwtype */ 676 + nla_total_size(sizeof(u_int16_t)); /* hwlen */ 677 } 678 679 spin_lock_bh(&inst->lock); 680 681 if (inst->flags & NFULNL_CFG_F_SEQ) 682 size += nla_total_size(sizeof(u_int32_t)); 683 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) 684 size += nla_total_size(sizeof(u_int32_t)); 685 if (inst->flags & NFULNL_CFG_F_CONNTRACK) { 686 nfnl_ct = rcu_dereference(nfnl_ct_hook); 687 if (nfnl_ct != NULL) { 688 ct = nfnl_ct->get_ct(skb, &ctinfo); 689 if (ct != NULL) 690 size += nfnl_ct->build_size(ct); 691 } 692 } 693 694 qthreshold = inst->qthreshold; 695 /* per-rule qthreshold overrides per-instance */ 696 if (li->u.ulog.qthreshold) 697 if (qthreshold > li->u.ulog.qthreshold) 698 qthreshold = li->u.ulog.qthreshold; 699 700 701 switch (inst->copy_mode) { 702 case NFULNL_COPY_META: 703 case NFULNL_COPY_NONE: 704 data_len = 0; 705 break; 706 707 case NFULNL_COPY_PACKET: 708 data_len = inst->copy_range; 709 if ((li->u.ulog.flags & NF_LOG_F_COPY_LEN) && 710 (li->u.ulog.copy_len < data_len)) 711 data_len = li->u.ulog.copy_len; 712 713 if (data_len > skb->len) 714 data_len = skb->len; 715 716 size += nla_total_size(data_len); 717 break; 718 719 case NFULNL_COPY_DISABLED: 720 default: 721 goto unlock_and_release; 722 } 723 724 if (inst->skb && size > skb_tailroom(inst->skb)) { 725 /* either the queue len is too high or we don't have 726 * enough room in the skb left. flush to userspace. */ 727 __nfulnl_flush(inst); 728 } 729 730 if (!inst->skb) { 731 inst->skb = nfulnl_alloc_skb(net, inst->peer_portid, 732 inst->nlbufsiz, size); 733 if (!inst->skb) 734 goto alloc_failure; 735 } 736 737 inst->qlen++; 738 739 __build_packet_message(log, inst, skb, data_len, pf, 740 hooknum, in, out, prefix, plen, 741 nfnl_ct, ct, ctinfo); 742 743 if (inst->qlen >= qthreshold) 744 __nfulnl_flush(inst); 745 /* timer_pending always called within inst->lock, so there 746 * is no chance of a race here */ 747 else if (!timer_pending(&inst->timer)) { 748 instance_get(inst); 749 inst->timer.expires = jiffies + (inst->flushtimeout*HZ/100); 750 add_timer(&inst->timer); 751 } 752 753 unlock_and_release: 754 spin_unlock_bh(&inst->lock); 755 instance_put(inst); 756 return; 757 758 alloc_failure: 759 /* FIXME: statistics */ 760 goto unlock_and_release; 761 } 762 763 static int 764 nfulnl_rcv_nl_event(struct notifier_block *this, 765 unsigned long event, void *ptr) 766 { 767 struct netlink_notify *n = ptr; 768 struct nfnl_log_net *log = nfnl_log_pernet(n->net); 769 770 if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) { 771 int i; 772 773 /* destroy all instances for this portid */ 774 spin_lock_bh(&log->instances_lock); 775 for (i = 0; i < INSTANCE_BUCKETS; i++) { 776 struct hlist_node *t2; 777 struct nfulnl_instance *inst; 778 struct hlist_head *head = &log->instance_table[i]; 779 780 hlist_for_each_entry_safe(inst, t2, head, hlist) { 781 if (n->portid == inst->peer_portid) 782 __instance_destroy(inst); 783 } 784 } 785 spin_unlock_bh(&log->instances_lock); 786 } 787 return NOTIFY_DONE; 788 } 789 790 static struct notifier_block nfulnl_rtnl_notifier = { 791 .notifier_call = nfulnl_rcv_nl_event, 792 }; 793 794 static int nfulnl_recv_unsupp(struct net *net, struct sock *ctnl, 795 struct sk_buff *skb, const struct nlmsghdr *nlh, 796 const struct nlattr * const nfqa[], 797 struct netlink_ext_ack *extack) 798 { 799 return -ENOTSUPP; 800 } 801 802 static struct nf_logger nfulnl_logger __read_mostly = { 803 .name = "nfnetlink_log", 804 .type = NF_LOG_TYPE_ULOG, 805 .logfn = nfulnl_log_packet, 806 .me = THIS_MODULE, 807 }; 808 809 static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = { 810 [NFULA_CFG_CMD] = { .len = sizeof(struct nfulnl_msg_config_cmd) }, 811 [NFULA_CFG_MODE] = { .len = sizeof(struct nfulnl_msg_config_mode) }, 812 [NFULA_CFG_TIMEOUT] = { .type = NLA_U32 }, 813 [NFULA_CFG_QTHRESH] = { .type = NLA_U32 }, 814 [NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 }, 815 [NFULA_CFG_FLAGS] = { .type = NLA_U16 }, 816 }; 817 818 static int nfulnl_recv_config(struct net *net, struct sock *ctnl, 819 struct sk_buff *skb, const struct nlmsghdr *nlh, 820 const struct nlattr * const nfula[], 821 struct netlink_ext_ack *extack) 822 { 823 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 824 u_int16_t group_num = ntohs(nfmsg->res_id); 825 struct nfulnl_instance *inst; 826 struct nfulnl_msg_config_cmd *cmd = NULL; 827 struct nfnl_log_net *log = nfnl_log_pernet(net); 828 int ret = 0; 829 u16 flags = 0; 830 831 if (nfula[NFULA_CFG_CMD]) { 832 u_int8_t pf = nfmsg->nfgen_family; 833 cmd = nla_data(nfula[NFULA_CFG_CMD]); 834 835 /* Commands without queue context */ 836 switch (cmd->command) { 837 case NFULNL_CFG_CMD_PF_BIND: 838 return nf_log_bind_pf(net, pf, &nfulnl_logger); 839 case NFULNL_CFG_CMD_PF_UNBIND: 840 nf_log_unbind_pf(net, pf); 841 return 0; 842 } 843 } 844 845 inst = instance_lookup_get(log, group_num); 846 if (inst && inst->peer_portid != NETLINK_CB(skb).portid) { 847 ret = -EPERM; 848 goto out_put; 849 } 850 851 /* Check if we support these flags in first place, dependencies should 852 * be there too not to break atomicity. 853 */ 854 if (nfula[NFULA_CFG_FLAGS]) { 855 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS])); 856 857 if ((flags & NFULNL_CFG_F_CONNTRACK) && 858 !rcu_access_pointer(nfnl_ct_hook)) { 859 #ifdef CONFIG_MODULES 860 nfnl_unlock(NFNL_SUBSYS_ULOG); 861 request_module("ip_conntrack_netlink"); 862 nfnl_lock(NFNL_SUBSYS_ULOG); 863 if (rcu_access_pointer(nfnl_ct_hook)) { 864 ret = -EAGAIN; 865 goto out_put; 866 } 867 #endif 868 ret = -EOPNOTSUPP; 869 goto out_put; 870 } 871 } 872 873 if (cmd != NULL) { 874 switch (cmd->command) { 875 case NFULNL_CFG_CMD_BIND: 876 if (inst) { 877 ret = -EBUSY; 878 goto out_put; 879 } 880 881 inst = instance_create(net, group_num, 882 NETLINK_CB(skb).portid, 883 sk_user_ns(NETLINK_CB(skb).sk)); 884 if (IS_ERR(inst)) { 885 ret = PTR_ERR(inst); 886 goto out; 887 } 888 break; 889 case NFULNL_CFG_CMD_UNBIND: 890 if (!inst) { 891 ret = -ENODEV; 892 goto out; 893 } 894 895 instance_destroy(log, inst); 896 goto out_put; 897 default: 898 ret = -ENOTSUPP; 899 goto out_put; 900 } 901 } else if (!inst) { 902 ret = -ENODEV; 903 goto out; 904 } 905 906 if (nfula[NFULA_CFG_MODE]) { 907 struct nfulnl_msg_config_mode *params = 908 nla_data(nfula[NFULA_CFG_MODE]); 909 910 nfulnl_set_mode(inst, params->copy_mode, 911 ntohl(params->copy_range)); 912 } 913 914 if (nfula[NFULA_CFG_TIMEOUT]) { 915 __be32 timeout = nla_get_be32(nfula[NFULA_CFG_TIMEOUT]); 916 917 nfulnl_set_timeout(inst, ntohl(timeout)); 918 } 919 920 if (nfula[NFULA_CFG_NLBUFSIZ]) { 921 __be32 nlbufsiz = nla_get_be32(nfula[NFULA_CFG_NLBUFSIZ]); 922 923 nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz)); 924 } 925 926 if (nfula[NFULA_CFG_QTHRESH]) { 927 __be32 qthresh = nla_get_be32(nfula[NFULA_CFG_QTHRESH]); 928 929 nfulnl_set_qthresh(inst, ntohl(qthresh)); 930 } 931 932 if (nfula[NFULA_CFG_FLAGS]) 933 nfulnl_set_flags(inst, flags); 934 935 out_put: 936 instance_put(inst); 937 out: 938 return ret; 939 } 940 941 static const struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = { 942 [NFULNL_MSG_PACKET] = { .call = nfulnl_recv_unsupp, 943 .attr_count = NFULA_MAX, }, 944 [NFULNL_MSG_CONFIG] = { .call = nfulnl_recv_config, 945 .attr_count = NFULA_CFG_MAX, 946 .policy = nfula_cfg_policy }, 947 }; 948 949 static const struct nfnetlink_subsystem nfulnl_subsys = { 950 .name = "log", 951 .subsys_id = NFNL_SUBSYS_ULOG, 952 .cb_count = NFULNL_MSG_MAX, 953 .cb = nfulnl_cb, 954 }; 955 956 #ifdef CONFIG_PROC_FS 957 struct iter_state { 958 struct seq_net_private p; 959 unsigned int bucket; 960 }; 961 962 static struct hlist_node *get_first(struct net *net, struct iter_state *st) 963 { 964 struct nfnl_log_net *log; 965 if (!st) 966 return NULL; 967 968 log = nfnl_log_pernet(net); 969 970 for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) { 971 struct hlist_head *head = &log->instance_table[st->bucket]; 972 973 if (!hlist_empty(head)) 974 return rcu_dereference_bh(hlist_first_rcu(head)); 975 } 976 return NULL; 977 } 978 979 static struct hlist_node *get_next(struct net *net, struct iter_state *st, 980 struct hlist_node *h) 981 { 982 h = rcu_dereference_bh(hlist_next_rcu(h)); 983 while (!h) { 984 struct nfnl_log_net *log; 985 struct hlist_head *head; 986 987 if (++st->bucket >= INSTANCE_BUCKETS) 988 return NULL; 989 990 log = nfnl_log_pernet(net); 991 head = &log->instance_table[st->bucket]; 992 h = rcu_dereference_bh(hlist_first_rcu(head)); 993 } 994 return h; 995 } 996 997 static struct hlist_node *get_idx(struct net *net, struct iter_state *st, 998 loff_t pos) 999 { 1000 struct hlist_node *head; 1001 head = get_first(net, st); 1002 1003 if (head) 1004 while (pos && (head = get_next(net, st, head))) 1005 pos--; 1006 return pos ? NULL : head; 1007 } 1008 1009 static void *seq_start(struct seq_file *s, loff_t *pos) 1010 __acquires(rcu_bh) 1011 { 1012 rcu_read_lock_bh(); 1013 return get_idx(seq_file_net(s), s->private, *pos); 1014 } 1015 1016 static void *seq_next(struct seq_file *s, void *v, loff_t *pos) 1017 { 1018 (*pos)++; 1019 return get_next(seq_file_net(s), s->private, v); 1020 } 1021 1022 static void seq_stop(struct seq_file *s, void *v) 1023 __releases(rcu_bh) 1024 { 1025 rcu_read_unlock_bh(); 1026 } 1027 1028 static int seq_show(struct seq_file *s, void *v) 1029 { 1030 const struct nfulnl_instance *inst = v; 1031 1032 seq_printf(s, "%5u %6u %5u %1u %5u %6u %2u\n", 1033 inst->group_num, 1034 inst->peer_portid, inst->qlen, 1035 inst->copy_mode, inst->copy_range, 1036 inst->flushtimeout, refcount_read(&inst->use)); 1037 1038 return 0; 1039 } 1040 1041 static const struct seq_operations nful_seq_ops = { 1042 .start = seq_start, 1043 .next = seq_next, 1044 .stop = seq_stop, 1045 .show = seq_show, 1046 }; 1047 #endif /* PROC_FS */ 1048 1049 static int __net_init nfnl_log_net_init(struct net *net) 1050 { 1051 unsigned int i; 1052 struct nfnl_log_net *log = nfnl_log_pernet(net); 1053 #ifdef CONFIG_PROC_FS 1054 struct proc_dir_entry *proc; 1055 kuid_t root_uid; 1056 kgid_t root_gid; 1057 #endif 1058 1059 for (i = 0; i < INSTANCE_BUCKETS; i++) 1060 INIT_HLIST_HEAD(&log->instance_table[i]); 1061 spin_lock_init(&log->instances_lock); 1062 1063 #ifdef CONFIG_PROC_FS 1064 proc = proc_create_net("nfnetlink_log", 0440, net->nf.proc_netfilter, 1065 &nful_seq_ops, sizeof(struct iter_state)); 1066 if (!proc) 1067 return -ENOMEM; 1068 1069 root_uid = make_kuid(net->user_ns, 0); 1070 root_gid = make_kgid(net->user_ns, 0); 1071 if (uid_valid(root_uid) && gid_valid(root_gid)) 1072 proc_set_user(proc, root_uid, root_gid); 1073 #endif 1074 return 0; 1075 } 1076 1077 static void __net_exit nfnl_log_net_exit(struct net *net) 1078 { 1079 struct nfnl_log_net *log = nfnl_log_pernet(net); 1080 unsigned int i; 1081 1082 #ifdef CONFIG_PROC_FS 1083 remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter); 1084 #endif 1085 nf_log_unset(net, &nfulnl_logger); 1086 for (i = 0; i < INSTANCE_BUCKETS; i++) 1087 WARN_ON_ONCE(!hlist_empty(&log->instance_table[i])); 1088 } 1089 1090 static struct pernet_operations nfnl_log_net_ops = { 1091 .init = nfnl_log_net_init, 1092 .exit = nfnl_log_net_exit, 1093 .id = &nfnl_log_net_id, 1094 .size = sizeof(struct nfnl_log_net), 1095 }; 1096 1097 static int __init nfnetlink_log_init(void) 1098 { 1099 int status; 1100 1101 status = register_pernet_subsys(&nfnl_log_net_ops); 1102 if (status < 0) { 1103 pr_err("failed to register pernet ops\n"); 1104 goto out; 1105 } 1106 1107 netlink_register_notifier(&nfulnl_rtnl_notifier); 1108 status = nfnetlink_subsys_register(&nfulnl_subsys); 1109 if (status < 0) { 1110 pr_err("failed to create netlink socket\n"); 1111 goto cleanup_netlink_notifier; 1112 } 1113 1114 status = nf_log_register(NFPROTO_UNSPEC, &nfulnl_logger); 1115 if (status < 0) { 1116 pr_err("failed to register logger\n"); 1117 goto cleanup_subsys; 1118 } 1119 1120 return status; 1121 1122 cleanup_subsys: 1123 nfnetlink_subsys_unregister(&nfulnl_subsys); 1124 cleanup_netlink_notifier: 1125 netlink_unregister_notifier(&nfulnl_rtnl_notifier); 1126 unregister_pernet_subsys(&nfnl_log_net_ops); 1127 out: 1128 return status; 1129 } 1130 1131 static void __exit nfnetlink_log_fini(void) 1132 { 1133 nfnetlink_subsys_unregister(&nfulnl_subsys); 1134 netlink_unregister_notifier(&nfulnl_rtnl_notifier); 1135 unregister_pernet_subsys(&nfnl_log_net_ops); 1136 nf_log_unregister(&nfulnl_logger); 1137 } 1138 1139 MODULE_DESCRIPTION("netfilter userspace logging"); 1140 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 1141 MODULE_LICENSE("GPL"); 1142 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ULOG); 1143 MODULE_ALIAS_NF_LOGGER(AF_INET, 1); 1144 MODULE_ALIAS_NF_LOGGER(AF_INET6, 1); 1145 MODULE_ALIAS_NF_LOGGER(AF_BRIDGE, 1); 1146 MODULE_ALIAS_NF_LOGGER(3, 1); /* NFPROTO_ARP */ 1147 MODULE_ALIAS_NF_LOGGER(5, 1); /* NFPROTO_NETDEV */ 1148 1149 module_init(nfnetlink_log_init); 1150 module_exit(nfnetlink_log_fini); 1151