[NETFILTER]: x_tables: add NFLOG target
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
parent
39b46fc6f0
commit
baf7b1e112
9 changed files with 123 additions and 16 deletions
|
@ -22,6 +22,7 @@ header-y += xt_mark.h
|
||||||
header-y += xt_MARK.h
|
header-y += xt_MARK.h
|
||||||
header-y += xt_multiport.h
|
header-y += xt_multiport.h
|
||||||
header-y += xt_NFQUEUE.h
|
header-y += xt_NFQUEUE.h
|
||||||
|
header-y += xt_NFLOG.h
|
||||||
header-y += xt_pkttype.h
|
header-y += xt_pkttype.h
|
||||||
header-y += xt_policy.h
|
header-y += xt_policy.h
|
||||||
header-y += xt_realm.h
|
header-y += xt_realm.h
|
||||||
|
|
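--- a/include/linux/netfilter/xt_NFLOG.h
+++ b/include/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,18 @@
+#ifndef _XT_NFLOG_TARGET
+#define _XT_NFLOG_TARGET
+
+#define XT_NFLOG_DEFAULT_GROUP 0x1
+#define XT_NFLOG_DEFAULT_THRESHOLD 1
+
+#define XT_NFLOG_MASK 0x0
+
+struct xt_nflog_info {
+	u_int32_t len;
+	u_int16_t group;
+	u_int16_t threshold;
+	u_int16_t flags;
+	u_int16_t pad;
+	char prefix[64];
+};
+
+#endif /* _XT_NFLOG_TARGET */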
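Review bot: The new header defines the kernel/userspace ABI for the NFLOG target but documents none of it: nothing says that `flags` must currently be zero (XT_NFLOG_MASK is 0x0, so nflog_checkentry rejects any set bit), that `pad` is reserved, or that `prefix` must be NUL-terminated within its 64 bytes. I would add a short comment on the struct, e.g. `/* Passed verbatim from userspace; len/group/threshold go to nfnetlink_log, flags must be 0 (no flags defined yet), pad is reserved, prefix must be NUL-terminated */`. XT_NFLOG_DEFAULT_GROUP and XT_NFLOG_DEFAULT_THRESHOLD are not read by the kernel code in this commit, so they appear to be userspace (iptables) defaults; a one-line comment saying so would stop the next reader from looking for a kernel consumer.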
|
@ -6,7 +6,7 @@
|
||||||
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
|
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
|
||||||
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
|
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
|
||||||
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
|
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
|
||||||
#define IPT_LOG_NFLOG 0x10 /* Log using nf_log backend */
|
#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
|
||||||
#define IPT_LOG_MASK 0x1f
|
#define IPT_LOG_MASK 0x1f
|
||||||
|
|
||||||
struct ipt_log_info {
|
struct ipt_log_info {
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
|
#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
|
||||||
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
|
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
|
||||||
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
|
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
|
||||||
#define IP6T_LOG_NFLOG 0x10 /* Log using nf_log backend */
|
#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
|
||||||
#define IP6T_LOG_MASK 0x1f
|
#define IP6T_LOG_MASK 0x1f
|
||||||
|
|
||||||
struct ip6t_log_info {
|
struct ip6t_log_info {
|
||||||
|
|
|
@ -430,13 +430,8 @@ ipt_log_target(struct sk_buff **pskb,
|
||||||
li.u.log.level = loginfo->level;
|
li.u.log.level = loginfo->level;
|
||||||
li.u.log.logflags = loginfo->logflags;
|
li.u.log.logflags = loginfo->logflags;
|
||||||
|
|
||||||
if (loginfo->logflags & IPT_LOG_NFLOG)
|
ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
|
||||||
nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
|
loginfo->prefix);
|
||||||
"%s", loginfo->prefix);
|
|
||||||
else
|
|
||||||
ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
|
|
||||||
loginfo->prefix);
|
|
||||||
|
|
||||||
return IPT_CONTINUE;
|
return IPT_CONTINUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
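Review bot: Removing the nf_log_packet() branch changes the behaviour of existing rules that set IPT_LOG_NFLOG without telling anyone: the header hunk above keeps IPT_LOG_MASK at 0x1f, so if ipt_log_checkentry (outside this hunk) still only tests `loginfo->logflags & ~IPT_LOG_MASK`, such rules are still accepted and now silently log to syslog instead of nfnetlink_log. Since the commit message calls the bit an unsupported hack, either reject it in checkentry, `if (loginfo->logflags & IPT_LOG_NFLOG) return 0;`, or at least emit a one-time warning so the operator learns their log destination changed. The same applies to the ip6t_LOG.c hunk below with IP6T_LOG_NFLOG / IP6T_LOG_MASK. ipt_log_target's body starts before this hunk.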
|
@ -440,13 +440,8 @@ ip6t_log_target(struct sk_buff **pskb,
|
||||||
li.u.log.level = loginfo->level;
|
li.u.log.level = loginfo->level;
|
||||||
li.u.log.logflags = loginfo->logflags;
|
li.u.log.logflags = loginfo->logflags;
|
||||||
|
|
||||||
if (loginfo->logflags & IP6T_LOG_NFLOG)
|
ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
|
||||||
nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
|
loginfo->prefix);
|
||||||
"%s", loginfo->prefix);
|
|
||||||
else
|
|
||||||
ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
|
|
||||||
loginfo->prefix);
|
|
||||||
|
|
||||||
return IP6T_CONTINUE;
|
return IP6T_CONTINUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -184,6 +184,17 @@ config NETFILTER_XT_TARGET_NFQUEUE
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
|
config NETFILTER_XT_TARGET_NFLOG
|
||||||
|
tristate '"NFLOG" target support'
|
||||||
|
depends on NETFILTER_XTABLES
|
||||||
|
help
|
||||||
|
This option enables the NFLOG target, which allows to LOG
|
||||||
|
messages through the netfilter logging API, which can use
|
||||||
|
either the old LOG target, the old ULOG target or nfnetlink_log
|
||||||
|
as backend.
|
||||||
|
|
||||||
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
config NETFILTER_XT_TARGET_NOTRACK
|
config NETFILTER_XT_TARGET_NOTRACK
|
||||||
tristate '"NOTRACK" target support'
|
tristate '"NOTRACK" target support'
|
||||||
depends on NETFILTER_XTABLES
|
depends on NETFILTER_XTABLES
|
||||||
|
|
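Review bot: The help text for NETFILTER_XT_TARGET_NFLOG reads awkwardly ("which allows to LOG messages") and does not say what the target logs. I would write `This option enables the NFLOG target, which logs packets through the netfilter logging API; the backend can be the old LOG target, the old ULOG target or nfnetlink_log.` so the help matches the style of the neighbouring NFQUEUE/NOTRACK entries.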
|
@ -31,6 +31,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
|
||||||
|
obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
|
||||||
|
|
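--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_NFLOG.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_NFLOG");
+MODULE_ALIAS("ip6t_NFLOG");
+
+static unsigned int
+nflog_target(struct sk_buff **pskb,
+	     const struct net_device *in, const struct net_device *out,
+	     unsigned int hooknum, const struct xt_target *target,
+	     const void *targinfo)
+{
+	const struct xt_nflog_info *info = targinfo;
+	struct nf_loginfo li;
+
+	li.type = NF_LOG_TYPE_ULOG;
+	li.u.ulog.copy_len = info->len;
+	li.u.ulog.group = info->group;
+	li.u.ulog.qthreshold = info->threshold;
+
+	nf_log_packet(target->family, hooknum, *pskb, in, out, &li,
+		      "%s", info->prefix);
+	return XT_CONTINUE;
+}
+
+static int
+nflog_checkentry(const char *tablename, const void *entry,
+		 const struct xt_target *target, void *targetinfo,
+		 unsigned int hookmask)
+{
+	struct xt_nflog_info *info = targetinfo;
+
+	if (info->flags & ~XT_NFLOG_MASK)
+		return 0;
+	if (info->prefix[sizeof(info->prefix) - 1] != '\0')
+		return 0;
+	return 1;
+}
+
+static struct xt_target xt_nflog_target[] = {
+	{
+		.name = "NFLOG",
+		.family = AF_INET,
+		.checkentry = nflog_checkentry,
+		.target = nflog_target,
+		.targetsize = sizeof(struct xt_nflog_info),
+		.me = THIS_MODULE,
+	},
+	{
+		.name = "NFLOG",
+		.family = AF_INET6,
+		.checkentry = nflog_checkentry,
+		.target = nflog_target,
+		.targetsize = sizeof(struct xt_nflog_info),
+		.me = THIS_MODULE,
+	},
+};
+
+static int __init xt_nflog_init(void)
+{
+	return xt_register_targets(xt_nflog_target,
+				   ARRAY_SIZE(xt_nflog_target));
+}
+
+static void __exit xt_nflog_fini(void)
+{
+	xt_unregister_targets(xt_nflog_target, ARRAY_SIZE(xt_nflog_target));
+}
+
+module_init(xt_nflog_init);
+module_exit(xt_nflog_fini);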
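Review bot: nflog_checkentry validates `flags` against XT_NFLOG_MASK and checks that `prefix` is NUL-terminated, but never checks the `pad` field, so userspace may hand in arbitrary bytes there and any later attempt to give `pad` a meaning will be unable to distinguish old rule blobs from new ones. Requiring it to be zero now keeps the field usable: `if (info->pad != 0) return 0;` next to the flags check. `len`, `group` and `threshold` are copied straight into the nf_loginfo without bounds; presumably the nfnetlink_log backend clamps them (as it does for its own sysfs/netlink settings), but that is outside this file and worth confirming, since a `threshold` of 0 or an oversized `len` otherwise reaches the logger unchecked. Passing the prefix via `"%s"` rather than as the format string is correct and should be kept that way if the call is ever touched.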