1/* 2 * This is a module which is used for logging packets. 3 */ 4 5/* (C) 1999-2001 Paul `Rusty' Russell 6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License version 2 as 10 * published by the Free Software Foundation. 11 */ 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13#include <linux/module.h> 14#include <linux/spinlock.h> 15#include <linux/skbuff.h> 16#include <linux/if_arp.h> 17#include <linux/ip.h> 18#include <net/icmp.h> 19#include <net/udp.h> 20#include <net/tcp.h> 21#include <net/route.h> 22 23#include <linux/netfilter.h> 24#include <linux/netfilter/x_tables.h> 25#include <linux/netfilter_ipv4/ipt_LOG.h> 26#include <net/netfilter/nf_log.h> 27 28MODULE_LICENSE("GPL"); 29MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); 30MODULE_DESCRIPTION("Xtables: IPv4 packet logging to syslog"); 31 32/* Use lock to serialize, so printks don't overlap */ 33static DEFINE_SPINLOCK(log_lock); 34 35/* One level of recursion won't kill us */ 36static void dump_packet(const struct nf_loginfo *info, 37 const struct sk_buff *skb, 38 unsigned int iphoff) 39{ 40 struct iphdr _iph; 41 const struct iphdr *ih; 42 unsigned int logflags; 43 44 if (info->type == NF_LOG_TYPE_LOG) 45 logflags = info->u.log.logflags; 46 else 47 logflags = NF_LOG_MASK; 48 49 ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph); 50 if (ih == NULL) { 51 printk("TRUNCATED"); 52 return; 53 } 54 55 /* Important fields: 56 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */ 57 /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */ 58 printk("SRC=%pI4 DST=%pI4 ", 59 &ih->saddr, &ih->daddr); 60 61 /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ 62 printk("LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", 63 ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, 64 ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); 65 66 /* Max length: 6 "CE DF MF " */ 67 if (ntohs(ih->frag_off) & IP_CE) 68 printk("CE "); 69 if (ntohs(ih->frag_off) & IP_DF) 70 printk("DF "); 71 if (ntohs(ih->frag_off) & IP_MF) 72 printk("MF "); 73 74 /* Max length: 11 "FRAG:65535 " */ 75 if (ntohs(ih->frag_off) & IP_OFFSET) 76 printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); 77 78 if ((logflags & IPT_LOG_IPOPT) && 79 ih->ihl * 4 > sizeof(struct iphdr)) { 80 const unsigned char *op; 81 unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; 82 unsigned int i, optsize; 83 84 optsize = ih->ihl * 4 - sizeof(struct iphdr); 85 op = skb_header_pointer(skb, iphoff+sizeof(_iph), 86 optsize, _opt); 87 if (op == NULL) { 88 printk("TRUNCATED"); 89 return; 90 } 91 92 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 93 printk("OPT ("); 94 for (i = 0; i < optsize; i++) 95 printk("%02X", op[i]); 96 printk(") "); 97 } 98 99 switch (ih->protocol) { 100 case IPPROTO_TCP: { 101 struct tcphdr _tcph; 102 const struct tcphdr *th; 103 104 /* Max length: 10 "PROTO=TCP " */ 105 printk("PROTO=TCP "); 106 107 if (ntohs(ih->frag_off) & IP_OFFSET) 108 break; 109 110 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 111 th = skb_header_pointer(skb, iphoff + ih->ihl * 4, 112 sizeof(_tcph), &_tcph); 113 if (th == NULL) { 114 printk("INCOMPLETE [%u bytes] ", 115 skb->len - iphoff - ih->ihl*4); 116 break; 117 } 118 119 /* Max length: 20 "SPT=65535 DPT=65535 " */ 120 printk("SPT=%u DPT=%u ", 121 ntohs(th->source), ntohs(th->dest)); 122 /* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */ 123 if (logflags & IPT_LOG_TCPSEQ) 124 printk("SEQ=%u ACK=%u ", 125 ntohl(th->seq), ntohl(th->ack_seq)); 126 /* Max length: 13 "WINDOW=65535 " */ 127 printk("WINDOW=%u ", ntohs(th->window)); 128 /* Max length: 9 "RES=0x3F " */ 129 printk("RES=0x%02x ", (u8)(ntohl(tcp_flag_word(th) & TCP_RESERVED_BITS) >> 22)); 130 /* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */ 131 if (th->cwr) 132 printk("CWR "); 133 if (th->ece) 134 printk("ECE "); 135 if (th->urg) 136 printk("URG "); 137 if (th->ack) 138 printk("ACK "); 139 if (th->psh) 140 printk("PSH "); 141 if (th->rst) 142 printk("RST "); 143 if (th->syn) 144 printk("SYN "); 145 if (th->fin) 146 printk("FIN "); 147 /* Max length: 11 "URGP=65535 " */ 148 printk("URGP=%u ", ntohs(th->urg_ptr)); 149 150 if ((logflags & IPT_LOG_TCPOPT) && 151 th->doff * 4 > sizeof(struct tcphdr)) { 152 unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; 153 const unsigned char *op; 154 unsigned int i, optsize; 155 156 optsize = th->doff * 4 - sizeof(struct tcphdr); 157 op = skb_header_pointer(skb, 158 iphoff+ih->ihl*4+sizeof(_tcph), 159 optsize, _opt); 160 if (op == NULL) { 161 printk("TRUNCATED"); 162 return; 163 } 164 165 /* Max length: 127 "OPT (" 15*4*2chars ") " */ 166 printk("OPT ("); 167 for (i = 0; i < optsize; i++) 168 printk("%02X", op[i]); 169 printk(") "); 170 } 171 break; 172 } 173 case IPPROTO_UDP: 174 case IPPROTO_UDPLITE: { 175 struct udphdr _udph; 176 const struct udphdr *uh; 177 178 if (ih->protocol == IPPROTO_UDP) 179 /* Max length: 10 "PROTO=UDP " */ 180 printk("PROTO=UDP " ); 181 else /* Max length: 14 "PROTO=UDPLITE " */ 182 printk("PROTO=UDPLITE "); 183 184 if (ntohs(ih->frag_off) & IP_OFFSET) 185 break; 186 187 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 188 uh = skb_header_pointer(skb, iphoff+ih->ihl*4, 189 sizeof(_udph), &_udph); 190 if (uh == NULL) { 191 printk("INCOMPLETE [%u bytes] ", 192 skb->len - iphoff - ih->ihl*4); 193 break; 194 } 195 196 /* Max length: 20 "SPT=65535 DPT=65535 " */ 197 printk("SPT=%u DPT=%u LEN=%u ", 198 ntohs(uh->source), ntohs(uh->dest), 199 ntohs(uh->len)); 200 break; 201 } 202 case IPPROTO_ICMP: { 203 struct icmphdr _icmph; 204 const struct icmphdr *ich; 205 static const size_t required_len[NR_ICMP_TYPES+1] 206 = { [ICMP_ECHOREPLY] = 4, 207 [ICMP_DEST_UNREACH] 208 = 8 + sizeof(struct iphdr), 209 [ICMP_SOURCE_QUENCH] 210 = 8 + sizeof(struct iphdr), 211 [ICMP_REDIRECT] 212 = 8 + sizeof(struct iphdr), 213 [ICMP_ECHO] = 4, 214 [ICMP_TIME_EXCEEDED] 215 = 8 + sizeof(struct iphdr), 216 [ICMP_PARAMETERPROB] 217 = 8 + sizeof(struct iphdr), 218 [ICMP_TIMESTAMP] = 20, 219 [ICMP_TIMESTAMPREPLY] = 20, 220 [ICMP_ADDRESS] = 12, 221 [ICMP_ADDRESSREPLY] = 12 }; 222 223 /* Max length: 11 "PROTO=ICMP " */ 224 printk("PROTO=ICMP "); 225 226 if (ntohs(ih->frag_off) & IP_OFFSET) 227 break; 228 229 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 230 ich = skb_header_pointer(skb, iphoff + ih->ihl * 4, 231 sizeof(_icmph), &_icmph); 232 if (ich == NULL) { 233 printk("INCOMPLETE [%u bytes] ", 234 skb->len - iphoff - ih->ihl*4); 235 break; 236 } 237 238 /* Max length: 18 "TYPE=255 CODE=255 " */ 239 printk("TYPE=%u CODE=%u ", ich->type, ich->code); 240 241 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 242 if (ich->type <= NR_ICMP_TYPES && 243 required_len[ich->type] && 244 skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { 245 printk("INCOMPLETE [%u bytes] ", 246 skb->len - iphoff - ih->ihl*4); 247 break; 248 } 249 250 switch (ich->type) { 251 case ICMP_ECHOREPLY: 252 case ICMP_ECHO: 253 /* Max length: 19 "ID=65535 SEQ=65535 " */ 254 printk("ID=%u SEQ=%u ", 255 ntohs(ich->un.echo.id), 256 ntohs(ich->un.echo.sequence)); 257 break; 258 259 case ICMP_PARAMETERPROB: 260 /* Max length: 14 "PARAMETER=255 " */ 261 printk("PARAMETER=%u ", 262 ntohl(ich->un.gateway) >> 24); 263 break; 264 case ICMP_REDIRECT: 265 /* Max length: 24 "GATEWAY=255.255.255.255 " */ 266 printk("GATEWAY=%pI4 ", &ich->un.gateway); 267 /* Fall through */ 268 case ICMP_DEST_UNREACH: 269 case ICMP_SOURCE_QUENCH: 270 case ICMP_TIME_EXCEEDED: 271 /* Max length: 3+maxlen */ 272 if (!iphoff) { /* Only recurse once. */ 273 printk("["); 274 dump_packet(info, skb, 275 iphoff + ih->ihl*4+sizeof(_icmph)); 276 printk("] "); 277 } 278 279 /* Max length: 10 "MTU=65535 " */ 280 if (ich->type == ICMP_DEST_UNREACH && 281 ich->code == ICMP_FRAG_NEEDED) 282 printk("MTU=%u ", ntohs(ich->un.frag.mtu)); 283 } 284 break; 285 } 286 /* Max Length */ 287 case IPPROTO_AH: { 288 struct ip_auth_hdr _ahdr; 289 const struct ip_auth_hdr *ah; 290 291 if (ntohs(ih->frag_off) & IP_OFFSET) 292 break; 293 294 /* Max length: 9 "PROTO=AH " */ 295 printk("PROTO=AH "); 296 297 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 298 ah = skb_header_pointer(skb, iphoff+ih->ihl*4, 299 sizeof(_ahdr), &_ahdr); 300 if (ah == NULL) { 301 printk("INCOMPLETE [%u bytes] ", 302 skb->len - iphoff - ih->ihl*4); 303 break; 304 } 305 306 /* Length: 15 "SPI=0xF1234567 " */ 307 printk("SPI=0x%x ", ntohl(ah->spi)); 308 break; 309 } 310 case IPPROTO_ESP: { 311 struct ip_esp_hdr _esph; 312 const struct ip_esp_hdr *eh; 313 314 /* Max length: 10 "PROTO=ESP " */ 315 printk("PROTO=ESP "); 316 317 if (ntohs(ih->frag_off) & IP_OFFSET) 318 break; 319 320 /* Max length: 25 "INCOMPLETE [65535 bytes] " */ 321 eh = skb_header_pointer(skb, iphoff+ih->ihl*4, 322 sizeof(_esph), &_esph); 323 if (eh == NULL) { 324 printk("INCOMPLETE [%u bytes] ", 325 skb->len - iphoff - ih->ihl*4); 326 break; 327 } 328 329 /* Length: 15 "SPI=0xF1234567 " */ 330 printk("SPI=0x%x ", ntohl(eh->spi)); 331 break; 332 } 333 /* Max length: 10 "PROTO 255 " */ 334 default: 335 printk("PROTO=%u ", ih->protocol); 336 } 337 338 /* Max length: 15 "UID=4294967295 " */ 339 if ((logflags & IPT_LOG_UID) && !iphoff && skb->sk) { 340 read_lock_bh(&skb->sk->sk_callback_lock); 341 if (skb->sk->sk_socket && skb->sk->sk_socket->file) 342 printk("UID=%u GID=%u ", 343 skb->sk->sk_socket->file->f_cred->fsuid, 344 skb->sk->sk_socket->file->f_cred->fsgid); 345 read_unlock_bh(&skb->sk->sk_callback_lock); 346 } 347 348 /* Max length: 16 "MARK=0xFFFFFFFF " */ 349 if (!iphoff && skb->mark) 350 printk("MARK=0x%x ", skb->mark); 351 352 /* Proto Max log string length */ 353 /* IP: 40+46+6+11+127 = 230 */ 354 /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */ 355 /* UDP: 10+max(25,20) = 35 */ 356 /* UDPLITE: 14+max(25,20) = 39 */ 357 /* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */ 358 /* ESP: 10+max(25)+15 = 50 */ 359 /* AH: 9+max(25)+15 = 49 */ 360 /* unknown: 10 */ 361 362 /* (ICMP allows recursion one level deep) */ 363 /* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */ 364 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 365} 366 367static void dump_mac_header(const struct nf_loginfo *info, 368 const struct sk_buff *skb) 369{ 370 struct net_device *dev = skb->dev; 371 unsigned int logflags = 0; 372 373 if (info->type == NF_LOG_TYPE_LOG) 374 logflags = info->u.log.logflags; 375 376 if (!(logflags & IPT_LOG_MACDECODE)) 377 goto fallback; 378 379 switch (dev->type) { 380 case ARPHRD_ETHER: 381 printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ", 382 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 383 ntohs(eth_hdr(skb)->h_proto)); 384 return; 385 default: 386 break; 387 } 388 389fallback: 390 printk("MAC="); 391 if (dev->hard_header_len && 392 skb->mac_header != skb->network_header) { 393 const unsigned char *p = skb_mac_header(skb); 394 unsigned int i; 395 396 printk("%02x", *p++); 397 for (i = 1; i < dev->hard_header_len; i++, p++) 398 printk(":%02x", *p); 399 } 400 printk(" "); 401} 402 403static struct nf_loginfo default_loginfo = { 404 .type = NF_LOG_TYPE_LOG, 405 .u = { 406 .log = { 407 .level = 5, 408 .logflags = NF_LOG_MASK, 409 }, 410 }, 411}; 412 413static void 414ipt_log_packet(u_int8_t pf, 415 unsigned int hooknum, 416 const struct sk_buff *skb, 417 const struct net_device *in, 418 const struct net_device *out, 419 const struct nf_loginfo *loginfo, 420 const char *prefix) 421{ 422 if (!loginfo) 423 loginfo = &default_loginfo; 424 425 spin_lock_bh(&log_lock); 426 printk("<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, 427 prefix, 428 in ? in->name : "", 429 out ? out->name : ""); 430#ifdef CONFIG_BRIDGE_NETFILTER 431 if (skb->nf_bridge) { 432 const struct net_device *physindev; 433 const struct net_device *physoutdev; 434 435 physindev = skb->nf_bridge->physindev; 436 if (physindev && in != physindev) 437 printk("PHYSIN=%s ", physindev->name); 438 physoutdev = skb->nf_bridge->physoutdev; 439 if (physoutdev && out != physoutdev) 440 printk("PHYSOUT=%s ", physoutdev->name); 441 } 442#endif 443 444 /* MAC logging for input path only. */ 445 if (in && !out) 446 dump_mac_header(loginfo, skb); 447 448 dump_packet(loginfo, skb, 0); 449 printk("\n"); 450 spin_unlock_bh(&log_lock); 451} 452 453static unsigned int 454log_tg(struct sk_buff *skb, const struct xt_action_param *par) 455{ 456 const struct ipt_log_info *loginfo = par->targinfo; 457 struct nf_loginfo li; 458 459 li.type = NF_LOG_TYPE_LOG; 460 li.u.log.level = loginfo->level; 461 li.u.log.logflags = loginfo->logflags; 462 463 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in, par->out, &li, 464 loginfo->prefix); 465 return XT_CONTINUE; 466} 467 468static int log_tg_check(const struct xt_tgchk_param *par) 469{ 470 const struct ipt_log_info *loginfo = par->targinfo; 471 472 if (loginfo->level >= 8) { 473 pr_debug("level %u >= 8\n", loginfo->level); 474 return -EINVAL; 475 } 476 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 477 pr_debug("prefix is not null-terminated\n"); 478 return -EINVAL; 479 } 480 return 0; 481} 482 483static struct xt_target log_tg_reg __read_mostly = { 484 .name = "LOG", 485 .family = NFPROTO_IPV4, 486 .target = log_tg, 487 .targetsize = sizeof(struct ipt_log_info), 488 .checkentry = log_tg_check, 489 .me = THIS_MODULE, 490}; 491 492static struct nf_logger ipt_log_logger __read_mostly = { 493 .name = "ipt_LOG", 494 .logfn = &ipt_log_packet, 495 .me = THIS_MODULE, 496}; 497 498static int __init log_tg_init(void) 499{ 500 int ret; 501 502 ret = xt_register_target(&log_tg_reg); 503 if (ret < 0) 504 return ret; 505 nf_log_register(NFPROTO_IPV4, &ipt_log_logger); 506 return 0; 507} 508 509static void __exit log_tg_exit(void) 510{ 511 nf_log_unregister(&ipt_log_logger); 512 xt_unregister_target(&log_tg_reg); 513} 514 515module_init(log_tg_init); 516module_exit(log_tg_exit); 517