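/*
 * This is a module which is used for logging packets.
 */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/icmp.h>
#include <net/udp.h>
#include <net/tcp.h>
#include <net/route.h>

#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("iptables syslog logging module");

/* Debug output is compiled out: DEBUGP() expands to nothing. */
#define DEBUGP(format, args...)

/* Use lock to serialize, so printks don't overlap */
static DEFINE_SPINLOCK(log_lock);

/*
 * dump_packet - print the IPv4 header and the transport header of a packet
 * @info:   logging options; the logflags are honoured only when
 *          info->type == NF_LOG_TYPE_LOG, otherwise everything is logged
 * @skb:    the packet being logged
 * @iphoff: offset of the IPv4 header inside @skb: 0 for the outer header,
 *          non-zero when called recursively for the header embedded in an
 *          ICMP error
 *
 * Every header is fetched through skb_header_pointer(), so a packet that is
 * shorter than the headers it advertises yields "TRUNCATED" or
 * "INCOMPLETE [...]" in the log instead of an out-of-bounds read.  Output
 * goes through printk(); the caller (ipt_log_packet) holds log_lock so the
 * many small writes of one line are not interleaved with another CPU's.
 *
 * One level of recursion won't kill us: ICMP errors carry the offending
 * IP header, which is dumped once more inside "[...]", and the !iphoff
 * guards below stop the recursion there.
 */
static void dump_packet(const struct nf_loginfo *info,
			const struct sk_buff *skb,
			unsigned int iphoff)
{
	struct iphdr _iph, *ih;
	unsigned int logflags;

	if (info->type == NF_LOG_TYPE_LOG)
		logflags = info->u.log.logflags;
	else
		logflags = NF_LOG_MASK;

	ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
	if (ih == NULL) {
		printk("TRUNCATED");
		return;
	}

	/* Important fields:
	 * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
	/* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
	printk("SRC=%u.%u.%u.%u DST=%u.%u.%u.%u ",
	       NIPQUAD(ih->saddr), NIPQUAD(ih->daddr));

	/* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
	printk("LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
	       ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
	       ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));

	/* Max length: 6 "CE DF MF " */
	if (ntohs(ih->frag_off) & IP_CE)
		printk("CE ");
	if (ntohs(ih->frag_off) & IP_DF)
		printk("DF ");
	if (ntohs(ih->frag_off) & IP_MF)
		printk("MF ");

	/* Max length: 11 "FRAG:65535 " */
	if (ntohs(ih->frag_off) & IP_OFFSET)
		printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);

	if ((logflags & IPT_LOG_IPOPT)
	    && ih->ihl * 4 > sizeof(struct iphdr)) {
		/* ihl is a 4-bit word count, so the header is at most 15*4
		 * bytes and the option area always fits this buffer. */
		unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op;
		unsigned int i, optsize;

		optsize = ih->ihl * 4 - sizeof(struct iphdr);
		op = skb_header_pointer(skb, iphoff+sizeof(_iph),
					optsize, _opt);
		if (op == NULL) {
			printk("TRUNCATED");
			return;
		}

		/* Max length: 127 "OPT (" 15*4*2chars ") " */
		printk("OPT (");
		for (i = 0; i < optsize; i++)
			printk("%02X", op[i]);
		printk(") ");
	}

	switch (ih->protocol) {
	case IPPROTO_TCP: {
		struct tcphdr _tcph, *th;

		/* Max length: 10 "PROTO=TCP " */
		printk("PROTO=TCP ");

		/* A non-first fragment carries no transport header. */
		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		th = skb_header_pointer(skb, iphoff + ih->ihl * 4,
					sizeof(_tcph), &_tcph);
		if (th == NULL) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		/* Max length: 20 "SPT=65535 DPT=65535 " */
		printk("SPT=%u DPT=%u ",
		       ntohs(th->source), ntohs(th->dest));
		/* Max length: 30 "SEQ=4294967295 ACK=4294967295 " */
		if (logflags & IPT_LOG_TCPSEQ)
			printk("SEQ=%u ACK=%u ",
			       ntohl(th->seq), ntohl(th->ack_seq));
		/* Max length: 13 "WINDOW=65535 " */
		printk("WINDOW=%u ", ntohs(th->window));
		/* Max length: 9 "RES=0x3F " */
		printk("RES=0x%02x ", (u8)(ntohl(tcp_flag_word(th) & TCP_RESERVED_BITS) >> 22));
		/* Max length: 32 "CWR ECE URG ACK PSH RST SYN FIN " */
		if (th->cwr)
			printk("CWR ");
		if (th->ece)
			printk("ECE ");
		if (th->urg)
			printk("URG ");
		if (th->ack)
			printk("ACK ");
		if (th->psh)
			printk("PSH ");
		if (th->rst)
			printk("RST ");
		if (th->syn)
			printk("SYN ");
		if (th->fin)
			printk("FIN ");
		/* Max length: 11 "URGP=65535 " */
		printk("URGP=%u ", ntohs(th->urg_ptr));

		if ((logflags & IPT_LOG_TCPOPT)
		    && th->doff * 4 > sizeof(struct tcphdr)) {
			/* doff is a 4-bit word count, same bound as ihl. */
			unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
			unsigned char *op;
			unsigned int i, optsize;

			optsize = th->doff * 4 - sizeof(struct tcphdr);
			op = skb_header_pointer(skb,
						iphoff+ih->ihl*4+sizeof(_tcph),
						optsize, _opt);
			if (op == NULL) {
				printk("TRUNCATED");
				return;
			}

			/* Max length: 127 "OPT (" 15*4*2chars ") " */
			printk("OPT (");
			for (i = 0; i < optsize; i++)
				printk("%02X", op[i]);
			printk(") ");
		}
		break;
	}
	case IPPROTO_UDP:
	case IPPROTO_UDPLITE: {
		struct udphdr _udph, *uh;

		if (ih->protocol == IPPROTO_UDP)
			/* Max length: 10 "PROTO=UDP " */
			printk("PROTO=UDP ");
		else	/* Max length: 14 "PROTO=UDPLITE " */
			printk("PROTO=UDPLITE ");

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		uh = skb_header_pointer(skb, iphoff+ih->ihl*4,
					sizeof(_udph), &_udph);
		if (uh == NULL) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		/* Max length: 30 "SPT=65535 DPT=65535 LEN=65535 " */
		printk("SPT=%u DPT=%u LEN=%u ",
		       ntohs(uh->source), ntohs(uh->dest),
		       ntohs(uh->len));
		break;
	}
	case IPPROTO_ICMP: {
		struct icmphdr _icmph, *ich;
		/* Bytes, counted from the start of the ICMP header, that a
		 * message of each type must carry before its type-specific
		 * fields below are read; 0 means nothing beyond the header
		 * already fetched. */
		static const size_t required_len[NR_ICMP_TYPES+1]
			= { [ICMP_ECHOREPLY] = 4,
			    [ICMP_DEST_UNREACH]
			    = 8 + sizeof(struct iphdr),
			    [ICMP_SOURCE_QUENCH]
			    = 8 + sizeof(struct iphdr),
			    [ICMP_REDIRECT]
			    = 8 + sizeof(struct iphdr),
			    [ICMP_ECHO] = 4,
			    [ICMP_TIME_EXCEEDED]
			    = 8 + sizeof(struct iphdr),
			    [ICMP_PARAMETERPROB]
			    = 8 + sizeof(struct iphdr),
			    [ICMP_TIMESTAMP] = 20,
			    [ICMP_TIMESTAMPREPLY] = 20,
			    [ICMP_ADDRESS] = 12,
			    [ICMP_ADDRESSREPLY] = 12 };

		/* Max length: 11 "PROTO=ICMP " */
		printk("PROTO=ICMP ");

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
					 sizeof(_icmph), &_icmph);
		if (ich == NULL) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		/* Max length: 18 "TYPE=255 CODE=255 " */
		printk("TYPE=%u CODE=%u ", ich->type, ich->code);

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		if (ich->type <= NR_ICMP_TYPES
		    && required_len[ich->type]
		    && skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		switch (ich->type) {
		case ICMP_ECHOREPLY:
		case ICMP_ECHO:
			/* Max length: 19 "ID=65535 SEQ=65535 " */
			printk("ID=%u SEQ=%u ",
			       ntohs(ich->un.echo.id),
			       ntohs(ich->un.echo.sequence));
			break;

		case ICMP_PARAMETERPROB:
			/* Max length: 14 "PARAMETER=255 " */
			printk("PARAMETER=%u ",
			       ntohl(ich->un.gateway) >> 24);
			break;
		case ICMP_REDIRECT:
			/* Max length: 24 "GATEWAY=255.255.255.255 " */
			printk("GATEWAY=%u.%u.%u.%u ",
			       NIPQUAD(ich->un.gateway));
			/* Fall through */
		case ICMP_DEST_UNREACH:
		case ICMP_SOURCE_QUENCH:
		case ICMP_TIME_EXCEEDED:
			/* Max length: 3+maxlen */
			if (!iphoff) { /* Only recurse once. */
				printk("[");
				dump_packet(info, skb,
					    iphoff + ih->ihl*4+sizeof(_icmph));
				printk("] ");
			}

			/* Max length: 10 "MTU=65535 " */
			if (ich->type == ICMP_DEST_UNREACH
			    && ich->code == ICMP_FRAG_NEEDED)
				printk("MTU=%u ", ntohs(ich->un.frag.mtu));
		}
		break;
	}
	case IPPROTO_AH: {
		struct ip_auth_hdr _ahdr, *ah;

		/* Max length: 9 "PROTO=AH " */
		/* Printed before the fragment check, like every other
		 * protocol, so a non-first AH fragment still names its
		 * protocol in the log. */
		printk("PROTO=AH ");

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
					sizeof(_ahdr), &_ahdr);
		if (ah == NULL) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		/* Length: 15 "SPI=0xF1234567 " */
		printk("SPI=0x%x ", ntohl(ah->spi));
		break;
	}
	case IPPROTO_ESP: {
		struct ip_esp_hdr _esph, *eh;

		/* Max length: 10 "PROTO=ESP " */
		printk("PROTO=ESP ");

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
		eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
					sizeof(_esph), &_esph);
		if (eh == NULL) {
			printk("INCOMPLETE [%u bytes] ",
			       skb->len - iphoff - ih->ihl*4);
			break;
		}

		/* Length: 15 "SPI=0xF1234567 " */
		printk("SPI=0x%x ", ntohl(eh->spi));
		break;
	}
	/* Max length: 10 "PROTO 255 " */
	default:
		printk("PROTO=%u ", ih->protocol);
	}

	/* Max length: 15 "UID=4294967295 " */
	/* Only the outer packet (iphoff == 0) can belong to a local socket;
	 * sk_callback_lock is held while sk_socket/file are dereferenced. */
	if ((logflags & IPT_LOG_UID) && !iphoff && skb->sk) {
		read_lock_bh(&skb->sk->sk_callback_lock);
		if (skb->sk->sk_socket && skb->sk->sk_socket->file)
			printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
		read_unlock_bh(&skb->sk->sk_callback_lock);
	}

	/* Proto Max log string length */
	/* IP: 40+46+6+11+127 = 230 */
	/* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
	/* UDP: 10+max(25,30) = 40 */
	/* UDPLITE: 14+max(25,30) = 44 */
	/* ICMP: 11+max(25, 18+25+max(19,14,24+3+n+10,3+n+10)) = 91+n */
	/* ESP: 10+max(25)+15 = 50 */
	/* AH: 9+max(25)+15 = 49 */
	/* unknown: 10 */

	/* (ICMP allows recursion one level deep) */
	/* maxlen = IP + ICMP + IP + max(TCP,UDP,ICMP,unknown) */
	/* maxlen = 230+ 91 + 230 + 252 = 803 */
}

/* Used when a caller of the nf_logger hook passes no nf_loginfo. */
static struct nf_loginfo default_loginfo = {
	.type = NF_LOG_TYPE_LOG,
	.u = {
		.log = {
			.level = 0,
			.logflags = NF_LOG_MASK,
		},
	},
};

/*
 * ipt_log_packet - emit one complete log line for @skb
 * @pf:      address family; required by the nf_logger signature, unused here
 * @hooknum: netfilter hook; required by the nf_logger signature, unused here
 * @skb:     packet to log
 * @in:      ingress device, may be NULL
 * @out:     egress device, may be NULL
 * @loginfo: log level and flags; NULL selects default_loginfo
 * @prefix:  NUL-terminated string written verbatim after the log level
 *
 * Holds log_lock (bottom halves disabled) for the whole line so that the
 * many small printk() calls making up one packet are not interleaved with
 * another CPU's.  The leading "<%d>" is the syslog level of the line, which
 * is why the level is range-checked in ipt_log_checkentry.
 */
static void
ipt_log_packet(unsigned int pf,
	       unsigned int hooknum,
	       const struct sk_buff *skb,
	       const struct net_device *in,
	       const struct net_device *out,
	       const struct nf_loginfo *loginfo,
	       const char *prefix)
{
	if (!loginfo)
		loginfo = &default_loginfo;

	spin_lock_bh(&log_lock);
	printk("<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
	       prefix,
	       in ? in->name : "",
	       out ? out->name : "");
#ifdef CONFIG_BRIDGE_NETFILTER
	if (skb->nf_bridge) {
		struct net_device *physindev = skb->nf_bridge->physindev;
		struct net_device *physoutdev = skb->nf_bridge->physoutdev;

		if (physindev && in != physindev)
			printk("PHYSIN=%s ", physindev->name);
		if (physoutdev && out != physoutdev)
			printk("PHYSOUT=%s ", physoutdev->name);
	}
#endif

	if (in && !out) {
		/* MAC logging for input chain only. */
		printk("MAC=");
		if (skb->dev && skb->dev->hard_header_len
		    && skb->mac_header != skb->network_header) {
			int i;
			/* NOTE(review): unlike dump_packet(), this reads
			 * hard_header_len bytes straight from the MAC header
			 * without an skb_header_pointer()-style length check;
			 * relies on the link layer having placed a full header
			 * in the linear area -- confirm for every device type
			 * that can reach the INPUT path. */
			const unsigned char *p = skb_mac_header(skb);
			for (i = 0; i < skb->dev->hard_header_len; i++,p++)
				printk("%02x%c", *p,
				       i==skb->dev->hard_header_len - 1
				       ? ' ':':');
		} else
			printk(" ");
	}

	dump_packet(loginfo, skb, 0);
	printk("\n");
	spin_unlock_bh(&log_lock);
}

/*
 * ipt_log_target - xt_target entry point for the LOG target
 *
 * Converts the rule's ipt_log_info (@targinfo, validated by
 * ipt_log_checkentry) into an nf_loginfo, logs the packet, and always
 * returns XT_CONTINUE so rule traversal goes on: LOG never drops or
 * accepts a packet by itself.
 */
static unsigned int
ipt_log_target(struct sk_buff **pskb,
	       const struct net_device *in,
	       const struct net_device *out,
	       unsigned int hooknum,
	       const struct xt_target *target,
	       const void *targinfo)
{
	const struct ipt_log_info *loginfo = targinfo;
	struct nf_loginfo li;

	li.type = NF_LOG_TYPE_LOG;
	li.u.log.level = loginfo->level;
	li.u.log.logflags = loginfo->logflags;

	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
		       loginfo->prefix);
	return XT_CONTINUE;
}

/*
 * ipt_log_checkentry - validate the LOG rule data before the rule is used
 *
 * @targinfo is the ipt_log_info supplied with the rule.  Two fields are
 * consumed unchecked later on, so they are checked here: the level is
 * emitted as the "<%d>" syslog priority in ipt_log_packet and must be
 * 0..7, and the prefix is printed with "%s" and so must be NUL-terminated
 * inside its fixed-size array.  Returns 1 to accept the rule, 0 to reject
 * it.
 */
static int ipt_log_checkentry(const char *tablename,
			      const void *e,
			      const struct xt_target *target,
			      void *targinfo,
			      unsigned int hook_mask)
{
	const struct ipt_log_info *loginfo = targinfo;

	if (loginfo->level >= 8) {
		DEBUGP("LOG: level %u >= 8\n", loginfo->level);
		return 0;
	}
	/* Without a terminator inside the array, the "%s" in
	 * ipt_log_packet would read past the rule data. */
	if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
		DEBUGP("LOG: prefix term %i\n",
		       loginfo->prefix[sizeof(loginfo->prefix)-1]);
		return 0;
	}
	return 1;
}

static struct xt_target ipt_log_reg = {
	.name		= "LOG",
	.family		= AF_INET,
	.target		= ipt_log_target,
	.targetsize	= sizeof(struct ipt_log_info),
	.checkentry	= ipt_log_checkentry,
	.me		= THIS_MODULE,
};

/* Registered as the PF_INET logger so other netfilter code can log
 * through ipt_log_packet as well. */
static struct nf_logger ipt_log_logger = {
	.name		= "ipt_LOG",
	.logfn		= &ipt_log_packet,
	.me		= THIS_MODULE,
};

/*
 * ipt_log_init - register the LOG target and the PF_INET logger
 *
 * A failed module init unloads the module, so nothing may stay registered
 * behind an error return.  -EEXIST from nf_log_register is the one case
 * the target is deliberately kept for (a logger for PF_INET is already in
 * place), so it is treated as success rather than failing the load with
 * the target still registered.
 */
static int __init ipt_log_init(void)
{
	int ret;

	ret = xt_register_target(&ipt_log_reg);
	if (ret < 0)
		return ret;
	ret = nf_log_register(PF_INET, &ipt_log_logger);
	if (ret < 0 && ret != -EEXIST) {
		xt_unregister_target(&ipt_log_reg);
		return ret;
	}
	/* NOTE(review): on -EEXIST the logger was not installed by us;
	 * ipt_log_fini still calls nf_log_unregister() on it -- confirm
	 * that call tolerates a logger that is not the registered one. */
	return 0;
}

static void __exit ipt_log_fini(void)
{
	nf_log_unregister(&ipt_log_logger);
	xt_unregister_target(&ipt_log_reg);
}

module_init(ipt_log_init);
module_exit(ipt_log_fini);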