Commit 62eec0d7 authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: conntrack: pass hook state to log functions



The packet logger backend is unable to provide the incoming (or
outgoing) interface name because that information isn't available.

Pass the hook state instead; it contains the network namespace, the protocol
family, the network interfaces and other things.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 836382dc
+12 −8
@@ -159,22 +159,26 @@ unsigned int nf_ct_port_nlattr_tuple_size(void);
extern const struct nla_policy nf_ct_port_nla_policy[];

#ifdef CONFIG_SYSCTL
__printf(3, 4) __cold
__printf(4, 5) __cold
void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
			       const struct nf_conn *ct,
			       const struct nf_hook_state *state,
			       const char *fmt, ...);
__printf(5, 6) __cold
__printf(4, 5) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb,
			    struct net *net,
			    u16 pf, u8 protonum,
			    const struct nf_hook_state *state,
			    u8 protonum,
			    const char *fmt, ...);
#else
static inline __printf(5, 6) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb, struct net *net,
			    u16 pf, u8 protonum, const char *fmt, ...) {}
static inline __printf(3, 4) __cold
static inline __printf(4, 5) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    u8 protonum,
			    const char *fmt, ...) {}
static inline __printf(4, 5) __cold
void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
			       const struct nf_conn *ct,
			       const struct nf_hook_state *state,
			       const char *fmt, ...) { }
#endif /* CONFIG_SYSCTL */
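Review bot: The new CONFIG_SYSCTL prototypes of nf_l4proto_log_invalid and nf_ct_l4proto_log_invalid say nothing about what `state` is used for or that it must not be NULL, although the out-of-line implementation in this commit dereferences it unconditionally for `state->net`, `state->pf` and `state->in`/`state->out`. A short comment above each declaration would make that contract visible to future callers, e.g. `/* @state must be a valid hook state: the log entry takes its netns, pf and in/out devices from it. */`. The `#else` stubs are empty bodies that discard every argument, so a caller passing a NULL state would only be noticed in a CONFIG_SYSCTL build; the same sentence is worth keeping next to the stubs for that reason.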

+9 −7
@@ -45,12 +45,13 @@
static DEFINE_MUTEX(nf_ct_proto_mutex);

#ifdef CONFIG_SYSCTL
__printf(5, 6)
__printf(4, 5)
void nf_l4proto_log_invalid(const struct sk_buff *skb,
			    struct net *net,
			    u16 pf, u8 protonum,
			    const struct nf_hook_state *state,
			    u8 protonum,
			    const char *fmt, ...)
{
	struct net *net = state->net;
	struct va_format vaf;
	va_list args;

@@ -62,15 +63,16 @@ void nf_l4proto_log_invalid(const struct sk_buff *skb,
	vaf.fmt = fmt;
	vaf.va = &args;

	nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
		      "nf_ct_proto_%d: %pV ", protonum, &vaf);
	nf_log_packet(net, state->pf, 0, skb, state->in, state->out,
		      NULL, "nf_ct_proto_%d: %pV ", protonum, &vaf);
	va_end(args);
}
EXPORT_SYMBOL_GPL(nf_l4proto_log_invalid);

__printf(3, 4)
__printf(4, 5)
void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
			       const struct nf_conn *ct,
			       const struct nf_hook_state *state,
			       const char *fmt, ...)
{
	struct va_format vaf;
@@ -85,7 +87,7 @@ void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
	vaf.fmt = fmt;
	vaf.va = &args;

	nf_l4proto_log_invalid(skb, net, nf_ct_l3num(ct),
	nf_l4proto_log_invalid(skb, state,
			       nf_ct_protonum(ct), "%pV", &vaf);
	va_end(args);
}
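Review bot: `struct net *net = state->net;` right after the new signature, and the `state->in`/`state->out` arguments passed to nf_log_packet in the second hunk, dereference `state` with no check, so the function now carries a hard non-NULL precondition that the old `(net, pf)` signature did not impose on callers. Every call site converted in this commit already holds a hook state, so this is a documentation point rather than a visible bug: I would add `/* @state must be non-NULL: netns, pf and in/out devices for the log entry come from it */` above the definition. In nf_ct_l4proto_log_invalid the conntrack's own netns presumably still drives a sysctl check before the third hunk (its body begins outside it); if so, the same check is then repeated on `state->net` inside nf_l4proto_log_invalid, which is harmless but deserves a one-line comment if the two namespaces are expected to be identical.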
+7 −7
@@ -382,7 +382,8 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =

static noinline bool
dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
	 const struct dccp_hdr *dh)
	 const struct dccp_hdr *dh,
	 const struct nf_hook_state *hook_state)
{
	struct net *net = nf_ct_net(ct);
	struct nf_dccp_net *dn;
@@ -414,7 +415,7 @@ dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
	return true;

out_invalid:
	nf_ct_l4proto_log_invalid(skb, ct, "%s", msg);
	nf_ct_l4proto_log_invalid(skb, ct, hook_state, "%s", msg);
	return false;
}

@@ -464,8 +465,7 @@ static bool dccp_error(const struct dccp_hdr *dh,
	}
	return false;
out_invalid:
	nf_l4proto_log_invalid(skb, state->net, state->pf,
			       IPPROTO_DCCP, "%s", msg);
	nf_l4proto_log_invalid(skb, state, IPPROTO_DCCP, "%s", msg);
	return true;
}

@@ -488,7 +488,7 @@ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
		return -NF_ACCEPT;

	type = dh->dccph_type;
	if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
	if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh, state))
		return -NF_ACCEPT;

	if (type == DCCP_PKT_RESET &&
@@ -543,11 +543,11 @@ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
		ct->proto.dccp.last_pkt = type;

		spin_unlock_bh(&ct->lock);
		nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid packet");
		nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid packet");
		return NF_ACCEPT;
	case CT_DCCP_INVALID:
		spin_unlock_bh(&ct->lock);
		nf_ct_l4proto_log_invalid(skb, ct, "%s", "invalid state transition");
		nf_ct_l4proto_log_invalid(skb, ct, state, "%s", "invalid state transition");
		return -NF_ACCEPT;
	}
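Review bot: dccp_new names its new parameter `hook_state` while every other function in this file that receives the same object calls it `state` (dccp_error in the third hunk, and nf_conntrack_dccp_packet, which passes `state` into dccp_new in the fourth); consistent naming would read better: `const struct nf_hook_state *state)` in the signature and `nf_ct_l4proto_log_invalid(skb, ct, state, "%s", msg);` at the out_invalid label. dccp_new also keeps `struct net *net = nf_ct_net(ct);`, so with a hook state in hand the netns is now reachable in two ways; if they are expected to match, a brief comment saying which one is authoritative for the logging path would help the next reader. dccp_new's body continues outside the first two hunks.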

+3 −4
@@ -170,12 +170,12 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
	ct_daddr = &ct->tuplehash[dir].tuple.dst.u3;
	if (!nf_inet_addr_cmp(outer_daddr, ct_daddr)) {
		if (state->pf == AF_INET) {
			nf_l4proto_log_invalid(skb, state->net, state->pf,
			nf_l4proto_log_invalid(skb, state,
					       l4proto,
					       "outer daddr %pI4 != inner %pI4",
					       &outer_daddr->ip, &ct_daddr->ip);
		} else if (state->pf == AF_INET6) {
			nf_l4proto_log_invalid(skb, state->net, state->pf,
			nf_l4proto_log_invalid(skb, state,
					       l4proto,
					       "outer daddr %pI6 != inner %pI6",
					       &outer_daddr->ip6, &ct_daddr->ip6);
@@ -197,8 +197,7 @@ static void icmp_error_log(const struct sk_buff *skb,
			   const struct nf_hook_state *state,
			   const char *msg)
{
	nf_l4proto_log_invalid(skb, state->net, state->pf,
			       IPPROTO_ICMP, "%s", msg);
	nf_l4proto_log_invalid(skb, state, IPPROTO_ICMP, "%s", msg);
}

/* Small and modified version of icmp_rcv */
+1 −2
@@ -126,8 +126,7 @@ static void icmpv6_error_log(const struct sk_buff *skb,
			     const struct nf_hook_state *state,
			     const char *msg)
{
	nf_l4proto_log_invalid(skb, state->net, state->pf,
			       IPPROTO_ICMPV6, "%s", msg);
	nf_l4proto_log_invalid(skb, state, IPPROTO_ICMPV6, "%s", msg);
}

int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,