netfilter: nft_log: complete NFTA_LOG_FLAGS attr support

NFTA_LOG_FLAGS attribute is already supported, but the related
NF_LOG_XXX flags are not exposed to the userspace. So we cannot
explicitly enable log flags to log uid, tcp sequence, ip options
and so on, i.e. such rule "nft add rule filter output log uid"
is not supported yet.

So move NF_LOG_XXX macro definitions to the uapi/../nf_log.h. In
order to keep consistent with other modules, change NF_LOG_MASK to
refer to all supported log flags. On the other hand, add a new
NF_LOG_DEFAULT_MASK to refer to the original default log flags.

Finally, if user specify the unsupported log flags or NFTA_LOG_GROUP
and NFTA_LOG_FLAGS are set at the same time, report EINVAL to the
userspace.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index ee07dc8b0a7bd06c2f563657dde75a11315e8497..309cd267be4faf589927478c39615e1eef144fd6 100644 (file)
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -2,15 +2,10 @@
 #define _NF_LOG_H
 
 #include <linux/netfilter.h>
+#include <linux/netfilter/nf_log.h>
 
-/* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will
- * disappear once iptables is replaced with pkttables.  Please DO NOT use them
- * for any new code! */
-#define NF_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
-#define NF_LOG_TCPOPT          0x02    /* Log TCP options */
-#define NF_LOG_IPOPT           0x04    /* Log IP options */
-#define NF_LOG_UID             0x08    /* Log UID owning local socket */
-#define NF_LOG_MASK            0x0f
+/* Log tcp sequence, tcp options, ip options and uid owning local socket */
+#define NF_LOG_DEFAULT_MASK    0x0f
 
 /* This flag indicates that copy_len field in nf_loginfo is set */
 #define NF_LOG_F_COPY_LEN      0x1

diff --git a/include/uapi/linux/netfilter/nf_log.h b/include/uapi/linux/netfilter/nf_log.h
new file mode 100644 (file)
index 0000000..8be21e0
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_log.h
@@ -0,0 +1,12 @@
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT          0x02    /* Log TCP options */
+#define NF_LOG_IPOPT           0x04    /* Log IP options */
+#define NF_LOG_UID             0x08    /* Log UID owning local socket */
+#define NF_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE       0x20    /* Decode MAC header */
+#define NF_LOG_MASK            0x2f
+
+#endif /* _NETFILTER_NF_LOG_H */

diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 152300d164acd1bb9702aa60db5f7a3ccc4752fe..9a11086ba6ff4a966e551ea650bc15df1b4483ac 100644 (file)
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -91,7 +91,7 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
        if (loginfo->type == NF_LOG_TYPE_LOG)
                bitmask = loginfo->u.log.logflags;
        else
-               bitmask = NF_LOG_MASK;
+               bitmask = NF_LOG_DEFAULT_MASK;
 
        if ((bitmask & EBT_LOG_IP) && eth_hdr(skb)->h_proto ==
           htons(ETH_P_IP)) {

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f993545a337342d2fbb912b7560cd1529c0b8145..7c00ce90adb8496ed9fb97894163f783b158e7cf 100644 (file)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -156,7 +156,7 @@ static struct nf_loginfo trace_loginfo = {
        .u = {
                .log = {
                        .level = 4,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index 8945c26538149110c979ce58abd4f56461908718..b24795e2ee6d486c871149811b7916145345f6ea 100644 (file)
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
@@ -30,7 +30,7 @@ static struct nf_loginfo default_loginfo = {
        .u = {
                .log = {
                        .level    = LOGLEVEL_NOTICE,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };

diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
index 20f225593a8b14563d68f13685d571aa2cfc47b8..5b571e1b5f1502ccae773f8430d7034280a70923 100644 (file)
--- a/net/ipv4/netfilter/nf_log_ipv4.c
+++ b/net/ipv4/netfilter/nf_log_ipv4.c
@@ -29,7 +29,7 @@ static struct nf_loginfo default_loginfo = {
        .u = {
                .log = {
                        .level    = LOGLEVEL_NOTICE,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };
@@ -46,7 +46,7 @@ static void dump_ipv4_packet(struct nf_log_buf *m,
        if (info->type == NF_LOG_TYPE_LOG)
                logflags = info->u.log.logflags;
        else
-               logflags = NF_LOG_MASK;
+               logflags = NF_LOG_DEFAULT_MASK;
 
        ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
        if (ih == NULL) {

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 552fac2f390a2747c3ca9821fbb06d52ccaf0d9e..55aacea24396dc17d429896c5ff77e5e8162a52e 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -190,7 +190,7 @@ static struct nf_loginfo trace_loginfo = {
        .u = {
                .log = {
                        .level = LOGLEVEL_WARNING,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };

diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index c1bcf699a23d1fb00f4d389bcdf6bcbe286d9e7d..f6aee2895fee0328efe959fe3c4a60b84ef5bd8b 100644 (file)
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -30,7 +30,7 @@ static struct nf_loginfo default_loginfo = {
        .u = {
                .log = {
                        .level    = LOGLEVEL_NOTICE,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };
@@ -52,7 +52,7 @@ static void dump_ipv6_packet(struct nf_log_buf *m,
        if (info->type == NF_LOG_TYPE_LOG)
                logflags = info->u.log.logflags;
        else
-               logflags = NF_LOG_MASK;
+               logflags = NF_LOG_DEFAULT_MASK;
 
        ih = skb_header_pointer(skb, ip6hoff, sizeof(_ip6h), &_ip6h);
        if (ih == NULL) {

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 7c94ce0080d500712f8c668ecc52875ef833e5e4..0dd5c695482f64b248de0906fcbbd1dcb8df6364 100644 (file)
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -34,7 +34,7 @@ static struct nf_loginfo trace_loginfo = {
        .u = {
                .log = {
                        .level = LOGLEVEL_WARNING,
-                       .logflags = NF_LOG_MASK,
+                       .logflags = NF_LOG_DEFAULT_MASK,
                },
        },
 };

diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index 24a73bb26e94471d00491cdf0211a791c9518533..1b01404bb33fa7832b9cbe14ba9ad24142f363f9 100644 (file)
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -58,8 +58,11 @@ static int nft_log_init(const struct nft_ctx *ctx,
        if (tb[NFTA_LOG_LEVEL] != NULL &&
            tb[NFTA_LOG_GROUP] != NULL)
                return -EINVAL;
-       if (tb[NFTA_LOG_GROUP] != NULL)
+       if (tb[NFTA_LOG_GROUP] != NULL) {
                li->type = NF_LOG_TYPE_ULOG;
+               if (tb[NFTA_LOG_FLAGS] != NULL)
+                       return -EINVAL;
+       }
 
        nla = tb[NFTA_LOG_PREFIX];
        if (nla != NULL) {
@@ -87,6 +90,10 @@ static int nft_log_init(const struct nft_ctx *ctx,
                if (tb[NFTA_LOG_FLAGS] != NULL) {
                        li->u.log.logflags =
                                ntohl(nla_get_be32(tb[NFTA_LOG_FLAGS]));
+                       if (li->u.log.logflags & ~NF_LOG_MASK) {
+                               err = -EINVAL;
+                               goto err1;
+                       }
                }
                break;
        case NF_LOG_TYPE_ULOG: