netfilter: nf_log: add packet logging for netdev family

Move layer 2 packet logging into nf_log_l2packet() that resides in
nf_log_common.c, so this can be shared by both bridge and netdev
families.

This patch adds the boiler plate code to register the netdev logging
family.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 309cd267be4faf589927478c39615e1eef144fd6..a559aa41253cee6680ee7f626df523af287ae08d 100644 (file)
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -109,5 +109,10 @@ void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
                               const struct net_device *out,
                               const struct nf_loginfo *loginfo,
                               const char *prefix);
+void nf_log_l2packet(struct net *net, u_int8_t pf, unsigned int hooknum,
+                    const struct sk_buff *skb,
+                    const struct net_device *in,
+                    const struct net_device *out,
+                    const struct nf_loginfo *loginfo, const char *prefix);
 
 #endif /* _NF_LOG_H */

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 9cebf47ac840722d0294713f98ef98595272f0be..e7ef1a1ef3a6af942e511b6385fed7c08b0561ed 100644 (file)
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -22,6 +22,7 @@ config NFT_BRIDGE_REJECT
 
 config NF_LOG_BRIDGE
        tristate "Bridge packet logging"
+       select NF_LOG_COMMON
 
 endif # NF_TABLES_BRIDGE
 

diff --git a/net/bridge/netfilter/nf_log_bridge.c b/net/bridge/netfilter/nf_log_bridge.c
index 1663df59854502b997d9bc56bb49712c0b99f28a..c197b1f844eee9896b20e790df7dce4fbfeb4ea6 100644 (file)
--- a/net/bridge/netfilter/nf_log_bridge.c
+++ b/net/bridge/netfilter/nf_log_bridge.c
@@ -24,21 +24,7 @@ static void nf_log_bridge_packet(struct net *net, u_int8_t pf,
                                 const struct nf_loginfo *loginfo,
                                 const char *prefix)
 {
-       switch (eth_hdr(skb)->h_proto) {
-       case htons(ETH_P_IP):
-               nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out,
-                             loginfo, "%s", prefix);
-               break;
-       case htons(ETH_P_IPV6):
-               nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out,
-                             loginfo, "%s", prefix);
-               break;
-       case htons(ETH_P_ARP):
-       case htons(ETH_P_RARP):
-               nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out,
-                             loginfo, "%s", prefix);
-               break;
-       }
+       nf_log_l2packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
 }
 
 static struct nf_logger nf_bridge_logger __read_mostly = {

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 9bcf899ce16e65473c4980b1ba812838f5e9b713..854dadb196a1d542ce4a00ad56f0dcfa63efa656 100644 (file)
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -57,6 +57,10 @@ config NF_CONNTRACK
 config NF_LOG_COMMON
        tristate
 
+config NF_LOG_NETDEV
+       tristate "Netdev packet logging"
+       select NF_LOG_COMMON
+
 if NF_CONNTRACK
 
 config NF_CONNTRACK_MARK

diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 8faa36c0686d9f223299a578846624c3f2b37b3f..8edd791743fe7dfec72609f0401dab24e5692131 100644 (file)
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -48,6 +48,9 @@ nf_nat-y      := nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \
 # generic transport layer logging
 obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o
 
+# packet logging for netdev family
+obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o
+
 obj-$(CONFIG_NF_NAT) += nf_nat.o
 obj-$(CONFIG_NF_NAT_REDIRECT) += nf_nat_redirect.o
 

diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c
index 119fe1cb1ea917918d586e96c1e034d82e0d151a..ed9b80815fa0b5ca5eea8b807fe59a8432839711 100644 (file)
--- a/net/netfilter/nf_log_common.c
+++ b/net/netfilter/nf_log_common.c
@@ -175,6 +175,33 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
 }
 EXPORT_SYMBOL_GPL(nf_log_dump_packet_common);
 
+/* bridge and netdev logging families share this code. */
+void nf_log_l2packet(struct net *net, u_int8_t pf,
+                    unsigned int hooknum,
+                    const struct sk_buff *skb,
+                    const struct net_device *in,
+                    const struct net_device *out,
+                    const struct nf_loginfo *loginfo,
+                    const char *prefix)
+{
+       switch (eth_hdr(skb)->h_proto) {
+       case htons(ETH_P_IP):
+               nf_log_packet(net, NFPROTO_IPV4, hooknum, skb, in, out,
+                             loginfo, "%s", prefix);
+               break;
+       case htons(ETH_P_IPV6):
+               nf_log_packet(net, NFPROTO_IPV6, hooknum, skb, in, out,
+                             loginfo, "%s", prefix);
+               break;
+       case htons(ETH_P_ARP):
+       case htons(ETH_P_RARP):
+               nf_log_packet(net, NFPROTO_ARP, hooknum, skb, in, out,
+                             loginfo, "%s", prefix);
+               break;
+       }
+}
+EXPORT_SYMBOL_GPL(nf_log_l2packet);
+
 static int __init nf_log_common_init(void)
 {
        return 0;

diff --git a/net/netfilter/nf_log_netdev.c b/net/netfilter/nf_log_netdev.c
new file mode 100644 (file)
index 0000000..1f64594
--- /dev/null
+++ b/net/netfilter/nf_log_netdev.c
@@ -0,0 +1,80 @@
+/*
+ * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/route.h>
+
+#include <linux/netfilter.h>
+#include <net/netfilter/nf_log.h>
+
+static void nf_log_netdev_packet(struct net *net, u_int8_t pf,
+                                unsigned int hooknum,
+                                const struct sk_buff *skb,
+                                const struct net_device *in,
+                                const struct net_device *out,
+                                const struct nf_loginfo *loginfo,
+                                const char *prefix)
+{
+       nf_log_l2packet(net, pf, hooknum, skb, in, out, loginfo, prefix);
+}
+
+static struct nf_logger nf_netdev_logger __read_mostly = {
+       .name           = "nf_log_netdev",
+       .type           = NF_LOG_TYPE_LOG,
+       .logfn          = nf_log_netdev_packet,
+       .me             = THIS_MODULE,
+};
+
+static int __net_init nf_log_netdev_net_init(struct net *net)
+{
+       return nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger);
+}
+
+static void __net_exit nf_log_netdev_net_exit(struct net *net)
+{
+       nf_log_unset(net, &nf_netdev_logger);
+}
+
+static struct pernet_operations nf_log_netdev_net_ops = {
+       .init = nf_log_netdev_net_init,
+       .exit = nf_log_netdev_net_exit,
+};
+
+static int __init nf_log_netdev_init(void)
+{
+       int ret;
+
+       /* Request to load the real packet loggers. */
+       nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG);
+       nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG);
+       nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG);
+
+       ret = register_pernet_subsys(&nf_log_netdev_net_ops);
+       if (ret < 0)
+               return ret;
+
+       nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger);
+       return 0;
+}
+
+static void __exit nf_log_netdev_exit(void)
+{
+       unregister_pernet_subsys(&nf_log_netdev_net_ops);
+       nf_log_unregister(&nf_netdev_logger);
+}
+
+module_init(nf_log_netdev_init);
+module_exit(nf_log_netdev_exit);
+
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("Netfilter netdev packet logging");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */