From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 09/35] netfilter: nfnetlink_log: allow to attach conntrack
Date: Sat, 17 Oct 2015 13:32:44 +0200 [thread overview]
Message-ID: <1445081590-2924-10-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1445081590-2924-1-git-send-email-pablo@netfilter.org>
From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
This patch enables to include the conntrack information together
with the packet that is sent to user-space via NFLOG, then a
user-space program can acquire NATed information by this NFULA_CT
attribute.
Including the conntrack information is optional, you can set it
via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute
like NFQUEUE.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nfnetlink_log.h | 3 +++
net/netfilter/Kconfig | 9 ++++---
net/netfilter/nfnetlink_log.c | 37 ++++++++++++++++++++++++----
3 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 90c2c95..fb21f0c 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -51,6 +51,8 @@ enum nfulnl_attr_type {
NFULA_HWTYPE, /* hardware type */
NFULA_HWHEADER, /* hardware header */
NFULA_HWLEN, /* hardware header length */
+ NFULA_CT, /* nf_conntrack_netlink.h */
+ NFULA_CT_INFO, /* enum ip_conntrack_info */
__NFULA_MAX
};
@@ -93,5 +95,6 @@ enum nfulnl_attr_config {
#define NFULNL_CFG_F_SEQ 0x0001
#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
+#define NFULNL_CFG_F_CONNTRACK 0x0004
#endif /* _NFNETLINK_LOG_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index d287818..e22349e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -363,12 +363,13 @@ config NF_CT_NETLINK_HELPER
If unsure, say `N'.
config NETFILTER_NETLINK_GLUE_CT
- bool "NFQUEUE integration with Connection Tracking"
+ bool "NFQUEUE and NFLOG integration with Connection Tracking"
default n
- depends on NETFILTER_NETLINK_QUEUE && NF_CT_NETLINK
+ depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
help
- If this option is enabled, NFQUEUE can include Connection Tracking
- information together with the packet is the enqueued via NFNETLINK.
+ If this option is enabled, NFQUEUE and NFLOG can include
+ Connection Tracking information together with the packet is
+ the enqueued via NFNETLINK.
config NF_NAT
tristate
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4670821..e1d1187 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -27,6 +27,7 @@
#include <net/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_log.h>
+#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/spinlock.h>
#include <linux/sysctl.h>
#include <linux/proc_fs.h>
@@ -401,7 +402,9 @@ __build_packet_message(struct nfnl_log_net *log,
unsigned int hooknum,
const struct net_device *indev,
const struct net_device *outdev,
- const char *prefix, unsigned int plen)
+ const char *prefix, unsigned int plen,
+ const struct nfnl_ct_hook *nfnl_ct,
+ struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
struct nfulnl_msg_packet_hdr pmsg;
struct nlmsghdr *nlh;
@@ -575,6 +578,10 @@ __build_packet_message(struct nfnl_log_net *log,
htonl(atomic_inc_return(&log->global_seq))))
goto nla_put_failure;
+ if (ct && nfnl_ct->build(inst->skb, ct, ctinfo,
+ NFULA_CT, NFULA_CT_INFO) < 0)
+ goto nla_put_failure;
+
if (data_len) {
struct nlattr *nla;
int size = nla_attr_size(data_len);
@@ -620,12 +627,16 @@ nfulnl_log_packet(struct net *net,
const struct nf_loginfo *li_user,
const char *prefix)
{
- unsigned int size, data_len;
+ size_t size;
+ unsigned int data_len;
struct nfulnl_instance *inst;
const struct nf_loginfo *li;
unsigned int qthreshold;
unsigned int plen;
struct nfnl_log_net *log = nfnl_log_pernet(net);
+ const struct nfnl_ct_hook *nfnl_ct = NULL;
+ struct nf_conn *ct = NULL;
+ enum ip_conntrack_info uninitialized_var(ctinfo);
if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
li = li_user;
@@ -671,6 +682,14 @@ nfulnl_log_packet(struct net *net,
size += nla_total_size(sizeof(u_int32_t));
if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
size += nla_total_size(sizeof(u_int32_t));
+ if (inst->flags & NFULNL_CFG_F_CONNTRACK) {
+ nfnl_ct = rcu_dereference(nfnl_ct_hook);
+ if (nfnl_ct != NULL) {
+ ct = nfnl_ct->get_ct(skb, &ctinfo);
+ if (ct != NULL)
+ size += nfnl_ct->build_size(ct);
+ }
+ }
qthreshold = inst->qthreshold;
/* per-rule qthreshold overrides per-instance */
@@ -715,7 +734,8 @@ nfulnl_log_packet(struct net *net,
inst->qlen++;
__build_packet_message(log, inst, skb, data_len, pf,
- hooknum, in, out, prefix, plen);
+ hooknum, in, out, prefix, plen,
+ nfnl_ct, ct, ctinfo);
if (inst->qlen >= qthreshold)
__nfulnl_flush(inst);
@@ -899,13 +919,20 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
}
if (nfula[NFULA_CFG_FLAGS]) {
- __be16 flags = nla_get_be16(nfula[NFULA_CFG_FLAGS]);
+ u16 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));
if (!inst) {
ret = -ENODEV;
goto out;
}
- nfulnl_set_flags(inst, ntohs(flags));
+
+ if (flags & NFULNL_CFG_F_CONNTRACK &&
+ rcu_access_pointer(nfnl_ct_hook) == NULL) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+
+ nfulnl_set_flags(inst, flags);
}
out_put:
--
2.1.4
next prev parent reply other threads:[~2015-10-17 11:26 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-17 11:32 [PATCH 00/35] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 01/35] ipvs: Don't protect ip_vs_addr_is_unicast with CONFIG_SYSCTL Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 02/35] netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 03/35] netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 04/35] netfilter: nfnetlink_queue: use y2038 safe timestamp Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 05/35] netfilter: remove dead code Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 06/35] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 07/35] netfilter: Kconfig rename QUEUE_CT to GLUE_CT Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 08/35] netfilter: ctnetlink: add const qualifier to nfnl_hook.get_ct Pablo Neira Ayuso
2015-10-17 11:32 ` Pablo Neira Ayuso [this message]
2015-10-17 11:32 ` [PATCH 10/35] ipvs: Remove possibly unused variable from ip_vs_out Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 11/35] ipvs: Remove possibly unused variables from ip_vs_conn_net_{init,cleanup} Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 12/35] netfilter: xt_CT: don't put back reference to timeout policy object Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 13/35] netfilter: conntrack: fix crash on timeout object removal Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 14/35] nfnetlink_cttimeout: add rcu_barrier() on module removal Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 15/35] netfilter: bridge: avoid unused label warning Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 16/35] netfilter: nfnetlink_log: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 17/35] netfilter: nfqueue: don't use prev pointer Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 18/35] netfilter: ip6_tables: label placement Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 19/35] netfilter: ip6_tables: function definition layout Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 20/35] netfilter: ipv6: code indentation Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 21/35] netfilter: ipv6: whitespace around operators Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 22/35] netfilter: ip6_tables: ternary operator layout Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 23/35] netfilter: ip6_tables: improve if statements Pablo Neira Ayuso
2015-10-17 11:32 ` [PATCH 24/35] netfilter: ipv6: pointer cast layout Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 25/35] netfilter: nfnetlink_log: consolidate check for instance in nfulnl_recv_config() Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 26/35] netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 27/35] netfilter: remove hook owner refcounting Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 28/35] netfilter: make nf_queue_entry_get_refs return void Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 29/35] netfilter: nf_queue: remove rcu_read_lock calls Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 30/35] netfilter: turn NF_HOOK into an inline function Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 31/35] netfilter: ipv4: label placement Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 32/35] netfilter: ipv4: ternary operator layout Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 33/35] netfilter: ipv4: function definition layout Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 34/35] netfilter: ipv4: code indentation Pablo Neira Ayuso
2015-10-17 11:33 ` [PATCH 35/35] netfilter: ipv4: whitespace around operators Pablo Neira Ayuso
2015-10-17 13:07 ` [PATCH 00/35] Netfilter/IPVS updates for net-next David Miller
2015-10-17 13:38 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1445081590-2924-10-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).