Commit 09d27b88f15f08fcfbaf57d9b0b4489816264815
1 parent
85d30e2416
netfilter: nft_log: complete logging support
Use the unified nf_log_packet() interface that allows us explicit logger selection through the nf_loginfo structure. If you specify the group attribute, this means you want to receive logging messages through nfnetlink_log. In that case, the snaplen and qthreshold attributes allows you to tune internal aspects of the netlink logging infrastructure. On the other hand, if the level is specified, then the plain text format through the kernel logging ring is used instead, which is also used by default if neither group nor level are indicated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 2 changed files with 63 additions and 17 deletions Side-by-side Diff
include/uapi/linux/netfilter/nf_tables.h
| ... | ... | @@ -697,6 +697,8 @@ |
| 697 | 697 | * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING) |
| 698 | 698 | * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32) |
| 699 | 699 | * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32) |
| 700 | + * @NFTA_LOG_LEVEL: log level (NLA_U32) | |
| 701 | + * @NFTA_LOG_FLAGS: logging flags (NLA_U32) | |
| 700 | 702 | */ |
| 701 | 703 | enum nft_log_attributes { |
| 702 | 704 | NFTA_LOG_UNSPEC, |
| ... | ... | @@ -704,6 +706,8 @@ |
| 704 | 706 | NFTA_LOG_PREFIX, |
| 705 | 707 | NFTA_LOG_SNAPLEN, |
| 706 | 708 | NFTA_LOG_QTHRESHOLD, |
| 709 | + NFTA_LOG_LEVEL, | |
| 710 | + NFTA_LOG_FLAGS, | |
| 707 | 711 | __NFTA_LOG_MAX |
| 708 | 712 | }; |
| 709 | 713 | #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) |
net/netfilter/nft_log.c
| 1 | 1 | /* |
| 2 | 2 | * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net> |
| 3 | + * Copyright (c) 2012-2014 Pablo Neira Ayuso <pablo@netfilter.org> | |
| 3 | 4 | * |
| 4 | 5 | * This program is free software; you can redistribute it and/or modify |
| 5 | 6 | * it under the terms of the GNU General Public License version 2 as |
| ... | ... | @@ -41,6 +42,8 @@ |
| 41 | 42 | [NFTA_LOG_PREFIX] = { .type = NLA_STRING }, |
| 42 | 43 | [NFTA_LOG_SNAPLEN] = { .type = NLA_U32 }, |
| 43 | 44 | [NFTA_LOG_QTHRESHOLD] = { .type = NLA_U16 }, |
| 45 | + [NFTA_LOG_LEVEL] = { .type = NLA_U32 }, | |
| 46 | + [NFTA_LOG_FLAGS] = { .type = NLA_U32 }, | |
| 44 | 47 | }; |
| 45 | 48 | |
| 46 | 49 | static int nft_log_init(const struct nft_ctx *ctx, |
| 47 | 50 | |
| 48 | 51 | |
| 49 | 52 | |
| 50 | 53 | |
| ... | ... | @@ -58,18 +61,41 @@ |
| 58 | 61 | if (priv->prefix == NULL) |
| 59 | 62 | return -ENOMEM; |
| 60 | 63 | nla_strlcpy(priv->prefix, nla, nla_len(nla) + 1); |
| 61 | - } else | |
| 64 | + } else { | |
| 62 | 65 | priv->prefix = (char *)nft_log_null_prefix; |
| 66 | + } | |
| 63 | 67 | |
| 64 | - li->type = NF_LOG_TYPE_ULOG; | |
| 68 | + li->type = NF_LOG_TYPE_LOG; | |
| 69 | + if (tb[NFTA_LOG_LEVEL] != NULL && | |
| 70 | + tb[NFTA_LOG_GROUP] != NULL) | |
| 71 | + return -EINVAL; | |
| 65 | 72 | if (tb[NFTA_LOG_GROUP] != NULL) |
| 66 | - li->u.ulog.group = ntohs(nla_get_be16(tb[NFTA_LOG_GROUP])); | |
| 73 | + li->type = NF_LOG_TYPE_ULOG; | |
| 67 | 74 | |
| 68 | - if (tb[NFTA_LOG_SNAPLEN] != NULL) | |
| 69 | - li->u.ulog.copy_len = ntohl(nla_get_be32(tb[NFTA_LOG_SNAPLEN])); | |
| 70 | - if (tb[NFTA_LOG_QTHRESHOLD] != NULL) { | |
| 71 | - li->u.ulog.qthreshold = | |
| 72 | - ntohs(nla_get_be16(tb[NFTA_LOG_QTHRESHOLD])); | |
| 75 | + switch (li->type) { | |
| 76 | + case NF_LOG_TYPE_LOG: | |
| 77 | + if (tb[NFTA_LOG_LEVEL] != NULL) { | |
| 78 | + li->u.log.level = | |
| 79 | + ntohl(nla_get_be32(tb[NFTA_LOG_LEVEL]));; | |
| 80 | + } else { | |
| 81 | + li->u.log.level = 4; | |
| 82 | + } | |
| 83 | + if (tb[NFTA_LOG_FLAGS] != NULL) { | |
| 84 | + li->u.log.logflags = | |
| 85 | + ntohl(nla_get_be32(tb[NFTA_LOG_FLAGS])); | |
| 86 | + } | |
| 87 | + break; | |
| 88 | + case NF_LOG_TYPE_ULOG: | |
| 89 | + li->u.ulog.group = ntohs(nla_get_be16(tb[NFTA_LOG_GROUP])); | |
| 90 | + if (tb[NFTA_LOG_SNAPLEN] != NULL) { | |
| 91 | + li->u.ulog.copy_len = | |
| 92 | + ntohl(nla_get_be32(tb[NFTA_LOG_SNAPLEN])); | |
| 93 | + } | |
| 94 | + if (tb[NFTA_LOG_QTHRESHOLD] != NULL) { | |
| 95 | + li->u.ulog.qthreshold = | |
| 96 | + ntohs(nla_get_be16(tb[NFTA_LOG_QTHRESHOLD])); | |
| 97 | + } | |
| 98 | + break; | |
| 73 | 99 | } |
| 74 | 100 | |
| 75 | 101 | if (ctx->afi->family == NFPROTO_INET) { |
| 76 | 102 | |
| ... | ... | @@ -113,17 +139,33 @@ |
| 113 | 139 | if (priv->prefix != nft_log_null_prefix) |
| 114 | 140 | if (nla_put_string(skb, NFTA_LOG_PREFIX, priv->prefix)) |
| 115 | 141 | goto nla_put_failure; |
| 116 | - if (li->u.ulog.group) | |
| 142 | + switch (li->type) { | |
| 143 | + case NF_LOG_TYPE_LOG: | |
| 144 | + if (nla_put_be32(skb, NFTA_LOG_LEVEL, htonl(li->u.log.level))) | |
| 145 | + goto nla_put_failure; | |
| 146 | + | |
| 147 | + if (li->u.log.logflags) { | |
| 148 | + if (nla_put_be32(skb, NFTA_LOG_FLAGS, | |
| 149 | + htonl(li->u.log.logflags))) | |
| 150 | + goto nla_put_failure; | |
| 151 | + } | |
| 152 | + break; | |
| 153 | + case NF_LOG_TYPE_ULOG: | |
| 117 | 154 | if (nla_put_be16(skb, NFTA_LOG_GROUP, htons(li->u.ulog.group))) |
| 118 | 155 | goto nla_put_failure; |
| 119 | - if (li->u.ulog.copy_len) | |
| 120 | - if (nla_put_be32(skb, NFTA_LOG_SNAPLEN, | |
| 121 | - htonl(li->u.ulog.copy_len))) | |
| 122 | - goto nla_put_failure; | |
| 123 | - if (li->u.ulog.qthreshold) | |
| 124 | - if (nla_put_be16(skb, NFTA_LOG_QTHRESHOLD, | |
| 125 | - htons(li->u.ulog.qthreshold))) | |
| 126 | - goto nla_put_failure; | |
| 156 | + | |
| 157 | + if (li->u.ulog.copy_len) { | |
| 158 | + if (nla_put_be32(skb, NFTA_LOG_SNAPLEN, | |
| 159 | + htonl(li->u.ulog.copy_len))) | |
| 160 | + goto nla_put_failure; | |
| 161 | + } | |
| 162 | + if (li->u.ulog.qthreshold) { | |
| 163 | + if (nla_put_be16(skb, NFTA_LOG_QTHRESHOLD, | |
| 164 | + htons(li->u.ulog.qthreshold))) | |
| 165 | + goto nla_put_failure; | |
| 166 | + } | |
| 167 | + break; | |
| 168 | + } | |
| 127 | 169 | return 0; |
| 128 | 170 | |
| 129 | 171 | nla_put_failure: |