
netfilter: nf_log_ipv4: rename to nf_log_syslog
authorFlorian Westphal <fw@strlen.de>
Thu, 25 Mar 2021 17:25:05 +0000 (18:25 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 30 Mar 2021 22:37:27 +0000 (00:37 +0200)
Netfilter has multiple log modules:
 nf_log_arp
 nf_log_bridge
 nf_log_ipv4
 nf_log_ipv6
 nf_log_netdev
 nfnetlink_log
 nf_log_common

With the exception of nfnetlink_log (packet is sent to userspace for
dissection/logging), all of them log to the kernel ringbuffer.

This is the first part of a series to merge all modules except
nfnetlink_log into a single module: nf_log_syslog.

This allows reducing the amount of code.  After the series, only two log modules remain:
nfnetlink_log and nf_log_syslog. The latter provides the same
functionality as the old per-af log modules.

This renames nf_log_ipv4 to nf_log_syslog.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Makefile
net/netfilter/Kconfig
net/netfilter/Makefile
net/netfilter/nf_log_syslog.c [moved from net/ipv4/netfilter/nf_log_ipv4.c with 78% similarity]

index a2f4f89..aadb98e 100644 (file)
@@ -81,7 +81,10 @@ config NF_LOG_ARP
 config NF_LOG_IPV4
        tristate "IPv4 packet logging"
        default m if NETFILTER_ADVANCED=n
-       select NF_LOG_COMMON
+       select NF_LOG_SYSLOG
+       help
+       This is a backwards-compat option for the user's convenience
+       (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
 
 config NF_REJECT_IPV4
        tristate "IPv4 packet rejection"
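Review bot: The two added help lines under NF_LOG_IPV4 are indented to the same column as the `help` keyword, whereas the NF_LOG_SYSLOG entry added to net/netfilter/Kconfig in this same commit indents its help body two spaces deeper. Kconfig accepts both, because the help block ends at the first line indented less than its own first line, but the deeper indent is the convention used by the neighbouring entries and by the new entry this option now selects. Indenting `This is a backwards-compat option ...` and the following line by two extra spaces would make the two hunks consistent.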
index 7c497c7..abd1330 100644 (file)
@@ -11,7 +11,6 @@ obj-$(CONFIG_NF_TPROXY_IPV4) += nf_tproxy_ipv4.o
 
 # logging
 obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o
-obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o
 
 # reject
 obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
index 1a92063..d5c0471 100644 (file)
@@ -78,6 +78,18 @@ config NF_LOG_NETDEV
        tristate "Netdev packet logging"
        select NF_LOG_COMMON
 
+config NF_LOG_SYSLOG
+       tristate "Syslog packet logging"
+       default m if NETFILTER_ADVANCED=n
+       select NF_LOG_COMMON
+       help
+         This option enable support for packet logging via syslog.
+         It supports IPv4 and common transport protocols such as TCP and UDP.
+         This is a simpler but less flexible logging method compared to
+         CONFIG_NETFILTER_NETLINK_LOG.
+         If both are enabled the backend to use can be configured at run-time
+         by means of per-address-family sysctl tunables.
+
 if NF_CONNTRACK
 config NETFILTER_CONNCOUNT
        tristate
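Review bot: The first line of the new NF_LOG_SYSLOG help text has a subject/verb mismatch: "This option enable support" should read `This option enables support for packet logging via syslog.` The rest of the help text reads fine; the "IPv4 and common transport protocols" wording matches what the renamed module handles at this point in the series, and will presumably need updating as the other address families are merged in.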
@@ -923,7 +935,7 @@ config NETFILTER_XT_TARGET_LED
 config NETFILTER_XT_TARGET_LOG
        tristate "LOG target support"
        select NF_LOG_COMMON
-       select NF_LOG_IPV4
+       select NF_LOG_SYSLOG
        select NF_LOG_IPV6 if IP6_NF_IPTABLES
        default m if NETFILTER_ADVANCED=n
        help
index 33da7bf..59642d9 100644 (file)
@@ -50,6 +50,7 @@ nf_nat-y      := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o
 
 # generic transport layer logging
 obj-$(CONFIG_NF_LOG_COMMON) += nf_log_common.o
+obj-$(CONFIG_NF_LOG_SYSLOG) += nf_log_syslog.o
 
 # packet logging for netdev family
 obj-$(CONFIG_NF_LOG_NETDEV) += nf_log_netdev.o
similarity index 78%
rename from net/ipv4/netfilter/nf_log_ipv4.c
rename to net/netfilter/nf_log_syslog.c
index d07583f..e6fe156 100644 (file)
@@ -32,13 +32,14 @@ static const struct nf_loginfo default_loginfo = {
 };
 
 /* One level of recursion won't kill us */
-static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
-                            const struct nf_loginfo *info,
-                            const struct sk_buff *skb, unsigned int iphoff)
+static noinline_for_stack void
+dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
+                const struct nf_loginfo *info,
+                const struct sk_buff *skb, unsigned int iphoff)
 {
-       struct iphdr _iph;
        const struct iphdr *ih;
        unsigned int logflags;
+       struct iphdr _iph;
 
        if (info->type == NF_LOG_TYPE_LOG)
                logflags = info->u.log.logflags;
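Review bot: The `noinline_for_stack` annotation added on the new signature of dump_ipv4_packet is not explained, and the existing "One level of recursion won't kill us" comment only covers the recursion. Since the function keeps on-stack header copies (`_iph` here, `_opt` of up to 40 bytes, `_icmph`, `_ahdr`, `_esph` further down) and calls itself once for ICMP errors, a reader benefits from a why-comment tying the two together, e.g. `/* One level of recursion won't kill us; noinline_for_stack keeps the header copies below out of the caller's frame. */`. The body of dump_ipv4_packet continues well past this hunk, so the stack-copy locals it refers to are only partly visible here.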
@@ -46,14 +47,15 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                logflags = NF_LOG_DEFAULT_MASK;
 
        ih = skb_header_pointer(skb, iphoff, sizeof(_iph), &_iph);
-       if (ih == NULL) {
+       if (!ih) {
                nf_log_buf_add(m, "TRUNCATED");
                return;
        }
 
        /* Important fields:
-        * TOS, len, DF/MF, fragment offset, TTL, src, dst, options. */
-       /* Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 " */
+        * TOS, len, DF/MF, fragment offset, TTL, src, dst, options.
+        * Max length: 40 "SRC=255.255.255.255 DST=255.255.255.255 "
+        */
        nf_log_buf_add(m, "SRC=%pI4 DST=%pI4 ", &ih->saddr, &ih->daddr);
 
        /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
@@ -75,14 +77,14 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
 
        if ((logflags & NF_LOG_IPOPT) &&
            ih->ihl * 4 > sizeof(struct iphdr)) {
-               const unsigned char *op;
                unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
+               const unsigned char *op;
                unsigned int i, optsize;
 
                optsize = ih->ihl * 4 - sizeof(struct iphdr);
-               op = skb_header_pointer(skb, iphoff+sizeof(_iph),
+               op = skb_header_pointer(skb, iphoff + sizeof(_iph),
                                        optsize, _opt);
-               if (op == NULL) {
+               if (!op) {
                        nf_log_buf_add(m, "TRUNCATED");
                        return;
                }
@@ -98,36 +100,31 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
        case IPPROTO_TCP:
                if (nf_log_dump_tcp_header(m, skb, ih->protocol,
                                           ntohs(ih->frag_off) & IP_OFFSET,
-                                          iphoff+ih->ihl*4, logflags))
+                                          iphoff + ih->ihl * 4, logflags))
                        return;
                break;
        case IPPROTO_UDP:
        case IPPROTO_UDPLITE:
                if (nf_log_dump_udp_header(m, skb, ih->protocol,
                                           ntohs(ih->frag_off) & IP_OFFSET,
-                                          iphoff+ih->ihl*4))
+                                          iphoff + ih->ihl * 4))
                        return;
                break;
        case IPPROTO_ICMP: {
-               struct icmphdr _icmph;
+               static const size_t required_len[NR_ICMP_TYPES + 1] = {
+                       [ICMP_ECHOREPLY] = 4,
+                       [ICMP_DEST_UNREACH] = 8 + sizeof(struct iphdr),
+                       [ICMP_SOURCE_QUENCH] = 8 + sizeof(struct iphdr),
+                       [ICMP_REDIRECT] = 8 + sizeof(struct iphdr),
+                       [ICMP_ECHO] = 4,
+                       [ICMP_TIME_EXCEEDED] = 8 + sizeof(struct iphdr),
+                       [ICMP_PARAMETERPROB] = 8 + sizeof(struct iphdr),
+                       [ICMP_TIMESTAMP] = 20,
+                       [ICMP_TIMESTAMPREPLY] = 20,
+                       [ICMP_ADDRESS] = 12,
+                       [ICMP_ADDRESSREPLY] = 12 };
                const struct icmphdr *ich;
-               static const size_t required_len[NR_ICMP_TYPES+1]
-                       = { [ICMP_ECHOREPLY] = 4,
-                           [ICMP_DEST_UNREACH]
-                           = 8 + sizeof(struct iphdr),
-                           [ICMP_SOURCE_QUENCH]
-                           = 8 + sizeof(struct iphdr),
-                           [ICMP_REDIRECT]
-                           = 8 + sizeof(struct iphdr),
-                           [ICMP_ECHO] = 4,
-                           [ICMP_TIME_EXCEEDED]
-                           = 8 + sizeof(struct iphdr),
-                           [ICMP_PARAMETERPROB]
-                           = 8 + sizeof(struct iphdr),
-                           [ICMP_TIMESTAMP] = 20,
-                           [ICMP_TIMESTAMPREPLY] = 20,
-                           [ICMP_ADDRESS] = 12,
-                           [ICMP_ADDRESSREPLY] = 12 };
+               struct icmphdr _icmph;
 
                /* Max length: 11 "PROTO=ICMP " */
                nf_log_buf_add(m, "PROTO=ICMP ");
@@ -138,9 +135,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                /* Max length: 25 "INCOMPLETE [65535 bytes] " */
                ich = skb_header_pointer(skb, iphoff + ih->ihl * 4,
                                         sizeof(_icmph), &_icmph);
-               if (ich == NULL) {
+               if (!ich) {
                        nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
-                                      skb->len - iphoff - ih->ihl*4);
+                                      skb->len - iphoff - ih->ihl * 4);
                        break;
                }
 
@@ -150,9 +147,9 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                /* Max length: 25 "INCOMPLETE [65535 bytes] " */
                if (ich->type <= NR_ICMP_TYPES &&
                    required_len[ich->type] &&
-                   skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
+                   skb->len - iphoff - ih->ihl * 4 < required_len[ich->type]) {
                        nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
-                                      skb->len - iphoff - ih->ihl*4);
+                                      skb->len - iphoff - ih->ihl * 4);
                        break;
                }
 
@@ -181,7 +178,7 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                        if (!iphoff) { /* Only recurse once. */
                                nf_log_buf_add(m, "[");
                                dump_ipv4_packet(net, m, info, skb,
-                                           iphoff + ih->ihl*4+sizeof(_icmph));
+                                                iphoff + ih->ihl * 4 + sizeof(_icmph));
                                nf_log_buf_add(m, "] ");
                        }
 
@@ -196,8 +193,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
        }
        /* Max Length */
        case IPPROTO_AH: {
-               struct ip_auth_hdr _ahdr;
                const struct ip_auth_hdr *ah;
+               struct ip_auth_hdr _ahdr;
 
                if (ntohs(ih->frag_off) & IP_OFFSET)
                        break;
@@ -206,11 +203,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                nf_log_buf_add(m, "PROTO=AH ");
 
                /* Max length: 25 "INCOMPLETE [65535 bytes] " */
-               ah = skb_header_pointer(skb, iphoff+ih->ihl*4,
+               ah = skb_header_pointer(skb, iphoff + ih->ihl * 4,
                                        sizeof(_ahdr), &_ahdr);
-               if (ah == NULL) {
+               if (!ah) {
                        nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
-                                      skb->len - iphoff - ih->ihl*4);
+                                      skb->len - iphoff - ih->ihl * 4);
                        break;
                }
 
@@ -219,8 +216,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                break;
        }
        case IPPROTO_ESP: {
-               struct ip_esp_hdr _esph;
                const struct ip_esp_hdr *eh;
+               struct ip_esp_hdr _esph;
 
                /* Max length: 10 "PROTO=ESP " */
                nf_log_buf_add(m, "PROTO=ESP ");
@@ -229,11 +226,11 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
                        break;
 
                /* Max length: 25 "INCOMPLETE [65535 bytes] " */
-               eh = skb_header_pointer(skb, iphoff+ih->ihl*4,
+               eh = skb_header_pointer(skb, iphoff + ih->ihl * 4,
                                        sizeof(_esph), &_esph);
-               if (eh == NULL) {
+               if (!eh) {
                        nf_log_buf_add(m, "INCOMPLETE [%u bytes] ",
-                                      skb->len - iphoff - ih->ihl*4);
+                                      skb->len - iphoff - ih->ihl * 4);
                        break;
                }
 
@@ -270,8 +267,8 @@ static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
 }
 
 static void dump_ipv4_mac_header(struct nf_log_buf *m,
-                           const struct nf_loginfo *info,
-                           const struct sk_buff *skb)
+                                const struct nf_loginfo *info,
+                                const struct sk_buff *skb)
 {
        struct net_device *dev = skb->dev;
        unsigned int logflags = 0;
@@ -329,7 +326,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
        nf_log_dump_packet_common(m, pf, hooknum, skb, in,
                                  out, loginfo, prefix);
 
-       if (in != NULL)
+       if (in)
                dump_ipv4_mac_header(m, loginfo, skb);
 
        dump_ipv4_packet(net, m, loginfo, skb, 0);
@@ -344,52 +341,51 @@ static struct nf_logger nf_ip_logger __read_mostly = {
        .me             = THIS_MODULE,
 };
 
-static int __net_init nf_log_ipv4_net_init(struct net *net)
+static int __net_init nf_log_syslog_net_init(struct net *net)
 {
        return nf_log_set(net, NFPROTO_IPV4, &nf_ip_logger);
 }
 
-static void __net_exit nf_log_ipv4_net_exit(struct net *net)
+static void __net_exit nf_log_syslog_net_exit(struct net *net)
 {
        nf_log_unset(net, &nf_ip_logger);
 }
 
-static struct pernet_operations nf_log_ipv4_net_ops = {
-       .init = nf_log_ipv4_net_init,
-       .exit = nf_log_ipv4_net_exit,
+static struct pernet_operations nf_log_syslog_net_ops = {
+       .init = nf_log_syslog_net_init,
+       .exit = nf_log_syslog_net_exit,
 };
 
-static int __init nf_log_ipv4_init(void)
+static int __init nf_log_syslog_init(void)
 {
        int ret;
 
-       ret = register_pernet_subsys(&nf_log_ipv4_net_ops);
+       ret = register_pernet_subsys(&nf_log_syslog_net_ops);
        if (ret < 0)
                return ret;
 
        ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
-       if (ret < 0) {
-               pr_err("failed to register logger\n");
+       if (ret < 0)
                goto err1;
-       }
 
        return 0;
 
 err1:
-       unregister_pernet_subsys(&nf_log_ipv4_net_ops);
+       unregister_pernet_subsys(&nf_log_syslog_net_ops);
        return ret;
 }
 
-static void __exit nf_log_ipv4_exit(void)
+static void __exit nf_log_syslog_exit(void)
 {
-       unregister_pernet_subsys(&nf_log_ipv4_net_ops);
+       unregister_pernet_subsys(&nf_log_syslog_net_ops);
        nf_log_unregister(&nf_ip_logger);
 }
 
-module_init(nf_log_ipv4_init);
-module_exit(nf_log_ipv4_exit);
+module_init(nf_log_syslog_init);
+module_exit(nf_log_syslog_exit);
 
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("Netfilter IPv4 packet logging");
+MODULE_DESCRIPTION("Netfilter syslog packet logging");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("nf_log_ipv4");
 MODULE_ALIAS_NF_LOGGER(AF_INET, 0);
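Review bot: The nf_log_register failure path in nf_log_syslog_init silently drops the old `pr_err("failed to register logger\n")`, so a failed module load now reports only the errno that modprobe prints, with nothing in the kernel log to distinguish it from the register_pernet_subsys failure just above. If this is deliberate cleanup (the error is propagated, and the pernet unwind at err1 is still correct) it is worth a line in the commit message, since the description only talks about the rename; otherwise keep `pr_err("failed to register logger\n");` inside the `if (ret < 0)` branch before the goto. The MODULE_ALIAS("nf_log_ipv4") addition is the right way to keep `modprobe nf_log_ipv4` working, and nf_log_syslog_exit mirrors the init registration order as before.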