#include <stdio.h> #include <string.h> #include <syslog.h> #include <xtables.h> #include <linux/netfilter_ipv4/ipt_LOG.h> #define LOG_DEFAULT_LEVEL LOG_WARNING #ifndef IPT_LOG_UID /* Old kernel */ #define IPT_LOG_UID 0x08 /* Log UID owning local socket */ #undef IPT_LOG_MASK #define IPT_LOG_MASK 0x0f #endif enum { O_LOG_LEVEL = 0, O_LOG_PREFIX, O_LOG_TCPSEQ, O_LOG_TCPOPTS, O_LOG_IPOPTS, O_LOG_UID, O_LOG_MAC, }; static void LOG_help(void) { printf( "LOG target options:\n" " --log-level level Level of logging (numeric or see syslog.conf)\n" " --log-prefix prefix Prefix log messages with this prefix.\n\n" " --log-tcp-sequence Log TCP sequence numbers.\n\n" " --log-tcp-options Log TCP options.\n\n" " --log-ip-options Log IP options.\n\n" " --log-uid Log UID owning the local socket.\n\n" " --log-macdecode Decode MAC addresses and protocol.\n\n"); } #define s struct ipt_log_info static const struct xt_option_entry LOG_opts[] = { {.name = "log-level", .id = O_LOG_LEVEL, .type = XTTYPE_SYSLOGLEVEL, .flags = XTOPT_PUT, XTOPT_POINTER(s, level)}, {.name = "log-prefix", .id = O_LOG_PREFIX, .type = XTTYPE_STRING, .flags = XTOPT_PUT, XTOPT_POINTER(s, prefix), .min = 1}, {.name = "log-tcp-sequence", .id = O_LOG_TCPSEQ, .type = XTTYPE_NONE}, {.name = "log-tcp-options", .id = O_LOG_TCPOPTS, .type = XTTYPE_NONE}, {.name = "log-ip-options", .id = O_LOG_IPOPTS, .type = XTTYPE_NONE}, {.name = "log-uid", .id = O_LOG_UID, .type = XTTYPE_NONE}, {.name = "log-macdecode", .id = O_LOG_MAC, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; #undef s static void LOG_init(struct xt_entry_target *t) { struct ipt_log_info *loginfo = (struct ipt_log_info *)t->data; loginfo->level = LOG_DEFAULT_LEVEL; } struct ipt_log_names { const char *name; unsigned int level; }; struct ipt_log_xlate { const char *name; unsigned int level; }; static const struct ipt_log_names ipt_log_names[] = { { .name = "alert", .level = LOG_ALERT }, { .name = "crit", .level = LOG_CRIT }, { .name = "debug", .level = LOG_DEBUG }, { .name = "emerg", .level = LOG_EMERG }, { .name = "error", .level = LOG_ERR }, /* DEPRECATED */ { .name = "info", .level = LOG_INFO }, { .name = "notice", .level = LOG_NOTICE }, { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */ { .name = "warning", .level = LOG_WARNING } }; static void LOG_parse(struct xt_option_call *cb) { struct ipt_log_info *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { case O_LOG_PREFIX: if (strchr(cb->arg, '\n') != NULL) xtables_error(PARAMETER_PROBLEM, "Newlines not allowed in --log-prefix"); break; case O_LOG_TCPSEQ: info->logflags |= IPT_LOG_TCPSEQ; break; case O_LOG_TCPOPTS: info->logflags |= IPT_LOG_TCPOPT; break; case O_LOG_IPOPTS: info->logflags |= IPT_LOG_IPOPT; break; case O_LOG_UID: info->logflags |= IPT_LOG_UID; break; case O_LOG_MAC: info->logflags |= IPT_LOG_MACDECODE; break; } } static void LOG_print(const void *ip, const struct xt_entry_target *target, int numeric) { const struct ipt_log_info *loginfo = (const struct ipt_log_info *)target->data; unsigned int i = 0; printf(" LOG"); if (numeric) printf(" flags %u level %u", loginfo->logflags, loginfo->level); else { for (i = 0; i < ARRAY_SIZE(ipt_log_names); ++i) if (loginfo->level == ipt_log_names[i].level) { printf(" level %s", ipt_log_names[i].name); break; } if (i == ARRAY_SIZE(ipt_log_names)) printf(" UNKNOWN level %u", loginfo->level); if (loginfo->logflags & IPT_LOG_TCPSEQ) printf(" tcp-sequence"); if (loginfo->logflags & IPT_LOG_TCPOPT) printf(" tcp-options"); if (loginfo->logflags & IPT_LOG_IPOPT) printf(" ip-options"); if (loginfo->logflags & IPT_LOG_UID) printf(" uid"); if (loginfo->logflags & IPT_LOG_MACDECODE) printf(" macdecode"); if (loginfo->logflags & ~(IPT_LOG_MASK)) printf(" unknown-flags"); } if (strcmp(loginfo->prefix, "") != 0) printf(" prefix \"%s\"", loginfo->prefix); } static void LOG_save(const void *ip, const struct xt_entry_target *target) { const struct ipt_log_info *loginfo = (const struct ipt_log_info *)target->data; if (strcmp(loginfo->prefix, "") != 0) { printf(" --log-prefix"); xtables_save_string(loginfo->prefix); } if (loginfo->level != LOG_DEFAULT_LEVEL) printf(" --log-level %d", loginfo->level); if (loginfo->logflags & IPT_LOG_TCPSEQ) printf(" --log-tcp-sequence"); if (loginfo->logflags & IPT_LOG_TCPOPT) printf(" --log-tcp-options"); if (loginfo->logflags & IPT_LOG_IPOPT) printf(" --log-ip-options"); if (loginfo->logflags & IPT_LOG_UID) printf(" --log-uid"); if (loginfo->logflags & IPT_LOG_MACDECODE) printf(" --log-macdecode"); } static const struct ipt_log_xlate ipt_log_xlate_names[] = { {"alert", LOG_ALERT }, {"crit", LOG_CRIT }, {"debug", LOG_DEBUG }, {"emerg", LOG_EMERG }, {"err", LOG_ERR }, {"info", LOG_INFO }, {"notice", LOG_NOTICE }, {"warn", LOG_WARNING } }; static int LOG_xlate(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { const struct ipt_log_info *loginfo = (const struct ipt_log_info *)params->target->data; unsigned int i = 0; xt_xlate_add(xl, "log"); if (strcmp(loginfo->prefix, "") != 0) { if (params->escape_quotes) xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix); else xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); } for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i) if (loginfo->level != LOG_DEFAULT_LEVEL && loginfo->level == ipt_log_xlate_names[i].level) { xt_xlate_add(xl, " level %s", ipt_log_xlate_names[i].name); break; } if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) { xt_xlate_add(xl, " flags all"); } else { if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) { const char *delim = " "; xt_xlate_add(xl, " flags tcp"); if (loginfo->logflags & IPT_LOG_TCPSEQ) { xt_xlate_add(xl, " sequence"); delim = ","; } if (loginfo->logflags & IPT_LOG_TCPOPT) xt_xlate_add(xl, "%soptions", delim); } if (loginfo->logflags & IPT_LOG_IPOPT) xt_xlate_add(xl, " flags ip options"); if (loginfo->logflags & IPT_LOG_UID) xt_xlate_add(xl, " flags skuid"); if (loginfo->logflags & IPT_LOG_MACDECODE) xt_xlate_add(xl, " flags ether"); } return 1; } static struct xtables_target log_tg_reg = { .name = "LOG", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(sizeof(struct ipt_log_info)), .userspacesize = XT_ALIGN(sizeof(struct ipt_log_info)), .help = LOG_help, .init = LOG_init, .print = LOG_print, .save = LOG_save, .x6_parse = LOG_parse, .x6_options = LOG_opts, .xlate = LOG_xlate, }; void _init(void) { xtables_register_target(&log_tg_reg); }