diff options
| author | Liping Zhang <zlpnobody@gmail.com> | 2016-11-19 19:31:15 +0800 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-24 13:32:52 +0100 |
| commit | 1419b0003fccca32bf61ed40265a5539e2465497 (patch) | |
| tree | c35bd0c06398f71f26c8a81d49152920c84e22cd /src | |
| parent | 9e20fcb72dbf25fd41e4636aa580d05e4791650d (diff) | |
src: add log flags syntax support
Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.
Some examples are listed below:
# nft add rule t c log flags tcp sequence,options
# nft add rule t c log flags ip options
# nft add rule t c log flags skuid
# nft add rule t c log flags ether
# nft add rule t c log flags all
# nft add rule t c log flags all group 1
<cmdline>:1:14-16: Error: flags and group are mutually exclusive
add rule t c log flags all group 1
^^^
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/evaluate.c | 12 | ||||
| -rw-r--r-- | src/netlink_delinearize.c | 4 | ||||
| -rw-r--r-- | src/netlink_linearize.c | 3 | ||||
| -rw-r--r-- | src/parser_bison.y | 50 | ||||
| -rw-r--r-- | src/scanner.l | 3 | ||||
| -rw-r--r-- | src/statement.c | 23 |
6 files changed, 89 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index c60e0f11..8b113c8c 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2429,12 +2429,14 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt) { - if (stmt->log.flags & STMT_LOG_LEVEL && - (stmt->log.flags & STMT_LOG_GROUP || - stmt->log.flags & STMT_LOG_SNAPLEN || - stmt->log.flags & STMT_LOG_QTHRESHOLD)) { - return stmt_error(ctx, stmt, + if (stmt->log.flags & (STMT_LOG_GROUP | STMT_LOG_SNAPLEN | + STMT_LOG_QTHRESHOLD)) { + if (stmt->log.flags & STMT_LOG_LEVEL) + return stmt_error(ctx, stmt, "level and group are mutually exclusive"); + if (stmt->log.logflags) + return stmt_error(ctx, stmt, + "flags and group are mutually exclusive"); } return 0; } diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 66d38caa..0ebe3683 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -738,6 +738,10 @@ static void netlink_parse_log(struct netlink_parse_ctx *ctx, nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_LEVEL); stmt->log.flags |= STMT_LOG_LEVEL; } + if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_FLAGS)) { + stmt->log.logflags = + nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_FLAGS); + } ctx->stmt = stmt; } diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 2bee6844..2945392b 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -833,6 +833,9 @@ static void netlink_gen_log_stmt(struct netlink_linearize_ctx *ctx, if (stmt->log.flags & STMT_LOG_LEVEL) nftnl_expr_set_u32(nle, NFTNL_EXPR_LOG_LEVEL, stmt->log.level); + if (stmt->log.logflags) + nftnl_expr_set_u32(nle, NFTNL_EXPR_LOG_FLAGS, + stmt->log.logflags); } nftnl_rule_add_expr(ctx->nlr, nle); } diff --git a/src/parser_bison.y b/src/parser_bison.y index 91955c18..981ffc81 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -20,6 +20,7 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_conntrack_tuple_common.h> #include <linux/netfilter/nf_nat.h> +#include <linux/netfilter/nf_log.h> #include <netinet/ip_icmp.h> #include <netinet/icmp6.h> #include <libnftnl/common.h> @@ -201,6 +202,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token EXPORT "export" %token MONITOR "monitor" +%token ALL "all" + %token ACCEPT "accept" %token DROP "drop" %token CONTINUE "continue" @@ -268,6 +271,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token GATEWAY "gateway" %token MTU "mtu" +%token OPTIONS "options" + %token IP6 "ip6" %token PRIORITY "priority" %token FLOWLABEL "flowlabel" @@ -481,7 +486,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %destructor { stmt_free($$); } meta_stmt %type <stmt> log_stmt log_stmt_alloc %destructor { stmt_free($$); } log_stmt log_stmt_alloc -%type <val> level_type +%type <val> level_type log_flags log_flags_tcp log_flag_tcp %type <stmt> limit_stmt quota_stmt %destructor { stmt_free($$); } limit_stmt quota_stmt %type <val> limit_burst limit_mode time_unit quota_mode @@ -1530,6 +1535,10 @@ log_arg : PREFIX string $<stmt>0->log.level = $2; $<stmt>0->log.flags |= STMT_LOG_LEVEL; } + | FLAGS log_flags + { + $<stmt>0->log.logflags |= $2; + } ; level_type : string @@ -1558,6 +1567,45 @@ level_type : string } ; +log_flags : TCP log_flags_tcp + { + $$ = $2; + } + | IP OPTIONS + { + $$ = NF_LOG_IPOPT; + } + | SKUID + { + $$ = NF_LOG_UID; + } + | ETHER + { + $$ = NF_LOG_MACDECODE; + } + | ALL + { + $$ = NF_LOG_MASK; + } + ; + +log_flags_tcp : log_flags_tcp COMMA log_flag_tcp + { + $$ = $1 | $3; + } + | log_flag_tcp + ; + +log_flag_tcp : SEQUENCE + { + $$ = NF_LOG_TCPSEQ; + } + | OPTIONS + { + $$ = NF_LOG_TCPOPT; + } + ; + limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst { $$ = limit_stmt_alloc(&@$); diff --git a/src/scanner.l b/src/scanner.l index cd7398b4..625023f5 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -469,6 +469,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "notrack" { return NOTRACK; } +"options" { return OPTIONS; } +"all" { return ALL; } + "xml" { return XML; } "json" { return JSON; } diff --git a/src/statement.c b/src/statement.c index 8ccd4891..e70eb51e 100644 --- a/src/statement.c +++ b/src/statement.c @@ -27,6 +27,7 @@ #include <netinet/in.h> #include <linux/netfilter/nf_nat.h> +#include <linux/netfilter/nf_log.h> struct stmt *stmt_alloc(const struct location *loc, const struct stmt_ops *ops) @@ -193,6 +194,28 @@ static void log_stmt_print(const struct stmt *stmt) if ((stmt->log.flags & STMT_LOG_LEVEL) && stmt->log.level != LOG_WARNING) printf(" level %s", log_level(stmt->log.level)); + + if ((stmt->log.logflags & NF_LOG_MASK) == NF_LOG_MASK) { + printf(" flags all"); + } else { + if (stmt->log.logflags & (NF_LOG_TCPSEQ | NF_LOG_TCPOPT)) { + const char *delim = " "; + + printf(" flags tcp"); + if (stmt->log.logflags & NF_LOG_TCPSEQ) { + printf(" sequence"); + delim = ","; + } + if (stmt->log.logflags & NF_LOG_TCPOPT) + printf("%soptions", delim); + } + if (stmt->log.logflags & NF_LOG_IPOPT) + printf(" flags ip options"); + if (stmt->log.logflags & NF_LOG_UID) + printf(" flags skuid"); + if (stmt->log.logflags & NF_LOG_MACDECODE) + printf(" flags ether"); + } } static void log_stmt_destroy(struct stmt *stmt) |