diff -Nru linux-2.4.0-test4-plain/Documentation/Configure.help linux-2.4.0-test4-work/Documentation/Configure.help
--- linux-2.4.0-test4-plain/Documentation/Configure.help Thu Jul 13 18:42:51 2000
+++ linux-2.4.0-test4-work/Documentation/Configure.help Mon Jul 31 17:23:30 2000
@@ -2010,6 +2010,16 @@
 If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'.
+ULOG target support
+CONFIG_IP_NF_TARGET_ULOG
+ This option adds a `ULOG' target, which allows you to create rules in
+ any iptables table. The packet is passed to a userspace logging
+ daemon using netlink multicast sockets; unlike the LOG target
+ which can only be viewed through syslog.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
 ipchains (2.2-style) support CONFIG_IP_NF_COMPAT_IPCHAINS This option places ipchains (with masquerading and redirection
diff -Nru linux-2.4.0-test4-plain/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.4.0-test4-work/include/linux/netfilter_ipv4/ipt_ULOG.h
--- linux-2.4.0-test4-plain/include/linux/netfilter_ipv4/ipt_ULOG.h Thu Jan 1 01:00:00 1970
+++ linux-2.4.0-test4-work/include/linux/netfilter_ipv4/ipt_ULOG.h Mon Jul 31 17:23:31 2000
@@ -0,0 +1,29 @@
+#ifndef _IPT_ULOG_H
+#define _IPT_ULOG_H
+
+#define ULOG_MAC_LEN 80
+#define ULOG_PREFIX_LEN 32
+
+struct ipt_ulog_info
+{
+ unsigned int nl_group;
+ size_t copy_range;
+ char prefix[ULOG_PREFIX_LEN];
+};
+
+typedef struct ulog_packet_msg
+{
+ unsigned long mark;
+ long timestamp_sec;
+ long timestamp_usec;
+ unsigned int hook;
+ char indev_name[IFNAMSIZ];
+ char outdev_name[IFNAMSIZ];
+ size_t data_len;
+ char prefix[ULOG_PREFIX_LEN];
+ unsigned char mac_len;
+ unsigned char mac[ULOG_MAC_LEN];
+ unsigned char payload[0];
+} ulog_packet_msg_t;
+
+#endif /*_IPT_ULOG_H*/
diff -Nru linux-2.4.0-test4-plain/include/linux/netlink.h linux-2.4.0-test4-work/include/linux/netlink.h
--- linux-2.4.0-test4-plain/include/linux/netlink.h Fri Aug 28 04:33:08 1998
+++ linux-2.4.0-test4-work/include/linux/netlink.h Mon Jul 31 17:23:30 2000
@@ -5,6 +5,7 @@
 #define NETLINK_SKIP 1 /* Reserved for ENskip */
 #define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
 #define NETLINK_FIREWALL 3 /* Firewalling hook */
+#define NETLINK_NFLOG 4 /* Firewall logging */
 #define NETLINK_ARPD 8
 #define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
 #define NETLINK_IP6_FW 13
diff -Nru linux-2.4.0-test4-plain/net/ipv4/netfilter/Config.in linux-2.4.0-test4-work/net/ipv4/netfilter/Config.in
--- linux-2.4.0-test4-plain/net/ipv4/netfilter/Config.in Mon Mar 27 20:35:56 2000
+++ linux-2.4.0-test4-work/net/ipv4/netfilter/Config.in Mon Jul 31 17:23:30 2000
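Review bot: ulog_packet_msg_t is the message layout handed to userspace over netlink, yet its fields use `long`, `unsigned long` and `size_t`, whose width and the resulting struct padding differ between a 64-bit kernel and a 32-bit logging daemon, so a daemon built for the other ABI would misparse the whole record. Fixed-width types (`__u32`/`__u64` from `<linux/types.h>`) would give the format one layout everywhere. The header also uses `IFNAMSIZ` and `size_t` without including anything, so it only compiles when the including file has already pulled in `<linux/if.h>` and `<linux/types.h>`; adding those includes would make it self-contained for the userspace tools that must share it. `payload[0]` is the GNU zero-length-array idiom; a comment stating that `data_len` bytes of packet data follow the struct would help readers of the userspace side.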
@@ -51,6 +51,7 @@
 dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
 fi
 dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
 fi
 
 # Backwards compatibility modules: only if you don't build in the others.
diff -Nru linux-2.4.0-test4-plain/net/ipv4/netfilter/Makefile linux-2.4.0-test4-work/net/ipv4/netfilter/Makefile
--- linux-2.4.0-test4-plain/net/ipv4/netfilter/Makefile Mon Mar 27 20:35:56 2000
+++ linux-2.4.0-test4-work/net/ipv4/netfilter/Makefile Mon Jul 31 17:23:30 2000
@@ -197,6 +197,14 @@
 endif
 endif
 
+ifeq ($(CONFIG_IP_NF_TARGET_ULOG),y)
+O_OBJS += ipt_ULOG.o
+else
+ ifeq ($(CONFIG_IP_NF_TARGET_ULOG),m)
+ M_OBJS += ipt_ULOG.o
+ endif
+endif
+
 ifeq ($(CONFIG_IP_NF_COMPAT_IPCHAINS),y)
 O_OBJS += ipchains_core.o $(IP_NF_COMPAT_LAYER)
 else
diff -Nru linux-2.4.0-test4-plain/net/ipv4/netfilter/ipt_ULOG.c linux-2.4.0-test4-work/net/ipv4/netfilter/ipt_ULOG.c
--- linux-2.4.0-test4-plain/net/ipv4/netfilter/ipt_ULOG.c Thu Jan 1 01:00:00 1970
+++ linux-2.4.0-test4-work/net/ipv4/netfilter/ipt_ULOG.c Mon Jul 31 17:23:31 2000
@@ -0,0 +1,166 @@
+/*
+ * netfilter module for userspace packet logging daemons
+ *
+ * (C) 2000 by Harald Welte
+ *
+ * Released under the terms of the GPL
+ *
+ * ipt_ULOG.c,v 1.4 2000/07/31 11:41:06 laforge Exp
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define ULOG_NL_EVENT 111 /* Harald's favorite number */
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static struct sock *nflognl;
+
+static void nflog_rcv(struct sock *sk, int len)
+{
+ printk("nflog_rcv: did receive netlink message ?!?\n");
+}
+
+static unsigned int ipt_ulog_target(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *targinfo, void *userinfo)
+{
+ ulog_packet_msg_t *pm;
+ size_t size, copy_len;
+ struct sk_buff *nlskb;
+ unsigned char *old_tail;
+ struct nlmsghdr *nlh;
+ struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
+
+ /* calculate the size of the skb needed */
+ if ((loginfo->copy_range == 0) ||
+ (loginfo->copy_range > (*pskb)->len)) {
+ copy_len = (*pskb)->len;
+ } else {
+ copy_len = loginfo->copy_range;
+ }
+ size = NLMSG_SPACE(sizeof(*pm) + copy_len);
+ nlskb = alloc_skb(size, GFP_ATOMIC);
+ if (!nlskb)
+ goto nlmsg_failure;
+
+ old_tail = nlskb->tail;
+ nlh = NLMSG_PUT(nlskb, 0, 0, ULOG_NL_EVENT, size - sizeof(*nlh));
+ pm = NLMSG_DATA(nlh);
+
+ /* copy hook, prefix, timestamp, payload, etc. */
+
+ pm->data_len = copy_len;
+ pm->timestamp_sec = (*pskb)->stamp.tv_sec;
+ pm->timestamp_usec = (*pskb)->stamp.tv_usec;
+ pm->mark = (*pskb)->nfmark;
+ pm->hook = hooknum;
+ if (loginfo->prefix)
+ strcpy(pm->prefix, loginfo->prefix);
+
+ if (in && in->hard_header_len > 0
+ && (*pskb)->mac.raw != (void *) (*pskb)->nh.iph
+ && in->hard_header_len <= ULOG_MAC_LEN) {
+ memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
+ pm->mac_len = in->hard_header_len;
+ }
+
+ if (in)
+ strcpy(pm->indev_name, in->name);
+ else
+ pm->indev_name[0] = '\0';
+
+ if (out)
+ strcpy(pm->outdev_name, out->name);
+ else
+ pm->outdev_name[0] = '\0';
+
+ if (copy_len)
+ memcpy(pm->payload, (*pskb)->data, copy_len);
+ nlh->nlmsg_len = nlskb->tail - old_tail;
+ NETLINK_CB(nlskb).dst_groups = loginfo->nl_group;
+ DEBUGP
+ ("ipt_ULOG: going to throw a packet to netlink groupmask %u\n",
+ loginfo->nl_group);
+ netlink_broadcast(nflognl, nlskb, 0, loginfo->nl_group,
+ GFP_ATOMIC);
+
+ return IPT_CONTINUE;
+
+ nlmsg_failure:
+ if (nlskb)
+ kfree(nlskb);
+ printk("ipt_ULOG: Error building netlink message\n");
+ return IPT_CONTINUE;
+}
+
+static int ipt_ulog_checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hookmask)
+{
+ struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
+
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ulog_info))) {
+ DEBUGP("ULOG: targinfosize %u != 0\n", targinfosize);
+ return 0;
+ }
+
+ if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
+ DEBUGP("ULOG: prefix term %i\n",
+ loginfo->prefix[sizeof(loginfo->prefix) - 1]);
+ return 0;
+ }
+
+ return 1;
+}
+
+static struct ipt_target ipt_ulog_reg =
+ { {NULL, NULL}, "ULOG", ipt_ulog_target, ipt_ulog_checkentry, NULL,
+THIS_MODULE
+};
+
+static int __init init(void)
+{
+ DEBUGP("ipt_ULOG: init module\n");
+ nflognl = netlink_kernel_create(NETLINK_NFLOG, nflog_rcv);
+ if (!nflognl)
+ return -ENOMEM;
+
+ if (ipt_register_target(&ipt_ulog_reg) != 0) {
+ sock_release(nflognl->socket);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static void __exit fini(void)
+{
+ DEBUGP("ipt_ULOG: cleanup_module\n");
+
+ ipt_unregister_target(&ipt_ulog_reg);
+ sock_release(nflognl->socket);
+}
+
+module_init(init);
+module_exit(fini);
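Review bot: Parts of the message ipt_ulog_target multicasts to userspace are never written and so carry whatever the freshly allocated skb contained: `pm->mac_len` and `pm->mac` are only assigned when the hard-header condition holds, the `strcpy` calls into `prefix`, `indev_name` and `outdev_name` leave the bytes after the terminator untouched (and the `if (loginfo->prefix)` guard is always true, `prefix` being an array), and alloc_skb does not zero its data area, so uninitialised kernel memory reaches every listener of the group. Zeroing the record right after `pm = NLMSG_DATA(nlh);` with `memset(pm, 0, sizeof(*pm));` covers the fixed part in one line; the alignment padding after the payload is presumably unwritten too, so zeroing the whole `size - sizeof(*nlh)` data area there would be the safer form. Under `nlmsg_failure`, `kfree(nlskb)` hands an sk_buff to the slab allocator, so the skb's separately allocated data buffer leaks and skb accounting is skipped; it should be `kfree_skb(nlskb);`, and that label is also where NLMSG_PUT jumps when the skb has too little tailroom, so it is reachable with a live skb. `nflog_rcv` prints a line for every message any process sends to the NETLINK_NFLOG socket and never dequeues it from `sk->receive_queue`, so unsolicited messages both flood the log and appear to stay queued until the socket is released; draining the queue and dropping each skb with `kfree_skb`, with no per-message printk, keeps the kernel side inert. The remaining `printk` calls also lack a `KERN_*` level, and the one on the failure path runs once per packet when GFP_ATOMIC allocation fails.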