Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
net/netfilter/x_tables.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 5303ae3..f4fce99 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -31,6 +31,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
+#include <net/netfilter/nf_log.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@xxxxxxxxxxxxx>");
@@ -1730,6 +1731,73 @@ void xt2_table_destroy(struct net *net, struct xt2_table *table)
}
EXPORT_SYMBOL_GPL(xt2_table_destroy);
+#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
+ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
+static struct nf_loginfo xt2_trace_loginfo __read_mostly = {
+ .type = NF_LOG_TYPE_LOG,
+ .u.log = {
+ .level = 4,
+ .logflags = NF_LOG_MASK,
+ },
+};
+
+static const char *xt2_verdict_string(unsigned int verdict)
+{
+ switch (verdict) {
+ case XT_RETURN: return "RETURN"; break;
+ case XT_START_CHAIN: return "GOTO/JUMP"; break;
+ case XT_CONTINUE: return "CONTINUE"; break;
+ }
+ switch (verdict & NF_VERDICT_MASK) {
+ case NF_ACCEPT: return "ACCEPT"; break;
+ case NF_DROP: return "DROP"; break;
+ case NF_STOLEN: return "STOLEN"; break;
+ case NF_QUEUE: return "QUEUE"; break;
+ case NF_STOP: return "STOP"; break;
+ default: return "?"; break;
+ }
+}
+
+static void
+xt2_trace_packet(const struct sk_buff *skb, unsigned int hook,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt2_chain *chain, const struct xt2_rule *rule,
+ unsigned int verdict)
+{
+ static const char *const builtin_chain_names[] = {
+ [NF_INET_PRE_ROUTING] = "PREROUTING",
+ [NF_INET_LOCAL_IN] = "INPUT",
+ [NF_INET_FORWARD] = "FORWARD",
+ [NF_INET_LOCAL_OUT] = "OUTPUT",
+ [NF_INET_POST_ROUTING] = "POSTROUTING",
+ };
+ const struct xt2_table *table = chain->table;
+ const struct xt2_rule *zrule;
+ unsigned int rule_index = 0;
+ const char *chain_name, *comment;
+
+ chain_name = xt2_builtin_chain(chain) ?
+ builtin_chain_names[hook] : chain->name;
+ if (rule != NULL)
+ list_for_each_entry(zrule, &chain->rule_list, anchor) {
+ ++rule_index;
+ if (zrule == rule)
+ break;
+ }
+
+ if (rule == NULL)
+ comment = "return"; /* end-of-chain */
+ else if (rule == chain->table->underflow[hook])
+ comment = "policy";
+ else
+ comment = "rule";
+
+ nf_log_packet(table->nfproto, hook, skb, in, out, &xt2_trace_loginfo,
+ "TRACE: %s:%s:%s:%u:%s ", table->name, chain_name,
+ comment, rule_index, xt2_verdict_string(verdict));
+}
+#endif
+
static unsigned int
xt2_do_actions(struct sk_buff *skb, struct xt_action_param *acpar,
const struct xt2_rule *rule, const struct xt2_chain **chain_ptr,
@@ -1805,6 +1873,14 @@ xt2_do_table(struct sk_buff *skb, unsigned int hook,
verdict = xt2_do_actions(skb, &acpar, rule, &chain, stackptr,
table->stacksize, jumpstack);
+#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
+ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
+ if (unlikely(skb->nf_trace))
+ xt2_trace_packet(skb, hook, in, out, rule->chain,
+ (&rule->anchor == &chain->rule_list) ? NULL : rule,
+ verdict);
+#endif
+
switch (verdict) {
case XT_START_CHAIN:
goto do_chain;
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
