extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
authorKyle Bowman <kbowman@cloudflare.com>
Fri, 1 Oct 2021 17:41:36 +0000 (18:41 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 18 Jan 2022 12:22:54 +0000 (13:22 +0100)
Replaces the use of xt_NFLOG with the nft built-in log statement.

This additionally adds support for using longer log prefixes of 128
characters in size. Until now NFLOG has truncated the log-prefix to the
64-character limit supported by iptables-legacy. We now use the struct
xtables_target's udata member to store the longer 128-character prefix
supported by iptables-nft.

Signed-off-by: Kyle Bowman <kbowman@cloudflare.com>
Signed-off-by: Alex Forster <aforster@cloudflare.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
extensions/libxt_NFLOG.c
iptables/nft.c
iptables/nft.h

index 02a1b4aa35a3be0381cb37f36f71e603a4b806bd..2b78e27808f886c3c907c877c04830568d7d5bed 100644 (file)
@@ -5,6 +5,7 @@
 #include <getopt.h>
 #include <xtables.h>
 
+#include <linux/netfilter/nf_log.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_NFLOG.h>
 
@@ -53,12 +54,16 @@ static void NFLOG_init(struct xt_entry_target *t)
 
 static void NFLOG_parse(struct xt_option_call *cb)
 {
+       char *nf_log_prefix = cb->udata;
+
        xtables_option_parse(cb);
        switch (cb->entry->id) {
        case O_PREFIX:
                if (strchr(cb->arg, '\n') != NULL)
                        xtables_error(PARAMETER_PROBLEM,
                                   "Newlines not allowed in --log-prefix");
+
+               snprintf(nf_log_prefix, NF_LOG_PREFIXLEN, "%s", cb->arg);
                break;
        }
 }
@@ -149,6 +154,7 @@ static struct xtables_target nflog_target = {
        .save           = NFLOG_save,
        .x6_options     = NFLOG_opts,
        .xlate          = NFLOG_xlate,
+       .udata_size     = NF_LOG_PREFIXLEN
 };
 
 void _init(void)
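Review bot: The `snprintf` into `nf_log_prefix` under `case O_PREFIX` silently truncates any prefix of NF_LOG_PREFIXLEN or more characters, so a user who passes an over-long prefix gets a clipped one with no diagnostic, even though the newline check two lines above rejects bad input loudly. Check the result and fail the same way: `if (snprintf(nf_log_prefix, NF_LOG_PREFIXLEN, "%s", cb->arg) >= NF_LOG_PREFIXLEN)` followed by `xtables_error(PARAMETER_PROBLEM, "--log-prefix too long");`. The hunk also relies on `cb->udata` pointing at a buffer of `.udata_size` bytes allocated by the xtables core, which is not visible here, so a comment above `char *nf_log_prefix = cb->udata;` such as `/* udata is NF_LOG_PREFIXLEN bytes (see .udata_size); holds the long prefix used by iptables-nft */` would spare the next reader the lookup. Whatever still fills the 64-byte legacy `prefix` field happens outside this hunk (presumably through `xtables_option_parse`), so the two copies are populated on different paths and that is worth stating in the same comment.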
index daab1b4a75f00922159c10757835e1a86257c3bf..e4932a7a33eacdf4c4d6b0a78177e5abb0f28331 100644 (file)
@@ -39,6 +39,7 @@
 #include <linux/netfilter/nf_tables_compat.h>
 
 #include <linux/netfilter/xt_limit.h>
+#include <linux/netfilter/xt_NFLOG.h>
 
 #include <libmnl/libmnl.h>
 #include <libnftnl/gen.h>
@@ -1346,6 +1347,8 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
                        ret = add_verdict(r, NF_DROP);
                else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
                        ret = add_verdict(r, NFT_RETURN);
+               else if (strcmp(cs->jumpto, "NFLOG") == 0)
+                       ret = add_log(r, cs);
                else
                        ret = add_target(r, cs->target->t);
        } else if (strlen(cs->jumpto) > 0) {
@@ -1358,6 +1361,31 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
        return ret;
 }
 
+int add_log(struct nftnl_rule *r, struct iptables_command_state *cs)
+{
+       struct nftnl_expr *expr;
+       struct xt_nflog_info *info = (struct xt_nflog_info *)cs->target->t->data;
+
+       expr = nftnl_expr_alloc("log");
+       if (!expr)
+               return -ENOMEM;
+
+       if (info->prefix[0] != '\0')
+               nftnl_expr_set_str(expr, NFTNL_EXPR_LOG_PREFIX,
+                                  cs->target->udata);
+
+       nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_GROUP, info->group);
+       if (info->flags & XT_NFLOG_F_COPY_LEN)
+               nftnl_expr_set_u32(expr, NFTNL_EXPR_LOG_SNAPLEN,
+                                  info->len);
+       if (info->threshold)
+               nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_QTHRESHOLD,
+                                  info->threshold);
+
+       nftnl_rule_add_expr(r, expr);
+       return 0;
+}
+
 static void nft_rule_print_debug(struct nftnl_rule *r, struct nlmsghdr *nlh)
 {
 #ifdef NLDEBUG
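Review bot: `add_log` tests emptiness on the 64-byte legacy `info->prefix` but hands the separate `cs->target->udata` buffer to `nftnl_expr_set_str`, so if the two ever diverge (for example a target registered without `.udata_size`, leaving `udata` NULL) the prefix is silently dropped or a NULL pointer reaches libnftnl. A fallback keeps both cases safe: `const char *prefix = cs->target->udata ? cs->target->udata : info->prefix;` and then test and pass `prefix` instead of the two different fields. The cast of `cs->target->t->data` to `struct xt_nflog_info` also assumes the jump target really is NFLOG, which the `strcmp(cs->jumpto, "NFLOG")` in the earlier `add_action` hunk guarantees for that caller only; since the prototype is exported in nft.h, a header comment stating the precondition, `/* cs->target must be the NFLOG extension: reads xt_nflog_info from t->data and the long prefix from udata */`, would protect future callers.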
index f189b03fbc6b9348c606d6f2a73eb7202921f38d..4c78f761e1c4bf088187a3396d56e1cb07d89d02 100644 (file)
@@ -194,6 +194,7 @@ int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
+int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
 char *get_comment(const void *data, uint32_t data_len);
 
 enum nft_rule_print {