kernel.patches/3.2.34/net-netfilter-IFWLOG.patch

---
 include/linux/netfilter_ipv4/ipt_IFWLOG.h |   26 +++
 net/ipv4/netfilter/Kconfig                |   11 +
 net/ipv4/netfilter/Makefile               |    1 
 net/ipv4/netfilter/ipt_IFWLOG.c           |  200 ++++++++++++++++++++++++++++++
 4 files changed, 238 insertions(+)

--- /dev/null
+++ b/net/ipv4/netfilter/ipt_IFWLOG.c
@@ -0,0 +1,200 @@
+/* Interactive Firewall for Mandriva
+ * Samir Bellabes <sbellabes@mandriva.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <asm/types.h>
+#include <linux/jiffies.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/icmp.h>
+#include <net/udp.h>
+#include <net/tcp.h>
+#include <net/sock.h>
+#include <linux/netlink.h>
+#include <linux/string.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_IFWLOG.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Samir Bellabes <sbellabes@mandriva.com>");
+MODULE_DESCRIPTION("Interactive firewall logging and module");
+
+#if 0
+#define DEBUGP PRINTR
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#define PRINTR(format, args...) do { if(net_ratelimit()) printk(format, ##args); } while(0)
+
+static struct sock *nl;
+
+#define GROUP 10
+
+/* send struct to userspace */
+static void send_packet(struct nl_msg msg)
+{
+	struct sk_buff *skb = NULL;
+	struct nlmsghdr *nlh;
+
+	skb = alloc_skb(NLMSG_SPACE(sizeof(struct nl_msg)), GFP_ATOMIC);
+	if (!skb) {
+		PRINTR(KERN_WARNING "IFWLOG: OOM can't allocate skb\n");
+		return ;
+	}
+
+	nlh = NLMSG_PUT(skb, 0, 0, 0, sizeof(struct nl_msg) - sizeof(*nlh));
+
+	memcpy(NLMSG_DATA(nlh), (const void*)&msg, sizeof(struct nl_msg));
+
+	NETLINK_CB(skb).pid = 0;  /* from kernel */
+	NETLINK_CB(skb).dst_pid = 0;  /* multicast */
+	NETLINK_CB(skb).dst_group = 10;
+
+	if (nl) {
+		DEBUGP(KERN_WARNING
+		       "IFWLOG: nlmsg_len=%ld\nnlmsg_type=%d nlmsg_flags=%d\nnlmsg_seq=%ld nlmsg_pid = %ld\n",
+		       (long)nlh->nlmsg_len,  nlh->nlmsg_type, nlh->nlmsg_flags,
+		       (long)nlh->nlmsg_seq, (long)nlh->nlmsg_pid);
+		DEBUGP(KERN_WARNING "prefix : %s\n", msg.prefix);
+
+		netlink_broadcast(nl, skb, 0, 10, GFP_ATOMIC);
+		return ;
+	}
+
+ nlmsg_failure:
+        if (skb)
+                kfree_skb(skb);
+        PRINTR(KERN_WARNING "IFWLOG: Error sending netlink packet\n");
+        return ;
+}
+
+/* fill struct for userspace */
+static void ipt_IFWLOG_packet(const struct sk_buff *skb,
+			      const struct net_device *in,
+			      const struct net_device *out,
+			      const struct ipt_IFWLOG_info *info)
+{
+	struct iphdr iph;
+	struct tcphdr tcph;
+	struct udphdr udph;
+	struct nl_msg msg;
+	struct iphdr _iph, *ih;
+	struct timeval tv;
+
+	memset(&msg, 0, sizeof(struct nl_msg));
+
+	ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+	if (ih == NULL) {
+		PRINTR(KERN_WARNING "IFWLOG: skb truncated");
+		return;
+	}
+
+	/* save interface name */
+	if (in)
+		strcpy(msg.indev_name, in->name);
+	if (out)
+		strcpy(msg.outdev_name, out->name);
+
+	/* save log-prefix */
+	strcpy(msg.prefix, info->prefix);
+
+	/* save ip header */
+	skb_copy_bits(skb, 0, &iph, sizeof(iph));
+	memcpy(&msg.ip, &iph, sizeof(struct iphdr));
+
+	/* save transport header */
+	switch (iph.protocol){
+	case IPPROTO_TCP:
+		skb_copy_bits(skb, iph.ihl*4 , &tcph, sizeof(tcph));
+		memcpy(&msg.h.th, &tcph, sizeof(struct tcphdr));
+		break;
+	case IPPROTO_UDP:
+		skb_copy_bits(skb, iph.ihl*4 , &udph, sizeof(udph));
+		memcpy(&msg.h.uh, &udph, sizeof(struct udphdr));
+		break;
+	default:
+		break;
+	}
+
+	/* save timetamp */
+	do_gettimeofday((struct timeval *)&tv);
+        msg.timestamp_sec = tv.tv_sec;
+
+	send_packet(msg);
+}
+
+static unsigned int ipt_IFWLOG_target(struct sk_buff **pskb,
+				      const struct net_device *in,
+				      const struct net_device *out,
+				      unsigned int hooknum,
+				      const void *targinfo,
+				      void *userinfo)
+{
+	const struct ipt_IFWLOG_info *info = targinfo;
+
+	ipt_IFWLOG_packet(*pskb, in, out, info);
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_IFWLOG_checkentry(const char *tablename,
+				 const struct ipt_entry *e,
+				 void *targinfo,
+				 unsigned int targinfosize,
+				 unsigned int hook_mask)
+{
+	const struct ipt_IFWLOG_info *info = targinfo;
+
+	if (info->prefix[sizeof(info->prefix)-1] != '\0') {
+		DEBUGP("IFWLOG: prefix term %i\n",
+		       info->prefix[sizeof(info->prefix)-1]);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_IFWLOG = {
+	.name		= "IFWLOG",
+	.target		= ipt_IFWLOG_target,
+	.targetsize	= sizeof(struct ipt_IFWLOG_info),
+	.checkentry	= ipt_IFWLOG_checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	nl = (struct sock*) netlink_kernel_create(NETLINK_IFWLOG, GROUP, NULL, THIS_MODULE);
+        if (!nl) {
+                PRINTR(KERN_WARNING "IFWLOG: cannot create netlink socket\n");
+                return -EINVAL;
+        }
+
+	if (ipt_register_target(&ipt_IFWLOG)) {
+		if (nl && nl->sk_socket)
+			sock_release(nl->sk_socket);
+		return -EINVAL;
+	}
+
+	PRINTR(KERN_INFO "IFWLOG: register target\n");
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	if (nl && nl->sk_socket)
+                sock_release(nl->sk_socket);
+	PRINTR(KERN_INFO "IFWLOG: unregister target\n");
+	ipt_unregister_target(&ipt_IFWLOG);
+}
+
+module_init(init);
+module_exit(fini);
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -331,6 +331,17 @@ config IP_NF_TARGET_TTL
 	(e.g. when running oldconfig). It selects
 	CONFIG_NETFILTER_XT_TARGET_HL.
 
+config IP_NF_TARGET_IFWLOG
+	tristate  'IFWLOG target support'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a `IFWLOG' target, which is used by
+	  Interactive Firewall for sending informations to a userspace
+	  daemon
+
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.
+
 # raw + specific targets
 config IP_NF_RAW
 	tristate  'raw table support (required for NOTRACK/TRACE)'
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_IFWLOG.h
@@ -0,0 +1,26 @@
+#ifndef _IPT_IFWLOG_H
+#define _IPT_IFWLOG_H
+
+#ifndef NETLINK_IFWLOG
+#define NETLINK_IFWLOG  19
+#endif
+
+#define PREFSIZ         32
+
+struct nl_msg {				/* Netlink message */
+	long timestamp_sec;             /* time packet */
+	char indev_name[IFNAMSIZ];      /* name of the ingoing interface */
+	char outdev_name[IFNAMSIZ];     /* name of the outgoing interface */
+	unsigned char prefix[PREFSIZ];  /* informations on the logging reason */
+	struct iphdr ip;
+	union {
+		struct tcphdr th;
+		struct udphdr uh;
+	} h;
+};
+
+struct ipt_IFWLOG_info {
+	char prefix[PREFSIZ];
+};
+
+#endif /* _IPT_IFWLOG_H */
--- linux/net/ipv4/netfilter/Makefile.net-netfilter-IFWLOG.orig	2012-05-21 01:29:13.000000000 +0300
+++ linux/net/ipv4/netfilter/Makefile	2012-05-26 01:23:57.511514194 +0300
@@ -53,6 +53,7 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ip
 
 # targets
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+obj-$(CONFIG_IP_NF_TARGET_IFWLOG) += ipt_IFWLOG.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
Initial patches commit 2012-11-24 17:08:51 +01:00			`---`
			`include/linux/netfilter_ipv4/ipt_IFWLOG.h \| 26 +++`
			`net/ipv4/netfilter/Kconfig \| 11 +`
			`net/ipv4/netfilter/Makefile \| 1`
			`net/ipv4/netfilter/ipt_IFWLOG.c \| 200 ++++++++++++++++++++++++++++++`
			`4 files changed, 238 insertions(+)`

			`--- /dev/null`
			`+++ b/net/ipv4/netfilter/ipt_IFWLOG.c`
			`@@ -0,0 +1,200 @@`
			`+/* Interactive Firewall for Mandriva`
			`+ * Samir Bellabes <sbellabes@mandriva.com>`
			`+ *`
			`+ * This program is free software; you can redistribute it and/or modify`
			`+ * it under the terms of the GNU General Public License version 2 as`
			`+ * published by the Free Software Foundation.`
			`+ */`
			`+`
			`+#include <linux/module.h>`
			`+#include <asm/types.h>`
			`+#include <linux/jiffies.h>`
			`+#include <linux/skbuff.h>`
			`+#include <linux/ip.h>`
			`+#include <net/icmp.h>`
			`+#include <net/udp.h>`
			`+#include <net/tcp.h>`
			`+#include <net/sock.h>`
			`+#include <linux/netlink.h>`
			`+#include <linux/string.h>`
			`+`
			`+#include <linux/netfilter.h>`
			`+#include <linux/netfilter_ipv4/ip_tables.h>`
			`+#include <linux/netfilter_ipv4/ipt_IFWLOG.h>`
			`+`
			`+MODULE_LICENSE("GPL");`
			`+MODULE_AUTHOR("Samir Bellabes <sbellabes@mandriva.com>");`
			`+MODULE_DESCRIPTION("Interactive firewall logging and module");`
			`+`
			`+#if 0`
			`+#define DEBUGP PRINTR`
			`+#else`
			`+#define DEBUGP(format, args...)`
			`+#endif`
			`+`
			`+#define PRINTR(format, args...) do { if(net_ratelimit()) printk(format, ##args); } while(0)`
			`+`
			`+static struct sock *nl;`
			`+`
			`+#define GROUP 10`
			`+`
			`+/* send struct to userspace */`
			`+static void send_packet(struct nl_msg msg)`
			`+{`
			`+ struct sk_buff *skb = NULL;`
			`+ struct nlmsghdr *nlh;`
			`+`
			`+ skb = alloc_skb(NLMSG_SPACE(sizeof(struct nl_msg)), GFP_ATOMIC);`
			`+ if (!skb) {`
			`+ PRINTR(KERN_WARNING "IFWLOG: OOM can't allocate skb\n");`
			`+ return ;`
			`+ }`
			`+`
			`+ nlh = NLMSG_PUT(skb, 0, 0, 0, sizeof(struct nl_msg) - sizeof(*nlh));`
			`+`
			`+ memcpy(NLMSG_DATA(nlh), (const void*)&msg, sizeof(struct nl_msg));`
			`+`
			`+ NETLINK_CB(skb).pid = 0; /* from kernel */`
			`+ NETLINK_CB(skb).dst_pid = 0; /* multicast */`
			`+ NETLINK_CB(skb).dst_group = 10;`
			`+`
			`+ if (nl) {`
			`+ DEBUGP(KERN_WARNING`
			`+ "IFWLOG: nlmsg_len=%ld\nnlmsg_type=%d nlmsg_flags=%d\nnlmsg_seq=%ld nlmsg_pid = %ld\n",`
			`+ (long)nlh->nlmsg_len, nlh->nlmsg_type, nlh->nlmsg_flags,`
			`+ (long)nlh->nlmsg_seq, (long)nlh->nlmsg_pid);`
			`+ DEBUGP(KERN_WARNING "prefix : %s\n", msg.prefix);`
			`+`
			`+ netlink_broadcast(nl, skb, 0, 10, GFP_ATOMIC);`
			`+ return ;`
			`+ }`
			`+`
			`+ nlmsg_failure:`
			`+ if (skb)`
			`+ kfree_skb(skb);`
			`+ PRINTR(KERN_WARNING "IFWLOG: Error sending netlink packet\n");`
			`+ return ;`
			`+}`
			`+`
			`+/* fill struct for userspace */`
			`+static void ipt_IFWLOG_packet(const struct sk_buff *skb,`
			`+ const struct net_device *in,`
			`+ const struct net_device *out,`
			`+ const struct ipt_IFWLOG_info *info)`
			`+{`
			`+ struct iphdr iph;`
			`+ struct tcphdr tcph;`
			`+ struct udphdr udph;`
			`+ struct nl_msg msg;`
			`+ struct iphdr _iph, *ih;`
			`+ struct timeval tv;`
			`+`
			`+ memset(&msg, 0, sizeof(struct nl_msg));`
			`+`
			`+ ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);`
			`+ if (ih == NULL) {`
			`+ PRINTR(KERN_WARNING "IFWLOG: skb truncated");`
			`+ return;`
			`+ }`
			`+`
			`+ /* save interface name */`
			`+ if (in)`
			`+ strcpy(msg.indev_name, in->name);`
			`+ if (out)`
			`+ strcpy(msg.outdev_name, out->name);`
			`+`
			`+ /* save log-prefix */`
			`+ strcpy(msg.prefix, info->prefix);`
			`+`
			`+ /* save ip header */`
			`+ skb_copy_bits(skb, 0, &iph, sizeof(iph));`
			`+ memcpy(&msg.ip, &iph, sizeof(struct iphdr));`
			`+`
			`+ /* save transport header */`
			`+ switch (iph.protocol){`
			`+ case IPPROTO_TCP:`
			`+ skb_copy_bits(skb, iph.ihl*4 , &tcph, sizeof(tcph));`
			`+ memcpy(&msg.h.th, &tcph, sizeof(struct tcphdr));`
			`+ break;`
			`+ case IPPROTO_UDP:`
			`+ skb_copy_bits(skb, iph.ihl*4 , &udph, sizeof(udph));`
			`+ memcpy(&msg.h.uh, &udph, sizeof(struct udphdr));`
			`+ break;`
			`+ default:`
			`+ break;`
			`+ }`
			`+`
			`+ /* save timetamp */`
			`+ do_gettimeofday((struct timeval *)&tv);`
			`+ msg.timestamp_sec = tv.tv_sec;`
			`+`
			`+ send_packet(msg);`
			`+}`
			`+`
			`+static unsigned int ipt_IFWLOG_target(struct sk_buff **pskb,`
			`+ const struct net_device *in,`
			`+ const struct net_device *out,`
			`+ unsigned int hooknum,`
			`+ const void *targinfo,`
			`+ void *userinfo)`
			`+{`
			`+ const struct ipt_IFWLOG_info *info = targinfo;`
			`+`
			`+ ipt_IFWLOG_packet(*pskb, in, out, info);`
			`+`
			`+ return IPT_CONTINUE;`
			`+}`
			`+`
			`+static int ipt_IFWLOG_checkentry(const char *tablename,`
			`+ const struct ipt_entry *e,`
			`+ void *targinfo,`
			`+ unsigned int targinfosize,`
			`+ unsigned int hook_mask)`
			`+{`
			`+ const struct ipt_IFWLOG_info *info = targinfo;`
			`+`
			`+ if (info->prefix[sizeof(info->prefix)-1] != '\0') {`
			`+ DEBUGP("IFWLOG: prefix term %i\n",`
			`+ info->prefix[sizeof(info->prefix)-1]);`
			`+ return 0;`
			`+ }`
			`+`
			`+ return 1;`
			`+}`
			`+`
			`+static struct ipt_target ipt_IFWLOG = {`
			`+ .name = "IFWLOG",`
			`+ .target = ipt_IFWLOG_target,`
			`+ .targetsize = sizeof(struct ipt_IFWLOG_info),`
			`+ .checkentry = ipt_IFWLOG_checkentry,`
			`+ .me = THIS_MODULE,`
			`+};`
			`+`
			`+static int __init init(void)`
			`+{`
			`+ nl = (struct sock*) netlink_kernel_create(NETLINK_IFWLOG, GROUP, NULL, THIS_MODULE);`
			`+ if (!nl) {`
			`+ PRINTR(KERN_WARNING "IFWLOG: cannot create netlink socket\n");`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`+ if (ipt_register_target(&ipt_IFWLOG)) {`
			`+ if (nl && nl->sk_socket)`
			`+ sock_release(nl->sk_socket);`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`+ PRINTR(KERN_INFO "IFWLOG: register target\n");`
			`+ return 0;`
			`+}`
			`+`
			`+static void __exit fini(void)`
			`+{`
			`+ if (nl && nl->sk_socket)`
			`+ sock_release(nl->sk_socket);`
			`+ PRINTR(KERN_INFO "IFWLOG: unregister target\n");`
			`+ ipt_unregister_target(&ipt_IFWLOG);`
			`+}`
			`+`
			`+module_init(init);`
			`+module_exit(fini);`
			`--- a/net/ipv4/netfilter/Kconfig`
			`+++ b/net/ipv4/netfilter/Kconfig`
			`@@ -331,6 +331,17 @@ config IP_NF_TARGET_TTL`
			`(e.g. when running oldconfig). It selects`
			`CONFIG_NETFILTER_XT_TARGET_HL.`

			`+config IP_NF_TARGET_IFWLOG`
			`+ tristate 'IFWLOG target support'`
			`+ depends on IP_NF_IPTABLES`
			`+ help`
			+ This option adds a `IFWLOG' target, which is used by
			`+ Interactive Firewall for sending informations to a userspace`
			`+ daemon`
			`+`
			`+ If you want to compile it as a module, say M here and read`
			+ Documentation/modules.txt. If unsure, say `N'.
			`+`
			`# raw + specific targets`
			`config IP_NF_RAW`
			`tristate 'raw table support (required for NOTRACK/TRACE)'`
			`--- /dev/null`
			`+++ b/include/linux/netfilter_ipv4/ipt_IFWLOG.h`
			`@@ -0,0 +1,26 @@`
			`+#ifndef _IPT_IFWLOG_H`
			`+#define _IPT_IFWLOG_H`
			`+`
			`+#ifndef NETLINK_IFWLOG`
			`+#define NETLINK_IFWLOG 19`
			`+#endif`
			`+`
			`+#define PREFSIZ 32`
			`+`
			`+struct nl_msg { /* Netlink message */`
			`+ long timestamp_sec; /* time packet */`
			`+ char indev_name[IFNAMSIZ]; /* name of the ingoing interface */`
			`+ char outdev_name[IFNAMSIZ]; /* name of the outgoing interface */`
			`+ unsigned char prefix[PREFSIZ]; /* informations on the logging reason */`
			`+ struct iphdr ip;`
			`+ union {`
			`+ struct tcphdr th;`
			`+ struct udphdr uh;`
			`+ } h;`
			`+};`
			`+`
			`+struct ipt_IFWLOG_info {`
			`+ char prefix[PREFSIZ];`
			`+};`
			`+`
			`+#endif /* _IPT_IFWLOG_H */`
			`--- linux/net/ipv4/netfilter/Makefile.net-netfilter-IFWLOG.orig 2012-05-21 01:29:13.000000000 +0300`
			`+++ linux/net/ipv4/netfilter/Makefile 2012-05-26 01:23:57.511514194 +0300`
			`@@ -53,6 +53,7 @@ obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ip`

			`# targets`
			`obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o`
			`+obj-$(CONFIG_IP_NF_TARGET_IFWLOG) += ipt_IFWLOG.o`
			`obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o`
			`obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o`
			`obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o`