ACK: [SRU][Xenial][PATCH 1/1] netfilter: allow logging from non-init namespaces
Kleber Souza
kleber.souza at canonical.com
Tue May 8 13:38:04 UTC 2018
On 04/27/18 21:11, Joseph Salisbury wrote:
> From: Michal Kubeček <mkubecek at suse.cz>
>
> BugLink: http://bugs.launchpad.net/bugs/1766573
>
> Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> xt_LOG") disabled logging packets using the LOG target from non-init
> namespaces. The motivation was to prevent containers from flooding
> kernel log of the host. The plan was to keep it that way until syslog
> namespace implementation allows containers to log in a safe way.
>
> However, the work on syslog namespace seems to have hit a dead end
> somewhere in 2013 and there are users who want to use xt_LOG in all
> network namespaces. This patch allows to do so by setting
>
> /proc/sys/net/netfilter/nf_log_all_netns
>
> to a nonzero value. This sysctl is only accessible from init_net so that
> one cannot switch the behaviour from inside a container.
>
> Signed-off-by: Michal Kubecek <mkubecek at suse.cz>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 2851940ffee313e0ff12540a8e11a8c54dea9c65)
> Signed-off-by: Joseph Salisbury <joseph.salisbury at canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
> Documentation/networking/netfilter-sysctl.txt | 10 ++++++++++
> include/net/netfilter/nf_log.h | 3 +++
> net/bridge/netfilter/ebt_log.c | 2 +-
> net/ipv4/netfilter/nf_log_arp.c | 2 +-
> net/ipv4/netfilter/nf_log_ipv4.c | 2 +-
> net/ipv6/netfilter/nf_log_ipv6.c | 2 +-
> net/netfilter/nf_log.c | 24 ++++++++++++++++++++++++
> 7 files changed, 41 insertions(+), 4 deletions(-)
> create mode 100644 Documentation/networking/netfilter-sysctl.txt
>
> diff --git a/Documentation/networking/netfilter-sysctl.txt b/Documentation/networking/netfilter-sysctl.txt
> new file mode 100644
> index 0000000..55791e5
> --- /dev/null
> +++ b/Documentation/networking/netfilter-sysctl.txt
> @@ -0,0 +1,10 @@
> +/proc/sys/net/netfilter/* Variables:
> +
> +nf_log_all_netns - BOOLEAN
> + 0 - disabled (default)
> + not 0 - enabled
> +
> + By default, only init_net namespace can log packets into kernel log
> + with LOG target; this aims to prevent containers from flooding host
> + kernel log. If enabled, this target also works in other network
> + namespaces. This variable is only accessible from init_net.
> diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
> index 57639fc..8c4b018 100644
> --- a/include/net/netfilter/nf_log.h
> +++ b/include/net/netfilter/nf_log.h
> @@ -49,6 +49,9 @@ struct nf_logger {
> struct module *me;
> };
>
> +/* sysctl_nf_log_all_netns - allow LOG target in all network namespaces */
> +extern int sysctl_nf_log_all_netns;
> +
> /* Function to register/unregister log function. */
> int nf_log_register(u_int8_t pf, struct nf_logger *logger);
> void nf_log_unregister(struct nf_logger *logger);
> diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
> index 0ad639a..0a2d0e3 100644
> --- a/net/bridge/netfilter/ebt_log.c
> +++ b/net/bridge/netfilter/ebt_log.c
> @@ -80,7 +80,7 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
> unsigned int bitmask;
>
> /* FIXME: Disabled from containers until syslog ns is supported */
> - if (!net_eq(net, &init_net))
> + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
> return;
>
> spin_lock_bh(&ebt_log_lock);
> diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
> index e7ad950..39e1348 100644
> --- a/net/ipv4/netfilter/nf_log_arp.c
> +++ b/net/ipv4/netfilter/nf_log_arp.c
> @@ -87,7 +87,7 @@ static void nf_log_arp_packet(struct net *net, u_int8_t pf,
> struct nf_log_buf *m;
>
> /* FIXME: Disabled from containers until syslog ns is supported */
> - if (!net_eq(net, &init_net))
> + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
> return;
>
> m = nf_log_buf_open();
> diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
> index 076aadd..2b00831 100644
> --- a/net/ipv4/netfilter/nf_log_ipv4.c
> +++ b/net/ipv4/netfilter/nf_log_ipv4.c
> @@ -319,7 +319,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
> struct nf_log_buf *m;
>
> /* FIXME: Disabled from containers until syslog ns is supported */
> - if (!net_eq(net, &init_net))
> + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
> return;
>
> m = nf_log_buf_open();
> diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
> index 8dd8696..0496048 100644
> --- a/net/ipv6/netfilter/nf_log_ipv6.c
> +++ b/net/ipv6/netfilter/nf_log_ipv6.c
> @@ -351,7 +351,7 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
> struct nf_log_buf *m;
>
> /* FIXME: Disabled from containers until syslog ns is supported */
> - if (!net_eq(net, &init_net))
> + if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
> return;
>
> m = nf_log_buf_open();
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
> index 2c89f90..d84e11a 100644
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -16,6 +16,9 @@
> #define NF_LOG_PREFIXLEN 128
> #define NFLOGGER_NAME_LEN 64
>
> +int sysctl_nf_log_all_netns __read_mostly;
> +EXPORT_SYMBOL(sysctl_nf_log_all_netns);
> +
> static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
> static DEFINE_MUTEX(nf_log_mutex);
>
> @@ -392,6 +395,18 @@ static const struct file_operations nflog_file_ops = {
> #ifdef CONFIG_SYSCTL
> static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
> static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
> +static struct ctl_table_header *nf_log_sysctl_fhdr;
> +
> +static struct ctl_table nf_log_sysctl_ftable[] = {
> + {
> + .procname = "nf_log_all_netns",
> + .data = &sysctl_nf_log_all_netns,
> + .maxlen = sizeof(sysctl_nf_log_all_netns),
> + .mode = 0644,
> + .proc_handler = proc_dointvec,
> + },
> + { }
> +};
>
> static int nf_log_proc_dostring(struct ctl_table *table, int write,
> void __user *buffer, size_t *lenp, loff_t *ppos)
> @@ -460,6 +475,10 @@ static int netfilter_log_sysctl_init(struct net *net)
> nf_log_sysctl_table[i].extra1 =
> (void *)(unsigned long) i;
> }
> + nf_log_sysctl_fhdr = register_net_sysctl(net, "net/netfilter",
> + nf_log_sysctl_ftable);
> + if (!nf_log_sysctl_fhdr)
> + goto err_freg;
> }
>
> for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
> @@ -476,6 +495,9 @@ static int netfilter_log_sysctl_init(struct net *net)
> err_reg:
> if (!net_eq(net, &init_net))
> kfree(table);
> + else
> + unregister_net_sysctl_table(nf_log_sysctl_fhdr);
> +err_freg:
> err_alloc:
> return -ENOMEM;
> }
> @@ -488,6 +510,8 @@ static void netfilter_log_sysctl_exit(struct net *net)
> unregister_net_sysctl_table(net->nf.nf_log_dir_header);
> if (!net_eq(net, &init_net))
> kfree(table);
> + else
> + unregister_net_sysctl_table(nf_log_sysctl_fhdr);
> }
> #else
> static int netfilter_log_sysctl_init(struct net *net)
>
More information about the kernel-team
mailing list