Branch data Line data Source code
1 : : /* SPDX-License-Identifier: GPL-2.0-only */
2 : : /*
3 : : * Copyright (c) 2022 Meta Platforms, Inc. and affiliates.
4 : : */
5 : :
6 : : #include "dump.h"
7 : :
8 : : #include <linux/netfilter.h>
9 : : #include <linux/netfilter/x_tables.h>
10 : : #include <linux/netfilter_ipv4/ip_tables.h>
11 : :
12 : : #include <stdbool.h>
13 : : #include <stdint.h>
14 : : #include <stdio.h>
15 : :
16 : : #include <bpfilter/dump.h>
17 : : #include <bpfilter/helper.h>
18 : :
19 : : #include "xlate/ipt/helpers.h"
20 : :
21 : : /**
22 : : * Map each hook to its name as a string.
23 : : */
24 : : static const char *hook_name[] = {
25 : : [NF_INET_PRE_ROUTING] = "PRE_ROUTING", [NF_INET_LOCAL_IN] = "LOCAL_IN",
26 : : [NF_INET_FORWARD] = "FORWARD", [NF_INET_LOCAL_OUT] = "LOCAL_OUT",
27 : : [NF_INET_POST_ROUTING] = "POST_ROUTING",
28 : : };
29 : :
30 : : /**
31 : : * Map each target to its name as a string.
32 : : */
33 : : static const char *target_name[] = {
34 : : [NF_DROP] = "DROP", [NF_ACCEPT] = "ACCEPT", [NF_STOLEN] = "STOLEN",
35 : : [NF_QUEUE] = "QUEUE", [NF_REPEAT] = "REPEAT", [NF_STOP] = "STOP",
36 : : };
37 : :
38 : : /**
39 : : * Dump content of @p ipt_counters structure.
40 : : *
41 : : * @param counters @p ipt_counters structure. Must be non-NULL.
42 : : * @param prefix @p log_prefix structure.
43 : : */
44 : 0 : static inline void ipt_dump_counters(const struct ipt_counters *counters,
45 : : prefix_t *prefix)
46 : : {
47 : : bf_assert(counters && prefix);
48 : :
49 [ # # ]: 0 : DUMP(prefix, "struct ipt_counters at %p", counters);
50 : 0 : }
51 : :
52 : : /**
53 : : * Dump content of @p ipt_ip structure.
54 : : *
55 : : * @param ip @p ipt_ip structure. Must be non-NULL.
56 : : * @param prefix @p log_prefix structure.
57 : : */
58 : 0 : static void ipt_dump_ip(const struct ipt_ip *ip, prefix_t *prefix)
59 : : {
60 : : bf_assert(ip && prefix);
61 : :
62 [ # # ]: 0 : DUMP(prefix, "struct ipt_ip at %p", ip);
63 : :
64 : 0 : bf_dump_prefix_push(prefix);
65 [ # # ]: 0 : DUMP(prefix, "src: " IP4_FMT, IP4_SPLIT(ip->src));
66 [ # # ]: 0 : DUMP(prefix, "dst: " IP4_FMT, IP4_SPLIT(ip->dst));
67 [ # # ]: 0 : DUMP(prefix, "src_mask: " IP4_FMT, IP4_SPLIT(ip->smsk));
68 [ # # ]: 0 : DUMP(prefix, "dst_mask: " IP4_FMT, IP4_SPLIT(ip->dmsk));
69 [ # # ]: 0 : DUMP(prefix, "in_iface: %s", ip->iniface);
70 [ # # ]: 0 : DUMP(prefix, "out_iface: %s", ip->outiface);
71 [ # # ]: 0 : DUMP(prefix, "in_iface_mask: %s", ip->iniface_mask);
72 [ # # ]: 0 : DUMP(prefix, "out_iface_mask: %s", ip->outiface_mask);
73 [ # # ]: 0 : DUMP(prefix, "protocol: %d", ip->proto);
74 [ # # ]: 0 : DUMP(prefix, "flags: %d", ip->flags);
75 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "invflags: %d", ip->invflags);
76 : 0 : bf_dump_prefix_pop(prefix);
77 : 0 : }
78 : :
79 : : /**
80 : : * Dump content of @p ipt_entry_match structure.
81 : : *
82 : : * @param match @p ipt_entry_match structure. Must be non-NULL.
83 : : * @param prefix @p log_prefix structure.
84 : : */
85 : 0 : static void ipt_dump_match(const struct ipt_entry_match *match,
86 : : prefix_t *prefix)
87 : : {
88 : : bf_assert(match && prefix);
89 : :
90 [ # # ]: 0 : DUMP(prefix, "struct ipt_entry_match at %p", match);
91 : :
92 : 0 : bf_dump_prefix_push(prefix);
93 [ # # ]: 0 : DUMP(prefix, "user:");
94 [ # # ]: 0 : DUMP(prefix, "match_size: %d", match->u.user.match_size);
95 [ # # ]: 0 : DUMP(prefix, "name: %s", match->u.user.name);
96 [ # # ]: 0 : DUMP(prefix, "revision: %d", match->u.user.revision);
97 [ # # ]: 0 : DUMP(prefix, "kernel:");
98 [ # # ]: 0 : DUMP(prefix, "match_size: %d", match->u.kernel.match_size);
99 [ # # ]: 0 : DUMP(prefix, "match at %p", match->u.kernel.match);
100 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "match_size: %d", match->u.match_size);
101 : 0 : bf_dump_prefix_pop(prefix);
102 : 0 : }
103 : :
104 : : static inline int _bf_ipt_convert_verdict(int verdict)
105 : : {
106 : 0 : return -verdict - 1;
107 : : }
108 : :
109 : : /**
110 : : * Dump content of @p ipt_entry_target structure.
111 : : *
112 : : * @param target @p ipt_entry_target structure. Must be non-NULL.
113 : : * @param prefix @p log_prefix structure.
114 : : */
115 : 0 : static void ipt_dump_target(const struct ipt_entry_target *target,
116 : : prefix_t *prefix)
117 : : {
118 : : bool is_standard;
119 : : struct ipt_standard_target *std_target = (void *)target;
120 : :
121 : : bf_assert(target && prefix);
122 : :
123 : 0 : is_standard = bf_streq(target->u.user.name, "");
124 : :
125 [ # # ]: 0 : DUMP(prefix, "struct ipt_entry_target at %p", target);
126 : :
127 : 0 : bf_dump_prefix_push(prefix);
128 [ # # ]: 0 : DUMP(prefix, "user:");
129 : :
130 : 0 : bf_dump_prefix_push(prefix);
131 [ # # ]: 0 : DUMP(prefix, "target_size: %d", target->u.user.target_size);
132 [ # # ]: 0 : DUMP(prefix, "name: '%s'", target->u.user.name);
133 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "revision: %d", target->u.user.revision);
134 : 0 : bf_dump_prefix_pop(prefix);
135 : :
136 [ # # ]: 0 : DUMP(prefix, "kernel:");
137 : :
138 : 0 : bf_dump_prefix_push(prefix);
139 [ # # ]: 0 : DUMP(prefix, "target_size: %d", target->u.kernel.target_size);
140 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "target: %p", target->u.kernel.target);
141 : 0 : bf_dump_prefix_pop(prefix);
142 : :
143 [ # # # # ]: 0 : DUMP((is_standard ? prefix : bf_dump_prefix_last(prefix)),
144 : : "target_size: %d", target->u.target_size);
145 [ # # ]: 0 : if (is_standard) {
146 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "verdict: %s",
147 : : target_name[_bf_ipt_convert_verdict(std_target->verdict)]);
148 : : }
149 : :
150 : 0 : bf_dump_prefix_pop(prefix);
151 : 0 : }
152 : :
153 : 0 : void bf_ipt_dump_replace(const struct ipt_replace *ipt, prefix_t *prefix)
154 : : {
155 : : int i;
156 : : uint32_t offset;
157 : : struct ipt_entry *first_rule;
158 : : struct ipt_entry *last_rule;
159 : :
160 : : bf_assert(ipt && prefix);
161 : :
162 [ # # ]: 0 : DUMP(prefix, "struct ipt_replace at %p", ipt);
163 : :
164 : 0 : bf_dump_prefix_push(prefix);
165 : :
166 [ # # ]: 0 : DUMP(prefix, "name: '%s'", ipt->name);
167 [ # # ]: 0 : DUMP(prefix, "valid_hooks: " BIN_FMT "", BIN_SPLIT(ipt->valid_hooks));
168 [ # # ]: 0 : DUMP(prefix, "num_entries: %d", ipt->num_entries);
169 [ # # ]: 0 : DUMP(prefix, "size: %d", ipt->size);
170 [ # # ]: 0 : DUMP(bf_dump_prefix_last(prefix), "struct ipt_entry at %p", ipt->entries);
171 : :
172 : 0 : bf_dump_prefix_push(prefix);
173 : :
174 : : // Loop over each hook to print its rules (if defined).
175 [ # # ]: 0 : for (i = 0; i < NF_INET_NUMHOOKS; ++i) {
176 [ # # ]: 0 : if (i == NF_INET_POST_ROUTING)
177 : 0 : bf_dump_prefix_last(prefix);
178 : :
179 [ # # ]: 0 : if (!ipt_is_hook_enabled(ipt, i)) {
180 [ # # ]: 0 : DUMP(prefix, "%s: no rule defined", hook_name[i]);
181 : 0 : continue;
182 : : }
183 : :
184 [ # # ]: 0 : DUMP(prefix, "%s (from %x to %x):", hook_name[i], ipt->hook_entry[i],
185 : : ipt->underflow[i]);
186 : :
187 : 0 : bf_dump_prefix_push(prefix);
188 : :
189 : 0 : first_rule = ipt_get_first_rule(ipt, i);
190 : 0 : last_rule = ipt_get_last_rule(ipt, i);
191 : : offset = sizeof(*first_rule);
192 : :
193 : : // Loop over the rules for the current hook.
194 [ # # ]: 0 : while (first_rule <= last_rule) {
195 [ # # ]: 0 : if (first_rule == last_rule)
196 : 0 : bf_dump_prefix_last(prefix);
197 : :
198 [ # # ]: 0 : DUMP(prefix, "struct ipt_entry at %p", first_rule);
199 : :
200 : 0 : bf_dump_prefix_push(prefix);
201 : :
202 : 0 : ipt_dump_ip(&first_rule->ip, prefix);
203 : :
204 [ # # ]: 0 : DUMP(prefix, "target_offset: %d", first_rule->target_offset);
205 [ # # ]: 0 : DUMP(prefix, "next_offset: %d", first_rule->next_offset);
206 [ # # ]: 0 : DUMP(prefix, "comefrom: %d", first_rule->comefrom);
207 : :
208 : 0 : ipt_dump_counters(&first_rule->counters, prefix);
209 : :
210 : : // Loop over the matches for the current rule.
211 [ # # ]: 0 : while (offset < first_rule->target_offset) {
212 : 0 : ipt_dump_match(ipt_get_match(first_rule, offset), prefix);
213 : 0 : offset += ipt_get_match(first_rule, offset)->u.match_size;
214 : : }
215 : :
216 : 0 : ipt_dump_target(ipt_get_target(first_rule),
217 : : bf_dump_prefix_last(prefix));
218 : :
219 : 0 : bf_dump_prefix_pop(prefix);
220 : :
221 [ # # ]: 0 : if (!first_rule->next_offset)
222 : : break;
223 : :
224 : 0 : first_rule = ipt_get_next_rule(first_rule);
225 : : }
226 : 0 : bf_dump_prefix_pop(prefix);
227 : : }
228 : :
229 : 0 : bf_dump_prefix_pop(prefix);
230 : :
231 : : // Force flush, otherwise output on stderr might appear.
232 : 0 : (void)fflush(stdout);
233 : 0 : }
|
