Netfilter ARP log
2022-07-03 21:20:00 【redwingz】
The ARP log structure `nf_arp_logger` is defined with type NF_LOG_TYPE_LOG and processing function nf_log_arp_packet. At present, the other log type supported by the kernel is NF_LOG_TYPE_ULOG.
/*
 * Logger registered for the ARP protocol family.  Entries of type
 * NF_LOG_TYPE_LOG are written through the printk-based logfn;
 * nf_log_arp_packet is the function invoked for every logged skb.
 */
static struct nf_logger nf_arp_logger __read_mostly = {
	.me	= THIS_MODULE,
	.name	= "nf_log_arp",
	.logfn	= nf_log_arp_packet,
	.type	= NF_LOG_TYPE_LOG,
};
nf_log_register adds the above log structure to the global loggers array. For each namespace, nf_log_set adds it to that namespace's own nf_loggers array.
/*
 * Per-namespace init: bind nf_arp_logger as the NFPROTO_ARP logger of
 * @net.  Returns whatever nf_log_set() reports.
 */
static int __net_init nf_log_arp_net_init(struct net *net)
{
	int err = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger);

	return err;
}
/*
 * Network-namespace lifecycle hooks for this logger.  nf_log_arp_net_exit
 * is referenced here but its body is not part of this excerpt.
 */
static struct pernet_operations nf_log_arp_net_ops = {
	.exit	= nf_log_arp_net_exit,
	.init	= nf_log_arp_net_init,
};
/*
 * Module init: register the per-net hooks first, then the ARP logger
 * itself.  The excerpt on this page ends right after the
 * nf_log_register() call; how its return value is handled (presumably an
 * unwind of the pernet registration on failure) is not shown here.
 */
static int __init nf_log_arp_init(void)
{
int ret;
/* Installs nf_log_arp_net_init/_exit for every network namespace. */
ret = register_pernet_subsys(&nf_log_arp_net_ops);
if (ret < 0)
return ret;
/* Make nf_arp_logger known in the global loggers table for NFPROTO_ARP. */
ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
Log processing
The default log type, level and flag bits (NF_LOG_DEFAULT_MASK = 0xf).
/*
 * Fallback loginfo used when the caller passes none: NOTICE level with
 * the default flag mask.  Written with nested designators so each field
 * is addressed explicitly.
 */
static const struct nf_loginfo default_loginfo = {
	.type		= NF_LOG_TYPE_LOG,
	.u.log.level	= LOGLEVEL_NOTICE,
	.u.log.logflags	= NF_LOG_DEFAULT_MASK,
};
By default, only log messages from the init_net namespace are recorded; to record logs from other namespaces, the nf_log_all_netns switch must be enabled.
# sysctl -a | grep nf_log_all_netns
net.netfilter.nf_log_all_netns = 0
#
# sysctl net.netfilter.nf_log_all_netns=1
net.netfilter.nf_log_all_netns = 1
The log processing function first allocates the log buffer structure nf_log_buf. It then prints the packet's input and output interface information, followed by the ARP protocol information. Finally, nf_log_buf_close prints the buffered text and releases the allocated log buffer.
/*
 * Log one ARP packet seen at @hooknum.
 *
 * @net:     network namespace the packet was seen in
 * @pf:      protocol family (NFPROTO_ARP for this logger)
 * @hooknum: netfilter hook number
 * @skb:     the packet
 * @in/@out: ingress/egress devices, either may be NULL
 * @loginfo: per-rule log settings; NULL selects default_loginfo
 * @prefix:  rule-supplied prefix string
 *
 * The closing brace of this function is not reproduced on this page.
 */
static void nf_log_arp_packet(struct net *net, u_int8_t pf,
unsigned int hooknum, const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct nf_loginfo *loginfo,
const char *prefix)
{
struct nf_log_buf *m;
/* FIXME: Disabled from containers until syslog ns is supported */
/*
 * Only init_net is logged unless sysctl_nf_log_all_netns is set.
 * NOTE(review): presumably this keeps non-root namespaces from writing
 * into the (un-namespaced) host syslog by default — confirm.
 */
if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
return;
/* NOTE(review): return value used unchecked; presumably a per-CPU buffer that is never NULL — confirm. */
m = nf_log_buf_open();
/* Rules without explicit settings fall back to default_loginfo. */
if (!loginfo)
loginfo = &default_loginfo;
/* Interface/prefix header shared by all nf_log families, then ARP fields. */
nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
dump_arp_packet(m, loginfo, skb, 0);
/* Emits the buffered line and releases the buffer. */
nf_log_buf_close(m);
For the ARP protocol, if the packet is shorter than the ARP header, the packet is reported as truncated. If NF_LOG_MACDECODE is set, the packet's source and destination MAC addresses are recorded, along with VLAN information and the link-layer protocol.
/*
 * Append the ARP-specific fields of @skb to log buffer @m.
 *
 * @m:     log buffer being built
 * @info:  log settings; only the logflags of NF_LOG_TYPE_LOG entries are honoured
 * @skb:   the packet
 * @nhoff: network header offset (unused in the visible part of this excerpt)
 *
 * This function is split across two code listings on this page; the
 * remainder (header fields and payload) follows the next paragraph.
 */
static void dump_arp_packet(struct nf_log_buf *m,
const struct nf_loginfo *info,
const struct sk_buff *skb, unsigned int nhoff)
{
const struct arppayload *ap;
struct arppayload _arpp;
const struct arphdr *ah;
struct arphdr _arph;
/*
 * Bounds-checked read of the ARP header: skb_header_pointer() returns
 * NULL if the packet is too short, so a short packet can never be
 * read past its end.  The "TRUNCATED" marker is all that gets logged.
 */
ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL) {
nf_log_buf_add(m, "TRUNCATED");
return;
}
/*
 * NOTE(review): `logflags` has no declaration in this excerpt; the page
 * appears to have dropped the `unsigned int logflags;` local.
 */
if (info->type == NF_LOG_TYPE_LOG)
logflags = info->u.log.logflags;
else
logflags = NF_LOG_DEFAULT_MASK;
/*
 * NOTE(review): eth_hdr() assumes an Ethernet link-layer header precedes
 * the ARP header; presumably only Ethernet-framed skbs reach this path —
 * confirm.
 */
if (logflags & NF_LOG_MACDECODE) {
nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
nf_log_dump_vlan(m, skb);
nf_log_buf_add(m, "MACPROTO=%04x ", ntohs(eth_hdr(skb)->h_proto));
}
The hardware address type (e.g. Ethernet=1), protocol address type (e.g. IPv4=0x800) and opcode (e.g. Request=1) are recorded. If the hardware address type is Ethernet, the hardware address length is 6 and the protocol address length is 4, the ARP payload is recorded as well.
The ARP payload information consists of the sender's MAC address and IP address, and the target's MAC address and IP address.
/*
 * Continuation of dump_arp_packet(): the function header is in the
 * listing above and its closing brace is not reproduced on this page.
 * All arphdr fields are big-endian on the wire, hence ntohs().
 */
nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
/* If it's for Ethernet and the lengths are OK, then log the ARP payload.
*/
/*
 * The payload is only interpreted when the advertised address lengths
 * match the fixed layout of struct arppayload (6-byte MAC, 4-byte IPv4);
 * any other combination is logged as header fields only.
 */
if (ah->ar_hrd != htons(ARPHRD_ETHER) ||
ah->ar_hln != ETH_ALEN ||
ah->ar_pln != sizeof(__be32))
return;
/* Bounds-checked read of the payload that follows the header. */
ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp);
if (ap == NULL) {
/*
 * The header read above succeeded, so skb->len >= sizeof(_arph) and
 * this subtraction cannot wrap.
 */
nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", skb->len - sizeof(_arph));
return;
}
/* %pM / %pI4 are the kernel printk extensions for MAC and IPv4 addresses. */
nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4",
ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
ARP log display
Load the module and set the logger for the ARP protocol (NFPROTO_ARP=3) to nf_log_arp.
# modprobe nf_log_arp
#
# sysctl net.netfilter.nf_log.3=nf_log_arp
net.netfilter.nf_log.3 = nf_log_arp
Loaded modules:
$ lsmod | grep arp
nf_log_arp 16384 0
nf_log_common 16384 2 nf_log_ipv4,nf_log_arp
The nftables rules are configured as follows:
# nft add table arp raw
# nft add chain arp raw input { type filter hook input priority 0 \; }
# nft add rule arp raw input log
#
# nft list table arp raw
table arp raw {
chain input {
type filter hook input priority filter; policy accept;
log
}
}
Look at /var/log/kern.log, which records the ARP packet log, as follows:
# tail -f /var/log/kern.log
Feb 13 14:39:42 advanced kernel: [ 8232.798264] IN=ens33 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=54:a7:03:16:55:c2 IPSRC=192.168.3.123 MACDST=00:00:00:00:00:00 IPDST=192.168.3.36
Feb 13 14:39:42 advanced kernel: [ 8232.801235] IN=ens33 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=54:a7:03:16:55:c2 IPSRC=192.168.3.123 MACDST=00:00:00:00:00:00 IPDST=192.168.3.1
Kernel version 5.10