Netfilter ARP log
2022-07-03 21:20:00 【redwingz】
The ARP protocol's log structure, nf_arp_logger, is defined as follows: its type is NF_LOG_TYPE_LOG and its processing function is nf_log_arp_packet. At present, the other log type supported by the kernel is NF_LOG_TYPE_ULOG.
/* ARP logger handed to the netfilter logging core: a plain NF_LOG_TYPE_LOG
 * logger whose packets are formatted by nf_log_arp_packet(). */
static struct nf_logger nf_arp_logger __read_mostly = {
	.me	= THIS_MODULE,
	.logfn	= nf_log_arp_packet,
	.type	= NF_LOG_TYPE_LOG,
	.name	= "nf_log_arp",
};
nf_log_register adds the above log structure to the global loggers array. For each namespace, nf_log_set adds it to that namespace's own nf_loggers array.
/* Per-namespace init: install nf_arp_logger as @net's NFPROTO_ARP logger.
 * Returns the result of nf_log_set() unchanged (NOTE(review): the exact
 * return convention is nf_log_set()'s — confirm there).
 */
static int __net_init nf_log_arp_net_init(struct net *net)
{
	int err = nf_log_set(net, NFPROTO_ARP, &nf_arp_logger);

	return err;
}
/* Hooks run when a network namespace is created / torn down.
 * nf_log_arp_net_exit is referenced here but not shown in this excerpt. */
static struct pernet_operations nf_log_arp_net_ops = {
	.exit	= nf_log_arp_net_exit,
	.init	= nf_log_arp_net_init,
};
/* Module init: register the per-netns ops first, then the logger itself.
 * This excerpt ends right after the nf_log_register() call; how its return
 * value is handled (and the function's closing brace) is not shown here.
 */
static int __init nf_log_arp_init(void)
{
	int ret;

	ret = register_pernet_subsys(&nf_log_arp_net_ops);
	if (ret < 0)
		return ret;

	ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
Log processing
The default log type, level and flag bits (NF_LOG_DEFAULT_MASK, 0xf) are as follows.
/* Fallback settings used by nf_log_arp_packet() when the caller passes no
 * nf_loginfo: plain LOG type, NOTICE level, NF_LOG_DEFAULT_MASK flags. */
static const struct nf_loginfo default_loginfo = {
	.type		= NF_LOG_TYPE_LOG,
	.u.log.level	= LOGLEVEL_NOTICE,
	.u.log.logflags	= NF_LOG_DEFAULT_MASK,
};
By default, only log information from the init_net namespace is recorded; to record logs from other namespaces, the nf_log_all_netns switch must be enabled.
# sysctl -a | grep nf_log_all_netns
net.netfilter.nf_log_all_netns = 0
#
# sysctl net.netfilter.nf_log_all_netns=1
net.netfilter.nf_log_all_netns = 1
The log processing function first allocates the log buffer structure nf_log_buf. It then prints the packet's input and output interface information, followed by the ARP protocol information. Finally, the nf_log_buf_close function prints the buffered information and releases the allocated log buffer.
/* Logger callback for NFPROTO_ARP: builds one log line in an nf_log_buf and
 * emits it through nf_log_buf_close().
 * @net:     namespace the packet was seen in
 * @pf:      protocol family, passed through to nf_log_dump_packet_common()
 * @hooknum: netfilter hook the packet hit
 * @skb:     the ARP packet
 * @in:      ingress device
 * @out:     egress device
 * @loginfo: per-rule log settings; NULL selects default_loginfo
 * @prefix:  rule-supplied prefix string
 * The closing brace of this function is not shown in this excerpt.
 */
static void nf_log_arp_packet(struct net *net, u_int8_t pf,
			      unsigned int hooknum, const struct sk_buff *skb,
			      const struct net_device *in,
			      const struct net_device *out,
			      const struct nf_loginfo *loginfo,
			      const char *prefix)
{
	struct nf_log_buf *m;

	/* FIXME: Disabled from containers until syslog ns is supported */
	/* Only init_net logs unless the nf_log_all_netns sysctl is set —
	 * presumably so other namespaces cannot write into the host's kernel
	 * log until a per-namespace syslog exists (see the FIXME above). */
	if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
		return;

	/* NOTE(review): the result is not NULL-checked here; this relies on
	 * nf_log_buf_open() never failing — confirm against its definition. */
	m = nf_log_buf_open();

	if (!loginfo)
		loginfo = &default_loginfo;

	/* Common fields (hook/interface information) first, then the
	 * ARP-specific part; nhoff 0 means the ARP header starts at offset 0. */
	nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo, prefix);
	dump_arp_packet(m, loginfo, skb, 0);

	/* Per the description above: prints the buffered line and releases m. */
	nf_log_buf_close(m);
For the ARP protocol, if the packet length is less than the length of the ARP protocol header, the packet is reported as truncated. If NF_LOG_MACDECODE is set, the packet's source and destination MAC addresses are recorded, along with the VLAN information and the MAC-layer protocol.
/* Append the ARP-specific part of the log line to @m.
 * @m:     log buffer being built
 * @info:  log settings; only u.log.logflags is consulted, and only when
 *         info->type is NF_LOG_TYPE_LOG
 * @skb:   packet to decode
 * @nhoff: network-header offset; not used by the code shown in this excerpt
 * NOTE(review): `logflags` is assigned below but its declaration does not
 * appear in this excerpt — the full source presumably declares it as a local
 * unsigned int. The function body continues after the explanatory text.
 */
static void dump_arp_packet(struct nf_log_buf *m,
			    const struct nf_loginfo *info,
			    const struct sk_buff *skb, unsigned int nhoff)
{
	const struct arppayload *ap;
	struct arppayload _arpp;
	const struct arphdr *ah;
	struct arphdr _arph;

	/* _arph is scratch storage handed to skb_header_pointer(); per the
	 * description above, a NULL result means the packet is shorter than
	 * an ARP header, so nothing beyond "TRUNCATED" is logged. */
	ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
	if (ah == NULL) {
		nf_log_buf_add(m, "TRUNCATED");
		return;
	}

	/* Non-LOG loginfo types carry no flags; fall back to the default mask. */
	if (info->type == NF_LOG_TYPE_LOG)
		logflags = info->u.log.logflags;
	else
		logflags = NF_LOG_DEFAULT_MASK;

	/* MAC decoding dereferences eth_hdr(skb) without a length check; this
	 * assumes the skb's MAC header is present and set for every hook this
	 * logger can be attached to — TODO confirm. */
	if (logflags & NF_LOG_MACDECODE) {
		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
		nf_log_dump_vlan(m, skb);
		nf_log_buf_add(m, "MACPROTO=%04x ", ntohs(eth_hdr(skb)->h_proto));
	}
Record the hardware address type (e.g. Ethernet=1), the protocol address type (e.g. IPv4=0x800) and the opcode (e.g. Request=1). If the hardware address type is Ethernet, the hardware address length is 6 and the protocol address length is 4, the ARP protocol payload information is also recorded.
The ARP payload information includes the sender's MAC address and IP address, and the target's MAC address and IP address.
/* Continuation of dump_arp_packet(): ah, ap, _arph and _arpp are the locals
 * declared in the first part of the function above; the closing brace is
 * not shown in this excerpt. */
	/* Fixed-header fields are always logged once the header is present. */
	nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
		       ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));

	/* If it's for Ethernet and the lengths are OK, then log the ARP payload.
	 * Any other hardware type or address length is skipped — presumably
	 * because struct arppayload is laid out for 6-byte MAC / 4-byte IPv4
	 * addresses only; confirm against its definition. */
	if (ah->ar_hrd != htons(ARPHRD_ETHER) ||
	    ah->ar_hln != ETH_ALEN ||
	    ah->ar_pln != sizeof(__be32))
		return;

	/* Payload follows the fixed header at offset sizeof(_arph). Assuming
	 * skb_header_pointer() returned NULL earlier for any packet shorter
	 * than sizeof(_arph), skb->len - sizeof(_arph) cannot underflow here. */
	ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp);
	if (ap == NULL) {
		nf_log_buf_add(m, " INCOMPLETE [%zu bytes]", skb->len - sizeof(_arph));
		return;
	}

	nf_log_buf_add(m, " MACSRC=%pM IPSRC=%pI4 MACDST=%pM IPDST=%pI4",
		       ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
ARP log display
Load the module and set the logger for the ARP protocol (NFPROTO_ARP=3) to nf_log_arp.
# modprobe nf_log_arp
#
# sysctl net.netfilter.nf_log.3=nf_log_arp
net.netfilter.nf_log.3 = nf_log_arp
Loaded modules:
$ lsmod | grep arp
nf_log_arp 16384 0
nf_log_common 16384 2 nf_log_ipv4,nf_log_arp
The nftables rules are configured as follows:
# nft add table arp raw
# nft add chain arp raw input { type filter hook input priority 0 \; }
# nft add rule arp raw input log
#
# nft list table arp raw
table arp raw {
chain input {
type filter hook input priority filter; policy accept;
log
}
}
View /var/log/kern.log, which records the ARP packet log, as follows:
# tail -f /var/log/kern.log
Feb 13 14:39:42 advanced kernel: [ 8232.798264] IN=ens33 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=54:a7:03:16:55:c2 IPSRC=192.168.3.123 MACDST=00:00:00:00:00:00 IPDST=192.168.3.36
Feb 13 14:39:42 advanced kernel: [ 8232.801235] IN=ens33 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=54:a7:03:16:55:c2 IPSRC=192.168.3.123 MACDST=00:00:00:00:00:00 IPDST=192.168.3.1
Kernel version 5.10