From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 14/20] netfilter: nf_tables: Add audit support to log statement
Date: Sat, 2 Jun 2018 02:22:53 +0200 [thread overview]
Message-ID: <20180602002259.4024-15-pablo@netfilter.org> (raw)
In-Reply-To: <20180602002259.4024-1-pablo@netfilter.org>
From: Phil Sutter <phil@nwl.cc>
This extends log statement to support the behaviour achieved with
AUDIT target in iptables.
Audit logging is enabled via a pseudo log level 8. In this case any
other settings like log prefix are ignored since audit log format is
fixed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 5 ++
net/netfilter/nft_log.c | 92 +++++++++++++++++++++++++++++++-
2 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 3d46c82a5ebd..5c7eb9b9f6d6 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1081,6 +1081,11 @@ enum nft_log_attributes {
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
/**
+ * LOGLEVEL_AUDIT - a pseudo log level enabling audit logging
+ */
+#define LOGLEVEL_AUDIT 8
+
+/**
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
*
* @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16)
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index a27be36dc0af..7eef1cffbf1b 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -9,12 +9,15 @@
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*/
+#include <linux/audit.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
+#include <net/ipv6.h>
+#include <net/ip.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_log.h>
#include <linux/netdevice.h>
@@ -26,12 +29,93 @@ struct nft_log {
char *prefix;
};
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+{
+ struct iphdr _iph;
+ const struct iphdr *ih;
+
+ ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
+ if (!ih)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
+
+ return true;
+}
+
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+{
+ struct ipv6hdr _ip6h;
+ const struct ipv6hdr *ih;
+ u8 nexthdr;
+ __be16 frag_off;
+
+ ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
+ if (!ih)
+ return false;
+
+ nexthdr = ih->nexthdr;
+ ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+ &ih->saddr, &ih->daddr, nexthdr);
+
+ return true;
+}
+
+static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
+{
+ struct sk_buff *skb = pkt->skb;
+ struct audit_buffer *ab;
+ int fam = -1;
+
+ if (!audit_enabled)
+ return;
+
+ ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, "mark=%#x", skb->mark);
+
+ switch (nft_pf(pkt)) {
+ case NFPROTO_BRIDGE:
+ switch (eth_hdr(skb)->h_proto) {
+ case htons(ETH_P_IP):
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+ break;
+ case htons(ETH_P_IPV6):
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+ break;
+ }
+ break;
+ case NFPROTO_IPV4:
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+ break;
+ case NFPROTO_IPV6:
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+ break;
+ }
+
+ if (fam == -1)
+ audit_log_format(ab, " saddr=? daddr=? proto=-1");
+
+ audit_log_end(ab);
+}
+
static void nft_log_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
const struct nft_log *priv = nft_expr_priv(expr);
+ if (priv->loginfo.type == NF_LOG_TYPE_LOG &&
+ priv->loginfo.u.log.level == LOGLEVEL_AUDIT) {
+ nft_log_eval_audit(pkt);
+ return;
+ }
+
nf_log_packet(nft_net(pkt), nft_pf(pkt), nft_hook(pkt), pkt->skb,
nft_in(pkt), nft_out(pkt), &priv->loginfo, "%s",
priv->prefix);
@@ -84,7 +168,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
} else {
li->u.log.level = LOGLEVEL_WARNING;
}
- if (li->u.log.level > LOGLEVEL_DEBUG) {
+ if (li->u.log.level > LOGLEVEL_AUDIT) {
err = -EINVAL;
goto err1;
}
@@ -112,6 +196,9 @@ static int nft_log_init(const struct nft_ctx *ctx,
break;
}
+ if (li->u.log.level == LOGLEVEL_AUDIT)
+ return 0;
+
err = nf_logger_find_get(ctx->family, li->type);
if (err < 0)
goto err1;
@@ -133,6 +220,9 @@ static void nft_log_destroy(const struct nft_ctx *ctx,
if (priv->prefix != nft_log_null_prefix)
kfree(priv->prefix);
+ if (li->u.log.level == LOGLEVEL_AUDIT)
+ return;
+
nf_logger_put(ctx->family, li->type);
}
--
2.11.0
next prev parent reply other threads:[~2018-06-02 0:22 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-02 0:22 [PATCH 00/20] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 01/20] netfilter: add includes to nf_socket.h Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 02/20] netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 03/20] netfilter: nat: merge nf_nat_redirect into nf_nat Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 04/20] netfilter: nfnetlink: allow commit to fail Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 05/20] netfilter: nf_tables: remove synchronize_rcu in commit phase Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 06/20] netfilter: nat: make symbol nat_hook static Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 07/20] netfilter: nft_compat: use call_rcu for nfnl_compat_get Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 08/20] netfilter: nf_tables: fix endian mismatch in return type Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 09/20] netfilter: nf_tables: fail batch if fatal signal is pending Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 10/20] netfilter: nf_tables: use call_rcu in netlink dumps Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 11/20] netfilter: nf_tables: remove unused variables Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 12/20] netfilter: fix ptr_ret.cocci warnings Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 13/20] netfilter: nf_tables: add support for native socket matching Pablo Neira Ayuso
2018-06-02 0:22 ` Pablo Neira Ayuso [this message]
2018-06-02 0:22 ` [PATCH 15/20] netfilter: nf_tables: fix chain dependency validation Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 16/20] netfilter: nf_flow_table: attach dst to skbs Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 17/20] netfilter: nfnetlink: Remove VLA usage Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 18/20] netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 19/20] ipvs: add full ipv6 support to nfct Pablo Neira Ayuso
2018-06-02 0:22 ` [PATCH 20/20] ipvs: add ipv6 support to ftp Pablo Neira Ayuso
2018-06-02 13:04 ` [PATCH 00/20] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180602002259.4024-15-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.