Re: [PATCH v5 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul Moore <paul@paul-moore.com>
To: Ricardo Robaina <rrobaina@redhat.com>,
	audit@vger.kernel.org, linux-kernel@vger.kernel.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Cc: eparis@redhat.com, fw@strlen.de, pablo@netfilter.org,
	kadlec@netfilter.org, Ricardo Robaina <rrobaina@redhat.com>
Subject: Re: [PATCH v5 1/2] audit: add audit_log_packet_ip4 and  audit_log_packet_ip6 helper functions
Date: Fri, 07 Nov 2025 17:46:18 -0500	[thread overview]
Message-ID: <e92df5b09f0907f78bb07467b38d2330@paul-moore.com> (raw)
In-Reply-To: <acd8109245882afd78cdf2805a2344c20fef1a08.1762434837.git.rrobaina@redhat.com>

On Nov  6, 2025 Ricardo Robaina <rrobaina@redhat.com> wrote:
> 
> Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
> have to be kept in sync. Both source files had duplicated versions of
> audit_ip4() and audit_ip6() functions, which can result in lack of
> consistency and/or duplicated work.
> 
> This patch adds two helper functions in audit.c that can be called by
> netfilter code commonly, aiming to improve maintainability and
> consistency.
> 
> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
> Acked-by: Florian Westphal <fw@strlen.de>
> ---
>  include/linux/audit.h    | 12 +++++++++++
>  kernel/audit.c           | 39 ++++++++++++++++++++++++++++++++++++
>  net/netfilter/nft_log.c  | 43 ++++------------------------------------
>  net/netfilter/xt_AUDIT.c | 43 ++++------------------------------------
>  4 files changed, 59 insertions(+), 78 deletions(-)

...

> diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
> index e35588137995..f53fb4222134 100644
> --- a/net/netfilter/nft_log.c
> +++ b/net/netfilter/nft_log.c
> @@ -26,41 +26,6 @@ struct nft_log {
>  	char			*prefix;
>  };
>  
> -static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> -{
> -	struct iphdr _iph;
> -	const struct iphdr *ih;
> -
> -	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
> -	if (!ih)
> -		return false;
> -
> -	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> -			 &ih->saddr, &ih->daddr, ih->protocol);
> -
> -	return true;
> -}
> -
> -static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
> -{
> -	struct ipv6hdr _ip6h;
> -	const struct ipv6hdr *ih;
> -	u8 nexthdr;
> -	__be16 frag_off;
> -
> -	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
> -	if (!ih)
> -		return false;
> -
> -	nexthdr = ih->nexthdr;
> -	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
> -
> -	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
> -			 &ih->saddr, &ih->daddr, nexthdr);
> -
> -	return true;
> -}
> -
>  static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>  {
>  	struct sk_buff *skb = pkt->skb;
> @@ -80,18 +45,18 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>  	case NFPROTO_BRIDGE:
>  		switch (eth_hdr(skb)->h_proto) {
>  		case htons(ETH_P_IP):
> -			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
> +			fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
>  			break;
>  		case htons(ETH_P_IPV6):
> -			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
> +			fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
>  			break;
>  		}
>  		break;
>  	case NFPROTO_IPV4:
> -		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
> +		fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
>  		break;
>  	case NFPROTO_IPV6:
> -		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
> +		fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
>  		break;
>  	}

We can probably take this a step further by moving the case statements
into the audit functions too.  I think this will make some of the other
changes a bit cleaner and should reduce the amount of audit code in the
NFT code.

If we don't want to do that, it might be worthwhile to take the
NFPROTO_BRIDGE protocol family reset shown below in audit_log_nft_skb()
and use that in the nft_log_eval_audit() function so we aren't
duplicating calls into the audit code.

[WARNING: completely untested code, but you should get the basic idea]

diff --git a/kernel/audit.c b/kernel/audit.c
index 26a332ffb1b8..72ba3f51f859 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2538,6 +2538,59 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
        audit_log_end(ab);
 }
 
+int audit_log_nft_skb(struct audit_buffer *ab,
+                     struct sk_buff *skb, u8 nfproto)
+{
+       /* find the IP protocol in the case of NFPROTO_BRIDGE */
+       if (nfproto == NFPROTO_BRIDGE) {
+               switch (eth_hdr(skb)->h_proto) {
+               case htons(ETH_P_IP):
+                       nfproto = NFPROTO_IPV4;
+               case htons(ETH_P_IPV6):
+                       nfproto = NFPROTO_IPV6;
+               default:
+                       goto unknown_proto;
+               }
+       }
+
+       switch (nfproto) {
+       case NFPROTO_IPV4: {
+               struct iphdr iph;
+               const struct iphdr *ih;
+
+               ih = skb_header_pointer(skb, skb_network_offset(skb),
+                                       sizeof(_iph), &_iph);
+               if (!ih)
+                       return -ENOMEM;
+
+               audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+                                &ih->saddr, &ih->daddr, ih->protocol);
+               break;
+       }
+       case NFPROTO_IPV6: {
+               struct ipv6hdr iph;
+               const struct ipv6hdr *ih;
+
+               ih = skb_header_pointer(skb, skb_network_offset(skb),
+                                       sizeof(_iph), &_iph);
+               if (!ih)
+                       return -ENOMEM;
+
+               audit_log_format(ab, " saddr=%pI6 daddr=%pI6 proto=%hhu",
+                                &ih->saddr, &ih->daddr, ih->protocol);
+               break;
+       }
+       default:
+               goto unknown_proto;
+       }
+
+       return 0;
+
+unknown_proto:
+       audit_log_format(ab, " saddr=? daddr=? proto=?");
+       return -EPFNOSUPPORT;
+}
+
 /**
  * audit_set_loginuid - set current task's loginuid
  * @loginuid: loginuid value
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index e35588137995..6f444e2ad70a 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -75,28 +75,7 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
                return;
 
        audit_log_format(ab, "mark=%#x", skb->mark);
-
-       switch (nft_pf(pkt)) {
-       case NFPROTO_BRIDGE:
-               switch (eth_hdr(skb)->h_proto) {
-               case htons(ETH_P_IP):
-                       fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-                       break;
-               case htons(ETH_P_IPV6):
-                       fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-                       break;
-               }
-               break;
-       case NFPROTO_IPV4:
-               fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-               break;
-       case NFPROTO_IPV6:
-               fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-               break;
-       }
-
-       if (fam == -1)
-               audit_log_format(ab, " saddr=? daddr=? proto=-1");
+       audit_log_nft_skb(ab, skb, nft_pf(pkt));
 
        audit_log_end(ab);
 }

--
paul-moore.com

next prev parent reply	other threads:[~2025-11-07 22:46 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06 16:53 [PATCH v5 0/2] audit: improve NETFILTER_PKT records Ricardo Robaina
2025-11-06 16:53 ` [PATCH v5 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions Ricardo Robaina
2025-11-07 22:46   ` Paul Moore [this message]
2025-11-10 12:16     ` Ricardo Robaina
2025-11-10 12:43       ` Florian Westphal
2025-11-11 11:05         ` Ricardo Robaina
2025-11-06 16:53 ` [PATCH v5 2/2] audit: include source and destination ports to NETFILTER_PKT Ricardo Robaina
2025-11-07 22:46   ` Paul Moore
2025-11-10 12:30     ` Ricardo Robaina
2025-11-06 23:21 ` [PATCH v5 0/2] audit: improve NETFILTER_PKT records Florian Westphal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:26a332ffb1b dfblob:72ba3f51f85 dfblob:e3558813799
dfblob:6f444e2ad70 )
 OR (
bs:"Re: [PATCH v5 1/2] audit: add audit_log_packet_ip4 and  audit_log_packet_ip6 helper functions" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e92df5b09f0907f78bb07467b38d2330@paul-moore.com \
    --to=paul@paul-moore.com \
    --cc=audit@vger.kernel.org \
    --cc=coreteam@netfilter.org \
    --cc=eparis@redhat.com \
    --cc=fw@strlen.de \
    --cc=kadlec@netfilter.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=rrobaina@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.