Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample events:
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
> syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=roo
> t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv6 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv4 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=inet entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
> syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=r
> oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv6 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv4 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=inet entries=165 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs

Tested this patch to make sure it eliminates the slowdown of iptables-nft when auditd is running. With this applied, neither iptables-nft-restore nor 'iptables-nft -F' show a significant difference in run-time between running or stopped auditd, at least for large rulesets. Individual calls suffer from added audit logging, but that's expected of course.

Tested-by: Phil Sutter

Thanks, Phil
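As an added example (not code from the patch or from anyone in this thread), here is a small Python parser for the NETFILTER_CFG records shown above. It groups records by audit serial so each NETFILTER_CFG line is tied to the SYSCALL and PROCTITLE records of the sendmsg() that committed it, splits the new table field into table name and generation, sums the entries across families, and runs two defender-side checks: which process changed the ruleset, and whether any op in the commit was an unregister. The sample records are the ones from the patch description (the mail's wrapped lines rejoined); the process allowlist and the assumption that unregister ops are named nft_unregister_* are the example's own.

```python
"""Correlate NETFILTER_CFG audit records with the syscall that produced them.

Added example; not code from the patch or the thread. Record format is
ausearch -i style: type=... msg=audit(<timestamp>:<serial>) : key=value ...
"""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional

# Sample records from the patch description (wrapped mail lines rejoined).
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
"""

# The timestamp contains colons, so bound it by the parentheses and let the
# final ":<digits>)" claim the serial.
REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^()]*):(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Change:
    """One NETFILTER_CFG record: one table (and generation) per family."""
    table: str
    generation: Optional[int]  # None if the kernel logged no generation
    family: str
    entries: int
    op: str
    comm: str


@dataclass
class Event:
    """All records sharing one audit serial, i.e. one committed transaction."""
    serial: int
    timestamp: str
    syscall: dict = field(default_factory=dict)
    proctitle: str = ""
    changes: list = field(default_factory=list)


def parse_audit(text):
    """Group records by serial and decode the NETFILTER_CFG ones."""
    events = OrderedDict()
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed record
        ev = events.setdefault(int(m["serial"]), Event(int(m["serial"]), m["ts"]))
        body = m["body"]
        if m["type"] == "PROCTITLE":
            # proctitle is the one value here that may contain spaces
            ev.proctitle = body.partition("proctitle=")[2]
        elif m["type"] == "SYSCALL":
            ev.syscall = dict(KV_RE.findall(body))
        elif m["type"] == "NETFILTER_CFG":
            f = dict(KV_RE.findall(body))
            name, _, gen = f["table"].partition(":")  # "firewalld:3" -> name, generation
            ev.changes.append(Change(name, int(gen) if gen.isdigit() else None,
                                     f["family"], int(f["entries"]), f["op"], f["comm"]))
    return events


def actor(ev):
    """Process name for the event, from SYSCALL or, failing that, NETFILTER_CFG."""
    return ev.syscall.get("comm") or (ev.changes[0].comm if ev.changes else "")


def total_entries(ev):
    """Ruleset objects touched by this commit, summed over families."""
    return sum(c.entries for c in ev.changes)


def summarize(ev):
    tables = sorted({f"{c.table}:{c.generation}/{c.family}" for c in ev.changes})
    ops = sorted({c.op for c in ev.changes})
    return (f"serial={ev.serial} comm={actor(ev)} ops={','.join(ops)} "
            f"entries={total_entries(ev)} tables={' '.join(tables)}")


def unexpected_changes(events, allowed_comms):
    """Serials of commits made by a process outside the allowlist (an example policy)."""
    return [s for s, ev in events.items() if ev.changes and actor(ev) not in allowed_comms]


def destructive_changes(events):
    """Serials of commits whose logged op was an unregister.

    Assumption of this example: unregister ops are named nft_unregister_*."""
    return [s for s, ev in events.items() if any("unregister" in c.op for c in ev.changes)]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    for ev in evs.values():
        print(summarize(ev))
    print("unexpected:", unexpected_changes(evs, {"firewalld"}))
    print("destructive:", destructive_changes(evs))
```

Running it on the sample yields one summary line per serial (143: three nft_register_table records, 3 entries in total; 144: three nft_register_chain records, 225 entries) and empty lists for both checks, since firewalld is on the allowlist and nothing was unregistered. Because the records are grouped by serial rather than matched by pid, the correlation still works when several processes commit concurrently, which is the property the once-per-table logging relies on.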
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-04-01 15:24, Phil Sutter wrote:
> On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
> >
> > Indicate the op as the most significant operation in the event.
> >
> > A couple of sample events:
> >
> > type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
> > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> > type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
> > syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> > euid=root suid=root fsuid=root egid=roo
> > t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) :
> > table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) :
> > table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) :
> > table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> >
> > type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
> > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> > type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
> > syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> > euid=root suid=root fsuid=root egid=r
> > oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) :
> > table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) :
> > table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) :
> > table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367
> > subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> >
> > The issue was originally documented in
> > https://github.com/linux-audit/audit-kernel/issues/124
> >
> > Signed-off-by: Richard Guy Briggs
>
> Tested this patch to make sure it eliminates the slowdown of
> iptables-nft when auditd is running. With this applied, neither
> iptables-nft-restore nor 'iptables-nft -F' show a significant
> difference in run-time between running or stopped auditd, at least for
> large rulesets. Individual calls suffer from added audit logging, but
> that's expected of course.
>
> Tested-by: Phil Sutter

Excellent, thanks Phil for helping nail this one down and confirming the fix.

> Thanks, Phil

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Wed, Mar 31, 2021 at 04:53:10PM -0400, Richard Guy Briggs wrote:
> On 2021-03-31 22:22, Pablo Neira Ayuso wrote:
> > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > > Reduce logging of nftables events to a level similar to iptables.
> > > Restore the table field to list the table, adding the generation.
> > >
> > > Indicate the op as the most significant operation in the event.
> >
> > There's a UAF, Florian reported. I'm attaching an incremental fix.
> >
> > nf_tables_commit_audit_collect() refers to the trans object which
> > might have been already released.
>
> Got it. Thanks Pablo. I didn't see it when running nft-test.py. Where
> was it reported?

CONFIG_KASAN.

> Here I tried to stay out of the way by putting that
> call at the end of the loop but that was obviously a mistake in
> hindsight. :-)

No problem, I'll squash this incremental fix into your audit patch.
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-03-31 22:46, Pablo Neira Ayuso wrote: > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > > @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32 > > portid) > > WARN_ON_ONCE(!list_empty(>nft.notify_list)); > > } > > > > +static int nf_tables_commit_audit_alloc(struct list_head *adl, > > +struct nft_table *table) > > +{ > > + struct nft_audit_data *adp; > > + > > + list_for_each_entry(adp, adl, list) { > > + if (adp->table == table) > > + return 0; > > + } > > + adp = kzalloc(sizeof(*adp), GFP_KERNEL); > > + if (!adp) > > + return -ENOMEM; > > + adp->table = table; > > + INIT_LIST_HEAD(>list); > > This INIT_LIST_HEAD is not required for an object that is going to be > inserted into the 'adl' list. > > > + list_add(>list, adl); > > If no objections, I'll amend this patch. I'll include the UAF fix and > remove this unnecessary INIT_LIST_HEAD. Ok, so it is harmless other than being code noise and overhead, thanks again. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-03-31 22:22, Pablo Neira Ayuso wrote: > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > > Reduce logging of nftables events to a level similar to iptables. > > Restore the table field to list the table, adding the generation. > > > > Indicate the op as the most significant operation in the event. > > There's a UAF, Florian reported. I'm attaching an incremental fix. > > nf_tables_commit_audit_collect() refers to the trans object which > might have been already released. Got it. Thanks Pablo. I didn't see it when running nft-test.py Where was it reported? Here I tried to stay out of the way by putting that call at the end of the loop but that was obviously a mistake in hindsight. :-) > commit e4d272948d25b66d86fc241cefd95281bfb1079e > Author: Pablo Neira Ayuso > Date: Wed Mar 31 22:19:51 2021 +0200 > > netfilter: nf_tables: use-after-free > > Signed-off-by: Pablo Neira Ayuso > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 5dd4bb7cabf5..01674c0d9103 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -8063,6 +8063,8 @@ static int nf_tables_commit(struct net *net, struct > sk_buff *skb) > net->nft.gencursor = nft_gencursor_next(net); > > list_for_each_entry_safe(trans, next, >nft.commit_list, list) { > + nf_tables_commit_audit_collect(, trans->ctx.table, > +trans->msg_type); > switch (trans->msg_type) { > case NFT_MSG_NEWTABLE: > if (nft_trans_table_update(trans)) { > @@ -8211,8 +8213,6 @@ static int nf_tables_commit(struct net *net, struct > sk_buff *skb) > } > break; > } > - nf_tables_commit_audit_collect(, trans->ctx.table, > -trans->msg_type); > } > > nft_commit_notify(net, NETLINK_CB(skb).portid); - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32 > portid) > WARN_ON_ONCE(!list_empty(>nft.notify_list)); > } > > +static int nf_tables_commit_audit_alloc(struct list_head *adl, > + struct nft_table *table) > +{ > + struct nft_audit_data *adp; > + > + list_for_each_entry(adp, adl, list) { > + if (adp->table == table) > + return 0; > + } > + adp = kzalloc(sizeof(*adp), GFP_KERNEL); > + if (!adp) > + return -ENOMEM; > + adp->table = table; > + INIT_LIST_HEAD(>list); This INIT_LIST_HEAD is not required for an object that is going to be inserted into the 'adl' list. > + list_add(>list, adl); If no objections, I'll amend this patch. I'll include the UAF fix and remove this unnecessary INIT_LIST_HEAD.
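Review bot: on the kzalloc() failure path nf_tables_commit_audit_alloc() returns -ENOMEM and leaves the nft_audit_data entries that earlier calls already queued on adl in place, so the caller must walk and free the partially built list on that error; that caller is outside this fragment and is worth confirming when the patch is amended. Pablo's point about INIT_LIST_HEAD() stands: list_add() overwrites both pointers of the new node, so the initialisation before it is dead code and can go.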
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > Reduce logging of nftables events to a level similar to iptables. > Restore the table field to list the table, adding the generation. > > Indicate the op as the most significant operation in the event. There's a UAF, Florian reported. I'm attaching an incremental fix. nf_tables_commit_audit_collect() refers to the trans object which might have been already released. commit e4d272948d25b66d86fc241cefd95281bfb1079e Author: Pablo Neira Ayuso Date: Wed Mar 31 22:19:51 2021 +0200 netfilter: nf_tables: use-after-free Signed-off-by: Pablo Neira Ayuso diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 5dd4bb7cabf5..01674c0d9103 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8063,6 +8063,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) net->nft.gencursor = nft_gencursor_next(net); list_for_each_entry_safe(trans, next, >nft.commit_list, list) { + nf_tables_commit_audit_collect(, trans->ctx.table, + trans->msg_type); switch (trans->msg_type) { case NFT_MSG_NEWTABLE: if (nft_trans_table_update(trans)) { @@ -8211,8 +8213,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) } break; } - nf_tables_commit_audit_collect(, trans->ctx.table, - trans->msg_type); } nft_commit_notify(net, NETLINK_CB(skb).portid);
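Review bot: the two hunks are the right shape for the ordering bug: nf_tables_commit_audit_collect() reads trans->ctx.table and trans->msg_type, so it has to run before the switch whose arms can release trans, and moving it to the top of the list_for_each_entry_safe() body does exactly that. The commit message, though, is only the title "netfilter: nf_tables: use-after-free"; since this is being squashed into the audit patch, the reasoning (the collect call must precede any arm that frees trans, found under CONFIG_KASAN) should make it into the squashed changelog so the ordering constraint is not lost in a later refactor of that loop.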
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Tue, Mar 30, 2021 at 6:53 PM Pablo Neira Ayuso wrote:
> On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote:
> [...]
> > Netfilter folks, were you planning to pull this via your tree/netdev
> > or would you like me to merge this via the audit tree? If the latter,
> > I would appreciate it if I could get an ACK from one of you; if the
> > former, my ACK is below.
> >
> > Acked-by: Paul Moore
>
> I'll merge this one into nf-next, this might simplify possible
> conflict resolution later on.

Yep, I think that's the best choice. Thanks.

--
paul moore
www.paul-moore.com
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote:
[...]
> Netfilter folks, were you planning to pull this via your tree/netdev
> or would you like me to merge this via the audit tree? If the latter,
> I would appreciate it if I could get an ACK from one of you; if the
> former, my ACK is below.
>
> Acked-by: Paul Moore

I'll merge this one into nf-next, this might simplify possible conflict resolution later on.

Thanks for acking.
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 1:39 PM Richard Guy Briggs wrote:
>
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample events:
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
> syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=roo
> t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv6 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv4 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=inet entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
> syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=r
> oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv6 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv4 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=inet entries=165 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs
> ---
> Changelog:
> v5:
> (sorry for all the noise...)
> - fix kbuild missing prototype warning in
> nf_tables_commit_audit_{alloc,collect,log}()
>
> v4:
> - move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw]
> - move nft2audit_op[] from audit.h to nf_tables_api.c
>
> v3:
> - fix function braces, reduce parameter scope [pna]
> - pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna]
>
> v2:
> - convert NFT ops to array indices in nft2audit_op[] [ps]
> - use linux lists [pna]
> - use functions for each of collection and logging of audit data [pna]
> ---
> net/netfilter/nf_tables_api.c | 187 +++---
> 1 file changed, 104 insertions(+), 83 deletions(-)

Netfilter folks, were you planning to pull this via your tree/netdev or would you like me to merge this via the audit tree? If the latter, I would appreciate it if I could get an ACK from one of you; if the former, my ACK is below.

Acked-by: Paul Moore

--
paul moore
www.paul-moore.com
[PATCH v5] audit: log nftables configuration change events once per table
Reduce logging of nftables events to a level similar to iptables.
Restore the table field to list the table, adding the generation.

Indicate the op as the most significant operation in the event.

A couple of sample events:

type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld

type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 
09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld The issue was originally documented in https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs --- Changelog: v5: (sorry for all the noise...) - fix kbuild missing prototype warning in nf_tables_commit_audit_{alloc,collect,log}() v4: - move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw] - move nft2audit_op[] from audit.h to nf_tables_api.c v3: - fix function braces, reduce parameter scope [pna] - pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna] v2: - convert NFT ops to array indicies in nft2audit_op[] [ps] - use linux lists [pna] - use functions for each of collection and logging of audit data [pna] --- net/netfilter/nf_tables_api.c | 187 +++--- 1 file changed, 104 insertions(+), 83 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c1eb5cdb3033..ef51abe3a6d7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -66,6 +66,41 @@ static const struct rhashtable_params nft_objname_ht_params = { .automatic_shrinking= true, }; +struct nft_audit_data { + struct nft_table *table; + int entries; + int op; + struct list_head list; +}; + +static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types + [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, + [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, + [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, + [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, + [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, + [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, + [NFT_MSG_NEWSET]= AUDIT_NFT_OP_SET_REGISTER, + [NFT_MSG_GETSET]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELSET]= AUDIT_NFT_OP_SET_UNREGISTER, + [NFT_MSG_NEWSETELEM]= AUDIT_NFT_OP_SETELEM_REGISTER, + [NFT_MSG_GETSETELEM]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELSETELEM]= AUDIT_NFT_OP_SETELEM_UNREGISTER, + [NFT_MSG_NEWGEN]= AUDIT_NFT_OP_GEN_REGISTER, + [NFT_MSG_GETGEN]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_NEWOBJ]= AUDIT_NFT_OP_OBJ_REGISTER, + [NFT_MSG_GETOBJ]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELOBJ]= AUDIT_NFT_OP_OBJ_UNREGISTER, + [NFT_MSG_GETOBJ_RESET] =
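Review bot: the inline comment "// enum nf_tables_msg_types" on nft2audit_op[] uses a C++-style comment; kernel coding style calls for /* ... */ here. Also, because nft2audit_op[] is sized NFT_MSG_MAX and enumerates each message type explicitly, any NFT_MSG_* value added later without an entry is zero-initialised and maps to whichever audit op has the value 0, which is not necessarily AUDIT_NFT_OP_INVALID; a short comment above the array saying that every new message type needs an entry here, or a build-time size check, would make that invariant explicit.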