Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > Reduce logging of nftables events to a level similar to iptables. > Restore the table field to list the table, adding the generation. > > Indicate the op as the most significant operation in the event. > > A couple of sample events: > > type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid > type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 > syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root > euid=root suid=root fsuid=root egid=roo > t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 > family=ipv6 entries=1 op=nft_register_table pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 > family=ipv4 entries=1 op=nft_register_table pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 > family=inet entries=1 op=nft_register_table pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid > type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 > syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root > euid=root suid=root fsuid=root egid=r > oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 > family=ipv6 entries=30 op=nft_register_chain pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 > family=ipv4 entries=30 op=nft_register_chain pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 > family=inet entries=165 op=nft_register_chain pid=367 > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > The issue was originally documented in > https://github.com/linux-audit/audit-kernel/issues/124 > > Signed-off-by: Richard Guy Briggs Tested this patch to make sure it eliminates the slowdown of iptables-nft when auditd is running. With this applied, neither iptables-nft-restore nor 'iptables-nft -F' show a significant difference in run-time between running or stopped auditd, at least for large rulesets. Individual calls suffer from added audit logging, but that's expected of course. Tested-by: Phil Sutter Thanks, Phil
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-04-01 15:24, Phil Sutter wrote: > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > > Reduce logging of nftables events to a level similar to iptables. > > Restore the table field to list the table, adding the generation. > > > > Indicate the op as the most significant operation in the event. > > > > A couple of sample events: > > > > type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : > > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid > > type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 > > syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 > > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root > > euid=root suid=root fsuid=root egid=roo > > t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld > > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : > > table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : > > table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : > > table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > > > type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : > > proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid > > type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 > > syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 > > a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root > > euid=root suid=root fsuid=root egid=r > > oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld > > exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : > > table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : > > table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : > > table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 > > subj=system_u:system_r:firewalld_t:s0 comm=firewalld > > > > The issue was originally documented in > > https://github.com/linux-audit/audit-kernel/issues/124 > > > > Signed-off-by: Richard Guy Briggs > > Tested this patch to make sure it eliminates the slowdown of > iptables-nft when auditd is running. With this applied, neither > iptables-nft-restore nor 'iptables-nft -F' show a significant > difference in run-time between running or stopped auditd, at least for > large rulesets. Individual calls suffer from added audit logging, but > that's expected of course. > > Tested-by: Phil Sutter Excellent, thanks Phil for helping nail this one down and confirming the fix. > Thanks, Phil - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Wed, Mar 31, 2021 at 04:53:10PM -0400, Richard Guy Briggs wrote: > On 2021-03-31 22:22, Pablo Neira Ayuso wrote: > > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > > > Reduce logging of nftables events to a level similar to iptables. > > > Restore the table field to list the table, adding the generation. > > > > > > Indicate the op as the most significant operation in the event. > > > > There's a UAF, Florian reported. I'm attaching an incremental fix. > > > > nf_tables_commit_audit_collect() refers to the trans object which > > might have been already released. > > Got it. Thanks Pablo. I didn't see it when running nft-test.py Where > was it reported? CONFIG_KASAN. > Here I tried to stay out of the way by putting that > call at the end of the loop but that was obviously a mistake in > hindsight. :-) No problem, I'll squash this incremental fix into your audit patch.
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-03-31 22:46, Pablo Neira Ayuso wrote:
> On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32
> > portid)
> > WARN_ON_ONCE(!list_empty(>nft.notify_list));
> > }
> >
> > +static int nf_tables_commit_audit_alloc(struct list_head *adl,
> > +struct nft_table *table)
> > +{
> > + struct nft_audit_data *adp;
> > +
> > + list_for_each_entry(adp, adl, list) {
> > + if (adp->table == table)
> > + return 0;
> > + }
> > + adp = kzalloc(sizeof(*adp), GFP_KERNEL);
> > + if (!adp)
> > + return -ENOMEM;
> > + adp->table = table;
> > + INIT_LIST_HEAD(>list);
>
> This INIT_LIST_HEAD is not required for an object that is going to be
> inserted into the 'adl' list.
>
> > + list_add(>list, adl);
>
> If no objections, I'll amend this patch. I'll include the UAF fix and
> remove this unnecessary INIT_LIST_HEAD.
Ok, so it is harmless other than being code noise and overhead, thanks again.
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On 2021-03-31 22:22, Pablo Neira Ayuso wrote:
> On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
> >
> > Indicate the op as the most significant operation in the event.
>
> There's a UAF, Florian reported. I'm attaching an incremental fix.
>
> nf_tables_commit_audit_collect() refers to the trans object which
> might have been already released.
Got it. Thanks Pablo. I didn't see it when running nft-test.py Where
was it reported? Here I tried to stay out of the way by putting that
call at the end of the loop but that was obviously a mistake in
hindsight. :-)
> commit e4d272948d25b66d86fc241cefd95281bfb1079e
> Author: Pablo Neira Ayuso
> Date: Wed Mar 31 22:19:51 2021 +0200
>
> netfilter: nf_tables: use-after-free
>
> Signed-off-by: Pablo Neira Ayuso
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 5dd4bb7cabf5..01674c0d9103 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -8063,6 +8063,8 @@ static int nf_tables_commit(struct net *net, struct
> sk_buff *skb)
> net->nft.gencursor = nft_gencursor_next(net);
>
> list_for_each_entry_safe(trans, next, >nft.commit_list, list) {
> + nf_tables_commit_audit_collect(, trans->ctx.table,
> +trans->msg_type);
> switch (trans->msg_type) {
> case NFT_MSG_NEWTABLE:
> if (nft_trans_table_update(trans)) {
> @@ -8211,8 +8213,6 @@ static int nf_tables_commit(struct net *net, struct
> sk_buff *skb)
> }
> break;
> }
> - nf_tables_commit_audit_collect(, trans->ctx.table,
> -trans->msg_type);
> }
>
> nft_commit_notify(net, NETLINK_CB(skb).portid);
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32
> portid)
> WARN_ON_ONCE(!list_empty(>nft.notify_list));
> }
>
> +static int nf_tables_commit_audit_alloc(struct list_head *adl,
> + struct nft_table *table)
> +{
> + struct nft_audit_data *adp;
> +
> + list_for_each_entry(adp, adl, list) {
> + if (adp->table == table)
> + return 0;
> + }
> + adp = kzalloc(sizeof(*adp), GFP_KERNEL);
> + if (!adp)
> + return -ENOMEM;
> + adp->table = table;
> + INIT_LIST_HEAD(>list);
This INIT_LIST_HEAD is not required for an object that is going to be
inserted into the 'adl' list.
> + list_add(>list, adl);
If no objections, I'll amend this patch. I'll include the UAF fix and
remove this unnecessary INIT_LIST_HEAD.
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
There's a UAF, Florian reported. I'm attaching an incremental fix.
nf_tables_commit_audit_collect() refers to the trans object which
might have been already released.
commit e4d272948d25b66d86fc241cefd95281bfb1079e
Author: Pablo Neira Ayuso
Date: Wed Mar 31 22:19:51 2021 +0200
netfilter: nf_tables: use-after-free
Signed-off-by: Pablo Neira Ayuso
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5dd4bb7cabf5..01674c0d9103 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8063,6 +8063,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
net->nft.gencursor = nft_gencursor_next(net);
list_for_each_entry_safe(trans, next, >nft.commit_list, list) {
+ nf_tables_commit_audit_collect(, trans->ctx.table,
+ trans->msg_type);
switch (trans->msg_type) {
case NFT_MSG_NEWTABLE:
if (nft_trans_table_update(trans)) {
@@ -8211,8 +8213,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
}
break;
}
- nf_tables_commit_audit_collect(, trans->ctx.table,
- trans->msg_type);
}
nft_commit_notify(net, NETLINK_CB(skb).portid);
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Tue, Mar 30, 2021 at 6:53 PM Pablo Neira Ayuso wrote: > On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote: > [...] > > Netfilter folks, were you planning to pull this via your tree/netdev > > or would you like me to merge this via the audit tree? If the latter, > > I would appreciate it if I could get an ACK from one of you; if the > > former, my ACK is below. > > > > Acked-by: Paul Moore > > I'll merge this one into nf-next, this might simplify possible > conflict resolution later on. Yep, I think that's the best choice. Thanks. -- paul moore www.paul-moore.com
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote: [...] > Netfilter folks, were you planning to pull this via your tree/netdev > or would you like me to merge this via the audit tree? If the latter, > I would appreciate it if I could get an ACK from one of you; if the > former, my ACK is below. > > Acked-by: Paul Moore I'll merge this one into nf-next, this might simplify possible conflict resolution later on. Thanks for acking.
Re: [PATCH v5] audit: log nftables configuration change events once per table
On Fri, Mar 26, 2021 at 1:39 PM Richard Guy Briggs wrote:
>
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample events:
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
> syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=roo
> t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv6 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv4 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=inet entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
> syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=r
> oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv6 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv4 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=inet entries=165 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs
> ---
> Changelog:
> v5:
> (sorry for all the noise...)
> - fix kbuild missing prototype warning in
> nf_tables_commit_audit_{alloc,collect,log}()
>
> v4:
> - move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw]
> - move nft2audit_op[] from audit.h to nf_tables_api.c
>
> v3:
> - fix function braces, reduce parameter scope [pna]
> - pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna]
>
> v2:
> - convert NFT ops to array indicies in nft2audit_op[] [ps]
> - use linux lists [pna]
> - use functions for each of collection and logging of audit data [pna]
> ---
> net/netfilter/nf_tables_api.c | 187 +++---
> 1 file changed, 104 insertions(+), 83 deletions(-)
Netfilter folks, were you planning to pull this via your tree/netdev
or would you like me to merge this via the audit tree? If the latter,
I would appreciate it if I could get an ACK from one of you; if the
former, my ACK is below.
Acked-by: Paul Moore
--
paul moore
www.paul-moore.com
[PATCH v5] audit: log nftables configuration change events once per table
Reduce logging of nftables events to a level similar to iptables.
Restore the table field to list the table, adding the generation.
Indicate the op as the most significant operation in the event.
A couple of sample events:
type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=roo
t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=ipv6 entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=ipv4 entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=inet entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=r
oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=ipv6 entries=30 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=ipv4 entries=30 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=inet entries=165 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
The issue was originally documented in
https://github.com/linux-audit/audit-kernel/issues/124
Signed-off-by: Richard Guy Briggs
---
Changelog:
v5:
(sorry for all the noise...)
- fix kbuild missing prototype warning in
nf_tables_commit_audit_{alloc,collect,log}()
v4:
- move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw]
- move nft2audit_op[] from audit.h to nf_tables_api.c
v3:
- fix function braces, reduce parameter scope [pna]
- pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna]
v2:
- convert NFT ops to array indicies in nft2audit_op[] [ps]
- use linux lists [pna]
- use functions for each of collection and logging of audit data [pna]
---
net/netfilter/nf_tables_api.c | 187 +++---
1 file changed, 104 insertions(+), 83 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c1eb5cdb3033..ef51abe3a6d7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -66,6 +66,41 @@ static const struct rhashtable_params nft_objname_ht_params
= {
.automatic_shrinking= true,
};
+struct nft_audit_data {
+ struct nft_table *table;
+ int entries;
+ int op;
+ struct list_head list;
+};
+
+static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
+ [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
+ [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
+ [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
+ [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
+ [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
+ [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
+ [NFT_MSG_NEWSET]= AUDIT_NFT_OP_SET_REGISTER,
+ [NFT_MSG_GETSET]= AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELSET]= AUDIT_NFT_OP_SET_UNREGISTER,
+ [NFT_MSG_NEWSETELEM]= AUDIT_NFT_OP_SETELEM_REGISTER,
+ [NFT_MSG_GETSETELEM]= AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELSETELEM]= AUDIT_NFT_OP_SETELEM_UNREGISTER,
+ [NFT_MSG_NEWGEN]= AUDIT_NFT_OP_GEN_REGISTER,
+ [NFT_MSG_GETGEN]= AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_NEWOBJ]= AUDIT_NFT_OP_OBJ_REGISTER,
+ [NFT_MSG_GETOBJ]= AUDIT_NFT_OP_INVALID,
+ [NFT_MSG_DELOBJ]= AUDIT_NFT_OP_OBJ_UNREGISTER,
+ [NFT_MSG_GETOBJ_RESET] =
