17 Mar, 2011
1 commit
-
Even though ebtables uses xtables it still requires targets to
return EBT_CONTINUE instead of XT_CONTINUE. This prevented
xt_AUDIT from working as an ebt module.

Upon Jan's suggestion, use a separate struct xt_target for
NFPROTO_BRIDGE having its own target callback returning
EBT_CONTINUE instead of cloning the module.

Signed-off-by: Thomas Graf
Signed-off-by: Patrick McHardy
17 Jan, 2011
1 commit
-
This patch adds a new netfilter target which creates audit records
for packets traversing a certain chain.

It can be used to record packets which are rejected administratively
as follows:

    -N AUDIT_DROP
    -A AUDIT_DROP -j AUDIT --type DROP
    -A AUDIT_DROP -j DROP

A rule which would typically drop or reject a packet would then
invoke the new chain to record packets before dropping them:

    -j AUDIT_DROP

The module is protocol independent and works for iptables, ip6tables
and ebtables.

The following information is logged:
- netfilter hook
- packet length
- incoming/outgoing interface
- MAC src/dst/proto for ethernet packets
- src/dst/protocol address for IPv4/IPv6
- src/dst port for TCP/UDP/UDPLITE
- icmp type/code

Cc: Patrick McHardy
Cc: Eric Paris
Cc: Al Viro
Signed-off-by: Thomas Graf
Signed-off-by: Patrick McHardy
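As an added example (not part of the commit or of the kernel source), a small consumer for the records the AUDIT target produces: it parses auditd-style NETFILTER_PKT lines carrying the fields listed above and tallies audited drops per source address, protocol and destination port, which is the kind of summary a defender builds from these records. The sample lines are constructed, and the key=value field names and the numeric encoding of the --type value are assumptions.

```python
import re
from collections import Counter

# Constructed sample auditd lines (not taken from the page or the kernel);
# the key=value field names are an assumption made for this example.
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1300000000.101:201): action=1 hook=1 len=84 inif=eth0 outif=? smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb macproto=0x0800 saddr=192.0.2.10 daddr=198.51.100.7 ipid=4321 proto=6 sport=51234 dport=22
type=NETFILTER_PKT msg=audit(1300000000.102:202): action=1 hook=1 len=84 inif=eth0 outif=? saddr=192.0.2.10 daddr=198.51.100.7 ipid=4322 proto=6 sport=51235 dport=22
type=NETFILTER_PKT msg=audit(1300000000.103:203): action=1 hook=1 len=64 inif=eth0 outif=? saddr=192.0.2.10 daddr=198.51.100.7 ipid=4323 proto=1 icmptype=8 icmpcode=0
type=SYSCALL msg=audit(1300000000.104:204): arch=c000003e syscall=59 success=yes
"""

ACTIONS = {"0": "ACCEPT", "1": "DROP", "2": "REJECT"}   # --type encoding (assumed)
IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp", "136": "udplite"}
HEADER = re.compile(r"type=NETFILTER_PKT msg=audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_record(line):
    """Parse one NETFILTER_PKT audit line into a dict; other record types give None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, serial, body = m.groups()
    rec = {"ts": float(ts), "serial": int(serial)}
    for tok in body.split():
        key, _, val = tok.partition("=")
        rec[key] = None if val == "?" else val      # "?" marks an absent interface
    rec["action"] = ACTIONS.get(rec.get("action"), rec.get("action"))
    rec["proto"] = IP_PROTO.get(rec.get("proto"), rec.get("proto"))
    for k in ("hook", "len", "sport", "dport", "icmptype", "icmpcode"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def summarize_drops(log_text):
    """Count audited DROP records per (saddr, proto, dport); ICMP carries no port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["saddr"], rec["proto"], rec.get("dport"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  src={key[0]} {key[1]} dport={key[2]}")
```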