Eric Lee / smarc-fsl-linux-kernel

04 Dec, 2011

1 commit

  • 75f2811c6   ipv6: Add fragment reporting to ipv6_skip_exthdr(). ... Browse Code »

    While parsing through IPv6 extension headers, fragment headers are
    skipped making them invisible to the caller. This reports the
    fragment offset of the last header in order to make it possible to
    determine whether the packet is fragmented and, if so whether it is
    a first or last fragment.

    Signed-off-by: Jesse Gross

    Jesse Gross
     

30 Jun, 2011

1 commit

  • 131ad62d8   netfilter: add SELinux context support to AUDIT target ... Browse Code »

    In this revision the conversion of secid to SELinux context and adding it
    to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
    separate helper function - audit_log_secctx - which does both the conversion
    and logging of SELinux context, thus also preventing internal secid number
    being leaked to userspace. If conversion is not successful an error is raised.

    With the introduction of this helper function the work done in xt_AUDIT.c is
    much more simplified. It also opens the possibility of this helper function
    being used by other modules (including auditd itself), if desired. With this
    addition, typical (raw auditd) output after applying the patch would be:

    type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
    type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

    Acked-by: Eric Paris
    Signed-off-by: Mr Dash Four
    Signed-off-by: Patrick McHardy

    Mr Dash Four
     

17 Mar, 2011

1 commit

  • 400b871ba   netfilter ebtables: fix xt_AUDIT to work with ebtables ... Browse Code »

    Even though ebtables uses xtables it still requires targets to
    return EBT_CONTINUE instead of XT_CONTINUE. This prevented
    xt_AUDIT to work as ebt module.

    Upon Jan's suggestion, use a separate struct xt_target for
    NFPROTO_BRIDGE having its own target callback returning
    EBT_CONTINUE instead of cloning the module.

    Signed-off-by: Thomas Graf
    Signed-off-by: Patrick McHardy

    Thomas Graf
     

17 Jan, 2011

1 commit

  • 43f393cae   netfilter: audit target to record accepted/dropped packets ... Browse Code »

    This patch adds a new netfilter target which creates audit records
    for packets traversing a certain chain.

    It can be used to record packets which are rejected administraively
    as follows:

    -N AUDIT_DROP
    -A AUDIT_DROP -j AUDIT --type DROP
    -A AUDIT_DROP -j DROP

    a rule which would typically drop or reject a packet would then
    invoke the new chain to record packets before dropping them.

    -j AUDIT_DROP

    The module is protocol independant and works for iptables, ip6tables
    and ebtables.

    The following information is logged:
    - netfilter hook
    - packet length
    - incomming/outgoing interface
    - MAC src/dst/proto for ethernet packets
    - src/dst/protocol address for IPv4/IPv6
    - src/dst port for TCP/UDP/UDPLITE
    - icmp type/code

    Cc: Patrick McHardy
    Cc: Eric Paris
    Cc: Al Viro
    Signed-off-by: Thomas Graf
    Signed-off-by: Patrick McHardy

    Thomas Graf