02 May, 2017

2 commits

  • Eliminate flipping in and out of message fields, dropping fields in the
    process.

    Sample raw message format IPv4 UDP:
    type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
    Sample raw message format IPv6 ICMP6:
    type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]

    Issue: https://github.com/linux-audit/audit-kernel/issues/11
    Test case: https://github.com/linux-audit/audit-testsuite/issues/43

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     
  • Even though the skb->data pointer has been moved from the link layer
    header to the network layer header, use the same method to calculate the
    offset in ipv4 and ipv6 routines.

    Signed-off-by: Richard Guy Briggs
    [PM: munged subject line]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

03 Nov, 2016

1 commit


13 Mar, 2014

1 commit


04 Mar, 2013

1 commit


04 Dec, 2011

1 commit

  • While parsing through IPv6 extension headers, fragment headers are
    skipped making them invisible to the caller. This reports the
    fragment offset of the last header in order to make it possible to
    determine whether the packet is fragmented and, if so, whether it is
    a first or last fragment.

    Signed-off-by: Jesse Gross

    Jesse Gross
     

30 Jun, 2011

1 commit

  • In this revision the conversion of secid to SELinux context and adding it
    to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
    separate helper function - audit_log_secctx - which does both the conversion
    and logging of SELinux context, thus also preventing the internal secid number
    from being leaked to userspace. If conversion is not successful an error is raised.

    With the introduction of this helper function the work done in xt_AUDIT.c is
    much more simplified. It also opens the possibility of this helper function
    being used by other modules (including auditd itself), if desired. With this
    addition, typical (raw auditd) output after applying the patch would be:

    type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
    type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

    Acked-by: Eric Paris
    Signed-off-by: Mr Dash Four
    Signed-off-by: Patrick McHardy

    Mr Dash Four
     
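The NETFILTER_PKT records quoted in this commit and in the 2017 commit above differ in which fields they carry (the later layout drops hook, interfaces and ports and adds mark). As an added example, not code from the kernel or from these commits, here is a small Python parser that handles both layouts, skips records of other types and strips the trailing `^]` (0x1d) separator; the sample lines are constructed from the quoted formats.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the raw records quoted in the commit
# messages above: the pre-2017 layout (hook/len/interfaces/ports/obj) and the
# 2017 layout (mark/saddr/daddr/proto only). "\x1d" is the record-separator
# byte that the raw messages show as "^]". The SYSCALL line is a non-netfilter
# record used to show that other types are skipped.
SAMPLE_RECORDS: List[str] = [
    "type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 "
    "inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 "
    "sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0",
    "type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 "
    "saddr=::1 daddr=::1 proto=58\x1d",
    "type=SYSCALL msg=audit(1487874761.386:229): arch=c000003e syscall=59",
]

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# IANA protocol numbers for the protocols the module logs ports/types for.
_PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "58": "icmpv6", "136": "udplite"}


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value fields of one raw audit record (plus the timestamp
    and serial taken from msg=audit(...)), or {} if the line is not a record."""
    m = _HEADER.match(line.rstrip("\x1d\r\n"))
    if not m:
        return {}
    fields = {"type": m["type"], "timestamp": m["ts"], "serial": m["serial"]}
    for token in m["body"].split():
        key, sep, value = token.partition("=")
        if sep:  # values such as "::1" or the SELinux "obj" contain ':' but never '='
            fields[key] = value
    return fields


def summarize_netfilter_pkt(line: str) -> str:
    """One-line summary of a NETFILTER_PKT record; '' for any other record type.
    Fields that a given kernel version does not emit are simply omitted."""
    r = parse_record(line)
    if r.get("type") != "NETFILTER_PKT":
        return ""
    proto = r.get("proto", "?")
    parts = [f"{r.get('saddr')}->{r.get('daddr')}", _PROTO_NAMES.get(proto, f"proto {proto}")]
    if "sport" in r and "dport" in r:
        parts.append(f"{r['sport']}->{r['dport']}")
    for key in ("hook", "obj"):
        if key in r:
            parts.append(f"{key}={r[key]}")
    if "mark" in r:
        parts.append(f"mark={int(r['mark'], 16)}")  # hex in the record, decimal here
    return " ".join(parts)
```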

17 Mar, 2011

1 commit

  • Even though ebtables uses xtables it still requires targets to
    return EBT_CONTINUE instead of XT_CONTINUE. This prevented
    xt_AUDIT from working as an ebt module.

    Upon Jan's suggestion, use a separate struct xt_target for
    NFPROTO_BRIDGE having its own target callback returning
    EBT_CONTINUE instead of cloning the module.

    Signed-off-by: Thomas Graf
    Signed-off-by: Patrick McHardy

    Thomas Graf
     

17 Jan, 2011

1 commit

  • This patch adds a new netfilter target which creates audit records
    for packets traversing a certain chain.

    It can be used to record packets which are rejected administratively
    as follows:

    -N AUDIT_DROP
    -A AUDIT_DROP -j AUDIT --type DROP
    -A AUDIT_DROP -j DROP

    a rule which would typically drop or reject a packet would then
    invoke the new chain to record packets before dropping them.

    -j AUDIT_DROP

    The module is protocol independent and works for iptables, ip6tables
    and ebtables.

    The following information is logged:
    - netfilter hook
    - packet length
    - incoming/outgoing interface
    - MAC src/dst/proto for ethernet packets
    - src/dst/protocol address for IPv4/IPv6
    - src/dst port for TCP/UDP/UDPLITE
    - icmp type/code

    Cc: Patrick McHardy
    Cc: Eric Paris
    Cc: Al Viro
    Signed-off-by: Thomas Graf
    Signed-off-by: Patrick McHardy

    Thomas Graf