Commit 43f393ca authored by Thomas Graf's avatar Thomas Graf Committed by Patrick McHardy
Browse files

netfilter: audit target to record accepted/dropped packets 



This patch adds a new netfilter target which creates audit records
for packets traversing a certain chain.

It can be used to record packets which are rejected administraively
as follows:

  -N AUDIT_DROP
  -A AUDIT_DROP -j AUDIT --type DROP
  -A AUDIT_DROP -j DROP

a rule which would typically drop or reject a packet would then
invoke the new chain to record packets before dropping them.

  -j AUDIT_DROP

The module is protocol independant and works for iptables, ip6tables
and ebtables.

The following information is logged:
 - netfilter hook
 - packet length
 - incomming/outgoing interface
 - MAC src/dst/proto for ethernet packets
 - src/dst/protocol address for IPv4/IPv6
 - src/dst port for TCP/UDP/UDPLITE
 - icmp type/code

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: default avatarThomas Graf <tgraf@redhat.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent d862a662

include/linux/audit.h

+1 −0
Original line number Diff line number Diff line
@@ -103,6 +103,7 @@ 
#define AUDIT_BPRM_FCAPS	1321	/* Information about fcaps increasing perms */

#define AUDIT_CAPSET		1322	/* Record showing argument to sys_capset */

#define AUDIT_MMAP		1323	/* Record showing descriptor and flags in mmap */

#define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */



#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */

#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */

include/linux/netfilter/Kbuild

+1 −0
Original line number Diff line number Diff line
@@ -9,6 +9,7 @@ header-y += nfnetlink_conntrack.h 
header-y += nfnetlink_log.h

header-y += nfnetlink_queue.h

header-y += x_tables.h

header-y += xt_AUDIT.h

header-y += xt_CHECKSUM.h

header-y += xt_CLASSIFY.h

header-y += xt_CONNMARK.h

include/linux/netfilter/xt_AUDIT.h

0 → 100644
+30 −0
Original line number Diff line number Diff line 
/*

 * Header file for iptables xt_AUDIT target

 *

 * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>

 * (C) 2010-2011 Red Hat, Inc.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 as

 * published by the Free Software Foundation.

 */



#ifndef _XT_AUDIT_TARGET_H

#define _XT_AUDIT_TARGET_H



#include <linux/types.h>



enum {

	XT_AUDIT_TYPE_ACCEPT = 0,

	XT_AUDIT_TYPE_DROP,

	XT_AUDIT_TYPE_REJECT,

	__XT_AUDIT_TYPE_MAX,

};



#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)



struct xt_audit_info {

	__u8 type; /* XT_AUDIT_TYPE_* */

};



#endif /* _XT_AUDIT_TARGET_H */

net/netfilter/Kconfig

+10 −0
Original line number Diff line number Diff line
@@ -326,6 +326,16 @@ config NETFILTER_XT_CONNMARK 


comment "Xtables targets"



config NETFILTER_XT_TARGET_AUDIT

	tristate "AUDIT target support"

	depends on AUDIT

	depends on NETFILTER_ADVANCED

	---help---

	  This option adds a 'AUDIT' target, which can be used to create

	  audit records for packets dropped/accepted.



	  To compileit as a module, choose M here. If unsure, say N.



config NETFILTER_XT_TARGET_CHECKSUM

	tristate "CHECKSUM target support"

	depends on IP_NF_MANGLE || IP6_NF_MANGLE

net/netfilter/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o 
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o



# targets

obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) += xt_CHECKSUM.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o

obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o

CRA Git | Maintained and supported by SUSTech CRA and CCSE