authorPhil Sutter <phil@nwl.cc>2018-06-01 17:15:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-06-03 11:53:06 +0200
commita24552c165346f087e82a52807d134e3910387a8 (patch)
tree378f69e8fe6c10ac6fd0d111313c3b0ed14371d5
parentefc8a83e943d54e0ca88548a0eaff056ad2a650d (diff)
log: Add support for audit logging
This is implemented via a pseudo log level. The kernel ignores any other parameter, so reject those at evaluation stage. Audit logging is therefore simply a matter of: | log level audit Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/linux/netfilter/nf_tables.h5
-rw-r--r--src/evaluate.c4
-rw-r--r--src/parser_bison.y2
-rw-r--r--src/statement.c7
-rw-r--r--tests/py/any/log.t8
-rw-r--r--tests/py/any/log.t.json9
-rw-r--r--tests/py/any/log.t.payload4
7 files changed, 36 insertions, 3 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 660168ab..51d54d67 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1056,6 +1056,11 @@ enum nft_log_attributes {
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
/**
+ * LOGLEVEL_AUDIT - a pseudo log level enabling audit logging
+ */
+#define LOGLEVEL_AUDIT 8
+
+/**
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
*
* @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16)
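Review bot: The doc comment on LOGLEVEL_AUDIT says what the level enables but not the constraint the rest of this commit relies on, namely that the kernel honours no other log option once this level is set (the commit message states this and src/evaluate.c enforces it); a reader of the header alone cannot tell why the level is "pseudo". Suggest ` * LOGLEVEL_AUDIT - pseudo log level enabling audit logging; the kernel ignores every other log option (prefix, group, snaplen, queue-threshold, flags) at this level`. The name also departs from the NFT_/NFTA_ prefix convention of the surrounding definitions (NFTA_LOG_MAX, NFTA_QUEUE_NUM); if this file is meant to stay a verbatim copy of the kernel uapi header, the constant should carry whatever name and value the kernel side exports rather than a locally chosen one, otherwise the next header resync will drop it.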
diff --git a/src/evaluate.c b/src/evaluate.c
index 4eb36e2d..33733c0e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2562,6 +2562,10 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
return stmt_error(ctx, stmt,
"flags and group are mutually exclusive");
}
+ if (stmt->log.level == LOGLEVEL_AUDIT &&
+ (stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags))
+ return stmt_error(ctx, stmt,
+ "log level audit doesn't support any further options");
return 0;
}
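Review bot: The new condition on the second added line mixes `&` and `||` without grouping; it is correct by precedence (`&` binds tighter than `||`), but it reads as if `~STMT_LOG_LEVEL || stmt->log.logflags` could be the mask, and the intent — "any option bit other than the level, or any log flag" — is hidden. Parenthesize the mask test: `((stmt->log.flags & ~STMT_LOG_LEVEL) || stmt->log.logflags))`. A short comment above the check, `/* the kernel honours nothing but the level for audit logging */`, would also tie the rejection to the reason given in the commit message. stmt_evaluate_log begins before this hunk.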
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b67dc69d..d13eaa66 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2227,6 +2227,8 @@ level_type : string
$$ = LOG_INFO;
else if (!strcmp("debug", $1))
$$ = LOG_DEBUG;
+ else if (!strcmp("audit", $1))
+ $$ = LOGLEVEL_AUDIT;
else {
erec_queue(error(&@1, "invalid log level"),
state->msgs);
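Review bot: The added `audit` branch extends a string-compare chain that duplicates the syslog_level[] name table in src/statement.c, which this same commit also has to extend; the two lists will drift the next time a level is added or renamed. If log_level_parse() signals failure with a value distinguishable from a valid level (its match path returns the table index; the failure path is outside the visible hunk), level_type could call it and keep the existing `invalid log level` error for that case, leaving one place that knows the level names. The level_type rule begins before this hunk.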
diff --git a/src/statement.c b/src/statement.c
index ff4c8eb6..4a646e06 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -220,7 +220,7 @@ struct stmt *objref_stmt_alloc(const struct location *loc)
return stmt;
}
-static const char *syslog_level[LOG_DEBUG + 1] = {
+static const char *syslog_level[LOGLEVEL_AUDIT + 1] = {
[LOG_EMERG] = "emerg",
[LOG_ALERT] = "alert",
[LOG_CRIT] = "crit",
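Review bot: The three bounds updated in this file — the array size `LOGLEVEL_AUDIT + 1` here, `level > LOGLEVEL_AUDIT` in log_level() and `i <= LOGLEVEL_AUDIT` in log_level_parse() in the following two hunks — express one invariant three times, and the bump from LOG_DEBUG had to be applied to each by hand. Deriving the count from the table keeps the readers in step with the initializer automatically, e.g. `if (level >= sizeof(syslog_level) / sizeof(syslog_level[0]))` in log_level() and `for (i = 0; i < (int)(sizeof(syslog_level) / sizeof(syslog_level[0])); i++)` in log_level_parse() (or the tree's array-size helper if one exists). Adding a further level would then touch only the table and the header. The syslog_level initializer continues into the next hunk.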
@@ -229,11 +229,12 @@ static const char *syslog_level[LOG_DEBUG + 1] = {
[LOG_NOTICE] = "notice",
[LOG_INFO] = "info",
[LOG_DEBUG] = "debug",
+ [LOGLEVEL_AUDIT] = "audit"
};
const char *log_level(uint32_t level)
{
- if (level > LOG_DEBUG)
+ if (level > LOGLEVEL_AUDIT)
return "unknown";
return syslog_level[level];
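Review bot: The new table entry `[LOGLEVEL_AUDIT] = "audit"` is added without the trailing comma that every preceding entry carries, so the next addition has to modify this line again and the style of the initializer becomes inconsistent; write `[LOGLEVEL_AUDIT] = "audit",`. The bound change in log_level() matches the table extension; the array whose initializer ends here begins in the previous hunk.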
@@ -243,7 +244,7 @@ int log_level_parse(const char *level)
{
int i;
- for (i = 0; i <= LOG_DEBUG; i++) {
+ for (i = 0; i <= LOGLEVEL_AUDIT; i++) {
if (syslog_level[i] &&
!strcmp(level, syslog_level[i]))
return i;
diff --git a/tests/py/any/log.t b/tests/py/any/log.t
index d1b4ab62..f4ccaf05 100644
--- a/tests/py/any/log.t
+++ b/tests/py/any/log.t
@@ -15,10 +15,18 @@ log level warn;ok;log
log level notice;ok
log level info;ok
log level debug;ok
+log level audit;ok
log level emerg group 2;fail
log level alert group 2 prefix "log test2";fail
+# log level audit must reject all other parameters
+log level audit prefix "foo";fail
+log level audit group 42;fail
+log level audit snaplen 23;fail
+log level audit queue-threshold 1337;fail
+log level audit flags all;fail
+
log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2 snaplen 33
# TODO: Add an exception: 'queue-threshold' attribute needs 'group' attribute
# The correct rule is log group 2 queue-threshold 2
diff --git a/tests/py/any/log.t.json b/tests/py/any/log.t.json
index 9c89dff8..7bcc20e8 100644
--- a/tests/py/any/log.t.json
+++ b/tests/py/any/log.t.json
@@ -77,6 +77,15 @@
}
]
+# log level audit
+[
+ {
+ "log": {
+ "level": "audit"
+ }
+ }
+]
+
# log prefix aaaaa-aaaaaa group 2 snaplen 33
[
{
diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload
index ffb914d2..1330445b 100644
--- a/tests/py/any/log.t.payload
+++ b/tests/py/any/log.t.payload
@@ -34,6 +34,10 @@ ip test-ip4 output
ip test-ip4 output
[ log level 7 ]
+# log level audit
+ip test-ip4 output
+ [ log level 8 ]
+
# log prefix aaaaa-aaaaaa group 2 snaplen 33
ip test-ip4 output
[ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0 ]