linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Phil Sutter <phil@nwl.cc>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>,
	netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
	Eric Paris <eparis@parisplace.org>,
	Steve Grubb <sgrubb@redhat.com>, Florian Westphal <fw@strlen.de>,
	twoerner@redhat.com, tgraf@infradead.org,
	dan.carpenter@oracle.com,
	Jones Desougi <jones.desougi+netfilter@gmail.com>
Subject: Re: [PATCH] audit: log nftables configuration change events once per table
Date: Thu, 18 Mar 2021 17:30:32 +0100	[thread overview]
Message-ID: <20210318163032.GS5298@orbyte.nwl.cc> (raw)
In-Reply-To: <7e73ce4aa84b2e46e650b5727ee7a8244ec4a0ac.1616078123.git.rgb@redhat.com>

Hi,

On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.

This looks much better, a few remarks below:

[...]
> +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> +	/* NFT_MSG_NEWTABLE	*/	AUDIT_NFT_OP_TABLE_REGISTER,
> +	/* NFT_MSG_GETTABLE	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELTABLE	*/	AUDIT_NFT_OP_TABLE_UNREGISTER,
> +	/* NFT_MSG_NEWCHAIN	*/	AUDIT_NFT_OP_CHAIN_REGISTER,
> +	/* NFT_MSG_GETCHAIN	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELCHAIN	*/	AUDIT_NFT_OP_CHAIN_UNREGISTER,
> +	/* NFT_MSG_NEWRULE	*/	AUDIT_NFT_OP_RULE_REGISTER,
> +	/* NFT_MSG_GETRULE	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELRULE	*/	AUDIT_NFT_OP_RULE_UNREGISTER,
> +	/* NFT_MSG_NEWSET	*/	AUDIT_NFT_OP_SET_REGISTER,
> +	/* NFT_MSG_GETSET	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELSET	*/	AUDIT_NFT_OP_SET_UNREGISTER,
> +	/* NFT_MSG_NEWSETELEM	*/	AUDIT_NFT_OP_SETELEM_REGISTER,
> +	/* NFT_MSG_GETSETELEM	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELSETELEM	*/	AUDIT_NFT_OP_SETELEM_UNREGISTER,
> +	/* NFT_MSG_NEWGEN	*/	AUDIT_NFT_OP_GEN_REGISTER,
> +	/* NFT_MSG_GETGEN	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_TRACE	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_NEWOBJ	*/	AUDIT_NFT_OP_OBJ_REGISTER,
> +	/* NFT_MSG_GETOBJ	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELOBJ	*/	AUDIT_NFT_OP_OBJ_UNREGISTER,
> +	/* NFT_MSG_GETOBJ_RESET	*/	AUDIT_NFT_OP_OBJ_RESET,
> +	/* NFT_MSG_NEWFLOWTABLE	*/	AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> +	/* NFT_MSG_GETFLOWTABLE	*/	AUDIT_NFT_OP_INVALID,
> +	/* NFT_MSG_DELFLOWTABLE	*/	AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> +	/* NFT_MSG_MAX		*/	AUDIT_NFT_OP_INVALID,
> +};

NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
bound for arrays, loops or sanity checks. You will never see it in
trans->msg_type.

Since enum nf_tables_msg_types contains consecutive values from 0 to
NFT_MSG_MAX, you could write the above more explicitly:

| static const u8 nft2audit_op[NFT_MSG_MAX] = {
| 	[NFT_MSG_NEWTABLE]	= AUDIT_NFT_OP_TABLE_REGISTER,
| 	[NFT_MSG_GETTABLE]	= AUDIT_NFT_OP_INVALID,
| 	[NFT_MSG_DELTABLE]	= AUDIT_NFT_OP_TABLE_UNREGISTER,
(And so forth.)

Not a must, but it clarifies the 1:1 mapping between index and said
enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
all uninteresting ones.

[...]
> @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
>  			    filter->type != NFT_OBJECT_UNSPEC &&
>  			    obj->ops->type->type != filter->type)
>  				goto cont;
> -
>  			if (reset) {
>  				char *buf = kasprintf(GFP_ATOMIC,
> -						      "%s:%llu;?:0",
> +						      "%s:%u",
>  						      table->name,
> -						      table->handle);
> +						      net->nft.base_seq);
>  
>  				audit_log_nfcfg(buf,
>  						family,

Why did you leave the object-related logs in place? They should reappear
at commit time just like chains and sets for instance, no?

Thanks, Phil

  parent reply	other threads:[~2021-03-18 16:31 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-18 15:39 [PATCH] audit: log nftables configuration change events once per table Richard Guy Briggs
2021-03-18 16:29 ` Pablo Neira Ayuso
2021-03-18 16:30 ` Phil Sutter [this message]
2021-03-18 18:37   ` Richard Guy Briggs
2021-03-19 12:52     ` Phil Sutter
2021-03-19 12:57       ` Richard Guy Briggs
2021-03-18 19:39 ` kernel test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210318163032.GS5298@orbyte.nwl.cc \
    --to=phil@nwl.cc \
    --cc=dan.carpenter@oracle.com \
    --cc=eparis@parisplace.org \
    --cc=fw@strlen.de \
    --cc=jones.desougi+netfilter@gmail.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=rgb@redhat.com \
    --cc=sgrubb@redhat.com \
    --cc=tgraf@infradead.org \
    --cc=twoerner@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).