From: Phil Sutter <phil@nwl.cc>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>,
Steve Grubb <sgrubb@redhat.com>, Florian Westphal <fw@strlen.de>,
twoerner@redhat.com, tgraf@infradead.org,
dan.carpenter@oracle.com,
Jones Desougi <jones.desougi+netfilter@gmail.com>
Subject: Re: [PATCH] audit: log nftables configuration change events once per table
Date: Thu, 18 Mar 2021 17:30:32 +0100 [thread overview]
Message-ID: <20210318163032.GS5298@orbyte.nwl.cc> (raw)
In-Reply-To: <7e73ce4aa84b2e46e650b5727ee7a8244ec4a0ac.1616078123.git.rgb@redhat.com>
Hi,
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
This looks much better, a few remarks below:
[...]
> +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> + /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
> + /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
> + /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
> + /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
> + /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
> + /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
> + /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
> + /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
> + /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
> + /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
> + /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
> + /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_TRACE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
> + /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
> + /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
> + /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> + /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> + /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
> +};
NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
bound for arrays, loops or sanity checks. You will never see it in
trans->msg_type.
Since enum nf_tables_msg_types contains consecutive values from 0 to
NFT_MSG_MAX, you could write the above more explicitly:
| static const u8 nft2audit_op[NFT_MSG_MAX] = {
| [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
| [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
| [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
(And so forth.)
Not a must, but it clarifies the 1:1 mapping between index and said
enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
all uninteresting ones.
[...]
> @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
> filter->type != NFT_OBJECT_UNSPEC &&
> obj->ops->type->type != filter->type)
> goto cont;
> -
> if (reset) {
> char *buf = kasprintf(GFP_ATOMIC,
> - "%s:%llu;?:0",
> + "%s:%u",
> table->name,
> - table->handle);
> + net->nft.base_seq);
>
> audit_log_nfcfg(buf,
> family,
Why did you leave the object-related logs in place? They should reappear
at commit time just like chains and sets for instance, no?
Thanks, Phil
next prev parent reply other threads:[~2021-03-18 16:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-18 15:39 [PATCH] audit: log nftables configuration change events once per table Richard Guy Briggs
2021-03-18 16:29 ` Pablo Neira Ayuso
2021-03-18 16:30 ` Phil Sutter [this message]
2021-03-18 18:37 ` Richard Guy Briggs
2021-03-19 12:52 ` Phil Sutter
2021-03-19 12:57 ` Richard Guy Briggs
2021-03-18 19:39 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210318163032.GS5298@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=dan.carpenter@oracle.com \
--cc=eparis@parisplace.org \
--cc=fw@strlen.de \
--cc=jones.desougi+netfilter@gmail.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
--cc=tgraf@infradead.org \
--cc=twoerner@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).