netfilter-devel.vger.kernel.org archive mirror
* [ebtables PATCH 0/3] Misc items found in Fedora package
@ 2019-03-19 19:09 Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 1/3] extensions: Drop Makefile Phil Sutter
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Phil Sutter @ 2019-03-19 19:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Patch 1 is something I discovered when dealing with the rest. Patches 2
and 3 stem from Fedora package. Actually, I wrote patch 2 from scratch
(to avoid patching Makefile) and slightly adjusted patch 3 so it
compiles with current sources.

Phil Sutter (3):
  extensions: Drop Makefile
  Allow customizing lockfile location at configure time
  extensions: Add AUDIT target

 Makefile.am                        |   6 +-
 configure.ac                       |   3 +
 extensions/Makefile                |  30 --------
 extensions/ebt_AUDIT.c             | 110 +++++++++++++++++++++++++++++
 include/linux/netfilter/xt_AUDIT.h |  30 ++++++++
 libebtc.c                          |   7 +-
 6 files changed, 147 insertions(+), 39 deletions(-)
 delete mode 100644 extensions/Makefile
 create mode 100644 extensions/ebt_AUDIT.c
 create mode 100644 include/linux/netfilter/xt_AUDIT.h

-- 
2.21.0



* [ebtables PATCH 1/3] extensions: Drop Makefile
  2019-03-19 19:09 [ebtables PATCH 0/3] Misc items found in Fedora package Phil Sutter
@ 2019-03-19 19:09 ` Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 2/3] Allow customizing lockfile location at configure time Phil Sutter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2019-03-19 19:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Sources contained in there are built from toplevel Makefile.am. This
seems like a leftover from commit 131920089dc21 ("build: move to
automake").

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/Makefile | 30 ------------------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 extensions/Makefile

diff --git a/extensions/Makefile b/extensions/Makefile
deleted file mode 100644
index daa11fce36e5e..0000000000000
--- a/extensions/Makefile
+++ /dev/null
@@ -1,30 +0,0 @@
-#! /usr/bin/make
-
-EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
-          pkttype stp among limit ulog nflog string
-EXT_TABLES+=filter nat broute
-EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
-EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
-EXT_LIBS+=$(foreach T,$(EXT_FUNC), extensions/libebt_$(T).so)
-EXT_LIBS+=$(foreach T,$(EXT_TABLES), extensions/libebtable_$(T).so)
-EXT_LIBSI+=$(foreach T,$(EXT_FUNC), -lebt_$(T))
-EXT_LIBSI+=$(foreach T,$(EXT_TABLES), -lebtable_$(T))
-
-extensions/ebt_%.so: extensions/ebt_%.o
-	$(CC) $(LDFLAGS) -shared -o $@ -lc $<
-
-extensions/libebt_%.so: extensions/ebt_%.so
-	mv $< $@
-
-extensions/ebtable_%.so: extensions/ebtable_%.o
-	$(CC) $(LDFLAGS) -shared -o $@ -lc $<
-
-extensions/libebtable_%.so: extensions/ebtable_%.so
-	mv $< $@
-
-extensions/ebt_%.o: extensions/ebt_%.c include/ebtables_u.h
-	$(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -I$(KERNEL_INCLUDES)
-
-extensions/ebtable_%.o: extensions/ebtable_%.c
-	$(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -I$(KERNEL_INCLUDES)
-
-- 
2.21.0



* [ebtables PATCH 2/3] Allow customizing lockfile location at configure time
  2019-03-19 19:09 [ebtables PATCH 0/3] Misc items found in Fedora package Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 1/3] extensions: Drop Makefile Phil Sutter
@ 2019-03-19 19:09 ` Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 3/3] extensions: Add AUDIT target Phil Sutter
  2019-04-03 17:48 ` [ebtables PATCH 0/3] Misc items found in Fedora package Pablo Neira Ayuso
  3 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2019-03-19 19:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Users may pass LOCKFILE=/some/path/to/file when calling configure to
make libebtc use that path for its lockfile.

To simplify things, drop LOCKDIR completely and instead call dirname()
when trying to create the parent directory.

Given that we always define LOCKFILE via compiler flag, drop the
fallback define from libebtc.c.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 Makefile.am  | 4 +---
 configure.ac | 3 +++
 libebtc.c    | 7 ++-----
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 59ae595ee16de..53fcbadbca7b4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,8 +5,6 @@
 PROGNAME = ${PACKAGE_NAME}
 PROGVERSION = ${PACKAGE_VERSION}
 PROGDATE = December\ 2011
-LOCKDIR = /var/lib/ebtables
-LOCKFILE = ${LOCKDIR}/lock
 INITDIR = /etc/rc.d/init.d
 initddir = ${INITDIR}
 sysconfigdir = ${sysconfdir}/sysconfig
@@ -21,7 +19,7 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_srcdir}/include \
 	-DPROGVERSION=\"${PACKAGE_VERSION}\" -DPROGNAME=\"${PACKAGE_NAME}\" \
 	-DPROGDATE=\"${PROGDATE}\" \
 	-D_PATH_ETHERTYPES=\"${sysconfdir}/ethertypes\" \
-	-DLOCKFILE=\"${LOCKFILE}\" -DLOCKDIR=\"${LOCKDIR}\" \
+	-DLOCKFILE=\"${LOCKFILE}\" \
 	-DEBTD_ARGC_MAX=${EBTD_ARGC_MAX} -DEBTD_CMDLINE_MAXLN=${EBTD_CMDLINE_MAXLN} \
 	-DEBTD_PIPE=\"${PIPE}\" -DEBTD_PIPE_DIR=\"${PIPE_DIR}\"
 AM_CFLAGS = ${regular_CFLAGS}
diff --git a/configure.ac b/configure.ac
index a3bc3c93a279f..00d97734ff9a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,6 +10,9 @@ AC_DISABLE_STATIC
 m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
 AM_PROG_LIBTOOL
 
+AC_ARG_VAR([LOCKFILE], [Custom libebtc lockfile path (default: /var/lib/ebtables/lock)])
+AS_IF([test "x$LOCKFILE" = x], [LOCKFILE="/var/lib/ebtables/lock"])
+
 regular_CFLAGS="-Wall -Wunused"
 regular_CPPFLAGS=""
 case "$host" in
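Review bot: The new AC_ARG_VAR/AS_IF pair accepts any string for LOCKFILE without a check. A relative path would make each ebtables invocation lock a file relative to its own working directory, so concurrent runs would no longer exclude each other, and a value containing whitespace or quotes breaks the `-DLOCKFILE=\"${LOCKFILE}\"` flag in Makefile.am. Suggest rejecting values that do not start with `/` via AC_MSG_ERROR, and stating in the help string that the parent directory should be writable by root only, since lock_file() opens the path with `open(LOCKFILE, O_CREAT, 00600)` and no O_NOFOLLOW. The default also hard-codes /var/lib rather than deriving it from ${localstatedir}.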
diff --git a/libebtc.c b/libebtc.c
index 92fd76485c723..f2a2b500ea751 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -36,6 +36,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <errno.h>
+#include <libgen.h>
 
 static void decrease_chain_jumps(struct ebt_u_replace *replace);
 static int iterate_entries(struct ebt_u_replace *replace, int type);
@@ -134,10 +135,6 @@ void ebt_list_extensions()
 	}
 }
 
-#ifndef LOCKFILE
-#define LOCKDIR "/var/lib/ebtables"
-#define LOCKFILE LOCKDIR"/lock"
-#endif
 int use_lockfd;
 /* Returns 0 on success, -1 when the file is locked by another process
  * or -2 on any other error. */
@@ -148,7 +145,7 @@ static int lock_file()
 retry:
 	fd = open(LOCKFILE, O_CREAT, 00600);
 	if (fd < 0) {
-		if (try == 1 || mkdir(LOCKDIR, 00700))
+		if (try == 1 || mkdir(dirname(LOCKFILE), 00700))
 			return -2;
 		try = 1;
 		goto retry;
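Review bot: `mkdir(dirname(LOCKFILE), 00700)` passes a string literal to dirname(), which POSIX allows to modify its argument; glibc's implementation writes a NUL over the last slash, so this retry path can fault on a read-only literal exactly when the lock directory is missing. Copy the path into a writable buffer first, for example `char path[] = LOCKFILE;` followed by `mkdir(dirname(path), 00700)`. Also note that mkdir() creates a single level only, so a custom LOCKFILE whose grandparent directory is missing still ends in `return -2`; the configure help text should say so or the code should create the intermediate directories.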
-- 
2.21.0



* [ebtables PATCH 3/3] extensions: Add AUDIT target
  2019-03-19 19:09 [ebtables PATCH 0/3] Misc items found in Fedora package Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 1/3] extensions: Drop Makefile Phil Sutter
  2019-03-19 19:09 ` [ebtables PATCH 2/3] Allow customizing lockfile location at configure time Phil Sutter
@ 2019-03-19 19:09 ` Phil Sutter
  2019-03-19 19:44   ` Jan Engelhardt
  2019-04-03 17:48 ` [ebtables PATCH 0/3] Misc items found in Fedora package Pablo Neira Ayuso
  3 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2019-03-19 19:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This is a barn find from Fedora package, actually spooking around in
various places in the internet. No idea who wrote it, but it seems to be
used. So add it for the time being.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 Makefile.am                        |   2 +-
 extensions/ebt_AUDIT.c             | 110 +++++++++++++++++++++++++++++
 include/linux/netfilter/xt_AUDIT.h |  30 ++++++++
 3 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 extensions/ebt_AUDIT.c
 create mode 100644 include/linux/netfilter/xt_AUDIT.h

diff --git a/Makefile.am b/Makefile.am
index 53fcbadbca7b4..904de12773a84 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,7 +40,7 @@ libebtc_la_SOURCES = \
 	extensions/ebt_mark_m.c extensions/ebt_nat.c extensions/ebt_nflog.c \
 	extensions/ebt_pkttype.c extensions/ebt_redirect.c \
 	extensions/ebt_standard.c extensions/ebt_stp.c extensions/ebt_string.c \
-	extensions/ebt_ulog.c extensions/ebt_vlan.c \
+	extensions/ebt_ulog.c extensions/ebt_vlan.c extensions/ebt_AUDIT.c \
 	extensions/ebtable_broute.c extensions/ebtable_filter.c \
 	extensions/ebtable_nat.c
 # Make sure ebtables.c can be built twice
diff --git a/extensions/ebt_AUDIT.c b/extensions/ebt_AUDIT.c
new file mode 100644
index 0000000000000..c9befccca94db
--- /dev/null
+++ b/extensions/ebt_AUDIT.c
@@ -0,0 +1,110 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter/xt_AUDIT.h>
+
+#define AUDIT_TYPE  '1'
+static struct option opts[] =
+{
+	{ "audit-type" , required_argument, 0, AUDIT_TYPE },
+	{ 0 }
+};
+
+static void print_help()
+{
+	printf(
+	"AUDIT target options:\n"
+	" --audit-type TYPE          : Set action type to record.\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
+
+	info->type = 0;
+}
+
+static int parse(int c, char **argv, int argc,
+   const struct ebt_u_entry *entry, unsigned int *flags,
+   struct ebt_entry_target **target)
+{
+	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
+
+	switch (c) {
+	case AUDIT_TYPE:
+		ebt_check_option2(flags, AUDIT_TYPE);
+
+		if (!strcasecmp(optarg, "accept"))
+			info->type = XT_AUDIT_TYPE_ACCEPT;
+		else if (!strcasecmp(optarg, "drop"))
+			info->type = XT_AUDIT_TYPE_DROP;
+		else if (!strcasecmp(optarg, "reject"))
+			info->type = XT_AUDIT_TYPE_REJECT;
+		else
+			ebt_print_error2("Bad action type value `%s'", optarg);
+
+		break;
+	 default:
+		return 0;
+	}
+	return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+   const struct ebt_entry_target *target, const char *name,
+   unsigned int hookmask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+   const struct ebt_entry_target *target)
+{
+	const struct xt_AUDIT_info *info =
+		(const struct xt_AUDIT_info *) target->data;
+
+	printf("--audit-type ");
+
+	switch(info->type) {
+	case XT_AUDIT_TYPE_ACCEPT:
+		printf("accept");
+		break;
+	case XT_AUDIT_TYPE_DROP:
+		printf("drop");
+		break;
+	case XT_AUDIT_TYPE_REJECT:
+		printf("reject");
+		break;
+	}
+}
+
+static int compare(const struct ebt_entry_target *t1,
+   const struct ebt_entry_target *t2)
+{
+	const struct xt_AUDIT_info *info1 =
+		(const struct xt_AUDIT_info *) t1->data;
+	const struct xt_AUDIT_info *info2 =
+		(const struct xt_AUDIT_info *) t2->data;
+
+	return info1->type == info2->type;
+}
+
+static struct ebt_u_target AUDIT_target =
+{
+	.name		= "AUDIT",
+	.size		= sizeof(struct xt_AUDIT_info),
+	.help		= print_help,
+	.init		= init,
+	.parse		= parse,
+	.final_check	= final_check,
+	.print		= print,
+	.compare	= compare,
+	.extra_ops	= opts,
+};
+
+static void _INIT(void)
+{
+	ebt_register_target(&AUDIT_target);
+}
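Review bot: final_check() is empty and init() sets `info->type = 0`, which the new header defines as XT_AUDIT_TYPE_ACCEPT, so a rule with `-j AUDIT` and no --audit-type is accepted silently and records as "accept". Either reject the rule in final_check() when the AUDIT_TYPE flag was never set, or document accept as the default in print_help() and list the valid TYPE values (accept, drop, reject) there. print() has no default case, so an unexpected type value prints `--audit-type ` with no argument, which cannot be parsed back. The file also opens with a blank line and carries no license or origin header, and the diffstat shows no man page update for the new target.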
diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/linux/netfilter/xt_AUDIT.h
new file mode 100644
index 0000000000000..44111b242b531
--- /dev/null
+++ b/include/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+	XT_AUDIT_TYPE_ACCEPT = 0,
+	XT_AUDIT_TYPE_DROP,
+	XT_AUDIT_TYPE_REJECT,
+	__XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_AUDIT_info {
+	__u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */
-- 
2.21.0



* Re: [ebtables PATCH 3/3] extensions: Add AUDIT target
  2019-03-19 19:09 ` [ebtables PATCH 3/3] extensions: Add AUDIT target Phil Sutter
@ 2019-03-19 19:44   ` Jan Engelhardt
  2019-03-20  8:09     ` Phil Sutter
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2019-03-19 19:44 UTC (permalink / raw)
  To: Phil Sutter
  Cc: Pablo Neira Ayuso, Thomas Graf, James Czyzak, Tom Callaway,
	Netfilter Developer Mailing List

On Tuesday 2019-03-19 20:09, Phil Sutter wrote:

>This is a barn find from Fedora package, actually spooking around in
>various places in the internet. No idea who wrote it, but it seems to be
>used. So add it for the time being.

Not sure, but I added some people in the Cc that may know more (and the 
hope is that the ibm address still delivers).


 * xt_AUDIT made its appearance around January 2011 
   https://lwn.net/Articles/423402/ (tgraf@)

 * "ebtables --audit-type" made an appearance in the audit-test code 
   repository https://sourceforge.net/p/audit-test/code/ref/master/ in 
   June 2011 (czyzak@). This means that ebt_audit existed in some form
   at that time already.

 * Fedora ebtables (only) gained the patch 2013-March-21 (spot@)


* Re: [ebtables PATCH 3/3] extensions: Add AUDIT target
  2019-03-19 19:44   ` Jan Engelhardt
@ 2019-03-20  8:09     ` Phil Sutter
  0 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2019-03-20  8:09 UTC (permalink / raw)
  To: Jan Engelhardt
  Cc: Pablo Neira Ayuso, Thomas Graf, James Czyzak, Tom Callaway,
	Netfilter Developer Mailing List

Hi Jan,

On Tue, Mar 19, 2019 at 08:44:12PM +0100, Jan Engelhardt wrote:
> On Tuesday 2019-03-19 20:09, Phil Sutter wrote:
> 
> >This is a barn find from Fedora package, actually spooking around in
> >various places in the internet. No idea who wrote it, but it seems to be
> >used. So add it for the time being.
> 
> Not sure, but I added some people in the Cc that may know more (and the 
> hope is that the ibm address still delivers).
> 
> 
>  * xt_AUDIT made its appearance around January 2011 
>    https://lwn.net/Articles/423402/ (tgraf@)
> 
>  * "ebtables --audit-type" made an appearance in the audit-test code 
>    repository https://sourceforge.net/p/audit-test/code/ref/master/ in 
>    June 2011 (czyzak@). This means that ebt_audit existed in some form
>    at that time already.
> 
>  * Fedora ebtables (only) gained the patch 2013-March-21 (spot@)

Thanks a lot for your historic research. In RHEL, ebtables got AUDIT
support with bz#642394 (private). Thomas provided the patch, so
hopefully he either wrote it or knows where it came from.

Thanks, Phil



* Re: [ebtables PATCH 0/3] Misc items found in Fedora package
  2019-03-19 19:09 [ebtables PATCH 0/3] Misc items found in Fedora package Phil Sutter
                   ` (2 preceding siblings ...)
  2019-03-19 19:09 ` [ebtables PATCH 3/3] extensions: Add AUDIT target Phil Sutter
@ 2019-04-03 17:48 ` Pablo Neira Ayuso
  3 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-04-03 17:48 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Tue, Mar 19, 2019 at 08:09:35PM +0100, Phil Sutter wrote:
> Patch 1 is something I discovered when dealing with the rest. Patches 2
> and 3 stem from Fedora package. Actually, I wrote patch 2 from scratch
> (to avoid patching Makefile) and slightly adjusted patch 3 so it
> compiles with current sources.

Series applied, thanks Phil.
