Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_AUDIT.c
Go to the documentation of this file.
1 /*
2  * Creates audit record for dropped/accepted packets
3  *
4  * (C) 2010-2011 Thomas Graf <[email protected]>
5  * (C) 2010-2011 Red Hat, Inc.
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10 */
11 
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 
14 #include <linux/audit.h>
15 #include <linux/module.h>
16 #include <linux/skbuff.h>
17 #include <linux/tcp.h>
18 #include <linux/udp.h>
19 #include <linux/if_arp.h>
20 #include <linux/netfilter/x_tables.h>
21 #include <linux/netfilter/xt_AUDIT.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <net/ipv6.h>
24 #include <net/ip.h>
25 
26 MODULE_LICENSE("GPL");
27 MODULE_AUTHOR("Thomas Graf <[email protected]>");
28 MODULE_DESCRIPTION("Xtables: creates audit records for dropped/accepted packets");
29 MODULE_ALIAS("ipt_AUDIT");
30 MODULE_ALIAS("ip6t_AUDIT");
31 MODULE_ALIAS("ebt_AUDIT");
32 MODULE_ALIAS("arpt_AUDIT");
33 
34 static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
35  unsigned int proto, unsigned int offset)
36 {
37  switch (proto) {
38  case IPPROTO_TCP:
39  case IPPROTO_UDP:
40  case IPPROTO_UDPLITE: {
41  const __be16 *pptr;
42  __be16 _ports[2];
43 
44  pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
45  if (pptr == NULL) {
46  audit_log_format(ab, " truncated=1");
47  return;
48  }
49 
50  audit_log_format(ab, " sport=%hu dport=%hu",
51  ntohs(pptr[0]), ntohs(pptr[1]));
52  }
53  break;
54 
55  case IPPROTO_ICMP:
56  case IPPROTO_ICMPV6: {
57  const u8 *iptr;
58  u8 _ih[2];
59 
60  iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
61  if (iptr == NULL) {
62  audit_log_format(ab, " truncated=1");
63  return;
64  }
65 
66  audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
67  iptr[0], iptr[1]);
68 
69  }
70  break;
71  }
72 }
73 
74 static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
75 {
76  struct iphdr _iph;
77  const struct iphdr *ih;
78 
79  ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
80  if (!ih) {
81  audit_log_format(ab, " truncated=1");
82  return;
83  }
84 
85  audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
86  &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
87 
88  if (ntohs(ih->frag_off) & IP_OFFSET) {
89  audit_log_format(ab, " frag=1");
90  return;
91  }
92 
93  audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
94 }
95 
96 static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
97 {
98  struct ipv6hdr _ip6h;
99  const struct ipv6hdr *ih;
100  u8 nexthdr;
101  __be16 frag_off;
102  int offset;
103 
104  ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
105  if (!ih) {
106  audit_log_format(ab, " truncated=1");
107  return;
108  }
109 
110  nexthdr = ih->nexthdr;
111  offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
112  &nexthdr, &frag_off);
113 
114  audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
115  &ih->saddr, &ih->daddr, nexthdr);
116 
117  if (offset)
118  audit_proto(ab, skb, nexthdr, offset);
119 }
120 
121 static unsigned int
122 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
123 {
124  const struct xt_audit_info *info = par->targinfo;
125  struct audit_buffer *ab;
126 
127  ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
128  if (ab == NULL)
129  goto errout;
130 
131  audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
132  info->type, par->hooknum, skb->len,
133  par->in ? par->in->name : "?",
134  par->out ? par->out->name : "?");
135 
136  if (skb->mark)
137  audit_log_format(ab, " mark=%#x", skb->mark);
138 
139  if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
140  audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
141  eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
142  ntohs(eth_hdr(skb)->h_proto));
143 
144  if (par->family == NFPROTO_BRIDGE) {
145  switch (eth_hdr(skb)->h_proto) {
146  case __constant_htons(ETH_P_IP):
147  audit_ip4(ab, skb);
148  break;
149 
150  case __constant_htons(ETH_P_IPV6):
151  audit_ip6(ab, skb);
152  break;
153  }
154  }
155  }
156 
157  switch (par->family) {
158  case NFPROTO_IPV4:
159  audit_ip4(ab, skb);
160  break;
161 
162  case NFPROTO_IPV6:
163  audit_ip6(ab, skb);
164  break;
165  }
166 
167 #ifdef CONFIG_NETWORK_SECMARK
168  if (skb->secmark)
169  audit_log_secctx(ab, skb->secmark);
170 #endif
171 
172  audit_log_end(ab);
173 
174 errout:
175  return XT_CONTINUE;
176 }
177 
178 static unsigned int
179 audit_tg_ebt(struct sk_buff *skb, const struct xt_action_param *par)
180 {
181  audit_tg(skb, par);
182  return EBT_CONTINUE;
183 }
184 
185 static int audit_tg_check(const struct xt_tgchk_param *par)
186 {
187  const struct xt_audit_info *info = par->targinfo;
188 
189  if (info->type > XT_AUDIT_TYPE_MAX) {
190  pr_info("Audit type out of range (valid range: 0..%hhu)\n",
191  XT_AUDIT_TYPE_MAX);
192  return -ERANGE;
193  }
194 
195  return 0;
196 }
197 
198 static struct xt_target audit_tg_reg[] __read_mostly = {
199  {
200  .name = "AUDIT",
201  .family = NFPROTO_UNSPEC,
202  .target = audit_tg,
203  .targetsize = sizeof(struct xt_audit_info),
204  .checkentry = audit_tg_check,
205  .me = THIS_MODULE,
206  },
207  {
208  .name = "AUDIT",
209  .family = NFPROTO_BRIDGE,
210  .target = audit_tg_ebt,
211  .targetsize = sizeof(struct xt_audit_info),
212  .checkentry = audit_tg_check,
213  .me = THIS_MODULE,
214  },
215 };
216 
217 static int __init audit_tg_init(void)
218 {
219  return xt_register_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
220 }
221 
222 static void __exit audit_tg_exit(void)
223 {
224  xt_unregister_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
225 }
226 
227 module_init(audit_tg_init);
228 module_exit(audit_tg_exit);
Generated on Thu Jan 10 2013 15:00:51 for Linux Kernel by   doxygen 1.8.2