* Creates audit record for dropped/accepted packets
* (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
* (C) 2010-2011 Red Hat, Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/audit.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/if_arp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_AUDIT.h>
#include <linux/netfilter_bridge/ebtables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Thomas Graf <tgraf@redhat.com>");
MODULE_DESCRIPTION("Xtables: creates audit records for dropped/accepted packets");
MODULE_ALIAS("ipt_AUDIT");
MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
unsigned int proto, unsigned int offset)
case IPPROTO_UDPLITE: {
pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
audit_log_format(ab, " truncated=1");
audit_log_format(ab, " sport=%hu dport=%hu",
ntohs(pptr[0]), ntohs(pptr[1]));
case IPPROTO_ICMPV6: {
iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
audit_log_format(ab, " truncated=1");
audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
const struct iphdr *ih;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
audit_log_format(ab, " truncated=1");
audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
&ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
if (ntohs(ih->frag_off) & IP_OFFSET) {
audit_log_format(ab, " frag=1");
audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
const struct ipv6hdr *ih;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
audit_log_format(ab, " truncated=1");
nexthdr = ih->nexthdr;
offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
&ih->saddr, &ih->daddr, nexthdr);
audit_proto(ab, skb, nexthdr, offset);
audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
info->type, par->hooknum, skb->len,
par->in ? par->in->name : "?",
par->out ? par->out->name : "?");
audit_log_format(ab, " mark=%#x", skb->mark);
if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
ntohs(eth_hdr(skb)->h_proto));
if (par->family == NFPROTO_BRIDGE) {
switch (eth_hdr(skb)->h_proto) {
case __constant_htons(ETH_P_IP):
case __constant_htons(ETH_P_IPV6):
switch (par->family) {
audit_tg_ebt(struct sk_buff *skb, const struct xt_action_param *par)
static int audit_tg_check(const struct xt_tgchk_param *par)
const struct xt_audit_info *info = par->targinfo;
if (info->type > XT_AUDIT_TYPE_MAX) {
pr_info("Audit type out of range (valid range: 0..%hhu)\n",
static struct xt_target audit_tg_reg[] __read_mostly = {
.family = NFPROTO_UNSPEC,
.targetsize = sizeof(struct xt_audit_info),
.checkentry = audit_tg_check,
.family = NFPROTO_BRIDGE,
.target = audit_tg_ebt,
.targetsize = sizeof(struct xt_audit_info),
.checkentry = audit_tg_check,
/*
 * Module entry point: registers every entry of audit_tg_reg (the
 * NFPROTO_UNSPEC and NFPROTO_BRIDGE targets) with xtables in one call.
 * Returns whatever xt_register_targets() returns.
 */
static int __init audit_tg_init(void)
{
	return xt_register_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
}
/*
 * Module exit point: unregisters the same audit_tg_reg array that
 * audit_tg_init() registered, so both paths always agree on the table.
 */
static void __exit audit_tg_exit(void)
{
	xt_unregister_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
}
module_init(audit_tg_init);
module_exit(audit_tg_exit);