Status: Closed (rgbriggs closed this issue 3 years ago)
post v1: 2020-05-27 https://www.redhat.com/archives/linux-audit/2020-May/msg00093.html https://lkml.org/lkml/2020/5/27/768
post v2: 2020-05-28 https://www.redhat.com/archives/linux-audit/2020-May/msg00101.html https://lkml.org/lkml/2020/5/28/1689
post v3: https://www.redhat.com/archives/linux-audit/2020-June/msg00008.html https://lkml.org/lkml/2020/6/4/460
v3fix merged upstream: 142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")
This can be closed since it is upstream in v5.9-rc1:
8e6cf365e1d5 ("audit: log nftables configuration change events")
142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")
68df2ed54487 ("audit: use the proper gfp flags in the audit_log_nfcfg() calls")
2021-03-18 v1 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00109.html
2021-03-22 v2 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00149.html
2021-03-23 v3 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00152.html
2021-03-24 v4 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00157.html
2021-03-26 v5 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00159.html
2021-03-31 v5 merged upstream in nf-next bb4052e57b5b ("audit: log nftables configuration change events once per table")
2021-03-31 FW found UAF: nf-next fix e4d272948d25 pablo@netfilter.org ("netfilter: nf_tables: use-after-free")
2021-03-31 v5 merged upstream in nf-next forced update c520292f29b8 ("audit: log nftables configuration change events once per table")
2021-04-02 07:45 Dan Carpenter dadf33c9f6b5 ("netfilter: nftables: fix a warning message in nf_tables_commit_audit_collect()")
Currently, iptables, ip6tables, arptables and ebtables table registration/replacement/unregistration configuration information is logged for the native (legacy) iptables setsockopt API, but not for the nftables netlink API, which is used by the nft-variant of iptables in addition to nftables itself.
Add calls to log the config actions in the nftables netlink api. It may require a new record type since the operations appear to be per rule rather than per table.
The likely candidate would be net/netfilter/nf_tables_api.c:nf_tables_commit().
See the previous issues for record format discussions and commits:
https://github.com/linux-audit/audit-kernel/issues/25
https://github.com/linux-audit/audit-kernel/issues/35
https://github.com/linux-audit/audit-kernel/issues/43
https://github.com/linux-audit/audit-kernel/issues/44
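A defender-side parser for the NETFILTER_CFG records that this issue asks the nftables netlink path to emit, added here as an example and not code from the issue, the kernel or the audit project. It assumes the field layout written by audit_log_nfcfg (table=, family=, entries=, op=, pid=, subj=, comm=), xt_* op names for the legacy setsockopt path and nft_* names for nftables, and the table:generation form introduced by the once-per-table change; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines (not captured output). The NETFILTER_CFG field
# layout below is an assumption for this example: legacy iptables table ops
# carry xt_* op values, nftables ops carry nft_* values, and the per-table
# commit record uses table=<name>:<generation> with entries= counting the
# operations batched for that table.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1617200000.001:101): table=filter family=2 entries=4 op=xt_replace pid=1200 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="iptables"
type=NETFILTER_CFG msg=audit(1617200001.002:102): table=filter family=2 entries=0 op=nft_register_table pid=1201 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="nft"
type=NETFILTER_CFG msg=audit(1617200001.003:103): table=filter family=2 entries=0 op=nft_register_chain pid=1201 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="nft"
type=NETFILTER_CFG msg=audit(1617200001.004:104): table=filter family=2 entries=0 op=nft_register_rule pid=1201 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="nft"
type=NETFILTER_CFG msg=audit(1617200002.005:105): table=filter:7 family=2 entries=3 op=nft_register_gen pid=1202 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm="nft"
type=SYSCALL msg=audit(1617200002.006:106): arch=c000003e syscall=46 success=yes exit=0 items=0 pid=1202 comm="nft"
"""

NFCFG_RE = re.compile(
    r'type=NETFILTER_CFG msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'table=(?P<table>\S+) family=(?P<family>\d+) entries=(?P<entries>\d+) '
    r'op=(?P<op>\S+) pid=(?P<pid>\d+)(?: subj=(?P<subj>\S+))? comm="(?P<comm>[^"]*)"'
)


def parse_nfcfg(text):
    """Return one dict per NETFILTER_CFG record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = NFCFG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Split the "name:generation" form so the generation is usable on its own.
        name, _, gen = rec["table"].partition(":")
        rec["table"], rec["generation"] = name, (int(gen) if gen else None)
        for key in ("family", "entries", "pid", "serial"):
            rec[key] = int(rec[key])
        # Which configuration path produced the record: legacy setsockopt or netlink.
        rec["api"] = "nft" if rec["op"].startswith("nft_") else "xt"
        records.append(rec)
    return records


def summarize(records):
    """Count ops per (api, family, table) so per-rule and per-table records compare."""
    ops = defaultdict(Counter)
    for rec in records:
        ops[(rec["api"], rec["family"], rec["table"])][rec["op"]] += 1
    return ops
```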