From nobody Fri Dec 19 18:53:12 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 071FE33CEBD for ; Thu, 6 Nov 2025 16:53:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762448007; cv=none; b=jiXJ0qx9Tyd+8A2YKuIgBWH5T5Yczlgzpo0o4a8tNcMP6tG1F2AD+cHdQTrafsFhd7PJ2BWkauuRa619WxI3jnp1Ag8sG8zur2A6h18UTX/QSb24wnedy381YF1eZjgEhBAIPYDshUpctamqdI1CwLFQ5gYUA7b4xRcqa4xz3us= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762448007; c=relaxed/simple; bh=pS1lFCWx5tuvC5+eu474zjoAAD+SpYjnhcsbSqP//f8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PgiKYF3vGOq7CV+tUOtZdwoAbjv9hvdtTYcWGtGqPn69cwHPaYyAnlMagmAEWCwX7LEitOn37bdCeg7TbVO4xG5kd0u5BESWZZzKw6UZ8o+kLEGNYyGym3BuWOUo1fCWw873CLg2Py+Zjoekn73FFmaSRm2eV7idpSr0R4lQTV4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Kea55saz; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Kea55saz" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1762448005; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XeA958fGMLqZccrumOoOPagI0ws0mF6lRuKP6lhDsH4=; b=Kea55sazMMacLPrv1qwtiL44dwgthx5s/4OpdlL9z5d74xxFDOTSjh7r+52VfL+P08vXLm m2HLJHBe7MiTrEbWQUNNDiYV86rJWYoZG1oWBoe6RI0giZ73H2UY5wwmKyHLi1V4b4L+ME flUlsNa4MavqUd7kZcLQBL6lEZ4mSLQ= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-649-BDqGrPTGOpecwmde_szCIQ-1; Thu, 06 Nov 2025 11:53:21 -0500 X-MC-Unique: BDqGrPTGOpecwmde_szCIQ-1 X-Mimecast-MFC-AGG-ID: BDqGrPTGOpecwmde_szCIQ_1762448000 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id F06E81801235; Thu, 6 Nov 2025 16:53:19 +0000 (UTC) Received: from wsxc.redhat.com (unknown [10.96.134.113]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 27DCC18004D8; Thu, 6 Nov 2025 16:53:15 +0000 (UTC) From: Ricardo Robaina To: audit@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org Cc: paul@paul-moore.com, eparis@redhat.com, fw@strlen.de, pablo@netfilter.org, kadlec@netfilter.org, Ricardo Robaina Subject: [PATCH v5 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions Date: Thu, 6 Nov 2025 13:53:04 -0300 Message-ID: In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c) have to be kept in sync. Both source files had duplicated versions of audit_ip4() and audit_ip6() functions, which can result in lack of consistency and/or duplicated work. This patch adds two helper functions in audit.c that can be called by netfilter code commonly, aiming to improve maintainability and consistency. Signed-off-by: Ricardo Robaina --- include/linux/audit.h | 12 +++++++++++ kernel/audit.c | 39 ++++++++++++++++++++++++++++++++++++ net/netfilter/nft_log.c | 43 ++++------------------------------------ net/netfilter/xt_AUDIT.c | 43 ++++------------------------------------ 4 files changed, 59 insertions(+), 78 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 536f8ee8da81..0f16ced08fdb 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -195,6 +195,8 @@ extern int audit_log_subj_ctx(struct audit_buffer *ab, = struct lsm_prop *prop); extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *pro= p); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); +extern bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *= skb); +extern bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *= skb); =20 extern int audit_update_lsm_rules(void); =20 @@ -272,6 +274,16 @@ static inline int audit_log_task_context(struct audit_= buffer *ab) static inline void audit_log_task_info(struct audit_buffer *ab) { } =20 +static inline bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk= _buff *skb) +{ + return false; +} + +static inline bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk= _buff *skb) +{ + return false; +} + static inline kuid_t audit_get_loginuid(struct task_struct *tsk) { return INVALID_UID; diff --git a/kernel/audit.c b/kernel/audit.c index 26a332ffb1b8..09764003db74 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -58,6 +58,8 @@ #include #include #include +#include +#include =20 #include "audit.h" =20 @@ -2538,6 +2540,43 @@ static void audit_log_set_loginuid(kuid_t koldloginu= id, kuid_t kloginuid, audit_log_end(ab); } =20 +bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb) +{ + struct iphdr _iph; + const struct iphdr *ih; + + ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_i= ph); + if (!ih) + return false; + + audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", + &ih->saddr, &ih->daddr, ih->protocol); + + return true; +} +EXPORT_SYMBOL(audit_log_packet_ip4); + +bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *skb) +{ + struct ipv6hdr _ip6h; + const struct ipv6hdr *ih; + u8 nexthdr; + __be16 frag_off; + + ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_= ip6h); + if (!ih) + return false; + + nexthdr =3D ih->nexthdr; + ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, = &frag_off); + + audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", + &ih->saddr, &ih->daddr, nexthdr); + + return true; +} +EXPORT_SYMBOL(audit_log_packet_ip6); + /** * audit_set_loginuid - set current task's loginuid * @loginuid: loginuid value diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c index e35588137995..f53fb4222134 100644 --- a/net/netfilter/nft_log.c +++ b/net/netfilter/nft_log.c @@ -26,41 +26,6 @@ struct nft_log { char *prefix; }; =20 -static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct iphdr _iph; - const struct iphdr *ih; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_i= ph); - if (!ih) - return false; - - audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", - &ih->saddr, &ih->daddr, ih->protocol); - - return true; -} - -static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct ipv6hdr _ip6h; - const struct ipv6hdr *ih; - u8 nexthdr; - __be16 frag_off; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_= ip6h); - if (!ih) - return false; - - nexthdr =3D ih->nexthdr; - ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, = &frag_off); - - audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", - &ih->saddr, &ih->daddr, nexthdr); - - return true; -} - static void nft_log_eval_audit(const struct nft_pktinfo *pkt) { struct sk_buff *skb =3D pkt->skb; @@ -80,18 +45,18 @@ static void nft_log_eval_audit(const struct nft_pktinfo= *pkt) case NFPROTO_BRIDGE: switch (eth_hdr(skb)->h_proto) { case htons(ETH_P_IP): - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; + fam =3D audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1; break; case htons(ETH_P_IPV6): - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; + fam =3D audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1; break; } break; case NFPROTO_IPV4: - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; + fam =3D audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1; break; case NFPROTO_IPV6: - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; + fam =3D audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1; break; } =20 diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c index b6a015aee0ce..28cdd6435d56 100644 --- a/net/netfilter/xt_AUDIT.c +++ b/net/netfilter/xt_AUDIT.c @@ -28,41 +28,6 @@ MODULE_ALIAS("ip6t_AUDIT"); MODULE_ALIAS("ebt_AUDIT"); MODULE_ALIAS("arpt_AUDIT"); =20 -static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct iphdr _iph; - const struct iphdr *ih; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_i= ph); - if (!ih) - return false; - - audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", - &ih->saddr, &ih->daddr, ih->protocol); - - return true; -} - -static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct ipv6hdr _ip6h; - const struct ipv6hdr *ih; - u8 nexthdr; - __be16 frag_off; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_= ip6h); - if (!ih) - return false; - - nexthdr =3D ih->nexthdr; - ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, = &frag_off); - - audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", - &ih->saddr, &ih->daddr, nexthdr); - - return true; -} - static unsigned int audit_tg(struct sk_buff *skb, const struct xt_action_param *par) { @@ -81,18 +46,18 @@ audit_tg(struct sk_buff *skb, const struct xt_action_pa= ram *par) case NFPROTO_BRIDGE: switch (eth_hdr(skb)->h_proto) { case htons(ETH_P_IP): - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; + fam =3D audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1; break; case htons(ETH_P_IPV6): - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; + fam =3D audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1; break; } break; case NFPROTO_IPV4: - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; + fam =3D audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1; break; case NFPROTO_IPV6: - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; + fam =3D audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1; break; } =20 --=20 2.51.1