From: Ricardo Robaina
To: audit@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Cc: paul@paul-moore.com, eparis@redhat.com, fw@strlen.de, pablo@netfilter.org, kadlec@netfilter.org, Ricardo Robaina
Subject: [PATCH v7 1/2] audit: add audit_log_nf_skb helper function
Date: Fri, 14 Nov 2025 09:36:16 -0300
Content-Type: text/plain; charset="utf-8"

Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c) has to be kept in sync. Both source files had duplicated versions of the audit_ip4() and audit_ip6() functions, which can result in a lack of consistency and/or duplicated work.

This patch adds a helper function in audit.c that can be called by netfilter code commonly, aiming to improve maintainability and consistency.

Suggested-by: Florian Westphal
Suggested-by: Paul Moore
Signed-off-by: Ricardo Robaina
Acked-by: Florian Westphal
---
 include/linux/audit.h    |  8 +++++
 kernel/audit.c           | 64 ++++++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  | 58 +-----------------------------------
 net/netfilter/xt_AUDIT.c | 58 +-----------------------------------
 4 files changed, 74 insertions(+), 114 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 536f8ee8da81..d8173af498ba 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -195,6 +195,8 @@ extern int audit_log_subj_ctx(struct audit_buffer *ab, = struct lsm_prop *prop); extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *pro= p); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); +extern int audit_log_nf_skb(struct audit_buffer *ab, + const struct sk_buff *skb, u8 nfproto); =20 extern int audit_update_lsm_rules(void); =20 @@ -272,6 +274,12 @@ static inline int audit_log_task_context(struct audit_= buffer *ab) static inline void audit_log_task_info(struct audit_buffer *ab) { } =20 +static inline int audit_log_nf_skb(struct audit_buffer *ab, + const struct sk_buff *skb, u8 nfproto) +{ + return 0; +} + static inline kuid_t audit_get_loginuid(struct task_struct *tsk) { return INVALID_UID; diff --git a/kernel/audit.c b/kernel/audit.c index 26a332ffb1b8..5c302c4592db 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -58,6 +58,8 @@ #include #include #include +#include +#include =20 #include "audit.h" =20 
@@ -2488,6 +2490,68 @@ void audit_log_path_denied(int type, const char *ope= ration) audit_log_end(ab); } =20 +int audit_log_nf_skb(struct audit_buffer *ab, + const struct sk_buff *skb, u8 nfproto) +{ + /* find the IP protocol in the case of NFPROTO_BRIDGE */ + if (nfproto =3D=3D NFPROTO_BRIDGE) { + switch (eth_hdr(skb)->h_proto) { + case htons(ETH_P_IP): + nfproto =3D NFPROTO_IPV4; + break; + case htons(ETH_P_IPV6): + nfproto =3D NFPROTO_IPV6; + break; + default: + goto unknown_proto; + } + } + + switch (nfproto) { + case NFPROTO_IPV4: { + struct iphdr iph; + const struct iphdr *ih; + + ih =3D skb_header_pointer(skb, skb_network_offset(skb), + sizeof(iph), &iph); + if (!ih) + return -ENOMEM; + + audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", + &ih->saddr, &ih->daddr, ih->protocol); + break; + } + case NFPROTO_IPV6: { + struct ipv6hdr iph; + const struct ipv6hdr *ih; + u8 nexthdr; + __be16 frag_off; + + ih =3D skb_header_pointer(skb, skb_network_offset(skb), + sizeof(iph), &iph); + if (!ih) + return -ENOMEM; + + nexthdr =3D ih->nexthdr; + ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph), + &nexthdr, &frag_off); + + audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", + &ih->saddr, &ih->daddr, nexthdr); + break; + } + default: + goto unknown_proto; + } + + return 0; + +unknown_proto: + audit_log_format(ab, " saddr=3D? daddr=3D? proto=3D?"); + return -EPFNOSUPPORT; +} +EXPORT_SYMBOL(audit_log_nf_skb); + /* global counter which is incremented every time something logs in */ static atomic_t session_id =3D ATOMIC_INIT(0); =20 diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c index e35588137995..bf01cf8a8907 100644 --- a/net/netfilter/nft_log.c +++ b/net/netfilter/nft_log.c 
@@ -26,46 +26,10 @@ struct nft_log { char *prefix; }; =20 -static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct iphdr _iph; - const struct iphdr *ih; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_i= ph); - if (!ih) - return false; - - audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", - &ih->saddr, &ih->daddr, ih->protocol); - - return true; -} - -static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct ipv6hdr _ip6h; - const struct ipv6hdr *ih; - u8 nexthdr; - __be16 frag_off; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_= ip6h); - if (!ih) - return false; - - nexthdr =3D ih->nexthdr; - ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, = &frag_off); - - audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", - &ih->saddr, &ih->daddr, nexthdr); - - return true; -} - static void nft_log_eval_audit(const struct nft_pktinfo *pkt) { struct sk_buff *skb =3D pkt->skb; struct audit_buffer *ab; - int fam =3D -1; =20 if (!audit_enabled) return; @@ -76,27 +40,7 @@ static void nft_log_eval_audit(const struct nft_pktinfo = *pkt) =20 audit_log_format(ab, "mark=3D%#x", skb->mark); =20 - switch (nft_pf(pkt)) { - case NFPROTO_BRIDGE: - switch (eth_hdr(skb)->h_proto) { - case htons(ETH_P_IP): - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; - break; - case htons(ETH_P_IPV6): - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; - break; - } - break; - case NFPROTO_IPV4: - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; - break; - case NFPROTO_IPV6: - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; - break; - } - - if (fam =3D=3D -1) - audit_log_format(ab, " saddr=3D? daddr=3D? proto=3D-1"); + audit_log_nf_skb(ab, skb, nft_pf(pkt)); =20 audit_log_end(ab); } diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c index b6a015aee0ce..4c18606b8654 100644 --- a/net/netfilter/xt_AUDIT.c +++ b/net/netfilter/xt_AUDIT.c 
@@ -28,46 +28,10 @@ MODULE_ALIAS("ip6t_AUDIT"); MODULE_ALIAS("ebt_AUDIT"); MODULE_ALIAS("arpt_AUDIT"); =20 -static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct iphdr _iph; - const struct iphdr *ih; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_i= ph); - if (!ih) - return false; - - audit_log_format(ab, " saddr=3D%pI4 daddr=3D%pI4 proto=3D%hhu", - &ih->saddr, &ih->daddr, ih->protocol); - - return true; -} - -static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) -{ - struct ipv6hdr _ip6h; - const struct ipv6hdr *ih; - u8 nexthdr; - __be16 frag_off; - - ih =3D skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_= ip6h); - if (!ih) - return false; - - nexthdr =3D ih->nexthdr; - ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, = &frag_off); - - audit_log_format(ab, " saddr=3D%pI6c daddr=3D%pI6c proto=3D%hhu", - &ih->saddr, &ih->daddr, nexthdr); - - return true; -} - static unsigned int audit_tg(struct sk_buff *skb, const struct xt_action_param *par) { struct audit_buffer *ab; - int fam =3D -1; =20 if (audit_enabled =3D=3D AUDIT_OFF) goto errout; @@ -77,27 +41,7 @@ audit_tg(struct sk_buff *skb, const struct xt_action_par= am *par) =20 audit_log_format(ab, "mark=3D%#x", skb->mark); =20 - switch (xt_family(par)) { - case NFPROTO_BRIDGE: - switch (eth_hdr(skb)->h_proto) { - case htons(ETH_P_IP): - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; - break; - case htons(ETH_P_IPV6): - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; - break; - } - break; - case NFPROTO_IPV4: - fam =3D audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; - break; - case NFPROTO_IPV6: - fam =3D audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; - break; - } - - if (fam =3D=3D -1) - audit_log_format(ab, " saddr=3D? daddr=3D? proto=3D-1"); + audit_log_nf_skb(ab, skb, xt_family(par)); =20 audit_log_end(ab); =20 --=20 2.51.1
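Review bot: in the include/linux/audit.h hunks, the new prototype takes `const struct sk_buff *skb` but the hunk adds no forward declaration of `struct sk_buff`; unless audit.h already has one in scope, add `struct sk_buff;` above the prototype so that files including audit.h without the networking headers do not get a "declared inside parameter list" warning. The CONFIG_AUDIT=n stub also returns 0 (success) while logging nothing, which differs from the real function's -EPFNOSUPPORT/-ENOMEM contract; that is harmless today because both callers ignore the return value, but it should be stated in the function's documentation.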
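Review bot: in the kernel/audit.c hunk adding audit_log_nf_skb(), the two `if (!ih) return -ENOMEM;` paths emit no saddr/daddr/proto fields at all, whereas the code being replaced fell through to the "saddr=? daddr=? proto=-1" placeholder when audit_ip4()/audit_ip6() returned false. Since nft_log.c and xt_AUDIT.c both ignore the return value, a packet whose network header cannot be pulled now produces an audit record with those fields missing, which breaks consumers that expect a fixed field set. Route those paths to `unknown_proto` (or a sibling label that logs the same placeholder) and return -EINVAL rather than -ENOMEM, which misreports a short or malformed header as an allocation failure. As this is an exported symbol, a kernel-doc comment stating the three return values would also be appropriate.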
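Review bot: in the second net/netfilter/nft_log.c hunk, replacing `audit_log_format(ab, " saddr=? daddr=? proto=-1");` with the helper changes the placeholder emitted for unknown families to `proto=?`; this is a user-visible change to the audit record format that the commit message does not mention. Either keep `proto=-1` in the helper's unknown_proto path or call the change out explicitly in the changelog so audit userspace parsers can be checked.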
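Review bot: in the first net/netfilter/xt_AUDIT.c hunk (and likewise the first nft_log.c hunk), removing audit_ip4()/audit_ip6() takes away the only visible uses of struct iphdr, struct ipv6hdr, skb_header_pointer() and ipv6_skip_exthdr() in each file; check whether the headers that supplied them are still needed and drop any that are now unused, so the cleanup does not leave dead includes behind.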