This is implemented via a pseudo log level. The kernel ignores any other parameter, so reject those at evaluation stage. Audit logging is therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 include/linux/netfilter/nf_tables.h | 5 +++++
 src/evaluate.c | 4 ++++
 src/parser_bison.y | 2 ++
 src/statement.c | 7 ++++---
 tests/py/any/log.t | 8 ++++++++
 tests/py/any/log.t.json | 9 +++++++++
 tests/py/any/log.t.payload | 4 ++++
 7 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 660168ab924a3..51d54d6780abf 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1055,6 +1055,11 @@ enum nft_log_attributes {
 };
 #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
 
+/**
+ * LOGLEVEL_AUDIT - a pseudo log level enabling audit logging
+ */
+#define LOGLEVEL_AUDIT 8
+
 /**
  * enum nft_queue_attributes - nf_tables queue expression netlink attributes
  *
diff --git a/src/evaluate.c b/src/evaluate.c
index 4eb36e2d38792..33733c0e73075 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2562,6 +2562,10 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
 			return stmt_error(ctx, stmt,
 					  "flags and group are mutually exclusive");
 	}
 
+	if (stmt->log.level == LOGLEVEL_AUDIT &&
+	    (stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags))
+		return stmt_error(ctx, stmt,
+				  "log level audit doesn't support any further options");
 	return 0;
 }
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 1eb6ec6e93f25..bf8b0e93f7438 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2227,6 +2227,8 @@ level_type : string
 					$$ = LOG_INFO;
 				else if (!strcmp("debug", $1))
 					$$ = LOG_DEBUG;
+				else if (!strcmp("audit", $1))
+					$$ = LOGLEVEL_AUDIT;
 				else {
 					erec_queue(error(&@1, "invalid log level"),
 						   state->msgs);
diff --git a/src/statement.c b/src/statement.c
index ff4c8eb610ac1..4a646e06fc2bd 100644
--- a/src/statement.c
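Review bot: `LOGLEVEL_AUDIT` is defined in include/linux/netfilter/nf_tables.h, nft's copy of the kernel UAPI header, which is normally re-synced verbatim from the kernel tree; a definition the kernel header does not carry will be silently dropped by the next sync, and a kernel-side definition under a different name or value would then leave the two out of step. Defining the constant in an nft-private header next to the other log statement definitions, or at least stating in the comment that the value mirrors what the kernel interprets as audit, would make the dependency explicit, e.g. `* LOGLEVEL_AUDIT - pseudo log level (8) the kernel treats as a request for audit logging`. The comment could also record the contract the evaluation code in this patch relies on: with this level set the kernel ignores every other log option.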
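Review bot: The new guard `(stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags)` mixes a bitwise `&` with `||` without inner parentheses; precedence makes it correct, but it reads like a likely mistake and some warning sets flag exactly this shape, so `((stmt->log.flags & ~STMT_LOG_LEVEL) || stmt->log.logflags)` is clearer. A short comment above the check would help a reader who has not seen the commit message: `/* the kernel ignores every other option with the audit pseudo level, so refuse them up front */`. stmt_evaluate_log begins before this hunk, so whether stmt->log.flags is set only for explicitly given options (as the tests for snaplen and queue-threshold presume) cannot be confirmed from here.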
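Review bot: The level_type rule now carries a second copy of the name-to-level mapping that statement.c's syslog_level[] and log_level_parse() already hold (see the src/statement.c hunks in this patch), so every new level has to be added in two places and this patch has to touch both to stay consistent. If log_level_parse() signals an unknown name with a negative return, the whole if/else chain could collapse into one lookup, e.g. `int lvl = log_level_parse($1); if (lvl < 0) { erec_queue(error(&@1, "invalid log level"), state->msgs); ... } $$ = lvl;`, leaving a single source of truth. The rule's action begins and ends outside the hunk, so the surrounding error path is only partly visible here.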
+++ b/src/statement.c
@@ -220,7 +220,7 @@ struct stmt *objref_stmt_alloc(const struct location *loc)
 	return stmt;
 }
 
-static const char *syslog_level[LOG_DEBUG + 1] = {
+static const char *syslog_level[LOGLEVEL_AUDIT + 1] = {
 	[LOG_EMERG] = "emerg",
 	[LOG_ALERT] = "alert",
 	[LOG_CRIT] = "crit",
@@ -229,11 +229,12 @@ static const char *syslog_level[LOG_DEBUG + 1] = {
 	[LOG_NOTICE] = "notice",
 	[LOG_INFO] = "info",
 	[LOG_DEBUG] = "debug",
+	[LOGLEVEL_AUDIT] = "audit"
 };
 
 const char *log_level(uint32_t level)
 {
-	if (level > LOG_DEBUG)
+	if (level > LOGLEVEL_AUDIT)
 		return "unknown";
 
 	return syslog_level[level];
@@ -243,7 +244,7 @@ int log_level_parse(const char *level)
 {
 	int i;
 
-	for (i = 0; i <= LOG_DEBUG; i++) {
+	for (i = 0; i <= LOGLEVEL_AUDIT; i++) {
 		if (syslog_level[i] &&
 		    !strcmp(level, syslog_level[i]))
 			return i;
diff --git a/tests/py/any/log.t b/tests/py/any/log.t
index d1b4ab623c4de..f4ccaf0587135 100644
--- a/tests/py/any/log.t
+++ b/tests/py/any/log.t
@@ -15,10 +15,18 @@ log level warn;ok;log
 log level notice;ok
 log level info;ok
 log level debug;ok
+log level audit;ok
 
 log level emerg group 2;fail
 log level alert group 2 prefix "log test2";fail
 
+# log level audit must reject all other parameters
+log level audit prefix "foo";fail
+log level audit group 42;fail
+log level audit snaplen 23;fail
+log level audit queue-threshold 1337;fail
+log level audit flags all;fail
+
 log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2 snaplen 33
 # TODO: Add an exception: 'queue-threshold' attribute needs 'group' attribute
 # The correct rule is log group 2 queue-threshold 2
diff --git a/tests/py/any/log.t.json b/tests/py/any/log.t.json
index 9c89dff875315..7bcc20e829e3e 100644
--- a/tests/py/any/log.t.json
+++ b/tests/py/any/log.t.json
@@ -77,6 +77,15 @@
     }
 ]
 
+# log level audit
+[
+    {
+        "log": {
+            "level": "audit"
+        }
+    }
+]
+
 # log prefix aaaaa-aaaaaa group 2 snaplen 33
 [
     {
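Review bot: The upper bound of syslog_level[] is now spelled out in three places — the array size in the first statement.c hunk, the `level > LOGLEVEL_AUDIT` check in log_level() in the second, and the loop bound in log_level_parse() in the third — and this patch had to edit all three in lockstep. Deriving the bound from the table itself, `sizeof(syslog_level) / sizeof(syslog_level[0])` (or the project's array-size helper, if one exists), in log_level() and log_level_parse() would make the initializer the single place to extend; log_level() would then compare with `>=`. The added initializer `[LOGLEVEL_AUDIT] = "audit"` also drops the trailing comma the surrounding entries keep, so the next addition will again produce a two-line diff; `[LOGLEVEL_AUDIT] = "audit",` keeps the style. The body of log_level_parse() continues past the third hunk.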
diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload
index ffb914d20de5f..1330445b8a9ec 100644
--- a/tests/py/any/log.t.payload
+++ b/tests/py/any/log.t.payload
@@ -34,6 +34,10 @@ ip test-ip4 output
 ip test-ip4 output
   [ log level 7 ]
 
+# log level audit
+ip test-ip4 output
+  [ log level 8 ]
+
 # log prefix aaaaa-aaaaaa group 2 snaplen 33
 ip test-ip4 output
   [ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0 ]
-- 
2.17.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html