With audit logging being supported by nftables as a simple (fake) log level, translating AUDIT target is easy. Especially since xt_AUDIT in kernel doesn't quite care about --type parameter. Signed-off-by: Phil Sutter <phil@xxxxxx> --- extensions/libxt_AUDIT.c | 11 +++++++++++ extensions/libxt_AUDIT.txlate | 8 ++++++++ 2 files changed, 19 insertions(+) create mode 100644 extensions/libxt_AUDIT.txlate diff --git a/extensions/libxt_AUDIT.c b/extensions/libxt_AUDIT.c index 86a61cbe72022..f7832dee72d56 100644 --- a/extensions/libxt_AUDIT.c +++ b/extensions/libxt_AUDIT.c @@ -82,6 +82,16 @@ static void audit_save(const void *ip, const struct xt_entry_target *target) } } +static int audit_xlate(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) +{ + /* audit type is merely sanity checked by xt_AUDIT.ko, + * so nftables doesn't even support it */ + + xt_xlate_add(xl, "log level audit"); + return 1; +} + static struct xtables_target audit_tg_reg = { .name = "AUDIT", .version = XTABLES_VERSION, @@ -93,6 +103,7 @@ static struct xtables_target audit_tg_reg = { .save = audit_save, .x6_parse = audit_parse, .x6_options = audit_opts, + .xlate = audit_xlate, }; void _init(void) diff --git a/extensions/libxt_AUDIT.txlate b/extensions/libxt_AUDIT.txlate new file mode 100644 index 0000000000000..abd11eaeb0a25 --- /dev/null +++ b/extensions/libxt_AUDIT.txlate @@ -0,0 +1,8 @@ +iptables-translate -t filter -A INPUT -j AUDIT --type accept +nft add rule ip filter INPUT counter log level audit + +iptables-translate -t filter -A INPUT -j AUDIT --type drop +nft add rule ip filter INPUT counter log level audit + +iptables-translate -t filter -A INPUT -j AUDIT --type reject +nft add rule ip filter INPUT counter log level audit -- 2.18.0