[iptables PATCH 01/10] extensions: AUDIT: Provide translation

With audit logging being supported by nftables as a simple (fake) log
level, translating the AUDIT target is easy. Especially since xt_AUDIT in
the kernel doesn't quite care about the --type parameter.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libxt_AUDIT.c      | 11 +++++++++++
 extensions/libxt_AUDIT.txlate |  8 ++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 extensions/libxt_AUDIT.txlate

diff --git a/extensions/libxt_AUDIT.c b/extensions/libxt_AUDIT.c
index 86a61cbe72022..f7832dee72d56 100644
--- a/extensions/libxt_AUDIT.c
+++ b/extensions/libxt_AUDIT.c
@@ -82,6 +82,16 @@ static void audit_save(const void *ip, const struct xt_entry_target *target)
 	}
 }
 
+static int audit_xlate(struct xt_xlate *xl,
+		       const struct xt_xlate_tg_params *params)
+{
+	/* audit type is merely sanity checked by xt_AUDIT.ko,
+	 * so nftables doesn't even support it */
+
+	xt_xlate_add(xl, "log level audit");
+	return 1;
+}
+
 static struct xtables_target audit_tg_reg = {
 	.name		= "AUDIT",
 	.version	= XTABLES_VERSION,
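
Review bot: audit_xlate() never reads params, so every AUDIT rule translates to the same fixed string "log level audit" and the function returns 1 (success) regardless of the --type given. That matches the comment, but the comment closes with "*/" on the same line as its text and is followed by a blank line before xt_xlate_add(); suggest moving "*/" to its own line and dropping the blank line so the explanation sits directly above the call it justifies.
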
@@ -93,6 +103,7 @@ static struct xtables_target audit_tg_reg = {
 	.save		= audit_save,
 	.x6_parse	= audit_parse,
 	.x6_options	= audit_opts,
+	.xlate		= audit_xlate,
 };
 
 void _init(void)
diff --git a/extensions/libxt_AUDIT.txlate b/extensions/libxt_AUDIT.txlate
new file mode 100644
index 0000000000000..abd11eaeb0a25
--- /dev/null
+++ b/extensions/libxt_AUDIT.txlate
@@ -0,0 +1,8 @@
+iptables-translate -t filter -A INPUT -j AUDIT --type accept
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type drop
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type reject
+nft add rule ip filter INPUT counter log level audit
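
Review bot: The three expected outputs are identical for --type accept, drop and reject, so the translated ruleset no longer carries the type and nothing in this file marks that as intended. The commit message only says the kernel "doesn't quite care" about --type; suggest stating there outright that the translation discards --type on purpose, so anyone comparing audit rules before and after a migration reads the identical lines as documented behaviour rather than a missed case.
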
-- 
2.18.0



