Since nftables exposes audit logging as a simple (pseudo) log level, translating the AUDIT target is straightforward — especially because the in-kernel xt_AUDIT does little more than validate the --type parameter, so its value need not be carried over.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
}
}
+static int audit_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_tg_params *params)
+{
+ /* audit type is merely sanity checked by xt_AUDIT.ko,
+ * so nftables doesn't even support it */
+
+ xt_xlate_add(xl, "log level audit");
+ return 1;
+}
+
static struct xtables_target audit_tg_reg = {
.name = "AUDIT",
.version = XTABLES_VERSION,
.save = audit_save,
.x6_parse = audit_parse,
.x6_options = audit_opts,
+ .xlate = audit_xlate,
};
void _init(void)
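Review bot: The comment in audit_xlate should state explicitly that the translation is lossy by design — the `--type` value parsed by audit_parse is dropped and all three types (accept/drop/reject, as the new .txlate cases show) emit the identical `log level audit` rule — rather than only saying nftables "doesn't even support it", so a later maintainer does not mistake the unused `params` for an oversight. Something like `/* --type is deliberately dropped: xt_AUDIT.ko only validates it and nft "log level audit" has no equivalent, so every type translates identically */` would capture this. Whether the kernel truly ignores the type on all supported kernel versions is not visible here and is worth confirming before relying on the claim; if older kernels did act on it, the note should say the translation is only equivalent on newer ones. The two closing braces at the top of the hunk belong to a function that starts outside it.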
--- /dev/null
+iptables-translate -t filter -A INPUT -j AUDIT --type accept
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type drop
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type reject
+nft add rule ip filter INPUT counter log level audit