log: Add support for audit logging

This is implemented via a pseudo log level. The kernel ignores any other
parameter, so reject those at evaluation stage. Audit logging is
therefore simply a matter of:

| log level audit

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 660168ab924a3b7394578b3968254ded125d3c4e..51d54d6780abf16ad8bf97bc5462d2b3a5dac716 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1055,6 +1055,11 @@ enum nft_log_attributes {
 };
 #define NFTA_LOG_MAX           (__NFTA_LOG_MAX - 1)
 
+/**
+ * LOGLEVEL_AUDIT - a pseudo log level enabling audit logging
+ */
+#define LOGLEVEL_AUDIT         8
+
 /**
  * enum nft_queue_attributes - nf_tables queue expression netlink attributes
  *

diff --git a/src/evaluate.c b/src/evaluate.c
index 4eb36e2d387924afe3b8a31422459217347bc622..33733c0e73075ae2a4680198fbf198dc1fba4897 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2562,6 +2562,10 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
                        return stmt_error(ctx, stmt,
                                  "flags and group are mutually exclusive");
        }
+       if (stmt->log.level == LOGLEVEL_AUDIT &&
+           (stmt->log.flags & ~STMT_LOG_LEVEL || stmt->log.logflags))
+               return stmt_error(ctx, stmt,
+                                 "log level audit doesn't support any further options");
        return 0;
 }
 

diff --git a/src/parser_bison.y b/src/parser_bison.y
index b67dc69df391379aa2038c22a95b0e6b2fda2444..d13eaa666a1e03869f7bca34c67be13275aefeda 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2227,6 +2227,8 @@ level_type                :       string
                                        $$ = LOG_INFO;
                                else if (!strcmp("debug", $1))
                                        $$ = LOG_DEBUG;
+                               else if (!strcmp("audit", $1))
+                                       $$ = LOGLEVEL_AUDIT;
                                else {
                                        erec_queue(error(&@1, "invalid log level"),
                                                   state->msgs);

diff --git a/src/statement.c b/src/statement.c
index ff4c8eb610ac1c696664e8ca51e007d181f33542..4a646e06fc2bd8006b3192e570e72f172ab4b8a8 100644 (file)
--- a/src/statement.c
+++ b/src/statement.c
@@ -220,7 +220,7 @@ struct stmt *objref_stmt_alloc(const struct location *loc)
        return stmt;
 }
 
-static const char *syslog_level[LOG_DEBUG + 1] = {
+static const char *syslog_level[LOGLEVEL_AUDIT + 1] = {
        [LOG_EMERG]     = "emerg",
        [LOG_ALERT]     = "alert",
        [LOG_CRIT]      = "crit",
@@ -229,11 +229,12 @@ static const char *syslog_level[LOG_DEBUG + 1] = {
        [LOG_NOTICE]    = "notice",
        [LOG_INFO]      = "info",
        [LOG_DEBUG]     = "debug",
+       [LOGLEVEL_AUDIT] = "audit"
 };
 
 const char *log_level(uint32_t level)
 {
-       if (level > LOG_DEBUG)
+       if (level > LOGLEVEL_AUDIT)
                return "unknown";
 
        return syslog_level[level];
@@ -243,7 +244,7 @@ int log_level_parse(const char *level)
 {
        int i;
 
-       for (i = 0; i <= LOG_DEBUG; i++) {
+       for (i = 0; i <= LOGLEVEL_AUDIT; i++) {
                if (syslog_level[i] &&
                    !strcmp(level, syslog_level[i]))
                        return i;

diff --git a/tests/py/any/log.t b/tests/py/any/log.t
index d1b4ab623c4de04daca76a68d588b64c56061593..f4ccaf05871357f0a84aebfd3d356cfc8983129f 100644 (file)
--- a/tests/py/any/log.t
+++ b/tests/py/any/log.t
@@ -15,10 +15,18 @@ log level warn;ok;log
 log level notice;ok
 log level info;ok
 log level debug;ok
+log level audit;ok
 
 log level emerg group 2;fail
 log level alert group 2 prefix "log test2";fail
 
+# log level audit must reject all other parameters
+log level audit prefix "foo";fail
+log level audit group 42;fail
+log level audit snaplen 23;fail
+log level audit queue-threshold 1337;fail
+log level audit flags all;fail
+
 log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2 snaplen 33
 # TODO: Add an exception: 'queue-threshold' attribute needs 'group' attribute
 # The correct rule is log group 2 queue-threshold 2

diff --git a/tests/py/any/log.t.json b/tests/py/any/log.t.json
index 9c89dff87531531e5a481ae02d445f232e4821b0..7bcc20e829e3ede701cfe7f98ca952e83a1e67f5 100644 (file)
--- a/tests/py/any/log.t.json
+++ b/tests/py/any/log.t.json
@@ -77,6 +77,15 @@
     }
 ]
 
+# log level audit
+[
+    {
+        "log": {
+            "level": "audit"
+        }
+    }
+]
+
 # log prefix aaaaa-aaaaaa group 2 snaplen 33
 [
     {

diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload
index ffb914d20de5fa4817e00b08e5ab67b0251d0e46..1330445b8a9ec37885683e041106c4b67bf7df5c 100644 (file)
--- a/tests/py/any/log.t.payload
+++ b/tests/py/any/log.t.payload
@@ -34,6 +34,10 @@ ip test-ip4 output
 ip test-ip4 output
   [ log level 7 ]
 
+# log level audit
+ip test-ip4 output
+  [ log level 8 ]
+
 # log prefix aaaaa-aaaaaa group 2 snaplen 33
 ip test-ip4 output
   [ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0 ]