On Tue, Aug 29, 2023 at 07:51:58PM +0200, Phil Sutter wrote:
> Resetting rules' stateful data happens outside of the transaction logic,
> so 'get' and 'dump' handlers have to emit audit log entries themselves.
Also applied to nf, thanks
On Tue, Aug 29, 2023 at 07:51:57PM +0200, Phil Sutter wrote:
> Since set element reset is not integrated into nf_tables' transaction
> logic, an explicit log call is needed, similar to NFT_MSG_GETOBJ_RESET
> handling.
>
> For the sake of simplicity, catchall element reset will always generate
> a
On Tue, Aug 29, 2023 at 07:51:58PM +0200, Phil Sutter wrote:
> Resetting rules' stateful data happens outside of the transaction logic,
> so 'get' and 'dump' handlers have to emit audit log entries themselves.
>
> Cc: Richard Guy Briggs
> Fixes: 8daa8fde3fc3f ("netfilter: nf_tables: Introduce NFT
On Wed, Mar 31, 2021 at 04:53:10PM -0400, Richard Guy Briggs wrote:
> On 2021-03-31 22:22, Pablo Neira Ayuso wrote:
> > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > > Reduce logging of nftables events to a level similar to iptables.
> > > Rest
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32
> portid)
> WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
> }
>
> +static int nf_tables_commit_audit_alloc(struct list_head *adl,
> +
's a UAF, Florian reported. I'm attaching an incremental fix.
nf_tables_commit_audit_collect() refers to the trans object which
might have been already released.
commit e4d272948d25b66d86fc241cefd95281bfb1079e
Author: Pablo Neira Ayuso
Date: Wed Mar 31 22:19:51 2021 +0200
netfilter: nf_
On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote:
[...]
> Netfilter folks, were you planning to pull this via your tree/netdev
> or would you like me to merge this via the audit tree? If the latter,
> I would appreciate it if I could get an ACK from one of you; if the
> former, my ACK is
On Mon, Mar 22, 2021 at 04:49:04PM -0400, Richard Guy Briggs wrote:
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index c1eb5cdb3033..42ba44890523 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
[...]
> @@ -8006,12 +7938,47 @@ stat
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample ev
Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: netfilter-de...@vger.kernel.org
You can carry this tag in your follow up patches.
Acked-by: Pablo Neira Ayuso
Thanks.
> ---
> net/netfilter/nfnetlink_queue.c | 37 +
> 1 file changed, 14 insertions(+
On Wed, Aug 26, 2020 at 07:52:41AM -0700, Casey Schaufler wrote:
> Change netlink netfilter interfaces to use lsmcontext
> pointers, and remove scaffolding.
>
> Reviewed-by: Kees Cook
> Reviewed-by: John Johansen
> Acked-by: Stephen Smalley
> Signed-off-by: Casey Schaufler
> cc: net...@vger.ke
On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote:
> On 2020-06-24 12:03, Pablo Neira Ayuso wrote:
> > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
[...]
> > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables
On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is u
On Mon, Jan 06, 2020 at 01:54:01PM -0500, Richard Guy Briggs wrote:
> There were questions about the presence and cause of unsolicited syscall
> events
> in the logs containing NETFILTER_CFG records and sometimes unaccompanied
> NETFILTER_CFG records.
>
> During testing at least the following lis
On Thu, May 18, 2017 at 01:21:49PM -0400, Richard Guy Briggs wrote:
> There were syscall events unsolicited by any audit rule caused by a missing
> !audit_dummy_context() check before creating an
> iptables/ip6tables/arptables/ebtables NETFILTER_CFG record. Check
> !audit_dummy_context() before cr
On Thu, May 18, 2017 at 01:21:47PM -0400, Richard Guy Briggs wrote:
> Git context diffs were being produced with unhelpful declaration types in the
> place of function names to help identify the function in which changes were
> made.
>
> Normalize x_table function declarations so that git context
Cc'ing Eric Biederman.
On Thu, May 18, 2017 at 01:21:52PM -0400, Richard Guy Briggs wrote:
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 59b63a8..0f77b2a 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -27,6 +27
On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> Even though the skb->data pointer has been moved from the link layer
> header to the network layer header, use the same method to calculate the
> offset in ipv4 and ipv6 routines.
>
> Signed-off-by: Richard Guy Briggs
> ---
>
On Wed, Mar 22, 2017 at 07:43:18AM -0400, Richard Guy Briggs wrote:
> On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
> > On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> > > Even though the skb->data pointer has been moved from the link layer
> > >
On Wed, Mar 01, 2017 at 11:28:02AM -0500, Richard Guy Briggs wrote:
> On 2017-02-28 17:22, Paul Moore wrote:
> > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote:
> > > Eliminate flipping in and out of message fields, dropping fields in the
> > > process.
> > >
> > > Sample raw message f
Hi Paul,
On Wed, Feb 08, 2017 at 06:09:07PM -0500, Paul Moore wrote:
> On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote:
> > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote:
> >> > So while I'm not advocating this is
On Mon, Sep 08, 2014 at 02:11:45PM +0200, Nicolas Dichtel wrote:
> This is already done for x_tables (family AF_INET and AF_INET6), let's do it
> for AF_BRIDGE also.
Applied, thanks Nicolas.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, Sep 05, 2014 at 10:50:15AM +0200, Nicolas Dichtel wrote:
> This is already done for x_tables (family AF_INET and AF_INET6), let's do it
> for AF_BRIDGE also.
>
> Signed-off-by: Nicolas Dichtel
> ---
> net/bridge/netfilter/ebtables.c | 15 +++
> 1 file changed, 15 insertions(+
On Fri, Mar 21, 2014 at 12:44:09PM -0400, Richard Guy Briggs wrote:
> Remove duplicity and simplify code flow by moving the rcu_read_unlock() above
> the condition and let the flow control exit naturally at the end of the
> function.
>
> Signed-off-by: Richard Guy Briggs
> ---
> net/netfilter/nf
On 07/06/11 10:18, Mr Dash Four wrote:
>
>>> Is this a style-type requirement I wasn't aware of? Because from a
>>> syntax point of view the left/right braces aren't necessary.
>>>
>>
>> Aware of it, it's just coding style.
>>
> Thanks for pointing it out (now I know)! Would you like me to
On 06/06/11 15:10, Mr Dash Four wrote:
>
>> Exactly my point. There is no leak if its text or numeric.
>>
> No, there is no leak if it is a text, but there *is* a leak if it is a
> numeric. I think I've made that quite clear.
We don't use numeric secmark anymore in nf_conntrack. Not very famil
On 06/06/11 14:02, Mr Dash Four wrote:
>
>> Minor nitpick. This 'if' needs one {
>>
> Is this a style-type requirement I wasn't aware of? Because from a
> syntax point of view the left/right braces aren't necessary.
Aware of it, it's just coding style.
On 04/06/11 17:12, Mr Dash Four wrote:
> Add SELinux context support to AUDIT target (2nd revision). Typical (raw
> auditd) output after applying this patch would be:
>
> type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52
> inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1
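The raw auditd record quoted above follows the standard "type=T msg=audit(SECONDS.MILLIS:SERIAL): key=value ..." layout, which is what a SIEM or forensic script has to pick apart before NETFILTER_PKT and NETFILTER_CFG events can be correlated. The parser below is an added example, not code from the AUDIT target patch or from anyone on the list. The two sample lines are constructed: the NETFILTER_PKT line is modelled on the one quoted in the thread, and the NETFILTER_CFG field names (table, family, entries, op) are an assumption about that record type rather than something the page states.

```python
"""Parse raw auditd netfilter records (NETFILTER_PKT / NETFILTER_CFG).

Added example, not code from the kernel patches or the list posts.
Header layout "type=T msg=audit(SECONDS.MILLIS:SERIAL): k=v k=v ..." is the
standard raw auditd format.  SAMPLE_LOG is constructed test input; the
NETFILTER_CFG field names in it are an assumption, not taken from the page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: two packet records and one (assumed-layout) config record.
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1
type=NETFILTER_CFG msg=audit(1305852241.001:31013): table=filter family=2 entries=4 op=register
type=NETFILTER_PKT msg=audit(1305852242.500:31014): action=0 hook=3 len=84 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.9
"""

# Header: record type, timestamp (seconds.millis), event serial, then the k=v body.
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Body fields: key=value where value is either a "quoted string" or a bare token.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, Optional[str]]


def parse_record(line: str) -> AuditRecord:
    """Parse one raw audit record; raises ValueError if the header is malformed."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields: Dict[str, Optional[str]] = {}
    for key, value in _FIELD.findall(m.group("body")):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the quoting the kernel puts around strings
        # "?" is how the record marks an unset field (inif=? on an outbound packet)
        fields[key] = None if value == "?" else value
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def parse_log(text: str) -> List[AuditRecord]:
    """Parse every non-empty line of a raw audit log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def group_by_serial(records: List[AuditRecord]) -> Dict[int, List[AuditRecord]]:
    """Group records into events: one serial per event, possibly several records each."""
    events: Dict[int, List[AuditRecord]] = defaultdict(list)
    for rec in records:
        events[rec.serial].append(rec)
    return dict(events)


def packets_by_source(records: List[AuditRecord]) -> Dict[str, int]:
    """Count NETFILTER_PKT records per source address; a cheap way to spot a noisy host."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec.type == "NETFILTER_PKT" and rec.fields.get("saddr"):
            counts[rec.fields["saddr"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec.type, rec.serial, rec.fields)
    print(packets_by_source(recs))
```

Feed it the output of `ausearch --raw` (or the raw audit.log) rather than the interpreted form, since `ausearch -i` rewrites values such as the timestamp and would not match the header regex.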