1. 31 Mar, 2021 5 commits
    • audit: log nftables configuration change events once per table · c520292f
      Richard Guy Briggs authored
      Reduce logging of nftables events to a level similar to iptables.
      Restore the table field to list the table, adding the generation.
      
      Indicate the op as the most significant operation in the event.
      
      A couple of sample events:
      
      type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
      type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      
      type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
      type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
      
      The issue was originally documented in
      https://github.com/linux-audit/audit-kernel/issues/124

      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Acked-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
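      The sample events above are the kind of records a SIEM or host-based detection pipeline has to stitch back together: the PROCTITLE, SYSCALL and NETFILTER_CFG records of one audit event share the serial after the timestamp, and the new `table=name:generation` field carries the nftables generation counter. The following script is an added example, not part of the kernel patch or of the audit userspace tools. It parses the records quoted in the commit message (copied verbatim, with the wrapped SYSCALL lines rejoined), groups them by audit serial, and reports which process changed which tables; the function and field names (`parse_record`, `group_events`, `summarize`) are this example's own choices.

```python
"""Correlate Linux audit NETFILTER_CFG records with their SYSCALL record.

Added example for the commit message above; not kernel or auditd code.
The sample records are copied from the commit message and used as test
input. Records of one audit event share the serial number that follows the
timestamp inside msg=audit(...).
"""
import re
from collections import defaultdict

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]+)\) : (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Sample records copied from the commit message (two audit events, serials 143 and 144).
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
"""


def parse_record(line):
    """Split one audit record into type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, stamp, body = m.group("type", "stamp", "body")
    ts, serial = stamp.rsplit(":", 1)
    if rtype == "PROCTITLE":
        # proctitle is a single value that may contain spaces; keep the whole tail.
        fields = {"proctitle": body.split("=", 1)[1]}
    else:
        fields = dict(KV_RE.findall(body))
    return {"type": rtype, "time": ts, "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records by audit serial so each event carries its own SYSCALL context."""
    events = defaultdict(lambda: {"time": None, "syscall": {}, "proctitle": None, "cfg": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["time"] = rec["time"]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]
        elif rec["type"] == "PROCTITLE":
            ev["proctitle"] = rec["fields"]["proctitle"]
        elif rec["type"] == "NETFILTER_CFG":
            ev["cfg"].append(rec["fields"])
    return dict(events)


def summarize(text):
    """One summary per audit event: who made the change and what changed.

    The table field is 'name:generation'; the generation is split out so
    consecutive changes to the same table can be ordered even when their
    timestamps are equal.
    """
    out = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["syscall"]
        changes = []
        for c in ev["cfg"]:
            name, _, gen = c["table"].partition(":")
            changes.append({
                "table": name,
                "generation": int(gen) if gen else None,
                "family": c["family"],
                "op": c["op"],
                "entries": int(c["entries"]),
            })
        out.append({
            "serial": serial,
            "time": ev["time"],
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "auid": sc.get("auid"),
            "success": sc.get("success") == "yes",
            "changes": changes,
        })
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_RECORDS):
        print(f"{ev['time']} serial={ev['serial']} {ev['comm']} ({ev['exe']}, auid={ev['auid']})")
        for c in ev["changes"]:
            print(f"  {c['op']} table={c['table']} gen={c['generation']} family={c['family']} entries={c['entries']}")
```

      Run stand-alone it prints one header line per audit event followed by the per-family changes; in a pipeline the SYSCALL fields (`auid`, `exe`, `subj`) are what let an analyst tell a daemon such as firewalld apart from an interactive session rewriting the ruleset.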
    • netfilter: nft_log: perform module load from nf_tables · cefa31a9
      Florian Westphal authored
      modprobe calls from the nf_logger_find_get() API cause deadlock in very
      special cases because they occur with the nf_tables transaction mutex held.
      
      In the specific case of nf_log, deadlock is via:
      
       A nf_tables -> transaction mutex -> nft_log -> modprobe -> nf_log_syslog \
      	    -> pernet_ops rwsem -> wait for C
       B netlink event -> rtnl_mutex -> nf_tables transaction mutex -> wait for A
       C close() -> ip6mr_sk_done -> rtnl_mutex -> wait for B
      
      An earlier patch added NFLOG/xt_LOG module softdeps to avoid the need to load
      the backend module during a transaction.
      
      For nft_log we would have to add a softdep for both nfnetlink_log and
      nf_log_syslog, since we do not know in advance which of the two backends
      is going to be configured.
      
      This defers the modprobe op until after the transaction mutex is released.

      Tested-by: Phil Sutter <phil@nwl.cc>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_log: add module softdeps · a38b5b56
      Florian Westphal authored
      xt_LOG has no direct dependency on the syslog-based logger, it relies
      on the nf_log core to probe the requested backend.
      
      Now that all syslog-based loggers reside in the same module, we can
      just add a soft dependency on nf_log_syslog and let modprobe take
      care of it.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_log_common: merge with nf_log_syslog · e465cccd
      Florian Westphal authored
      Remove nf_log_common.  Now that all per-af modules have been merged
      there is no longer a need to provide a helper module.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_log_bridge: merge with nf_log_syslog · 77ccee96
      Florian Westphal authored
      Provide bridge log support from nf_log_syslog.
      
      After the merge there is no need to load the "real packet loggers",
      all of them now reside in the same module.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 30 Mar, 2021 35 commits