Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp500873ybv; Thu, 13 Feb 2020 04:35:46 -0800 (PST) X-Google-Smtp-Source: APXvYqyYnaauMABrGxk0ZVWzxTVAwYCLlqpQ4A+kxn4BomM5ErYRsuGZdTKwEEWnd+KzqonPcw+s X-Received: by 2002:a9d:7dc9:: with SMTP id k9mr13097636otn.117.1581597346847; Thu, 13 Feb 2020 04:35:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581597346; cv=none; d=google.com; s=arc-20160816; b=FPs69sJXdT2p922Oj7d7J5koP8jRJHR1mpI5HS632Ox2uO670GZhM+3jOnkeIPoaaQ V7395UVCT+fWFs79lMYlq9mlKMsF9Likjoqv8e7q7CX696zku/85fjzvb/b4qkCvyIQ+ t5l5G2t/sRj/HIvksOg/P5LN3c7cxliJERYdgriLt0Kx7NRx3qs7Me3XZsK4/jrq218C ZVi8l09jQcn3p8zYRVLyi4Uxltc39mHiNwV0mC8nvxD/bTvsMvzcrIqxk7g1yqMhSGxP u4rR1GbqpGLBcnem4LX6x7WpCo8WNWkn0MpiGGtOqrCxo5DFPqQ5EstzFYfShaUNl3B7 RnCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=h9wAqib9iqVYLkkLvlnIO/ufS+be4vtM/+sGXWZ0HBc=; b=Oby3OMmazh/7dkB7Qqkhj/kMa6DBnV1kWtYuH7GlppLmbylXYy9P7rt5yT09lAbhBp EsjmNWDGxJ53x9ttKf0+TSKQl81QArRV3SBBIr6J5A/IpfNkCttqNLMb0M9geVyaiaQZ DiU59H5di1aIurKeCjogOwd8golLtBB8q64mYoEv7RUVubMxFD9wgJl4UHm4Ys/XQDeJ caSzejIsFm5oqKbNn1clUbnIv+zVtaGVKD05g6PqMHAmXXmCXZDeKWRk7XjcnfMARvQ/ xmgLRjALLQftjtweSawAdRIveuQ14wfYC4qmWD+/ASn80w5LxO6xWTewYKdjWZlwNfyq kraA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v22si1081900oia.30.2020.02.13.04.35.33; Thu, 13 Feb 2020 04:35:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729880AbgBMMfA (ORCPT + 99 others); Thu, 13 Feb 2020 07:35:00 -0500 Received: from Chamillionaire.breakpoint.cc ([193.142.43.52]:47840 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729531AbgBMMfA (ORCPT ); Thu, 13 Feb 2020 07:35:00 -0500 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1j2Dhp-0004oY-Ks; Thu, 13 Feb 2020 13:34:57 +0100 Date: Thu, 13 Feb 2020 13:34:57 +0100 From: Florian Westphal To: Richard Guy Briggs Cc: Florian Westphal , LKML , Linux-Audit Mailing List , netfilter-devel@vger.kernel.org, ebiederm@xmission.com, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org Subject: Re: [PATCH ghak25 v2 8/9] netfilter: add audit operation field Message-ID: <20200213123457.GO2991@breakpoint.cc> References: <6768f7c7d9804216853e6e9c59e44f8a10f46b99.1577830902.git.rgb@redhat.com> <20200106202306.GO795@breakpoint.cc> <20200213121410.b2dsh2kwg3k7xg7e@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200213121410.b2dsh2kwg3k7xg7e@madcap2.tricolour.ca> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Richard Guy Briggs wrote: > The default policy is NF_ACCEPT (because Rusty didn't want > more email, go figure...). It occurred to me later that some table > loads took a command line parameter to be able to change the default > policy verdict from NF_ACCEPT to NF_DROP. In particular, filter FORWARD > hook tables. Is there a straightforward way to be able to detect this > in all the audit_nf_cfg() callers to be able to log it? In particular, > in: > net/bridge/netfilter/ebtables.c: ebt_register_table() > net/bridge/netfilter/ebtables.c: do_replace_finish() > net/bridge/netfilter/ebtables.c: __ebt_unregister_table() > net/netfilter/x_tables.c: xt_replace_table() > net/netfilter/x_tables.c: xt_unregister_table() The module parameter or the policy? The poliy can be changed via the xtables tools. Given you can have: *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A FORWARD -j ACCEPT COMMIT ... which effectily gives a FORWARD ACCEPT policy I'm not sure logging the policy is useful. Furthermore, ebtables has polices even for user-defined chains. > Both potential solutions are awkward, adding a parameter to pass that > value in, but also trying to reach into the protocol-specific entry > table to find that value. Would you have a recommendation? This > assumes that reporting that default policy value is even desired or > required. See above, I don't think its useful. If it is needed, its probably best to define an informational struct containing the policy (accept/drop) value for the each hook points (prerouting to postrouting), fill that from the backend specific code (as thats the only place that exposes the backend specific structs ...) and then pass that to the audit logging functions.