PERFORCE change 146176 for review
Diego Giagio
diego at FreeBSD.org
Tue Jul 29 02:49:41 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=146176
Change 146176 by diego at diego_black on 2008/07/29 02:49:28
Add connection events auditing support to ipfw.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 (text+ko) ====
@@ -1230,6 +1230,15 @@
break;
case BOTH_SYN: /* move to established */
+ if (IS_IP6_FLOW_ID(pkt)) {
+ AUDIT_CALL(audit_ipfw_flow6_begin(&pkt->src_ip6,
+ pkt->src_port, &pkt->dst_ip6,
+ pkt->dst_port, 0));
+ } else {
+ AUDIT_CALL(audit_ipfw_flow4_begin(pkt->src_ip,
+ pkt->src_port, pkt->dst_ip, pkt->dst_port,
+ 0));
+ }
case BOTH_SYN | TH_FIN : /* one side tries to close */
case BOTH_SYN | (TH_FIN << 8) :
if (tcp) {
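Review bot: The new audit call sits in `case BOTH_SYN:`, and in this state machine the dynamic rule appears to stay in BOTH_SYN for the whole life of an established connection (only SYN/FIN/RST bits are OR-ed in), so a flow-begin record would be emitted on every packet of the flow rather than once at the transition, which lets a single busy connection flood the audit trail; gate the call on the state actually changing (the state before this packet was the single-SYN state) or move it to where the transition is first detected. This cannot be confirmed from the hunk alone since the enclosing function starts and ends outside it. The pre-existing fall-through into the `BOTH_SYN | TH_FIN` cases now has a nine-line body ahead of it, so mark it explicitly with `/* FALLTHROUGH */` before `case BOTH_SYN | TH_FIN :`. The error argument is a literal `0` in both calls; a one-line comment saying the record is informational and carries no failure status would save the next reader a lookup.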
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 (text) ====
@@ -135,6 +135,11 @@
void audit_ipfw_addtable(u_int table, int error);
void audit_ipfw_deltable(u_int table, int error);
void audit_ipfw_flushtable(u_int table, int error);
+void audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port,
+ u_int32_t dst, u_int16_t dst_port, int error);
+struct in6_addr;
+void audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port,
+ struct in6_addr *dst, u_int16_t dst_port, int error);
void audit_pf_enable(int error);
void audit_pf_disable(int error);
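Review bot: The IPv6 prototype takes `struct in6_addr *src` and `*dst` as mutable pointers although the audit path only needs to read them; declare them `const struct in6_addr *src` and `const struct in6_addr *dst` (and match the definition in audit_pfil.c) so the audit layer cannot modify the flow id it is handed and callers holding const data can pass it without a cast. The `struct in6_addr;` forward declaration in the middle of the prototype list works but would be easier to find grouped with the header's other forward declarations, which are outside this hunk.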
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 (text+ko) ====
@@ -34,6 +34,7 @@
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip_fw.h>
+#include <netinet6/scope6_var.h>
#include <sys/sbuf.h>
@@ -320,3 +321,46 @@
audit_commit(ar, error, 0);
}
+static void
+addr_to_sin(u_int32_t addr, struct sockaddr_in *sin)
+{
+ sin->sin_len = sizeof(struct sockaddr_in);
+ sin->sin_family = PF_INET;
+ sin->sin_port = 0;
+ sin->sin_addr.s_addr = addr;
+}
+
+void
+audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port, u_int32_t dst,
+ u_int16_t dst_port, int error)
+{
+ struct kaudit_record *ar;
+ struct sockaddr_in lsin;
+ struct sockaddr_in rsin;
+
+ ar = audit_begin(AUE_PFIL_FLOW_BEGIN, curthread);
+ if (ar == NULL)
+ return;
+
+ /* XXXDG: need to check which address is local. for now, we're
+ * assuming src address is local.
+ *
+ * TODO: check MATCH_FORWARD / MATCH_REVERSE on ip_fw2.c
+ */
+ addr_to_sin(src, &lsin);
+ addr_to_sin(dst, &rsin);
+
+ audit_record_arg_text(ar, "ipfw");
+ audit_record_arg_socket_ex(ar, PF_INET, SOCK_STREAM, src_port, dst_port,
+ (struct sockaddr*)&lsin, (struct sockaddr*)&rsin);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port,
+ struct in6_addr *dst, u_int16_t dst_port, int error)
+{
+ /* XXXDG: implement IPv6 support.
+ */
+}
+
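Review bot: `addr_to_sin` sets `sin_len`, `sin_family`, `sin_port` and `sin_addr` but never clears `sin_zero`, and `lsin`/`rsin` in `audit_ipfw_flow4_begin` are uninitialised stack locals, so the padding bytes passed to `audit_record_arg_socket_ex` are whatever was left on the kernel stack and get written into the audit record; start the helper with `bzero(sin, sizeof(*sin));` (or declare the locals `= { 0 }`) so no stale stack contents reach the trail. `audit_ipfw_flow6_begin` is an empty stub, so an IPv6 flow that reaches the new ip_fw2.c call produces no record while the caller believes it was audited; until it is implemented, either emit the AUE_PFIL_FLOW_BEGIN record with only the `"ipfw"` text argument or document in the header that IPv6 flows are currently not audited. The local/remote assignment is hard-coded to src=local per the XXXDG comment, and the caller already knows the direction (the MATCH_FORWARD / MATCH_REVERSE the TODO refers to), so passing it as a parameter now would avoid a later interface change. `sin_family = PF_INET` is conventionally written `AF_INET` for address families; same value, but it reads as a protocol-family constant.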