Date: Tue, 29 Jul 2008 02:49:40 GMT From: Diego Giagio <diego@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 146176 for review Message-ID: <200807290249.m6T2ne2E032762@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=146176

Change 146176 by diego@diego_black on 2008/07/29 02:49:28

	Add connection events auditing support to ipfw.

Affected files ...

.. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 edit

Differences ...

==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#6 (text+ko) ====

@@ -1230,6 +1230,15 @@
 break;
 case BOTH_SYN: /* move to established */
+ if (IS_IP6_FLOW_ID(pkt)) {
+ AUDIT_CALL(audit_ipfw_flow6_begin(&pkt->src_ip6,
+ pkt->src_port, &pkt->dst_ip6,
+ pkt->dst_port, 0));
+ } else {
+ AUDIT_CALL(audit_ipfw_flow4_begin(pkt->src_ip,
+ pkt->src_port, pkt->dst_ip, pkt->dst_port,
+ 0));
+ }
 case BOTH_SYN | TH_FIN : /* one side tries to close */
 case BOTH_SYN | (TH_FIN << 8) :
 if (tcp) {

==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#12 (text) ====

@@ -135,6 +135,11 @@
 void audit_ipfw_addtable(u_int table, int error);
 void audit_ipfw_deltable(u_int table, int error);
 void audit_ipfw_flushtable(u_int table, int error);
+void audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port,
+ u_int32_t dst, u_int16_t dst_port, int error);
+struct in6_addr;
+void audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port,
+ struct in6_addr *dst, u_int16_t dst_port, int error);
 void audit_pf_enable(int error);
 void audit_pf_disable(int error);

==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#9 (text+ko) ====

@@ -34,6 +34,7 @@
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netinet/ip_fw.h>
+#include <netinet6/scope6_var.h>
 #include <sys/sbuf.h>
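Review bot: The new `AUDIT_CALL`s sit in the `case BOTH_SYN:` arm of a switch on the dynamic rule's accumulated TCP state, and since that state stays BOTH_SYN for every non-FIN/RST packet once both SYNs have been seen, the flow-begin record is emitted for every packet of an established connection rather than once (the state update that precedes the switch is outside this hunk, so verify, but ipfw's dynamic-rule code does evaluate it per packet). That gives any peer with one long-lived connection a cheap way to inflate the audit trail and the audit queue, so gate the call on the actual transition into BOTH_SYN — for example by comparing the state before and after the packet's flags are merged in — or on a per-dynamic-rule flag so it fires once per flow. The arm previously had no body and fell through silently; now that it has one, mark the intent with `} /* FALLTHROUGH */` before `case BOTH_SYN | TH_FIN :`. The enclosing function begins before and continues after this hunk.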
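Review bot: `audit_ipfw_flow6_begin` takes non-const `struct in6_addr *` pointers although it only needs to read the addresses, and ip_fw2.c hands it `&pkt->src_ip6`/`&pkt->dst_ip6` straight out of the matched flow id; declare them `const struct in6_addr *src` and `const struct in6_addr *dst` here and in the audit_pfil.c definition so the audit layer cannot modify the flow state it is given. The `u_int32_t src`/`dst` parameters of `audit_ipfw_flow4_begin` carry no byte-order statement even though the caller passes the flow id's addresses; a comment on the prototype naming the byte order the function expects would pin the contract down for both sides.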
@@ -320,3 +321,46 @@
 audit_commit(ar, error, 0);
 }
+static void
+addr_to_sin(u_int32_t addr, struct sockaddr_in *sin)
+{
+ sin->sin_len = sizeof(struct sockaddr_in);
+ sin->sin_family = PF_INET;
+ sin->sin_port = 0;
+ sin->sin_addr.s_addr = addr;
+}
+
+void
+audit_ipfw_flow4_begin(u_int32_t src, u_int16_t src_port, u_int32_t dst,
+ u_int16_t dst_port, int error)
+{
+ struct kaudit_record *ar;
+ struct sockaddr_in lsin;
+ struct sockaddr_in rsin;
+
+ ar = audit_begin(AUE_PFIL_FLOW_BEGIN, curthread);
+ if (ar == NULL)
+ return;
+
+ /* XXXDG: need to check which address is local. for now, we're
+ * assuming src address is local.
+ *
+ * TODO: check MATCH_FORWARD / MATCH_REVERSE on ip_fw2.c
+ */
+ addr_to_sin(src, &lsin);
+ addr_to_sin(dst, &rsin);
+
+ audit_record_arg_text(ar, "ipfw");
+ audit_record_arg_socket_ex(ar, PF_INET, SOCK_STREAM, src_port, dst_port,
+ (struct sockaddr*)&lsin, (struct sockaddr*)&rsin);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_ipfw_flow6_begin(struct in6_addr *src, u_int16_t src_port,
+ struct in6_addr *dst, u_int16_t dst_port, int error)
+{
+ /* XXXDG: implement IPv6 support.
+ */
+}
+
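Review bot: `addr_to_sin` stores `addr` into `sin_addr.s_addr` unchanged, but the values it receives are `pkt->src_ip`/`pkt->dst_ip` from the ipfw flow id, which ipfw keeps in host byte order (ipfw_chk fills them via ntohl and the dynamic-rule code compares them as host integers — that code is outside this hunk, so confirm), whereas `s_addr` is network order; on little-endian hosts the audited addresses would be byte-swapped and the record would name the wrong endpoints. The helper also leaves `sin_zero` uninitialised and sets `sin_family` from the protocol-family constant, so if `audit_record_arg_socket_ex` copies the whole `sockaddr_in` into the record, uninitialised kernel stack bytes end up in the audit trail. Suggested body: `bzero(sin, sizeof(*sin)); sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; sin->sin_addr.s_addr = htonl(addr);`. `src_port`/`dst_port` come from the same flow id in host order, so check which order `audit_record_arg_socket_ex` expects before passing them straight through. The first two lines of the hunk are the tail of a function defined outside it.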