netfilter: audit target to record accepted/dropped packets
author Thomas Graf <tgraf@infradead.org>
Sun, 16 Jan 2011 17:10:28 +0000 (18:10 +0100)
committer Patrick McHardy <kaber@trash.net>
Sun, 16 Jan 2011 17:10:28 +0000 (18:10 +0100)
commit 43f393caec0362abe03c72799d3f342af3973070
tree 7ff979877f3d8e725709d7455ef4f977df605d78
parent d862a6622e9db508d4b28cc7c5bc28bd548cc24e
This patch adds a new netfilter target which creates audit records
for packets traversing a certain chain.

It can be used to record packets which are rejected administratively
as follows:

  -N AUDIT_DROP
  -A AUDIT_DROP -j AUDIT --type DROP
  -A AUDIT_DROP -j DROP

A rule which would typically drop or reject a packet would then
invoke the new chain to record packets before dropping them.

  -j AUDIT_DROP

The module is protocol independent and works for iptables, ip6tables
and ebtables.

The following information is logged:
 - netfilter hook
 - packet length
 - incoming/outgoing interface
 - MAC src/dst/proto for ethernet packets
 - src/dst/protocol address for IPv4/IPv6
 - src/dst port for TCP/UDP/UDPLITE
 - icmp type/code

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
include/linux/audit.h
include/linux/netfilter/Kbuild
include/linux/netfilter/xt_AUDIT.h [new file with mode: 0644]
net/netfilter/Kconfig
net/netfilter/Makefile
net/netfilter/xt_AUDIT.c [new file with mode: 0644]
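The commit message lists what the target records but not how a defender would consume it. The following is an added example, not code from the kernel tree or from this commit: a small Python parser that reads audit records of the kind such a target emits and summarises dropped traffic per source. The record type name `NETFILTER_PKT`, the key names (`action`, `hook`, `len`, `inif`, `outif`, `saddr`, `daddr`, `proto`, `sport`, `dport`, `icmptype`, `icmpcode`) and the numeric encoding of `action` are assumptions modelled on the fields the message lists; the sample lines are constructed, not captured from a real system. Check the keys against the records your own kernel writes before relying on them.

```python
"""Summarise netfilter AUDIT records by action and source address.

Added example, not part of the kernel commit. Field names and the
numeric action encoding are assumptions; verify against your audit.log.
"""
import re
from collections import Counter

# Assumed mapping of the numeric action field to the --type names the
# commit message uses; confirm against the module's header file.
ACTION_NAMES = {0: "ACCEPT", 1: "DROP", 2: "REJECT"}

KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = {"action", "hook", "len", "proto", "sport", "dport",
              "icmptype", "icmpcode"}

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1295198000.001:101): action=1 hook=1 len=60 inif=eth0 outif=? saddr=198.51.100.7 daddr=192.0.2.10 proto=6 sport=44123 dport=22
type=NETFILTER_PKT msg=audit(1295198000.002:102): action=1 hook=1 len=60 inif=eth0 outif=? saddr=198.51.100.7 daddr=192.0.2.10 proto=6 sport=44124 dport=23
type=NETFILTER_PKT msg=audit(1295198000.003:103): action=0 hook=1 len=84 inif=eth0 outif=? saddr=203.0.113.5 daddr=192.0.2.10 proto=1 icmptype=8 icmpcode=0
type=NETFILTER_PKT msg=audit(1295198000.004:104): action=1 hook=1 len=48 inif=eth0 outif=? saddr=198.51.100.7 daddr=192.0.2.10 proto=17 sport=5000 dport=161
type=SYSCALL msg=audit(1295198000.005:105): arch=c000003e syscall=59 success=yes
"""


def parse_record(line):
    """Return a dict for one NETFILTER_PKT record, or None for other types."""
    fields = dict(KV_RE.findall(line))
    if fields.get("type") != "NETFILTER_PKT":
        return None
    rec = {}
    for key, value in fields.items():
        if key in ("type", "msg"):
            continue
        if value == "?":            # auditd convention for an unset value
            rec[key] = None
        elif key in INT_FIELDS:
            rec[key] = int(value)
        else:
            rec[key] = value
    rec["action_name"] = ACTION_NAMES.get(rec.get("action"), "UNKNOWN")
    return rec


def parse_log(text):
    """Parse every line of an audit log, keeping only packet records."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def count_by_action_and_source(records):
    """Count records per (action name, source address) pair."""
    return Counter((r["action_name"], r.get("saddr")) for r in records)


def dropped_ports_by_source(records):
    """Map each source to the set of TCP/UDP destination ports seen in DROP
    records; one source hitting many distinct ports is worth a closer look."""
    out = {}
    for r in records:
        if r["action_name"] == "DROP" and r.get("dport") is not None:
            out.setdefault(r["saddr"], set()).add(r["dport"])
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (action, src), n in sorted(count_by_action_and_source(recs).items()):
        print(f"{action:7} {src:16} {n}")
    for src, ports in dropped_ports_by_source(recs).items():
        print(f"dropped ports from {src}: {sorted(ports)}")
```

Run against a real log with `python3 summarise.py < /var/log/audit/audit.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; integer fields are converted so thresholds can be applied directly, and `?` is mapped to `None` so an absent outgoing interface on an input-hook record is not mistaken for an interface named `?`.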