aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-12-01 07:27:18 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:55:19 -0500
commit875179fa60ffe2eba1daaefb0af1be97ff5eda6a (patch)
treecc691e83f8dc2e022299362da49673fb31c2de55 /net/xfrm
parent9108d5f4b2cd82f55ad178caa0be66a866a06dcc (diff)
[IPSEC]: SPD auditing fix to include the netmask/prefix-length
Currently the netmask/prefix-length of an IPsec SPD entry is not included in any of the SPD related audit messages. This can cause a problem when the audit log is examined as the netmask/prefix-length is vital in determining what network traffic is affected by a particular SPD entry. This patch fixes this problem by adding two additional fields, "src_prefixlen" and "dst_prefixlen", to the SPD audit messages to indicate the source and destination netmasks. These new fields are only included in the audit message when the netmask/prefix-length is less than the address length, i.e. the SPD entry applies to a network address and not a host address. Example audit message: type=UNKNOWN[1415] msg=audit(1196105849.752:25): auid=0 \ subj=root:system_r:unconfined_t:s0-s0:c0.c1023 op=SPD-add res=1 \ src=192.168.0.0 src_prefixlen=24 dst=192.168.1.0 dst_prefixlen=24 In addition, this patch also fixes a few other things in the xfrm_audit_common_policyinfo() function. The IPv4 string formatting was converted to use the standard NIPQUAD_FMT constant, the memcpy() was removed from the IPv6 code path and replaced with a typecast (the memcpy() was acting as a slow, implicit typecast anyway), and two local variables were created to make referencing the XFRM security context and selector information cleaner. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_policy.c44
1 files changed, 26 insertions, 18 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index b153f748205..a76280a14e7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2266,29 +2266,37 @@ void __init xfrm_init(void)
2266static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, 2266static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2267 struct audit_buffer *audit_buf) 2267 struct audit_buffer *audit_buf)
2268{ 2268{
2269 if (xp->security) 2269 struct xfrm_sec_ctx *ctx = xp->security;
2270 struct xfrm_selector *sel = &xp->selector;
2271
2272 if (ctx)
2270 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2273 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2271 xp->security->ctx_alg, xp->security->ctx_doi, 2274 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2272 xp->security->ctx_str);
2273 2275
2274 switch(xp->selector.family) { 2276 switch(sel->family) {
2275 case AF_INET: 2277 case AF_INET:
2276 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", 2278 audit_log_format(audit_buf, " src=" NIPQUAD_FMT,
2277 NIPQUAD(xp->selector.saddr.a4), 2279 NIPQUAD(sel->saddr.a4));
2278 NIPQUAD(xp->selector.daddr.a4)); 2280 if (sel->prefixlen_s != 32)
2281 audit_log_format(audit_buf, " src_prefixlen=%d",
2282 sel->prefixlen_s);
2283 audit_log_format(audit_buf, " dst=" NIPQUAD_FMT,
2284 NIPQUAD(sel->daddr.a4));
2285 if (sel->prefixlen_d != 32)
2286 audit_log_format(audit_buf, " dst_prefixlen=%d",
2287 sel->prefixlen_d);
2279 break; 2288 break;
2280 case AF_INET6: 2289 case AF_INET6:
2281 { 2290 audit_log_format(audit_buf, " src=" NIP6_FMT,
2282 struct in6_addr saddr6, daddr6; 2291 NIP6(*(struct in6_addr *)sel->saddr.a6));
2283 2292 if (sel->prefixlen_s != 128)
2284 memcpy(&saddr6, xp->selector.saddr.a6, 2293 audit_log_format(audit_buf, " src_prefixlen=%d",
2285 sizeof(struct in6_addr)); 2294 sel->prefixlen_s);
2286 memcpy(&daddr6, xp->selector.daddr.a6, 2295 audit_log_format(audit_buf, " dst=" NIP6_FMT,
2287 sizeof(struct in6_addr)); 2296 NIP6(*(struct in6_addr *)sel->daddr.a6));
2288 audit_log_format(audit_buf, 2297 if (sel->prefixlen_d != 128)
2289 " src=" NIP6_FMT " dst=" NIP6_FMT, 2298 audit_log_format(audit_buf, " dst_prefixlen=%d",
2290 NIP6(saddr6), NIP6(daddr6)); 2299 sel->prefixlen_d);
2291 }
2292 break; 2300 break;
2293 } 2301 }
2294} 2302}