Commit 7eced5ab authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller

netfilter: nf_tables: add NFT_LOGLEVEL_* enumeration and use it

This is internal, not exposed through uapi, and although it maps with
userspace LOG_*, with the introduction of LOGLEVEL_AUDIT we are
incurring in namespace pollution.

This patch adds the NFT_LOGLEVEL_ enumeration and uses it from nft_log.

Fixes: 1a893b44 ("netfilter: nf_tables: Add audit support to log statement")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Acked-by: default avatarPhil Sutter <phil@nwl.cc>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3036bc45
...@@ -1099,9 +1099,31 @@ enum nft_log_attributes { ...@@ -1099,9 +1099,31 @@ enum nft_log_attributes {
#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)
/** /**
* LOGLEVEL_AUDIT - a pseudo log level enabling audit logging * enum nft_log_level - nf_tables log levels
*/ *
#define LOGLEVEL_AUDIT 8 * @NFT_LOGLEVEL_EMERG: system is unusable
* @NFT_LOGLEVEL_ALERT: action must be taken immediately
* @NFT_LOGLEVEL_CRIT: critical conditions
* @NFT_LOGLEVEL_ERR: error conditions
* @NFT_LOGLEVEL_WARNING: warning conditions
* @NFT_LOGLEVEL_NOTICE: normal but significant condition
* @NFT_LOGLEVEL_INFO: informational
* @NFT_LOGLEVEL_DEBUG: debug-level messages
* @NFT_LOGLEVEL_AUDIT: enabling audit logging
*/
enum nft_log_level {
NFT_LOGLEVEL_EMERG,
NFT_LOGLEVEL_ALERT,
NFT_LOGLEVEL_CRIT,
NFT_LOGLEVEL_ERR,
NFT_LOGLEVEL_WARNING,
NFT_LOGLEVEL_NOTICE,
NFT_LOGLEVEL_INFO,
NFT_LOGLEVEL_DEBUG,
NFT_LOGLEVEL_AUDIT,
__NFT_LOGLEVEL_MAX
};
#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX + 1)
/** /**
* enum nft_queue_attributes - nf_tables queue expression netlink attributes * enum nft_queue_attributes - nf_tables queue expression netlink attributes
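Review bot: `#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX + 1)` at the end of the new enum evaluates to one past the terminator, and the terminator is itself already one past the last real level, while the sibling macro at the top of the hunk, `#define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1)`, shows the convention this header follows. It should read `#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1)` so that it names NFT_LOGLEVEL_AUDIT as the highest valid level. Nothing in this commit consumes the macro (nft_log.c bounds-checks against NFT_LOGLEVEL_AUDIT directly), so the value is harmless today, but any later range check or array sized from NFT_LOGLEVEL_MAX would accept two values beyond the enum. The commit message calls the enumeration internal, yet it sits beside the NFTA_LOG_* netlink attribute enum; if this header is installed to userspace the numeric values (which deliberately match syslog LOG_* 0–7 plus AUDIT = 8, the old `#define LOGLEVEL_AUDIT 8`) become ABI, and a one-line comment above the enum saying the order must not change would prevent an accidental renumbering.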
...@@ -111,7 +111,7 @@ static void nft_log_eval(const struct nft_expr *expr, ...@@ -111,7 +111,7 @@ static void nft_log_eval(const struct nft_expr *expr,
const struct nft_log *priv = nft_expr_priv(expr); const struct nft_log *priv = nft_expr_priv(expr);
if (priv->loginfo.type == NF_LOG_TYPE_LOG && if (priv->loginfo.type == NF_LOG_TYPE_LOG &&
priv->loginfo.u.log.level == LOGLEVEL_AUDIT) { priv->loginfo.u.log.level == NFT_LOGLEVEL_AUDIT) {
nft_log_eval_audit(pkt); nft_log_eval_audit(pkt);
return; return;
} }
...@@ -166,9 +166,9 @@ static int nft_log_init(const struct nft_ctx *ctx, ...@@ -166,9 +166,9 @@ static int nft_log_init(const struct nft_ctx *ctx,
li->u.log.level = li->u.log.level =
ntohl(nla_get_be32(tb[NFTA_LOG_LEVEL])); ntohl(nla_get_be32(tb[NFTA_LOG_LEVEL]));
} else { } else {
li->u.log.level = LOGLEVEL_WARNING; li->u.log.level = NFT_LOGLEVEL_WARNING;
} }
if (li->u.log.level > LOGLEVEL_AUDIT) { if (li->u.log.level > NFT_LOGLEVEL_AUDIT) {
err = -EINVAL; err = -EINVAL;
goto err1; goto err1;
} }
...@@ -196,7 +196,7 @@ static int nft_log_init(const struct nft_ctx *ctx, ...@@ -196,7 +196,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
break; break;
} }
if (li->u.log.level == LOGLEVEL_AUDIT) if (li->u.log.level == NFT_LOGLEVEL_AUDIT)
return 0; return 0;
err = nf_logger_find_get(ctx->family, li->type); err = nf_logger_find_get(ctx->family, li->type);
...@@ -220,7 +220,7 @@ static void nft_log_destroy(const struct nft_ctx *ctx, ...@@ -220,7 +220,7 @@ static void nft_log_destroy(const struct nft_ctx *ctx,
if (priv->prefix != nft_log_null_prefix) if (priv->prefix != nft_log_null_prefix)
kfree(priv->prefix); kfree(priv->prefix);
if (li->u.log.level == LOGLEVEL_AUDIT) if (li->u.log.level == NFT_LOGLEVEL_AUDIT)
return; return;
nf_logger_put(ctx->family, li->type); nf_logger_put(ctx->family, li->type);
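Review bot: The range check `if (li->u.log.level > NFT_LOGLEVEL_AUDIT)` in the second hunk hardcodes the last enumerator rather than the enum's terminator, so a level added after NFT_LOGLEVEL_AUDIT would be rejected here until someone remembers to update this line; `if (li->u.log.level >= __NFT_LOGLEVEL_MAX)` ties the netlink validation to the enum definition instead. The value being checked comes straight from `ntohl(nla_get_be32(tb[NFTA_LOG_LEVEL]))` on the line above; if u.log.level is narrower than 32 bits (as nf_loginfo usually declares it — confirm against the struct), the assignment truncates before the comparison, which is pre-existing but worth a comment on the check so the bound is not assumed to cover the full u32. The equality tests against NFT_LOGLEVEL_AUDIT in nft_log_eval, the later nft_log_init hunk and nft_log_destroy are consistent with each other and with the audit path skipping nf_logger_find_get/nf_logger_put. nft_log_init begins and ends outside these hunks.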