netfilter: nf_tables: Open-code audit log call in nf_tables_getrule()

The table lookup will be dropped from that function, so remove that
dependency from audit logging code. Using whatever is in
nla[NFTA_RULE_TABLE] is sufficient as long as the previous rule info
filling succeded.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 38f9b224098ee0e4e42f903934639e84edb147ff..ce3bb38262c4485b5fdda716f83eb6864b89f8b8 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3589,15 +3589,18 @@ static int nf_tables_dump_rules_done(struct netlink_callback *cb)
 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
                             const struct nlattr * const nla[])
 {
+       struct nftables_pernet *nft_net = nft_pernet(info->net);
        struct netlink_ext_ack *extack = info->extack;
        u8 genmask = nft_genmask_cur(info->net);
        u8 family = info->nfmsg->nfgen_family;
+       u32 portid = NETLINK_CB(skb).portid;
        const struct nft_chain *chain;
        const struct nft_rule *rule;
        struct net *net = info->net;
        struct nft_table *table;
        struct sk_buff *skb2;
        bool reset = false;
+       char *buf;
        int err;
 
        if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
@@ -3637,16 +3640,24 @@ static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
        if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
                reset = true;
 
-       err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
+       err = nf_tables_fill_rule_info(skb2, net, portid,
                                       info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
                                       family, table, chain, rule, 0, reset);
        if (err < 0)
                goto err_fill_rule_info;
 
-       if (reset)
-               audit_log_rule_reset(table, nft_pernet(net)->base_seq, 1);
+       if (!reset)
+               return nfnetlink_unicast(skb2, net, portid);
 
-       return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+       buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
+                       nla_len(nla[NFTA_RULE_TABLE]),
+                       (char *)nla_data(nla[NFTA_RULE_TABLE]),
+                       nft_net->base_seq);
+       audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
+                       AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
+       kfree(buf);
+
+       return nfnetlink_unicast(skb2, net, portid);
 
 err_fill_rule_info:
        kfree_skb(skb2);