Netlink notifications for iptables modification are not received by the application
I wrote a program to listen for iptables modifications through netlink sockets; for this I used the NETLINK_AUDIT family. When I execute the program and modify an iptables rule, the program doesn't receive any message from the kernel and it remains in blocking mode. Could you help me find what is wrong in this program, or what else I need to do to receive iptables notifications?
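    #include "libaudit.h"   /* audit_open(), audit_get_reply(); also pulls in the netlink headers */
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    int main()
    {
        int rc;
        struct audit_reply rep;   /* audit_get_reply() fills a struct audit_reply */
        int fd;
        struct sockaddr_nl sa;

        memset(&sa, 0, sizeof(sa));
        sa.nl_family = AF_NETLINK;
        sa.nl_groups = 0;         /* no multicast group is joined */

        fd = audit_open();        /* NETLINK_AUDIT socket */
        bind(fd, (struct sockaddr *) &sa, sizeof(sa));   /* return value is not checked */

        /* Blocks until a message arrives on fd */
        rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
        if (rc < 0)
        {
            printf("Error");
        }
        else
        {
            printf("msg received %d \n", rep.msg.nlh.nlmsg_type);
        }
        audit_close(fd);
        return 0;
    }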
c linux linux-kernel iptables netlink
edited Nov 21 at 12:02
red0ct
asked Nov 21 at 5:52
avinash
Are you running this program as a root / privileged user?
– Devidas
Nov 21 at 6:07
Yes, running as a root user.
– avinash
Nov 21 at 6:08
Do you have auditd running?
– Devidas
Nov 21 at 6:09
Yes.
ps -eaf | grep -i auditd
root 499 2 0 Nov16 ? 00:00:00 [kauditd]
root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
– avinash
Nov 21 at 6:15
Can you check the return value of bind and, if it is less than zero, use perror or check errno?
– Devidas
Nov 21 at 6:30
1 Answer
Try this flag
https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.c#L383
from the libaudit source code:
    rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
answered Nov 21 at 9:43
Devidas
I have tried this as well before. Since it's a non-blocking call, it comes out without waiting there (I used polling as well before this call), but no data was received.
– avinash
Nov 22 at 1:23
Is there any other way to receive the iptables change notification?
– avinash
Nov 22 at 1:25
Maybe you have to configure audit with auditctl? Can you consult the man page and try configuring it?
– Devidas
Nov 22 at 8:12
From your observation it is clear that there is less probability of this code having a problem, as it may have given some error. So I feel audit is not configured to listen to netlink-related, or for that matter any, calls by default. I suggest you go through this access.redhat.com/documentation/en-us/red_hat_enterprise_linux/… specifically example 7.2, try a similar thing with the given example, check that it works, and then do the same/related for netlink.
– Devidas
Nov 22 at 8:17
I tried configuring those settings earlier directly using the auditctl command and can see the modification in the "ausearch -k iptablesChange" command output. This time I configured more rules in the /etc/audit/audit.rules file, but the issue still persists.
– avinash
Nov 23 at 8:43
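An added example, not part of the original thread and not libaudit code, for the question of how else to receive the notification: the kernel unicasts audit records to the one registered audit daemon, so a second NETLINK_AUDIT socket bound with nl_groups = 0 receives none, but since Linux 3.16 it also multicasts a copy to the AUDIT_NLGRP_READLOG group for processes holding CAP_AUDIT_READ. The code joins that group on a raw socket and picks out AUDIT_NETFILTER_CFG records; the function names are hypothetical, and it assumes auditing is enabled and that the kernel logs the table change as a record containing table=<name>.

```c
#include <linux/audit.h>   /* AUDIT_NLGRP_READLOG, AUDIT_NETFILTER_CFG */
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Join the read-only audit multicast group. Returns the fd, or -1 on failure. */
int open_audit_readlog(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK,   /* group N is bit N-1 */
                              .nl_groups = 1U << (AUDIT_NLGRP_READLOG - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Count AUDIT_NETFILTER_CFG records in buf; copy the last table= value to out.
 * len is a signed int so NLMSG_NEXT cannot wrap on an unaligned final message. */
int scan_netfilter_cfg(const void *buf, int len, char *out, size_t outsz)
{
    const struct nlmsghdr *nlh = buf;
    int hits = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        char text[1024], *t;
        size_t n = nlh->nlmsg_len - NLMSG_HDRLEN;
        if (nlh->nlmsg_type != AUDIT_NETFILTER_CFG)
            continue;                       /* some other audit record type */
        if (n >= sizeof(text)) n = sizeof(text) - 1;
        memcpy(text, NLMSG_DATA(nlh), n);   /* payload text is not NUL-terminated */
        text[n] = '\0';
        hits++;
        if (outsz > 0 && (t = strstr(text, "table=")) != NULL)
            snprintf(out, outsz, "%.*s", (int)strcspn(t + 6, " \n"), t + 6);
    }
    return hits;
}

int main(void)
{
    union { struct nlmsghdr h; char b[8192]; } u;   /* aligned receive buffer */
    char table[32] = "?";
    ssize_t n;
    int fd = open_audit_readlog();
    if (fd < 0) { perror("audit multicast bind (needs CAP_AUDIT_READ)"); return 1; }
    while ((n = recv(fd, u.b, sizeof(u.b), 0)) > 0)
        if (scan_netfilter_cfg(u.b, (int)n, table, sizeof(table)) > 0)
            printf("netfilter table changed: %s\n", table);
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_AUDIT_READ) while changing a rule in another terminal; auditd can stay running, since the multicast copy does not replace its unicast feed.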