Add ARP hook name recognition

stevegrubb · stevegrubb · commit 4c0b60ba7258 · 2025-08-09T00:04:28.000-04:00
Added an ARP netfilter hook table mapping numeric values to INPUT,
OUTPUT, and FORWARD for audit interpretation.

Extended the build system and test suite to generate and exercise the
new ARP hook translations alongside existing inet hooks.

Updated print_hook to detect the surrounding record’s netfilter family
and choose the proper ARP or inet hook name accordingly.
diff --git a/auparse/Makefile.am b/auparse/Makefile.am
@@ -65,7 +65,7 @@ BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
 	socktabs.h sockleveltabs.h socktypetabs.h \
 	tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \
-	netactiontabs.h \
+	arphooktabs.h netactiontabs.h \
 	normalize_obj_kind_maps.h normalize_record_maps.h \
 	normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h \
 	openat2-resolvetabs.h xattr-atflagtabs.h access-flagtabs.h
@@ -83,7 +83,7 @@ noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
 	gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
 	gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
-	gen_umounttabs_h gen_inethooktabs_h gen_netactiontabs_h \
+	gen_umounttabs_h gen_inethooktabs_h gen_arphooktabs_h gen_netactiontabs_h \
 	gen_normalize_record_map gen_normalize_syscall_map \
 	gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h \
 	gen_openat2-resolvetabs_h gen_xattr-atflagtabs_h gen_access-flagtabs_h
@@ -705,3 +705,16 @@ gen_openat2-resolvetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
 openat2-resolvetabs.h: gen_openat2-resolvetabs_h Makefile
 	./gen_openat2-resolvetabs_h --i2s-transtab openat2_resolve > $@
 
+
+gen_arphooktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h arphooktab.h
+gen_arphooktabs_h_CFLAGS = '-DTABLE_H="arphooktab.h"'
+$(gen_arphooktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_arphooktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_arphooktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_arphooktabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+gen_arphooktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_arphooktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_arphooktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_arphooktabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
+arphooktabs.h: gen_arphooktabs_h Makefile
+	./gen_arphooktabs_h --i2s arphook > $@
diff --git a/auparse/interpret.c b/auparse/interpret.c
@@ -27,6 +27,7 @@
 #include "internal.h"
 #include "interpret.h"
 #include "auparse-idata.h"
+#include "auparse.h"
 #include "nvlist.h"
 #include <stddef.h>
 #include <stdio.h>
@@ -45,6 +46,7 @@
 #include <linux/atm.h>
 #include <linux/x25.h>
 #include <linux/capability.h>
+#include <linux/netfilter.h>
 #include <sys/personality.h>
 #include <sys/prctl.h>
 #include <sched.h>
@@ -123,6 +125,7 @@
 #include "umounttabs.h"
 #include "ioctlreqtabs.h"
 #include "inethooktabs.h"
+#include "arphooktabs.h"
 #include "netactiontabs.h"
 #include "bpftabs.h"
 #include "openat2-resolvetabs.h"
@@ -3011,12 +3014,14 @@ static const char *print_protocol(const char *val)
 	return out;
 }
 
-/* FIXME - this assumes inet hook. Could also be an arp hook */
-static const char *print_hook(const char *val)
+/* Netfilter hook names */
+static const char *print_hook(auparse_state_t *au, const char *val)
 {
 	int hook;
 	char *out;
 	const char *str;
+	const char *fam;
+	int proto = -1;
 
 	errno = 0;
 	hook = strtoul(val, NULL, 16);
@@ -3025,7 +3030,21 @@ static const char *print_hook(const char *val)
 			out = NULL;
 		return out;
 	}
-	str = inethook_i2s(hook);
+
+	fam = auparse_find_field(au, "family");
+	if (fam) {
+		errno = 0;
+		proto = strtoul(fam, NULL, 10);
+		if (errno)
+			proto = -1;
+	}
+	auparse_find_field(au, "hook");
+
+	if (proto == NFPROTO_ARP)
+		str = arphook_i2s(hook);
+	else
+		str = inethook_i2s(hook);
+
 	if (str == NULL) {
 		if (asprintf(&out, "unknown-hook(%s)", val) < 0)
 			out = NULL;
@@ -3521,7 +3540,7 @@ char *auparse_do_interpretation(auparse_state_t *au, int type, const idata *id,
 			out = print_proctitle(id->val);
 			break;
 		case AUPARSE_TYPE_HOOK:
-			out = print_hook(id->val);
+			out = print_hook(au, id->val);
 			break;
 		case AUPARSE_TYPE_NETACTION:
 			out = print_netaction(id->val);
diff --git a/auparse/test/lookup_test.c b/auparse/test/lookup_test.c
@@ -185,6 +185,20 @@ test_icmptypetab(void)
 #undef I2S
 }
 
+#include "../arphooktabs.h"
+static void
+test_arphooktab(void)
+{
+	static const struct entry t[] = {
+#include "../arphooktab.h"
+	};
+
+	printf("Testing arphooktab...\n");
+#define I2S(I) arphook_i2s(I)
+	TEST_I2S(0);
+#undef I2S
+}
+
 #include "../inethooktabs.h"
 static void
 test_inethooktab(void)
@@ -540,6 +554,7 @@ main(void)
 	test_fcntltab();
 	test_fsconfig();
 	test_icmptypetab();
+	test_arphooktab();
 	test_inethooktab();
 	test_ioctlreqtab();
 	test_ip6optnametab();
