From: Pablo Neira Ayuso
Subject: Re: [PATCH 6/6 RFC] netfilter: add audit netns ID
Date: Wed, 24 May 2017 19:31:06 +0200
Message-ID: <20170524173106.GA7439@salvia>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: netfilter-devel-owner@vger.kernel.org
To: Richard Guy Briggs
Cc: Netfilter Developer Mailing List , linux-audit@redhat.com, Florian Westphal , Thomas Woerner , Thomas Graf , Eric Paris , Paul Moore , Steve Grubb , "Eric W. Biederman"
List-Id: linux-audit@redhat.com

Cc'ing Eric Biederman.

On Thu, May 18, 2017 at 01:21:52PM -0400, Richard Guy Briggs wrote:
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 59b63a8..0f77b2a 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -27,6 +27,7 @@
> #include
> #include
> #include
> +#define PROC_DYNAMIC_FIRST 0xF0000000U
> #include
> /* needed for logical [in,out]-dev filtering */
> #include "../br_private.h"
> @@ -1075,7 +1076,8 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
> ab = audit_log_start(current->audit_context, GFP_KERNEL,
> AUDIT_NETFILTER_CFG);
> if (ab) {
> - audit_log_format(ab, "op=replace family=%u table=%s entries=%u",
> + audit_log_format(ab, "op=replace net=%u family=%u table=%s entries=%u",
> + net->ns.inum - PROC_DYNAMIC_FIRST,

IIRC, there was a discussion on exposing the netns i-node number to userspace some time ago on netdev and Eric Biederman was not happy about this?
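Review bot: the `#define PROC_DYNAMIC_FIRST 0xF0000000U` added in the first hunk is a private copy, inside ebtables.c, of what is by its name a procfs inode-allocation constant, so any later change to how proc hands out namespace inode numbers silently changes the meaning of the audit field that depends on it. If the offset is really wanted, the constant should come from a shared header that the proc code also uses rather than being re-typed here, and in any case the define belongs below the `#include` lines, not wedged between them.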
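Review bot: in the second hunk the new `net=%u` field logs `net->ns.inum - PROC_DYNAMIC_FIRST`, and nothing in the hunk guarantees that `inum` is at or above that base; since `inum` is unsigned, a smaller value wraps and is printed as a very large number. The subtraction also means the logged value is not the inode number a user can read for the namespace via `/proc/<pid>/ns/net`, so correlating this record with other namespace identifiers needs an extra conversion step. If exposing the inode number is acceptable at all (the reply above questions that), logging `net->ns.inum` unmodified would be simpler to match; otherwise a dedicated namespace identifier is the cleaner option.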