[PATCH v7 0/2] audit: improve NETFILTER_PKT records

[PATCH v7 0/2] audit: improve NETFILTER_PKT records

[Ricardo Robaina]

Currently, NETFILTER_PKT records lack source and destination
port information, which is often valuable for troubleshooting.
This patch series adds ports numbers, to NETFILTER_PKT records.

The first patch refactors netfilter-related code, by moving
duplicated code to audit.c, by creating audit_log_nf_skb()
helper function.
The second one, improves the NETFILTER_PKT records, by 
including source and destination ports for protocols of
interest.

Ricardo Robaina (2):
  audit: add audit_log_nf_skb helper function
  audit: include source and destination ports to NETFILTER_PKT

 include/linux/audit.h    |   8 ++
 kernel/audit.c           | 159 +++++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  |  58 +-------------
 net/netfilter/xt_AUDIT.c |  58 +-------------
 4 files changed, 169 insertions(+), 114 deletions(-)

-- 
2.51.1

[PATCH v7 1/2] audit: add audit_log_nf_skb helper function

[Ricardo Robaina]

Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
have to be kept in sync. Both source files had duplicated versions of
audit_ip4() and audit_ip6() functions, which can result in lack of
consistency and/or duplicated work.

This patch adds a helper function in audit.c that can be called by
netfilter code commonly, aiming to improve maintainability and
consistency.

Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 include/linux/audit.h    |  8 +++++
 kernel/audit.c           | 64 ++++++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  | 58 +-----------------------------------
 net/netfilter/xt_AUDIT.c | 58 +-----------------------------------
 4 files changed, 74 insertions(+), 114 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 536f8ee8da81..d8173af498ba 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -195,6 +195,8 @@ extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab);
+extern int audit_log_nf_skb(struct audit_buffer *ab,
+			    const struct sk_buff *skb, u8 nfproto);
 
 extern int		    audit_update_lsm_rules(void);
 
@@ -272,6 +274,12 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab)
 { }
 
+static inline int audit_log_nf_skb(struct audit_buffer *ab,
+				   const struct sk_buff *skb, u8 nfproto)
+{
+	return 0;
+}
+
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
 	return INVALID_UID;
diff --git a/kernel/audit.c b/kernel/audit.c
index 26a332ffb1b8..5c302c4592db 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,8 @@
 #include <linux/freezer.h>
 #include <linux/pid_namespace.h>
 #include <net/netns/generic.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 
 #include "audit.h"
 
@@ -2488,6 +2490,68 @@ void audit_log_path_denied(int type, const char *operation)
 	audit_log_end(ab);
 }
 
+int audit_log_nf_skb(struct audit_buffer *ab,
+		     const struct sk_buff *skb, u8 nfproto)
+{
+	/* find the IP protocol in the case of NFPROTO_BRIDGE */
+	if (nfproto == NFPROTO_BRIDGE) {
+		switch (eth_hdr(skb)->h_proto) {
+		case htons(ETH_P_IP):
+			nfproto = NFPROTO_IPV4;
+			break;
+		case htons(ETH_P_IPV6):
+			nfproto = NFPROTO_IPV6;
+			break;
+		default:
+			goto unknown_proto;
+		}
+	}
+
+	switch (nfproto) {
+	case NFPROTO_IPV4: {
+		struct iphdr iph;
+		const struct iphdr *ih;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+				 &ih->saddr, &ih->daddr, ih->protocol);
+		break;
+	}
+	case NFPROTO_IPV6: {
+		struct ipv6hdr iph;
+		const struct ipv6hdr *ih;
+		u8 nexthdr;
+		__be16 frag_off;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		nexthdr = ih->nexthdr;
+		ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
+				 &nexthdr, &frag_off);
+
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+				 &ih->saddr, &ih->daddr, nexthdr);
+		break;
+	}
+	default:
+		goto unknown_proto;
+	}
+
+	return 0;
+
+unknown_proto:
+	audit_log_format(ab, " saddr=? daddr=? proto=?");
+	return -EPFNOSUPPORT;
+}
+EXPORT_SYMBOL(audit_log_nf_skb);
+
 /* global counter which is incremented every time something logs in */
 static atomic_t session_id = ATOMIC_INIT(0);
 
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index e35588137995..bf01cf8a8907 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -26,46 +26,10 @@ struct nft_log {
 	char			*prefix;
 };
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 {
 	struct sk_buff *skb = pkt->skb;
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (!audit_enabled)
 		return;
@@ -76,27 +40,7 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (nft_pf(pkt)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, nft_pf(pkt));
 
 	audit_log_end(ab);
 }
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index b6a015aee0ce..4c18606b8654 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -28,46 +28,10 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (audit_enabled == AUDIT_OFF)
 		goto errout;
@@ -77,27 +41,7 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (xt_family(par)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, xt_family(par));
 
 	audit_log_end(ab);
 
-- 
2.51.1

[PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT

[Ricardo Robaina]

NETFILTER_PKT records show both source and destination
addresses, in addition to the associated networking protocol.
However, it lacks the ports information, which is often
valuable for troubleshooting.

This patch adds both source and destination port numbers,
'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
SCTP-related NETFILTER_PKT records.

 $ TESTS="netfilter_pkt" make -e test &> /dev/null
 $ ausearch -i -ts recent |grep NETFILTER_PKT
 type=NETFILTER_PKT ... proto=icmp
 type=NETFILTER_PKT ... proto=ipv6-icmp
 type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
 type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
 type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
 type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424

Link: https://github.com/linux-audit/audit-kernel/issues/162

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 kernel/audit.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 99 insertions(+), 4 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 5c302c4592db..39c4f26c484d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -60,6 +60,7 @@
 #include <net/netns/generic.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
+#include <linux/sctp.h>
 
 #include "audit.h"
 
@@ -2517,8 +2518,55 @@ int audit_log_nf_skb(struct audit_buffer *ab,
 		if (!ih)
 			return -ENOMEM;
 
-		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-				 &ih->saddr, &ih->daddr, ih->protocol);
+		switch (ih->protocol) {
+		case IPPROTO_TCP: {
+			struct tcphdr _tcph;
+			const struct tcphdr *th;
+
+			th = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_tcph), &_tcph);
+			if (!th)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(th->source), ntohs(th->dest));
+			break;
+		}
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE: {
+			struct udphdr _udph;
+			const struct udphdr *uh;
+
+			uh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_udph), &_udph);
+			if (!uh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(uh->source), ntohs(uh->dest));
+			break;
+		}
+		case IPPROTO_SCTP: {
+			struct sctphdr _sctph;
+			const struct sctphdr *sh;
+
+			sh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_sctph), &_sctph);
+			if (!sh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(sh->source), ntohs(sh->dest));
+			break;
+		}
+		default:
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+					 &ih->saddr, &ih->daddr, ih->protocol);
+		}
+
 		break;
 	}
 	case NFPROTO_IPV6: {
@@ -2536,8 +2584,55 @@ int audit_log_nf_skb(struct audit_buffer *ab,
 		ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
 				 &nexthdr, &frag_off);
 
-		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-				 &ih->saddr, &ih->daddr, nexthdr);
+		switch (nexthdr) {
+		case IPPROTO_TCP: {
+			struct tcphdr _tcph;
+			const struct tcphdr *th;
+
+			th = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_tcph), &_tcph);
+			if (!th)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(th->source), ntohs(th->dest));
+			break;
+		}
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE: {
+			struct udphdr _udph;
+			const struct udphdr *uh;
+
+			uh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_udph), &_udph);
+			if (!uh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(uh->source), ntohs(uh->dest));
+			break;
+		}
+		case IPPROTO_SCTP: {
+			struct sctphdr _sctph;
+			const struct sctphdr *sh;
+
+			sh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_sctph), &_sctph);
+			if (!sh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(sh->source), ntohs(sh->dest));
+			break;
+		}
+		default:
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+					 &ih->saddr, &ih->daddr, nexthdr);
+		}
+
 		break;
 	}
 	default:
-- 
2.51.1

Re: [PATCH v7 1/2] audit: add audit_log_nf_skb helper function

[kernel test robot]

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
In-Reply-To: <e5a5be5997fc2b8f7cc5f92e48b6d42158aff2c3.1763122537.git.rrobaina@redhat.com>
References: <e5a5be5997fc2b8f7cc5f92e48b6d42158aff2c3.1763122537.git.rrobaina@redhat.com>
TO: Ricardo Robaina <rrobaina@redhat.com>
TO: audit@vger.kernel.org
TO: linux-kernel@vger.kernel.org
TO: netfilter-devel@vger.kernel.org
TO: coreteam@netfilter.org
CC: paul@paul-moore.com
CC: eparis@redhat.com
CC: fw@strlen.de
CC: pablo@netfilter.org
CC: kadlec@netfilter.org
CC: Ricardo Robaina <rrobaina@redhat.com>

Hi Ricardo,

kernel test robot noticed the following build warnings:

[auto build test WARNING on pcmoore-audit/next]
[also build test WARNING on netfilter-nf/main linus/master v6.18-rc5 next-20251114]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_nf_skb-helper-function/20251114-204406
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link:    https://lore.kernel.org/r/e5a5be5997fc2b8f7cc5f92e48b6d42158aff2c3.1763122537.git.rrobaina%40redhat.com
patch subject: [PATCH v7 1/2] audit: add audit_log_nf_skb helper function
:::::: branch date: 21 hours ago
:::::: commit date: 21 hours ago
config: sh-randconfig-r071-20251115 (https://download.01.org/0day-ci/archive/20251115/202511151759.0Bs9YatW-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 15.1.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202511151759.0Bs9YatW-lkp@intel.com/

smatch warnings:
kernel/audit.c:2533 audit_log_nf_skb() warn: missing unwind goto?

vim +2533 kernel/audit.c

a51d9eaa41866a Kees Cook       2012-07-25  2492  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2493  int audit_log_nf_skb(struct audit_buffer *ab,
4fde464da4ac67 Ricardo Robaina 2025-11-14  2494  		     const struct sk_buff *skb, u8 nfproto)
4fde464da4ac67 Ricardo Robaina 2025-11-14  2495  {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2496  	/* find the IP protocol in the case of NFPROTO_BRIDGE */
4fde464da4ac67 Ricardo Robaina 2025-11-14  2497  	if (nfproto == NFPROTO_BRIDGE) {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2498  		switch (eth_hdr(skb)->h_proto) {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2499  		case htons(ETH_P_IP):
4fde464da4ac67 Ricardo Robaina 2025-11-14  2500  			nfproto = NFPROTO_IPV4;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2501  			break;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2502  		case htons(ETH_P_IPV6):
4fde464da4ac67 Ricardo Robaina 2025-11-14  2503  			nfproto = NFPROTO_IPV6;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2504  			break;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2505  		default:
4fde464da4ac67 Ricardo Robaina 2025-11-14  2506  			goto unknown_proto;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2507  		}
4fde464da4ac67 Ricardo Robaina 2025-11-14  2508  	}
4fde464da4ac67 Ricardo Robaina 2025-11-14  2509  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2510  	switch (nfproto) {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2511  	case NFPROTO_IPV4: {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2512  		struct iphdr iph;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2513  		const struct iphdr *ih;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2514  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2515  		ih = skb_header_pointer(skb, skb_network_offset(skb),
4fde464da4ac67 Ricardo Robaina 2025-11-14  2516  					sizeof(iph), &iph);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2517  		if (!ih)
4fde464da4ac67 Ricardo Robaina 2025-11-14  2518  			return -ENOMEM;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2519  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2520  		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
4fde464da4ac67 Ricardo Robaina 2025-11-14  2521  				 &ih->saddr, &ih->daddr, ih->protocol);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2522  		break;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2523  	}
4fde464da4ac67 Ricardo Robaina 2025-11-14  2524  	case NFPROTO_IPV6: {
4fde464da4ac67 Ricardo Robaina 2025-11-14  2525  		struct ipv6hdr iph;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2526  		const struct ipv6hdr *ih;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2527  		u8 nexthdr;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2528  		__be16 frag_off;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2529  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2530  		ih = skb_header_pointer(skb, skb_network_offset(skb),
4fde464da4ac67 Ricardo Robaina 2025-11-14  2531  					sizeof(iph), &iph);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2532  		if (!ih)
4fde464da4ac67 Ricardo Robaina 2025-11-14 @2533  			return -ENOMEM;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2534  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2535  		nexthdr = ih->nexthdr;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2536  		ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
4fde464da4ac67 Ricardo Robaina 2025-11-14  2537  				 &nexthdr, &frag_off);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2538  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2539  		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
4fde464da4ac67 Ricardo Robaina 2025-11-14  2540  				 &ih->saddr, &ih->daddr, nexthdr);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2541  		break;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2542  	}
4fde464da4ac67 Ricardo Robaina 2025-11-14  2543  	default:
4fde464da4ac67 Ricardo Robaina 2025-11-14  2544  		goto unknown_proto;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2545  	}
4fde464da4ac67 Ricardo Robaina 2025-11-14  2546  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2547  	return 0;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2548  
4fde464da4ac67 Ricardo Robaina 2025-11-14  2549  unknown_proto:
4fde464da4ac67 Ricardo Robaina 2025-11-14  2550  	audit_log_format(ab, " saddr=? daddr=? proto=?");
4fde464da4ac67 Ricardo Robaina 2025-11-14  2551  	return -EPFNOSUPPORT;
4fde464da4ac67 Ricardo Robaina 2025-11-14  2552  }
4fde464da4ac67 Ricardo Robaina 2025-11-14  2553  EXPORT_SYMBOL(audit_log_nf_skb);
4fde464da4ac67 Ricardo Robaina 2025-11-14  2554  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records

[Paul Moore]

On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
>
> Currently, NETFILTER_PKT records lack source and destination
> port information, which is often valuable for troubleshooting.
> This patch series adds ports numbers, to NETFILTER_PKT records.
>
> The first patch refactors netfilter-related code, by moving
> duplicated code to audit.c, by creating audit_log_nf_skb()
> helper function.
> The second one, improves the NETFILTER_PKT records, by
> including source and destination ports for protocols of
> interest.
>
> Ricardo Robaina (2):
>   audit: add audit_log_nf_skb helper function
>   audit: include source and destination ports to NETFILTER_PKT
>
>  include/linux/audit.h    |   8 ++
>  kernel/audit.c           | 159 +++++++++++++++++++++++++++++++++++++++
>  net/netfilter/nft_log.c  |  58 +-------------
>  net/netfilter/xt_AUDIT.c |  58 +-------------
>  4 files changed, 169 insertions(+), 114 deletions(-)

Thanks Ricardo, both patches look good to me, I'm going to merge them
into audit/dev-staging just to get some very basic testing, but if I
can get an ACK from Florian on the patchset I'll go ahead and move the
patches over to audit/dev (feeds into linux-next and the next merge
window).

-- 
paul-moore.com

Re: [PATCH v7 1/2] audit: add audit_log_nf_skb helper function

[Florian Westphal]

Ricardo Robaina <rrobaina@redhat.com> wrote:
> Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
> have to be kept in sync. Both source files had duplicated versions of
> audit_ip4() and audit_ip6() functions, which can result in lack of
> consistency and/or duplicated work.
> 
> This patch adds a helper function in audit.c that can be called by
> netfilter code commonly, aiming to improve maintainability and
> consistency.

Acked-by: Florian Westphal <fw@strlen.de>

Re: [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT

[Florian Westphal]

Ricardo Robaina <rrobaina@redhat.com> wrote:
> NETFILTER_PKT records show both source and destination
> addresses, in addition to the associated networking protocol.
> However, it lacks the ports information, which is often
> valuable for troubleshooting.
> 
> This patch adds both source and destination port numbers,
> 'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
> SCTP-related NETFILTER_PKT records.
> 
>  $ TESTS="netfilter_pkt" make -e test &> /dev/null
>  $ ausearch -i -ts recent |grep NETFILTER_PKT
>  type=NETFILTER_PKT ... proto=icmp
>  type=NETFILTER_PKT ... proto=ipv6-icmp
>  type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
>  type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
>  type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
>  type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424
> 
> Link: https://github.com/linux-audit/audit-kernel/issues/162

Acked-by: Florian Westphal <fw@strlen.de>

Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records

[Paul Moore]

On Mon, Dec 15, 2025 at 9:07 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
> >
> > Currently, NETFILTER_PKT records lack source and destination
> > port information, which is often valuable for troubleshooting.
> > This patch series adds ports numbers, to NETFILTER_PKT records.
> >
> > The first patch refactors netfilter-related code, by moving
> > duplicated code to audit.c, by creating audit_log_nf_skb()
> > helper function.
> > The second one, improves the NETFILTER_PKT records, by
> > including source and destination ports for protocols of
> > interest.
> >
> > Ricardo Robaina (2):
> >   audit: add audit_log_nf_skb helper function
> >   audit: include source and destination ports to NETFILTER_PKT
> >
> >  include/linux/audit.h    |   8 ++
> >  kernel/audit.c           | 159 +++++++++++++++++++++++++++++++++++++++
> >  net/netfilter/nft_log.c  |  58 +-------------
> >  net/netfilter/xt_AUDIT.c |  58 +-------------
> >  4 files changed, 169 insertions(+), 114 deletions(-)
>
> Thanks Ricardo, both patches look good to me, I'm going to merge them
> into audit/dev-staging just to get some very basic testing, but if I
> can get an ACK from Florian on the patchset I'll go ahead and move the
> patches over to audit/dev (feeds into linux-next and the next merge
> window).

I just moved these patches in audit/dev with Florian's ACK.  Thanks everyone!

-- 
paul-moore.com

Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records

[Ricardo Robaina]

On Tue, Dec 16, 2025 at 1:10 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Mon, Dec 15, 2025 at 9:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
> > >
> > > Currently, NETFILTER_PKT records lack source and destination
> > > port information, which is often valuable for troubleshooting.
> > > This patch series adds ports numbers, to NETFILTER_PKT records.
> > >
> > > The first patch refactors netfilter-related code, by moving
> > > duplicated code to audit.c, by creating audit_log_nf_skb()
> > > helper function.
> > > The second one, improves the NETFILTER_PKT records, by
> > > including source and destination ports for protocols of
> > > interest.
> > >
> > > Ricardo Robaina (2):
> > >   audit: add audit_log_nf_skb helper function
> > >   audit: include source and destination ports to NETFILTER_PKT
> > >
> > >  include/linux/audit.h    |   8 ++
> > >  kernel/audit.c           | 159 +++++++++++++++++++++++++++++++++++++++
> > >  net/netfilter/nft_log.c  |  58 +-------------
> > >  net/netfilter/xt_AUDIT.c |  58 +-------------
> > >  4 files changed, 169 insertions(+), 114 deletions(-)
> >
> > Thanks Ricardo, both patches look good to me, I'm going to merge them
> > into audit/dev-staging just to get some very basic testing, but if I
> > can get an ACK from Florian on the patchset I'll go ahead and move the
> > patches over to audit/dev (feeds into linux-next and the next merge
> > window).
>
> I just moved these patches in audit/dev with Florian's ACK.  Thanks everyone!
>
> --
> paul-moore.com
>

I'm happy to hear it. Thanks, Paul and Florian!