* [PATCH v7 1/2] audit: add audit_log_nf_skb helper function
2025-11-14 12:36 [PATCH v7 0/2] audit: improve NETFILTER_PKT records Ricardo Robaina
@ 2025-11-14 12:36 ` Ricardo Robaina
2025-12-16 13:42 ` Florian Westphal
2025-11-14 12:36 ` [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT Ricardo Robaina
2025-12-16 2:07 ` [PATCH v7 0/2] audit: improve NETFILTER_PKT records Paul Moore
2 siblings, 1 reply; 9+ messages in thread
From: Ricardo Robaina @ 2025-11-14 12:36 UTC (permalink / raw)
To: audit, linux-kernel, netfilter-devel, coreteam
Cc: paul, eparis, fw, pablo, kadlec, Ricardo Robaina
Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
have to be kept in sync. Both source files had duplicated versions of
audit_ip4() and audit_ip6() functions, which can result in lack of
consistency and/or duplicated work.
This patch adds a helper function in audit.c that can be called by
netfilter code commonly, aiming to improve maintainability and
consistency.
Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
include/linux/audit.h | 8 +++++
kernel/audit.c | 64 ++++++++++++++++++++++++++++++++++++++++
net/netfilter/nft_log.c | 58 +-----------------------------------
net/netfilter/xt_AUDIT.c | 58 +-----------------------------------
4 files changed, 74 insertions(+), 114 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 536f8ee8da81..d8173af498ba 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -195,6 +195,8 @@ extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab);
+extern int audit_log_nf_skb(struct audit_buffer *ab,
+ const struct sk_buff *skb, u8 nfproto);
extern int audit_update_lsm_rules(void);
@@ -272,6 +274,12 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
static inline void audit_log_task_info(struct audit_buffer *ab)
{ }
+static inline int audit_log_nf_skb(struct audit_buffer *ab,
+ const struct sk_buff *skb, u8 nfproto)
+{
+ return 0;
+}
+
static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
{
return INVALID_UID;
diff --git a/kernel/audit.c b/kernel/audit.c
index 26a332ffb1b8..5c302c4592db 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,8 @@
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
#include "audit.h"
@@ -2488,6 +2490,68 @@ void audit_log_path_denied(int type, const char *operation)
audit_log_end(ab);
}
+int audit_log_nf_skb(struct audit_buffer *ab,
+ const struct sk_buff *skb, u8 nfproto)
+{
+ /* find the IP protocol in the case of NFPROTO_BRIDGE */
+ if (nfproto == NFPROTO_BRIDGE) {
+ switch (eth_hdr(skb)->h_proto) {
+ case htons(ETH_P_IP):
+ nfproto = NFPROTO_IPV4;
+ break;
+ case htons(ETH_P_IPV6):
+ nfproto = NFPROTO_IPV6;
+ break;
+ default:
+ goto unknown_proto;
+ }
+ }
+
+ switch (nfproto) {
+ case NFPROTO_IPV4: {
+ struct iphdr iph;
+ const struct iphdr *ih;
+
+ ih = skb_header_pointer(skb, skb_network_offset(skb),
+ sizeof(iph), &iph);
+ if (!ih)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
+ break;
+ }
+ case NFPROTO_IPV6: {
+ struct ipv6hdr iph;
+ const struct ipv6hdr *ih;
+ u8 nexthdr;
+ __be16 frag_off;
+
+ ih = skb_header_pointer(skb, skb_network_offset(skb),
+ sizeof(iph), &iph);
+ if (!ih)
+ return -ENOMEM;
+
+ nexthdr = ih->nexthdr;
+ ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
+ &nexthdr, &frag_off);
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+ &ih->saddr, &ih->daddr, nexthdr);
+ break;
+ }
+ default:
+ goto unknown_proto;
+ }
+
+ return 0;
+
+unknown_proto:
+ audit_log_format(ab, " saddr=? daddr=? proto=?");
+ return -EPFNOSUPPORT;
+}
+EXPORT_SYMBOL(audit_log_nf_skb);
+
/* global counter which is incremented every time something logs in */
static atomic_t session_id = ATOMIC_INIT(0);
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index e35588137995..bf01cf8a8907 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -26,46 +26,10 @@ struct nft_log {
char *prefix;
};
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
- struct iphdr _iph;
- const struct iphdr *ih;
-
- ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
- if (!ih)
- return false;
-
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
- &ih->saddr, &ih->daddr, ih->protocol);
-
- return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
- struct ipv6hdr _ip6h;
- const struct ipv6hdr *ih;
- u8 nexthdr;
- __be16 frag_off;
-
- ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
- if (!ih)
- return false;
-
- nexthdr = ih->nexthdr;
- ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
-
- return true;
-}
-
static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
{
struct sk_buff *skb = pkt->skb;
struct audit_buffer *ab;
- int fam = -1;
if (!audit_enabled)
return;
@@ -76,27 +40,7 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
audit_log_format(ab, "mark=%#x", skb->mark);
- switch (nft_pf(pkt)) {
- case NFPROTO_BRIDGE:
- switch (eth_hdr(skb)->h_proto) {
- case htons(ETH_P_IP):
- fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
- break;
- case htons(ETH_P_IPV6):
- fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
- break;
- }
- break;
- case NFPROTO_IPV4:
- fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
- break;
- case NFPROTO_IPV6:
- fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
- break;
- }
-
- if (fam == -1)
- audit_log_format(ab, " saddr=? daddr=? proto=-1");
+ audit_log_nf_skb(ab, skb, nft_pf(pkt));
audit_log_end(ab);
}
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index b6a015aee0ce..4c18606b8654 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -28,46 +28,10 @@ MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
- struct iphdr _iph;
- const struct iphdr *ih;
-
- ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
- if (!ih)
- return false;
-
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
- &ih->saddr, &ih->daddr, ih->protocol);
-
- return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
- struct ipv6hdr _ip6h;
- const struct ipv6hdr *ih;
- u8 nexthdr;
- __be16 frag_off;
-
- ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
- if (!ih)
- return false;
-
- nexthdr = ih->nexthdr;
- ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
-
- return true;
-}
-
static unsigned int
audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct audit_buffer *ab;
- int fam = -1;
if (audit_enabled == AUDIT_OFF)
goto errout;
@@ -77,27 +41,7 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
audit_log_format(ab, "mark=%#x", skb->mark);
- switch (xt_family(par)) {
- case NFPROTO_BRIDGE:
- switch (eth_hdr(skb)->h_proto) {
- case htons(ETH_P_IP):
- fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
- break;
- case htons(ETH_P_IPV6):
- fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
- break;
- }
- break;
- case NFPROTO_IPV4:
- fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
- break;
- case NFPROTO_IPV6:
- fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
- break;
- }
-
- if (fam == -1)
- audit_log_format(ab, " saddr=? daddr=? proto=-1");
+ audit_log_nf_skb(ab, skb, xt_family(par));
audit_log_end(ab);
--
2.51.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v7 1/2] audit: add audit_log_nf_skb helper function
2025-11-14 12:36 ` [PATCH v7 1/2] audit: add audit_log_nf_skb helper function Ricardo Robaina
@ 2025-12-16 13:42 ` Florian Westphal
0 siblings, 0 replies; 9+ messages in thread
From: Florian Westphal @ 2025-12-16 13:42 UTC (permalink / raw)
To: Ricardo Robaina
Cc: audit, linux-kernel, netfilter-devel, coreteam, paul, eparis,
pablo, kadlec
Ricardo Robaina <rrobaina@redhat.com> wrote:
> Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
> have to be kept in sync. Both source files had duplicated versions of
> audit_ip4() and audit_ip6() functions, which can result in lack of
> consistency and/or duplicated work.
>
> This patch adds a helper function in audit.c that can be called by
> netfilter code commonly, aiming to improve maintainability and
> consistency.
Acked-by: Florian Westphal <fw@strlen.de>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT
2025-11-14 12:36 [PATCH v7 0/2] audit: improve NETFILTER_PKT records Ricardo Robaina
2025-11-14 12:36 ` [PATCH v7 1/2] audit: add audit_log_nf_skb helper function Ricardo Robaina
@ 2025-11-14 12:36 ` Ricardo Robaina
2025-12-16 13:44 ` Florian Westphal
2025-12-16 2:07 ` [PATCH v7 0/2] audit: improve NETFILTER_PKT records Paul Moore
2 siblings, 1 reply; 9+ messages in thread
From: Ricardo Robaina @ 2025-11-14 12:36 UTC (permalink / raw)
To: audit, linux-kernel, netfilter-devel, coreteam
Cc: paul, eparis, fw, pablo, kadlec, Ricardo Robaina
NETFILTER_PKT records show both source and destination
addresses, in addition to the associated networking protocol.
However, it lacks the ports information, which is often
valuable for troubleshooting.
This patch adds both source and destination port numbers,
'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
SCTP-related NETFILTER_PKT records.
$ TESTS="netfilter_pkt" make -e test &> /dev/null
$ ausearch -i -ts recent |grep NETFILTER_PKT
type=NETFILTER_PKT ... proto=icmp
type=NETFILTER_PKT ... proto=ipv6-icmp
type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424
Link: https://github.com/linux-audit/audit-kernel/issues/162
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
kernel/audit.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 99 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5c302c4592db..39c4f26c484d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -60,6 +60,7 @@
#include <net/netns/generic.h>
#include <net/ip.h>
#include <net/ipv6.h>
+#include <linux/sctp.h>
#include "audit.h"
@@ -2517,8 +2518,55 @@ int audit_log_nf_skb(struct audit_buffer *ab,
if (!ih)
return -ENOMEM;
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
- &ih->saddr, &ih->daddr, ih->protocol);
+ switch (ih->protocol) {
+ case IPPROTO_TCP: {
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ th = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_tcph), &_tcph);
+ if (!th)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(th->source), ntohs(th->dest));
+ break;
+ }
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE: {
+ struct udphdr _udph;
+ const struct udphdr *uh;
+
+ uh = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_udph), &_udph);
+ if (!uh)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(uh->source), ntohs(uh->dest));
+ break;
+ }
+ case IPPROTO_SCTP: {
+ struct sctphdr _sctph;
+ const struct sctphdr *sh;
+
+ sh = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_sctph), &_sctph);
+ if (!sh)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(sh->source), ntohs(sh->dest));
+ break;
+ }
+ default:
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
+ }
+
break;
}
case NFPROTO_IPV6: {
@@ -2536,8 +2584,55 @@ int audit_log_nf_skb(struct audit_buffer *ab,
ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
&nexthdr, &frag_off);
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
+ switch (nexthdr) {
+ case IPPROTO_TCP: {
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ th = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_tcph), &_tcph);
+ if (!th)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(th->source), ntohs(th->dest));
+ break;
+ }
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE: {
+ struct udphdr _udph;
+ const struct udphdr *uh;
+
+ uh = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_udph), &_udph);
+ if (!uh)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(uh->source), ntohs(uh->dest));
+ break;
+ }
+ case IPPROTO_SCTP: {
+ struct sctphdr _sctph;
+ const struct sctphdr *sh;
+
+ sh = skb_header_pointer(skb, skb_transport_offset(skb),
+ sizeof(_sctph), &_sctph);
+ if (!sh)
+ return -ENOMEM;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(sh->source), ntohs(sh->dest));
+ break;
+ }
+ default:
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+ &ih->saddr, &ih->daddr, nexthdr);
+ }
+
break;
}
default:
--
2.51.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT
2025-11-14 12:36 ` [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT Ricardo Robaina
@ 2025-12-16 13:44 ` Florian Westphal
0 siblings, 0 replies; 9+ messages in thread
From: Florian Westphal @ 2025-12-16 13:44 UTC (permalink / raw)
To: Ricardo Robaina
Cc: audit, linux-kernel, netfilter-devel, coreteam, paul, eparis,
pablo, kadlec
Ricardo Robaina <rrobaina@redhat.com> wrote:
> NETFILTER_PKT records show both source and destination
> addresses, in addition to the associated networking protocol.
> However, it lacks the ports information, which is often
> valuable for troubleshooting.
>
> This patch adds both source and destination port numbers,
> 'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
> SCTP-related NETFILTER_PKT records.
>
> $ TESTS="netfilter_pkt" make -e test &> /dev/null
> $ ausearch -i -ts recent |grep NETFILTER_PKT
> type=NETFILTER_PKT ... proto=icmp
> type=NETFILTER_PKT ... proto=ipv6-icmp
> type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
> type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
> type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
> type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424
>
> Link: https://github.com/linux-audit/audit-kernel/issues/162
Acked-by: Florian Westphal <fw@strlen.de>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records
2025-11-14 12:36 [PATCH v7 0/2] audit: improve NETFILTER_PKT records Ricardo Robaina
2025-11-14 12:36 ` [PATCH v7 1/2] audit: add audit_log_nf_skb helper function Ricardo Robaina
2025-11-14 12:36 ` [PATCH v7 2/2] audit: include source and destination ports to NETFILTER_PKT Ricardo Robaina
@ 2025-12-16 2:07 ` Paul Moore
2025-12-16 16:10 ` Paul Moore
2 siblings, 1 reply; 9+ messages in thread
From: Paul Moore @ 2025-12-16 2:07 UTC (permalink / raw)
To: Ricardo Robaina, fw
Cc: audit, linux-kernel, netfilter-devel, coreteam, eparis, pablo,
kadlec
On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
>
> Currently, NETFILTER_PKT records lack source and destination
> port information, which is often valuable for troubleshooting.
> This patch series adds ports numbers, to NETFILTER_PKT records.
>
> The first patch refactors netfilter-related code, by moving
> duplicated code to audit.c, by creating audit_log_nf_skb()
> helper function.
> The second one, improves the NETFILTER_PKT records, by
> including source and destination ports for protocols of
> interest.
>
> Ricardo Robaina (2):
> audit: add audit_log_nf_skb helper function
> audit: include source and destination ports to NETFILTER_PKT
>
> include/linux/audit.h | 8 ++
> kernel/audit.c | 159 +++++++++++++++++++++++++++++++++++++++
> net/netfilter/nft_log.c | 58 +-------------
> net/netfilter/xt_AUDIT.c | 58 +-------------
> 4 files changed, 169 insertions(+), 114 deletions(-)
Thanks Ricardo, both patches look good to me, I'm going to merge them
into audit/dev-staging just to get some very basic testing, but if I
can get an ACK from Florian on the patchset I'll go ahead and move the
patches over to audit/dev (feeds into linux-next and the next merge
window).
--
paul-moore.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records
2025-12-16 2:07 ` [PATCH v7 0/2] audit: improve NETFILTER_PKT records Paul Moore
@ 2025-12-16 16:10 ` Paul Moore
2025-12-17 11:39 ` Ricardo Robaina
0 siblings, 1 reply; 9+ messages in thread
From: Paul Moore @ 2025-12-16 16:10 UTC (permalink / raw)
To: Ricardo Robaina, fw
Cc: audit, linux-kernel, netfilter-devel, coreteam, eparis, pablo,
kadlec
On Mon, Dec 15, 2025 at 9:07 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
> >
> > Currently, NETFILTER_PKT records lack source and destination
> > port information, which is often valuable for troubleshooting.
> > This patch series adds ports numbers, to NETFILTER_PKT records.
> >
> > The first patch refactors netfilter-related code, by moving
> > duplicated code to audit.c, by creating audit_log_nf_skb()
> > helper function.
> > The second one, improves the NETFILTER_PKT records, by
> > including source and destination ports for protocols of
> > interest.
> >
> > Ricardo Robaina (2):
> > audit: add audit_log_nf_skb helper function
> > audit: include source and destination ports to NETFILTER_PKT
> >
> > include/linux/audit.h | 8 ++
> > kernel/audit.c | 159 +++++++++++++++++++++++++++++++++++++++
> > net/netfilter/nft_log.c | 58 +-------------
> > net/netfilter/xt_AUDIT.c | 58 +-------------
> > 4 files changed, 169 insertions(+), 114 deletions(-)
>
> Thanks Ricardo, both patches look good to me, I'm going to merge them
> into audit/dev-staging just to get some very basic testing, but if I
> can get an ACK from Florian on the patchset I'll go ahead and move the
> patches over to audit/dev (feeds into linux-next and the next merge
> window).
I just moved these patches in audit/dev with Florian's ACK. Thanks everyone!
--
paul-moore.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v7 0/2] audit: improve NETFILTER_PKT records
2025-12-16 16:10 ` Paul Moore
@ 2025-12-17 11:39 ` Ricardo Robaina
0 siblings, 0 replies; 9+ messages in thread
From: Ricardo Robaina @ 2025-12-17 11:39 UTC (permalink / raw)
To: Paul Moore
Cc: fw, audit, linux-kernel, netfilter-devel, coreteam, eparis, pablo,
kadlec
On Tue, Dec 16, 2025 at 1:10 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Mon, Dec 15, 2025 at 9:07 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Nov 14, 2025 at 7:36 AM Ricardo Robaina <rrobaina@redhat.com> wrote:
> > >
> > > Currently, NETFILTER_PKT records lack source and destination
> > > port information, which is often valuable for troubleshooting.
> > > This patch series adds ports numbers, to NETFILTER_PKT records.
> > >
> > > The first patch refactors netfilter-related code, by moving
> > > duplicated code to audit.c, by creating audit_log_nf_skb()
> > > helper function.
> > > The second one, improves the NETFILTER_PKT records, by
> > > including source and destination ports for protocols of
> > > interest.
> > >
> > > Ricardo Robaina (2):
> > > audit: add audit_log_nf_skb helper function
> > > audit: include source and destination ports to NETFILTER_PKT
> > >
> > > include/linux/audit.h | 8 ++
> > > kernel/audit.c | 159 +++++++++++++++++++++++++++++++++++++++
> > > net/netfilter/nft_log.c | 58 +-------------
> > > net/netfilter/xt_AUDIT.c | 58 +-------------
> > > 4 files changed, 169 insertions(+), 114 deletions(-)
> >
> > Thanks Ricardo, both patches look good to me, I'm going to merge them
> > into audit/dev-staging just to get some very basic testing, but if I
> > can get an ACK from Florian on the patchset I'll go ahead and move the
> > patches over to audit/dev (feeds into linux-next and the next merge
> > window).
>
> I just moved these patches in audit/dev with Florian's ACK. Thanks everyone!
>
> --
> paul-moore.com
>
I'm happy to hear it. Thanks, Paul and Florian!
^ permalink raw reply [flat|nested] 9+ messages in thread