[PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[Ricardo Robaina]

NETFILTER_PKT records show both source and destination
addresses, in addition to the associated networking protocol.
However, it lacks the ports information, which is often
valuable for troubleshooting.

This patch adds both source and destination port numbers,
'sport' and 'dport' respectively, only to tcp/udp-related
NETFILTER_PKT records.

 # ./audit-testsuite/tests/netfilter_pkt/test &> /dev/null
 # ausearch -i -m netfilter_pkt |tail -n12
 type=NETFILTER_PKT ... saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
 ----
 type=NETFILTER_PKT ... saddr=::1 daddr=::1 proto=ipv6-icmp
 ----
 type=NETFILTER_PKT ... daddr=127.0.0.1 proto=udp sport=38173 dport=42424
 ----
 type=NETFILTER_PKT ... daddr=::1 proto=udp sport=56852 dport=42424
 ----
 type=NETFILTER_PKT ... daddr=127.0.0.1 proto=tcp sport=57022 dport=42424
 ----
 type=NETFILTER_PKT ... daddr=::1 proto=tcp sport=50810 dport=42424

Link: https://github.com/linux-audit/audit-kernel/issues/162
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 net/netfilter/xt_AUDIT.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index b6a015aee0ce..96a18675d468 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -32,6 +32,7 @@ static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 {
 	struct iphdr _iph;
 	const struct iphdr *ih;
+	__be16 dport, sport;
 
 	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
 	if (!ih)
@@ -40,6 +41,19 @@ static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
 			 &ih->saddr, &ih->daddr, ih->protocol);
 
+	switch (ih->protocol) {
+	case IPPROTO_TCP:
+		sport = tcp_hdr(skb)->source;
+		dport = tcp_hdr(skb)->dest;
+		break;
+	case IPPROTO_UDP:
+		sport = udp_hdr(skb)->source;
+		dport = udp_hdr(skb)->dest;
+	}
+
+	if (ih->protocol == IPPROTO_TCP || ih->protocol == IPPROTO_UDP)
+		audit_log_format(ab, " sport=%hu dport=%hu", ntohs(sport), ntohs(dport));
+
 	return true;
 }
 
@@ -48,7 +62,7 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 	struct ipv6hdr _ip6h;
 	const struct ipv6hdr *ih;
 	u8 nexthdr;
-	__be16 frag_off;
+	__be16 frag_off, dport, sport;
 
 	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
 	if (!ih)
@@ -60,6 +74,19 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
 			 &ih->saddr, &ih->daddr, nexthdr);
 
+	switch (ih->nexthdr) {
+	case IPPROTO_TCP:
+		sport = tcp_hdr(skb)->source;
+		dport = tcp_hdr(skb)->dest;
+		break;
+	case IPPROTO_UDP:
+		sport = udp_hdr(skb)->source;
+		dport = udp_hdr(skb)->dest;
+	}
+
+	if (ih->nexthdr == IPPROTO_TCP || ih->nexthdr == IPPROTO_UDP)
+		audit_log_format(ab, " sport=%hu dport=%hu", ntohs(sport), ntohs(dport));
+
 	return true;
 }
 
-- 
2.51.0

Re: [PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[Jan Engelhardt]

On Monday 2025-09-22 22:09, Ricardo Robaina wrote:

>NETFILTER_PKT records show both source and destination
>addresses, in addition to the associated networking protocol.
>However, it lacks the ports information, which is often
>valuable for troubleshooting.
>
>+	switch (ih->protocol) {
>+	case IPPROTO_TCP:
>+		sport = tcp_hdr(skb)->source;
>+		dport = tcp_hdr(skb)->dest;
>+		break;
>+	case IPPROTO_UDP:
>+		sport = udp_hdr(skb)->source;
>+		dport = udp_hdr(skb)->dest;
>+	}

Should be easy enough to add the cases for UDPLITE,
SCTP and DCCP, right?

Re: [PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[Ricardo Robaina]

On Mon, Sep 22, 2025 at 8:29 PM Jan Engelhardt <ej@inai.de> wrote:
>
>
> On Monday 2025-09-22 22:09, Ricardo Robaina wrote:
>
> >NETFILTER_PKT records show both source and destination
> >addresses, in addition to the associated networking protocol.
> >However, it lacks the ports information, which is often
> >valuable for troubleshooting.
> >
> >+      switch (ih->protocol) {
> >+      case IPPROTO_TCP:
> >+              sport = tcp_hdr(skb)->source;
> >+              dport = tcp_hdr(skb)->dest;
> >+              break;
> >+      case IPPROTO_UDP:
> >+              sport = udp_hdr(skb)->source;
> >+              dport = udp_hdr(skb)->dest;
> >+      }
>
> Should be easy enough to add the cases for UDPLITE,
> SCTP and DCCP, right?
>

Thanks for reviewing this patch, Jan.

Yes, it should. I assume it’s safe to use udp_hdr() for the UDP-Lite
case as well, right?

It seems DCCP has been retired by commit 2a63dd0edf38 (“net: Retire
DCCP socket.”). I’ll work on a V2, adding cases for both UDP-Lite and
SCTP.

Re: [PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[Florian Westphal]

Ricardo Robaina <rrobaina@redhat.com> wrote:
> It seems DCCP has been retired by commit 2a63dd0edf38 (“net: Retire
> DCCP socket.”). I’ll work on a V2, adding cases for both UDP-Lite and
> SCTP.

Thanks.  This will also need a formal ack from audit maintainers.

Re: [PATCH v1] audit: include source and destination ports to NETFILTER_PKT

[Paul Moore]

On Tue, Sep 23, 2025 at 1:44 PM Florian Westphal <fw@strlen.de> wrote:
> Ricardo Robaina <rrobaina@redhat.com> wrote:
> > It seems DCCP has been retired by commit 2a63dd0edf38 (“net: Retire
> > DCCP socket.”). I’ll work on a V2, adding cases for both UDP-Lite and
> > SCTP.
>
> Thanks.  This will also need a formal ack from audit maintainers.

It's in my queue, but considering we're at -rc7 this is a few notches
down on my priority list as this isn't something I would consider for
the upcoming merge window.

-- 
paul-moore.com