[PATCH v4 0/2] audit: improve NETFILTER_PKT records

[PATCH v4 0/2] audit: improve NETFILTER_PKT records

[Ricardo Robaina]

The first patch moves duplicated code from netfilter-related source
files to audit.c by creating two helper functions 'audit_log_packet_ip4'
and 'audit_log_packet_ip6'. The second one improves the NETFILTER_PKT
records, by including source and destination ports for protocols of
interest.

Ricardo Robaina (2):
  audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper
    functions
  audit: include source and destination ports to NETFILTER_PKT

 include/linux/audit.h    |   2 +
 kernel/audit.c           | 120 +++++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  |  43 ++------------
 net/netfilter/xt_AUDIT.c |  43 ++------------
 4 files changed, 130 insertions(+), 78 deletions(-)

-- 
2.51.0

[PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions

[Ricardo Robaina]

Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
have to be kept in sync. Both source files had duplicated versions of
audit_ip4() and audit_ip6() functions, which can result in lack of
consistency and/or duplicated work.

This patch adds two helper functions in audit.c that can be called by
netfilter code commonly, aiming to improve maintainability and
consistency.

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 include/linux/audit.h    |  2 ++
 kernel/audit.c           | 39 ++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  | 43 ++++------------------------------------
 net/netfilter/xt_AUDIT.c | 43 ++++------------------------------------
 4 files changed, 49 insertions(+), 78 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 536f8ee8da81..5edb83ea63fd 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -195,6 +195,8 @@ extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab);
+extern bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb);
+extern bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *skb);
 
 extern int		    audit_update_lsm_rules(void);
 
diff --git a/kernel/audit.c b/kernel/audit.c
index 26a332ffb1b8..09764003db74 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,8 @@
 #include <linux/freezer.h>
 #include <linux/pid_namespace.h>
 #include <net/netns/generic.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 
 #include "audit.h"
 
@@ -2538,6 +2540,43 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
 	audit_log_end(ab);
 }
 
+bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+{
+	struct iphdr _iph;
+	const struct iphdr *ih;
+
+	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
+	if (!ih)
+		return false;
+
+	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+			 &ih->saddr, &ih->daddr, ih->protocol);
+
+	return true;
+}
+EXPORT_SYMBOL(audit_log_packet_ip4);
+
+bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+{
+	struct ipv6hdr _ip6h;
+	const struct ipv6hdr *ih;
+	u8 nexthdr;
+	__be16 frag_off;
+
+	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
+	if (!ih)
+		return false;
+
+	nexthdr = ih->nexthdr;
+	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
+
+	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+			 &ih->saddr, &ih->daddr, nexthdr);
+
+	return true;
+}
+EXPORT_SYMBOL(audit_log_packet_ip6);
+
 /**
  * audit_set_loginuid - set current task's loginuid
  * @loginuid: loginuid value
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index e35588137995..f53fb4222134 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -26,41 +26,6 @@ struct nft_log {
 	char			*prefix;
 };
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 {
 	struct sk_buff *skb = pkt->skb;
@@ -80,18 +45,18 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 	case NFPROTO_BRIDGE:
 		switch (eth_hdr(skb)->h_proto) {
 		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+			fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
 			break;
 		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+			fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
 			break;
 		}
 		break;
 	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+		fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
 		break;
 	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+		fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
 		break;
 	}
 
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index b6a015aee0ce..28cdd6435d56 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -28,41 +28,6 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
@@ -81,18 +46,18 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	case NFPROTO_BRIDGE:
 		switch (eth_hdr(skb)->h_proto) {
 		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+			fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
 			break;
 		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+			fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
 			break;
 		}
 		break;
 	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+		fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
 		break;
 	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+		fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
 		break;
 	}
 
-- 
2.51.0

Re: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions

[kernel test robot]

Hi Ricardo,

kernel test robot noticed the following build errors:

[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on netfilter-nf/main linus/master v6.18-rc3 next-20251031]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link:    https://lore.kernel.org/r/cfafc5247fbfcd2561de16bcff67c1afd5676c9e.1761918165.git.rrobaina%40redhat.com
patch subject: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions
config: s390-randconfig-002-20251101 (https://download.01.org/0day-ci/archive/20251101/202511011350.ye4VgG6l-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project be2081d9457ed095c4a6ebe2a920f0f7b76369c6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511011350.ye4VgG6l-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511011350.ye4VgG6l-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/netfilter/nft_log.c:48:10: error: call to undeclared function 'audit_log_packet_ip4'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
      48 |                         fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
         |                               ^
>> net/netfilter/nft_log.c:51:10: error: call to undeclared function 'audit_log_packet_ip6'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
      51 |                         fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
         |                               ^
   net/netfilter/nft_log.c:56:9: error: call to undeclared function 'audit_log_packet_ip4'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
      56 |                 fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
         |                       ^
   net/netfilter/nft_log.c:59:9: error: call to undeclared function 'audit_log_packet_ip6'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
      59 |                 fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
         |                       ^
   4 errors generated.


vim +/audit_log_packet_ip4 +48 net/netfilter/nft_log.c

    28	
    29	static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
    30	{
    31		struct sk_buff *skb = pkt->skb;
    32		struct audit_buffer *ab;
    33		int fam = -1;
    34	
    35		if (!audit_enabled)
    36			return;
    37	
    38		ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
    39		if (!ab)
    40			return;
    41	
    42		audit_log_format(ab, "mark=%#x", skb->mark);
    43	
    44		switch (nft_pf(pkt)) {
    45		case NFPROTO_BRIDGE:
    46			switch (eth_hdr(skb)->h_proto) {
    47			case htons(ETH_P_IP):
  > 48				fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
    49				break;
    50			case htons(ETH_P_IPV6):
  > 51				fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
    52				break;
    53			}
    54			break;
    55		case NFPROTO_IPV4:
    56			fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
    57			break;
    58		case NFPROTO_IPV6:
    59			fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
    60			break;
    61		}
    62	
    63		if (fam == -1)
    64			audit_log_format(ab, " saddr=? daddr=? proto=-1");
    65	
    66		audit_log_end(ab);
    67	}
    68	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions

[kernel test robot]

Hi Ricardo,

kernel test robot noticed the following build errors:

[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link:    https://lore.kernel.org/r/cfafc5247fbfcd2561de16bcff67c1afd5676c9e.1761918165.git.rrobaina%40redhat.com
patch subject: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions
config: m68k-defconfig (https://download.01.org/0day-ci/archive/20251101/202511012016.TaXzGDDi-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511012016.TaXzGDDi-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511012016.TaXzGDDi-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/nft_log.c: In function 'nft_log_eval_audit':
>> net/netfilter/nft_log.c:48:31: error: implicit declaration of function 'audit_log_packet_ip4'; did you mean 'audit_log_capset'? [-Wimplicit-function-declaration]
      48 |                         fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
         |                               ^~~~~~~~~~~~~~~~~~~~
         |                               audit_log_capset
>> net/netfilter/nft_log.c:51:31: error: implicit declaration of function 'audit_log_packet_ip6'; did you mean 'audit_log_capset'? [-Wimplicit-function-declaration]
      51 |                         fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
         |                               ^~~~~~~~~~~~~~~~~~~~
         |                               audit_log_capset


vim +48 net/netfilter/nft_log.c

    28	
    29	static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
    30	{
    31		struct sk_buff *skb = pkt->skb;
    32		struct audit_buffer *ab;
    33		int fam = -1;
    34	
    35		if (!audit_enabled)
    36			return;
    37	
    38		ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
    39		if (!ab)
    40			return;
    41	
    42		audit_log_format(ab, "mark=%#x", skb->mark);
    43	
    44		switch (nft_pf(pkt)) {
    45		case NFPROTO_BRIDGE:
    46			switch (eth_hdr(skb)->h_proto) {
    47			case htons(ETH_P_IP):
  > 48				fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
    49				break;
    50			case htons(ETH_P_IPV6):
  > 51				fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
    52				break;
    53			}
    54			break;
    55		case NFPROTO_IPV4:
    56			fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
    57			break;
    58		case NFPROTO_IPV6:
    59			fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
    60			break;
    61		}
    62	
    63		if (fam == -1)
    64			audit_log_format(ab, " saddr=? daddr=? proto=-1");
    65	
    66		audit_log_end(ab);
    67	}
    68	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions

[Ricardo Robaina]

I didn't get these warning messages in my local build. I'll fix it and
submit a new version.

On Sat, Nov 1, 2025 at 10:15 AM kernel test robot <lkp@intel.com> wrote:
>
> Hi Ricardo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on pcmoore-audit/next]
> [also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
> patch link:    https://lore.kernel.org/r/cfafc5247fbfcd2561de16bcff67c1afd5676c9e.1761918165.git.rrobaina%40redhat.com
> patch subject: [PATCH v4 1/2] audit: add audit_log_packet_ip4 and audit_log_packet_ip6 helper functions
> config: m68k-defconfig (https://download.01.org/0day-ci/archive/20251101/202511012016.TaXzGDDi-lkp@intel.com/config)
> compiler: m68k-linux-gcc (GCC) 15.1.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511012016.TaXzGDDi-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202511012016.TaXzGDDi-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
>    net/netfilter/nft_log.c: In function 'nft_log_eval_audit':
> >> net/netfilter/nft_log.c:48:31: error: implicit declaration of function 'audit_log_packet_ip4'; did you mean 'audit_log_capset'? [-Wimplicit-function-declaration]
>       48 |                         fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
>          |                               ^~~~~~~~~~~~~~~~~~~~
>          |                               audit_log_capset
> >> net/netfilter/nft_log.c:51:31: error: implicit declaration of function 'audit_log_packet_ip6'; did you mean 'audit_log_capset'? [-Wimplicit-function-declaration]
>       51 |                         fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
>          |                               ^~~~~~~~~~~~~~~~~~~~
>          |                               audit_log_capset
>
>
> vim +48 net/netfilter/nft_log.c
>
>     28
>     29  static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>     30  {
>     31          struct sk_buff *skb = pkt->skb;
>     32          struct audit_buffer *ab;
>     33          int fam = -1;
>     34
>     35          if (!audit_enabled)
>     36                  return;
>     37
>     38          ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>     39          if (!ab)
>     40                  return;
>     41
>     42          audit_log_format(ab, "mark=%#x", skb->mark);
>     43
>     44          switch (nft_pf(pkt)) {
>     45          case NFPROTO_BRIDGE:
>     46                  switch (eth_hdr(skb)->h_proto) {
>     47                  case htons(ETH_P_IP):
>   > 48                          fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
>     49                          break;
>     50                  case htons(ETH_P_IPV6):
>   > 51                          fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
>     52                          break;
>     53                  }
>     54                  break;
>     55          case NFPROTO_IPV4:
>     56                  fam = audit_log_packet_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
>     57                  break;
>     58          case NFPROTO_IPV6:
>     59                  fam = audit_log_packet_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
>     60                  break;
>     61          }
>     62
>     63          if (fam == -1)
>     64                  audit_log_format(ab, " saddr=? daddr=? proto=-1");
>     65
>     66          audit_log_end(ab);
>     67  }
>     68
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

[PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT

[Ricardo Robaina]

NETFILTER_PKT records show both source and destination
addresses, in addition to the associated networking protocol.
However, it lacks the ports information, which is often
valuable for troubleshooting.

This patch adds both source and destination port numbers,
'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
SCTP-related NETFILTER_PKT records.

 $ TESTS="netfilter_pkt" make -e test &> /dev/null
 $ ausearch -i -ts recent |grep NETFILTER_PKT
 type=NETFILTER_PKT ... proto=icmp
 type=NETFILTER_PKT ... proto=ipv6-icmp
 type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
 type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
 type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
 type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424

Link: https://github.com/linux-audit/audit-kernel/issues/162

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 kernel/audit.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 85 insertions(+), 4 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 09764003db74..bc7217402a35 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -60,6 +60,7 @@
 #include <net/netns/generic.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
+#include <linux/sctp.h>
 
 #include "audit.h"
 
@@ -2549,8 +2550,48 @@ bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 	if (!ih)
 		return false;
 
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
+	switch (ih->protocol) {
+	case IPPROTO_TCP:
+		struct tcphdr _tcph;
+		const struct tcphdr *th;
+
+		th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
+		if (!th)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, ih->protocol,
+				 ntohs(th->source), ntohs(th->dest));
+		break;
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		struct udphdr _udph;
+		const struct udphdr *uh;
+
+		uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
+		if (!uh)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, ih->protocol,
+				 ntohs(uh->source), ntohs(uh->dest));
+		break;
+	case IPPROTO_SCTP:
+		struct sctphdr _sctph;
+		const struct sctphdr *sh;
+
+		sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
+		if (!sh)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, ih->protocol,
+				 ntohs(sh->source), ntohs(sh->dest));
+		break;
+	default:
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+				 &ih->saddr, &ih->daddr, ih->protocol);
+	}
 
 	return true;
 }
@@ -2570,8 +2611,48 @@ bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 	nexthdr = ih->nexthdr;
 	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
 
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
+	switch (nexthdr) {
+	case IPPROTO_TCP:
+		struct tcphdr _tcph;
+		const struct tcphdr *th;
+
+		th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
+		if (!th)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, nexthdr,
+				 ntohs(th->source), ntohs(th->dest));
+		break;
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		struct udphdr _udph;
+		const struct udphdr *uh;
+
+		uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
+		if (!uh)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, nexthdr,
+				 ntohs(uh->source), ntohs(uh->dest));
+		break;
+	case IPPROTO_SCTP:
+		struct sctphdr _sctph;
+		const struct sctphdr *sh;
+
+		sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
+		if (!sh)
+			return false;
+
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+				 &ih->saddr, &ih->daddr, nexthdr,
+				 ntohs(sh->source), ntohs(sh->dest));
+		break;
+	default:
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+				 &ih->saddr, &ih->daddr, nexthdr);
+	}
 
 	return true;
 }
-- 
2.51.0

Re: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT

[kernel test robot]

Hi Ricardo,

kernel test robot noticed the following build errors:

[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link:    https://lore.kernel.org/r/6ac2baf0d5ae176cbd3279a4dff9e2c7750c6d45.1761918165.git.rrobaina%40redhat.com
patch subject: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT
config: arc-randconfig-002-20251101 (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/config)
compiler: arc-linux-gcc (GCC) 8.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511011146.aPtw8SOn-lkp@intel.com/

All errors (new ones prefixed by >>):

   kernel/audit.c: In function 'audit_log_packet_ip4':
>> kernel/audit.c:2555:3: error: a label can only be part of a statement and a declaration is not a statement
      struct tcphdr _tcph;
      ^~~~~~
>> kernel/audit.c:2556:3: error: expected expression before 'const'
      const struct tcphdr *th;
      ^~~~~
>> kernel/audit.c:2558:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
      th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
      ^~
      ih
   kernel/audit.c:2558:3: note: each undeclared identifier is reported only once for each function it appears in
   kernel/audit.c:2568:3: error: a label can only be part of a statement and a declaration is not a statement
      struct udphdr _udph;
      ^~~~~~
   kernel/audit.c:2569:3: error: expected expression before 'const'
      const struct udphdr *uh;
      ^~~~~
>> kernel/audit.c:2571:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
      uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
      ^~
      ih
   kernel/audit.c:2580:3: error: a label can only be part of a statement and a declaration is not a statement
      struct sctphdr _sctph;
      ^~~~~~
   kernel/audit.c:2581:3: error: expected expression before 'const'
      const struct sctphdr *sh;
      ^~~~~
>> kernel/audit.c:2583:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
      sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
      ^~
      ih
   kernel/audit.c: In function 'audit_log_packet_ip6':
   kernel/audit.c:2616:3: error: a label can only be part of a statement and a declaration is not a statement
      struct tcphdr _tcph;
      ^~~~~~
   kernel/audit.c:2617:3: error: expected expression before 'const'
      const struct tcphdr *th;
      ^~~~~
   kernel/audit.c:2619:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
      th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
      ^~
      ih
   kernel/audit.c:2629:3: error: a label can only be part of a statement and a declaration is not a statement
      struct udphdr _udph;
      ^~~~~~
   kernel/audit.c:2630:3: error: expected expression before 'const'
      const struct udphdr *uh;
      ^~~~~
   kernel/audit.c:2632:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
      uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
      ^~
      ih
   kernel/audit.c:2641:3: error: a label can only be part of a statement and a declaration is not a statement
      struct sctphdr _sctph;
      ^~~~~~
   kernel/audit.c:2642:3: error: expected expression before 'const'
      const struct sctphdr *sh;
      ^~~~~
   kernel/audit.c:2644:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
      sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
      ^~
      ih


vim +2555 kernel/audit.c

  2543	
  2544	bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
  2545	{
  2546		struct iphdr _iph;
  2547		const struct iphdr *ih;
  2548	
  2549		ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
  2550		if (!ih)
  2551			return false;
  2552	
  2553		switch (ih->protocol) {
  2554		case IPPROTO_TCP:
> 2555			struct tcphdr _tcph;
> 2556			const struct tcphdr *th;
  2557	
> 2558			th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
  2559			if (!th)
  2560				return false;
  2561	
  2562			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
  2563					 &ih->saddr, &ih->daddr, ih->protocol,
  2564					 ntohs(th->source), ntohs(th->dest));
  2565			break;
  2566		case IPPROTO_UDP:
  2567		case IPPROTO_UDPLITE:
  2568			struct udphdr _udph;
  2569			const struct udphdr *uh;
  2570	
> 2571			uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
  2572			if (!uh)
  2573				return false;
  2574	
  2575			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
  2576					 &ih->saddr, &ih->daddr, ih->protocol,
  2577					 ntohs(uh->source), ntohs(uh->dest));
  2578			break;
  2579		case IPPROTO_SCTP:
  2580			struct sctphdr _sctph;
  2581			const struct sctphdr *sh;
  2582	
> 2583			sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
  2584			if (!sh)
  2585				return false;
  2586	
  2587			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
  2588					 &ih->saddr, &ih->daddr, ih->protocol,
  2589					 ntohs(sh->source), ntohs(sh->dest));
  2590			break;
  2591		default:
  2592			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
  2593					 &ih->saddr, &ih->daddr, ih->protocol);
  2594		}
  2595	
  2596		return true;
  2597	}
  2598	EXPORT_SYMBOL(audit_log_packet_ip4);
  2599	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT

[Ricardo Robaina]

Same thing here. I didn't get these warning messages in my local
build. I'll fix it and submit a new version.

On Sat, Nov 1, 2025 at 1:05 AM kernel test robot <lkp@intel.com> wrote:
>
> Hi Ricardo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on pcmoore-audit/next]
> [also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
> patch link:    https://lore.kernel.org/r/6ac2baf0d5ae176cbd3279a4dff9e2c7750c6d45.1761918165.git.rrobaina%40redhat.com
> patch subject: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT
> config: arc-randconfig-002-20251101 (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/config)
> compiler: arc-linux-gcc (GCC) 8.5.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202511011146.aPtw8SOn-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
>    kernel/audit.c: In function 'audit_log_packet_ip4':
> >> kernel/audit.c:2555:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct tcphdr _tcph;
>       ^~~~~~
> >> kernel/audit.c:2556:3: error: expected expression before 'const'
>       const struct tcphdr *th;
>       ^~~~~
> >> kernel/audit.c:2558:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
>       th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
>       ^~
>       ih
>    kernel/audit.c:2558:3: note: each undeclared identifier is reported only once for each function it appears in
>    kernel/audit.c:2568:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct udphdr _udph;
>       ^~~~~~
>    kernel/audit.c:2569:3: error: expected expression before 'const'
>       const struct udphdr *uh;
>       ^~~~~
> >> kernel/audit.c:2571:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
>       uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
>       ^~
>       ih
>    kernel/audit.c:2580:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct sctphdr _sctph;
>       ^~~~~~
>    kernel/audit.c:2581:3: error: expected expression before 'const'
>       const struct sctphdr *sh;
>       ^~~~~
> >> kernel/audit.c:2583:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
>       sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
>       ^~
>       ih
>    kernel/audit.c: In function 'audit_log_packet_ip6':
>    kernel/audit.c:2616:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct tcphdr _tcph;
>       ^~~~~~
>    kernel/audit.c:2617:3: error: expected expression before 'const'
>       const struct tcphdr *th;
>       ^~~~~
>    kernel/audit.c:2619:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
>       th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
>       ^~
>       ih
>    kernel/audit.c:2629:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct udphdr _udph;
>       ^~~~~~
>    kernel/audit.c:2630:3: error: expected expression before 'const'
>       const struct udphdr *uh;
>       ^~~~~
>    kernel/audit.c:2632:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
>       uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
>       ^~
>       ih
>    kernel/audit.c:2641:3: error: a label can only be part of a statement and a declaration is not a statement
>       struct sctphdr _sctph;
>       ^~~~~~
>    kernel/audit.c:2642:3: error: expected expression before 'const'
>       const struct sctphdr *sh;
>       ^~~~~
>    kernel/audit.c:2644:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
>       sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
>       ^~
>       ih
>
>
> vim +2555 kernel/audit.c
>
>   2543
>   2544  bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
>   2545  {
>   2546          struct iphdr _iph;
>   2547          const struct iphdr *ih;
>   2548
>   2549          ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
>   2550          if (!ih)
>   2551                  return false;
>   2552
>   2553          switch (ih->protocol) {
>   2554          case IPPROTO_TCP:
> > 2555                  struct tcphdr _tcph;
> > 2556                  const struct tcphdr *th;
>   2557
> > 2558                  th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
>   2559                  if (!th)
>   2560                          return false;
>   2561
>   2562                  audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
>   2563                                   &ih->saddr, &ih->daddr, ih->protocol,
>   2564                                   ntohs(th->source), ntohs(th->dest));
>   2565                  break;
>   2566          case IPPROTO_UDP:
>   2567          case IPPROTO_UDPLITE:
>   2568                  struct udphdr _udph;
>   2569                  const struct udphdr *uh;
>   2570
> > 2571                  uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
>   2572                  if (!uh)
>   2573                          return false;
>   2574
>   2575                  audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
>   2576                                   &ih->saddr, &ih->daddr, ih->protocol,
>   2577                                   ntohs(uh->source), ntohs(uh->dest));
>   2578                  break;
>   2579          case IPPROTO_SCTP:
>   2580                  struct sctphdr _sctph;
>   2581                  const struct sctphdr *sh;
>   2582
> > 2583                  sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
>   2584                  if (!sh)
>   2585                          return false;
>   2586
>   2587                  audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
>   2588                                   &ih->saddr, &ih->daddr, ih->protocol,
>   2589                                   ntohs(sh->source), ntohs(sh->dest));
>   2590                  break;
>   2591          default:
>   2592                  audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
>   2593                                   &ih->saddr, &ih->daddr, ih->protocol);
>   2594          }
>   2595
>   2596          return true;
>   2597  }
>   2598  EXPORT_SYMBOL(audit_log_packet_ip4);
>   2599
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>