Hi,

On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is used by the nft-variant of iptables in
> addition to nftables itself.
>
> Add calls to log the configuration actions in the nftables netlink api.

As discussed offline already, these audit notifications are pretty hefty performance-wise. In an internal report, 300% restore time of a ruleset containing 70k set elements is measured.

If I'm not mistaken, iptables emits a single audit log per table, ipset doesn't support audit at all. So I wonder how much audit logging is required at all (for certification or whatever reason). How much granularity is desired?

I personally would notify once per transaction. This is easy and quick. Once per table or chain should be acceptable, as well. At the very least, we should not have to notify once per each element. This is the last resort of fast ruleset adjustments. If we lose it, people are better off with ipset IMHO.

Unlike nft monitor, auditd is not designed to be disabled "at will". So turning it off for performance-critical workloads is not an option.

Cheers, Phil