[nf PATCH 0/3] Review nf_tables audit logging

When working on locking for reset commands, some audit log calls had to
be adjusted as well. This series deals with the "fallout" from adding
tests for the changed log calls, dealing with the uncovered issues and
adding more tests.

Patch 1 adds more testing to nft_audit.sh for commands which are

Patch 2 deals with (likely) leftovers from audit log flood prevention in
commit c520292f29b80 ("audit: log nftables configuration change events
once per table").

Patch 3 changes logging for object reset requests to happen once per
table (if skb size is sufficient) and thereby aligns output with object
add requests. As a side-effect, logging is fixed to happen after the
actual reset has succeeded, not before.

NOTE: This whole series probably depends on the reset locking series[1]
submitted earlier, but there's no functional connection and reviews
should happen independently.

[1] https://lore.kernel.org/netfilter-devel/20230923013807.11398-1-phil@xxxxxx/

Phil Sutter (3):
  selftests: netfilter: Extend nft_audit.sh
  netfilter: nf_tables: Deduplicate nft_register_obj audit logs
  netfilter: nf_tables: Audit log object reset once per table

 net/netfilter/nf_tables_api.c                 |  95 +++++-----
 .../testing/selftests/netfilter/nft_audit.sh  | 163 ++++++++++++++++--
 2 files changed, 203 insertions(+), 55 deletions(-)
