Re: [nf PATCH 0/3] Review nf_tables audit logging

On Fri, Sep 22, 2023 at 9:53 PM Phil Sutter <phil@xxxxxx> wrote:
>
> When working on locking for reset commands, some audit log calls had to
> be adjusted as well. This series deals with the "fallout" from adding
> tests for the changed log calls, dealing with the uncovered issues and
> adding more tests.
>
> Patch 1 adds more testing to nft_audit.sh for commands which are
> unproblematic.
>
> Patch 2 deals with (likely) leftovers from audit log flood prevention in
> commit c520292f29b80 ("audit: log nftables configuration change events
> once per table").
>
> Patch 3 changes logging for object reset requests to happen once per
> table (if skb size is sufficient) and thereby aligns output with object
> add requests. As a side-effect, logging is fixed to happen after the
> actual reset has succeeded, not before.
>
> NOTE: This whole series probably depends on the reset locking series[1]
> submitted earlier, but there's no functional connection and reviews
> should happen independently.
>
> [1] https://lore.kernel.org/netfilter-devel/20230923013807.11398-1-phil@xxxxxx/
>
> Phil Sutter (3):
>   selftests: netfilter: Extend nft_audit.sh
>   netfilter: nf_tables: Deduplicate nft_register_obj audit logs
>   netfilter: nf_tables: Audit log object reset once per table
>
>  net/netfilter/nf_tables_api.c                 |  95 +++++-----
>  .../testing/selftests/netfilter/nft_audit.sh  | 163 ++++++++++++++++--
>  2 files changed, 203 insertions(+), 55 deletions(-)

Hi Phil,

Thanks for continuing to work on this; my network access is limited at
the moment, but I hope to be able to review this next week.

-- 
paul-moore.com
