On Fri, Sep 22, 2023 at 9:53 PM Phil Sutter <phil@xxxxxx> wrote:
>
> When working on locking for reset commands, some audit log calls had to
> be adjusted as well. This series deals with the "fallout" from adding
> tests for the changed log calls, dealing with the uncovered issues and
> adding more tests.
>
> Patch 1 adds more testing to nft_audit.sh for commands which are
> unproblematic.
>
> Patch 2 deals with (likely) leftovers from audit log flood prevention in
> commit c520292f29b80 ("audit: log nftables configuration change events
> once per table").
>
> Patch 3 changes logging for object reset requests to happen once per
> table (if skb size is sufficient) and thereby aligns output with object
> add requests. As a side-effect, logging is fixed to happen after the
> actual reset has succeeded, not before.
>
> NOTE: This whole series probably depends on the reset locking series[1]
> submitted earlier, but there's no functional connection and reviews
> should happen independently.
>
> [1] https://lore.kernel.org/netfilter-devel/20230923013807.11398-1-phil@xxxxxx/
>
> Phil Sutter (3):
> selftests: netfilter: Extend nft_audit.sh
> netfilter: nf_tables: Deduplicate nft_register_obj audit logs
> netfilter: nf_tables: Audit log object reset once per table
>
> net/netfilter/nf_tables_api.c | 95 +++++-----
> .../testing/selftests/netfilter/nft_audit.sh | 163 ++++++++++++++++--
> 2 files changed, 203 insertions(+), 55 deletions(-)
Hi Phil,
Thanks for continuing to work on this, my network access is limited at
the moment but I hope to be able to review this next week.
--
paul-moore.com
