On Fri, Sep 22, 2023 at 9:53 PM Phil Sutter <phil@xxxxxx> wrote:
>
> When adding/updating an object, the transaction handler emits suitable
> audit log entries already, the one in nft_obj_notify() is redundant. To
> fix that (and retain the audit logging from objects' 'update' callback),
> introduce an "audit log free" variant for internal use.
>
> Fixes: c520292f29b80 ("audit: log nftables configuration change events once per table")
> Signed-off-by: Phil Sutter <phil@xxxxxx>
> ---
>  net/netfilter/nf_tables_api.c | 44 ++++++++++++-------
>  .../testing/selftests/netfilter/nft_audit.sh | 20 +++++++++
>  2 files changed, 48 insertions(+), 16 deletions(-)

Thanks for working on this Phil, it looks good to me from an audit perspective.

Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> (Audit)

--
paul-moore.com