[PATCH V2] audit: normalize NETFILTER_PKT

Paul Moore paul at paul-moore.com
Fri Feb 24 05:56:04 UTC 2017


On Thu, Feb 23, 2017 at 8:59 PM, Florian Westphal <fw at strlen.de> wrote:
> Richard Guy Briggs <rgb at redhat.com> wrote:
>> > Not following, sorry, are you saying users can/should use -j MARK
>> > somehow?
>>
>> Part of the discussed design and rationale for stripping many of the
>> vanishing fields is that when setting up netfilter rules to invoke the
>> AUDIT target, an accompanying nf mark should be used to indicate which
>> rule caught that packet, since the chain name and rule number aren't
>> available to the audit target.  We would use the nf mark similarly to
>> the way we use a rule key in the audit rules (see man auditctl).
>
> I see.  While this works, nfmark might already be used for other
> purposes such as policy routing, so you might need an extra cookie
> that can be passed to the AUDIT target instead.

Yes, we discussed the idea that the nfmark field already serves many
purposes, most of which are related to labeling traffic flows.  I
agree that using the nfmark may complicate some configurations, but
using it in this manner seems to be in keeping with the ideas behind
nfmark (from what I can tell).  As for the configuration complexity, I
think it is safe to say that any users of the NETFILTER_PKT record
already have a sufficiently complex system configuration and the added
complexity here may not be significant; in fact, the existing nfmark
configuration may be helpful in identifying traffic categories such
that no changes need to be made.

-- 
paul moore
www.paul-moore.com
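The design Richard describes (an nfmark set next to the AUDIT target, read from the NETFILTER_PKT record the way a `-k` key is read from audit rules) and Florian's caveat that the mark may already be in use for policy routing, as an added worked example that is not code from the thread or from the audit or netfilter projects. Everything below is an assumption made for illustration: the convention of reserving the low byte of nfmark for an "audit rule id" (`AUDIT_MASK`), the hypothetical `audit_rule_label` table, the example iptables rules, and the constructed sample record. The example goes slightly beyond the thread by using `--set-xmark VALUE/MASK` so that only the reserved bits are rewritten and an existing routing mark in the upper bits survives.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit/netfilter
# projects. Convention assumed here: the low byte of nfmark carries an
# "audit rule id" (used like an auditctl -k key); the upper bits stay free
# for whatever else already uses the mark, e.g. fwmark-based policy routing.
AUDIT_MASK=0xff

# Hypothetical rule-id -> label table, the analogue of a rule key.
audit_rule_label() {
    case "$1" in
        1) echo "ssh-from-outside" ;;
        2) echo "egress-smtp" ;;
        *) echo "unknown" ;;
    esac
}

# Rule installation (needs root and iptables; never run by the checks below).
# --set-xmark VALUE/MASK rewrites only the masked bits, so a mark set earlier
# by another rule for routing purposes is preserved in the upper bits.
install_audit_rules() {
    iptables -t mangle -A INPUT -p tcp --dport 22 ! -s 10.0.0.0/8 \
        -j MARK --set-xmark 0x1/$AUDIT_MASK
    iptables -t mangle -A INPUT -p tcp --dport 22 ! -s 10.0.0.0/8 \
        -j AUDIT --type accept
    iptables -t mangle -A OUTPUT -p tcp --dport 25 \
        -j MARK --set-xmark 0x2/$AUDIT_MASK
    iptables -t mangle -A OUTPUT -p tcp --dport 25 \
        -j AUDIT --type drop
}

# Pull mark= out of one NETFILTER_PKT record and map the audit byte to its
# label. Prints "no-mark" and fails if the record carries no mark field.
decode_record() {
    mark=$(printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]mark=\(0x[0-9a-fA-F]*\).*/\1/p')
    if [ -z "$mark" ]; then
        echo "no-mark"
        return 1
    fi
    audit_rule_label "$(( $mark & $AUDIT_MASK ))"
}

# Count records per label on stdin, e.g.
#   ausearch -m NETFILTER_PKT --raw | summarize_records
summarize_records() {
    while IFS= read -r line; do
        decode_record "$line" || true
    done | sort | uniq -c
}

# Constructed sample record in the normalized layout (mark/saddr/daddr/proto);
# the 0x10000000 in the upper bits stands in for a routing mark set elsewhere.
SAMPLE_RECORD='type=NETFILTER_PKT msg=audit(1487915764.123:42): mark=0x10000002 saddr=192.0.2.10 daddr=198.51.100.5 proto=6'

# Stand-alone run: decode the constructed record.
decode_record "$SAMPLE_RECORD"
```

Because `decode_record` masks the mark before the lookup, a record whose mark also carries routing bits still resolves to the right label, which is the point of carving out a dedicated byte instead of matching the whole mark value.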