Ricardo Robaina <[email protected]> wrote: > + case IPPROTO_TCP: > + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu > sport=%hu dport=%hu", > + &ih->saddr, &ih->daddr, ih->protocol, > + ntohs(tcp_hdr(skb)->source), > ntohs(tcp_hdr(skb)->dest));
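Review bot: In the IPPROTO_TCP case, tcp_hdr(skb)->source and tcp_hdr(skb)->dest are read with no check in the quoted lines that a full TCP header is present in the skb's linear data or that the transport header offset has been set. A truncated packet or a non-first fragment could therefore log port values taken from bytes that are not a TCP header. Suggest computing the offset from the IP header length, fetching the header with skb_header_pointer() into a local struct tcphdr, and omitting sport/dport from the record when it returns NULL.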
You need to use skb_header_pointer() like elsewhere in netfilter to access the transport protocol header. You can have a look at nf_log_dump_tcp_header() in nf_log_syslog.c for a template.

Also please have a look at net/netfilter/nft_log.c, in particular nft_log_eval_audit(): xt_AUDIT and nft audit should be kept in sync wrt. their formatting.

Maybe Paul would be open to adding something like audit_log_packet() to kernel/audit.c and then have xt_AUDIT.c and nft_log.c just call the common helper.
