On Tue, Aug 29, 2023 at 08:02:30PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 29, 2023 at 07:51:57PM +0200, Phil Sutter wrote:
> > Since set element reset is not integrated into nf_tables' transaction
> > logic, an explicit log call is needed, similar to NFT_MSG_GETOB
Resetting rules' stateful data happens outside of the transaction logic,
so 'get' and 'dump' handlers have to emit audit log entries themselves.
Cc: Richard Guy Briggs
Fixes: 8daa8fde3fc3f ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET")
Signed-off-
ng to
adjust the logged element count depending on whether a catchall element
was found or not.
Cc: Richard Guy Briggs
Fixes: 079cd633219d7 ("netfilter: nf_tables: Introduce
NFT_MSG_GETSETELEM_RESET")
Signed-off-by: Phil Sutter
---
include/linux/audit.h | 1 +
k
un-time between running or stopped auditd, at least for
large rulesets. Individual calls suffer from added audit logging, but
that's expected of course.
Tested-by: Phil Sutter
Thanks, Phil
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
On Thu, Mar 18, 2021 at 02:37:03PM -0400, Richard Guy Briggs wrote:
> On 2021-03-18 17:30, Phil Sutter wrote:
[...]
> > Why did you leave the object-related logs in place? They should reappear
> > at commit time just like chains and sets for instance, no?
>
> There are
Hi,
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
This looks much better, a few remarks below:
[...]
> +static const u8 nft2audit_op[] = {