On Wed, Sep 13, 2023 at 09:31:46PM +0200, Florian Westphal wrote:
On Wed, Sep 13, 2023 at 03:51:35PM +0200, Phil Sutter wrote:
> Patch 1 fixes/improves Pablo's fix for the bug I built into nf_tables'
> audit support code.
>
> Patch 2 adds a selftest for the audit notifications in nf_tables. I
> consider it mature enough to submit it as non-RFC now.
Phil Sutter wrote:
> The value in idx and the number of rules handled in that particular
> __nf_tables_dump_rules() call are not identical. The former is a cursor
> to pick up from if multiple netlink messages are needed, so its value is
> ever increasing. Fixing this is not just a matter of subtracting s_idx
> from it, though:
Patch 1 fixes/improves Pablo's fix for the bug I built into nf_tables'
audit support code.
Patch 2 adds a selftest for the audit notifications in nf_tables. I
consider it mature enough to submit it as non-RFC now.
Larger changes in both patches, details in each patch.
Phil Sutter (2):
netfilt
Compare NETFILTER_CFG type audit logs emitted from kernel upon ruleset
modifications against expected output.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Implement a custom log reader which turns audit logging on/off as
needed, drop auditd dependency.
- Record required CONFIG_AUDIT in 'c