lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a396108e2b9f19f0c453a44c8e7be873@paul-moore.com>
Date: Fri, 07 Nov 2025 17:46:20 -0500
From: Paul Moore <paul@...l-moore.com>
To: Ricardo Robaina <rrobaina@...hat.com>, audit@...r.kernel.org, linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org, coreteam@...filter.org
Cc: eparis@...hat.com, fw@...len.de, pablo@...filter.org, kadlec@...filter.org, Ricardo Robaina <rrobaina@...hat.com>
Subject: Re: [PATCH v5 2/2] audit: include source and destination ports to  NETFILTER_PKT

On Nov  6, 2025 Ricardo Robaina <rrobaina@...hat.com> wrote:
> 
> NETFILTER_PKT records show both source and destination
> addresses, in addition to the associated networking protocol.
> However, it lacks the ports information, which is often
> valuable for troubleshooting.
> 
> This patch adds both source and destination port numbers,
> 'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
> SCTP-related NETFILTER_PKT records.
> 
>  $ TESTS="netfilter_pkt" make -e test &> /dev/null
>  $ ausearch -i -ts recent |grep NETFILTER_PKT
>  type=NETFILTER_PKT ... proto=icmp
>  type=NETFILTER_PKT ... proto=ipv6-icmp
>  type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
>  type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
>  type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
>  type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424
> 
> Link: https://github.com/linux-audit/audit-kernel/issues/162
> 
> Signed-off-by: Ricardo Robaina <rrobaina@...hat.com>
> Acked-by: Florian Westphal <fw@...len.de>
> ---
>  kernel/audit.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 79 insertions(+), 4 deletions(-)

This looks fine to me, although it may change a bit based on the
discussion around patch 1/2.  However, two things I wanted to comment
on in this patch:

- Please try to stick to an 80 char line width for audit code.  There are
obvious exceptions like printf-esque strings, etc. but the
skb_header_pointer() calls in this patch could be easily split into
multiple lines, each under 80 chars.

- This isn't a general comment, but in this particular case it would be
nice to move the protocol header variables into their associated switch
case (see what I did in patch 1/2).

--
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ