Re: AUDIT_NETFILTER_PKT message format

On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: >> > So while I'm not advocating this is what should be done and I'm trying >> > to establish bounds to the scope of this feature, but would it be >> > reasonable to simply not log packets that were transiting this machine >> > without a local endpoint? >> >> I'm still waiting on more detailed requirements information from >> Steve, but based on what we've heard so far, it seems that ignoring >> forwarded traffic is a reasonable thing to do. > > OK, I have done teh analysis to see where things stand on this ... ... > At this point, I would say there is no purpose for xt_AUDIT.c based on Common > Criteria. It looks like its built in response to the > CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly > deprecated. Based on some off-list discussions with Richard it would appear that there are several users of the NETFILTER_PKT record so I am in no hurry to deprecate it. Considering that there are no CC requirements on the record, I think we can focus on simply providing a basic record that satisfies the whims of the userspace tools without adding any pain to the kernel. I believe Richard is currently working on a proposal to do that, let's discuss it further in that thread.