On Fri, Jan 14, 2011 at 10:20 AM, Thomas Graf <tgraf(a)infradead.org> wrote:
This patch adds a new netfilter target which creates audit records
for packets traversing a certain chain.
It can be used to record packets which are rejected administratively
as follows:
-N AUDIT_DROP
-A AUDIT_DROP -j AUDIT --type DROP
-A AUDIT_DROP -j DROP
A rule which would typically drop or reject a packet would then
invoke the new chain to record packets before dropping them.
-j AUDIT_DROP
The module is protocol independent and works for iptables, ip6tables
and ebtables.
The following information is logged:
- netfilter hook
- packet length
- incoming/outgoing interface
- MAC src/dst/proto for ethernet packets
- src/dst/protocol address for IPv4/IPv6
- src/dst port for TCP/UDP/UDPLITE
- icmp type/code
Cc: Patrick McHardy <kaber(a)trash.net>
Cc: Eric Paris <eparis(a)parisplace.org>
Cc: Al Viro <viro(a)ZenIV.linux.org.uk>
Signed-off-by: Thomas Graf <tgraf(a)redhat.com>
From an audit PoV feel free to add
Acked-by: Eric Paris <eparis(a)redhat.com>