Hi,

I wrote a program to listen to iptables modification through netlink sockets, for this I used NETLINK_AUDIT family, when I execute the program and modify the iptables rule, program doesn't receive any message from kernel and it will be in blocking mode only. Could you help me to find what is wrong in this program or what else I need to do to receive iptables notification ?

I ran this program as a root user & audit deamon is also running.

ps -eaf | grep -i auditd

root 499 2 0 Nov16 ? 00:00:00 [kauditd]

 root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n

I tried configuring auditctl setting as well directly using auditctl command & can see the modifcation with "ausearch -k iptablesChange" command output but notification is not received in application.

Here is the program :-

#include "libaudit.h"

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main()
{
        int rc;
        struct audit_message rep;
        int fd;
        struct sockaddr_nl sa;

        memset(&sa, 0, sizeof(sa));
        sa.nl_family = AF_NETLINK;
        sa.nl_groups = 0; 

        fd = audit_open();

        bind(fd, (struct sockaddr *) &sa, sizeof(sa));

        rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
        if(rc < 0)
        {
                printf("Error");
        }
        else
        {       
                printf("msg received %d \n",rep.nlh.nlmsg_type );
                break;
        }       


        audit_close(fd);

        return 0;
}

Thanks,Avinash