Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > Not following, sorry, are you saying users can/should use -j MARK
> > somehow?
> Part of the discussed design and rationale for stripping many of the
> vanishing fields is that when setting up netfilter rules to invoke the
> AUDIT target, an accompanying nf mark should be used to indicate which
> rule caught that packet, since the chain name and rule number aren't
> available to the audit target. We would use the nf mark similarly to
> the way we use a rule key in the audit rules (see man auditctl).
I see. While this works, nfmark might already be used for other
purposes such as policy routing, so you might need an extra cookie
that can be passed to the AUDIT target instead.
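The mark-as-rule-key scheme described above, with the nfmark collision concern handled by reserving one byte of the mark for audit keys, as an added example that is not code from the thread, the kernel or the audit project. The rule labels, mark values, mask and the NETFILTER_PKT record line are constructed for the illustration; the iptables commands are only printed, not executed.

```shell
#!/bin/sh
# Added example: carve out the low byte of the nfmark as an "audit key", set it
# with MARK before handing the packet to AUDIT, and map the mark found in
# NETFILTER_PKT records back to the rule that tagged the packet.
# Mask, labels, mark values and the sample record are constructed (assumptions);
# align AUDIT_MASK with however policy routing or other users lay out the mark.

AUDIT_MASK=0xff   # low byte reserved for audit keys, upper bits left untouched

# Map an audit key (mark & AUDIT_MASK) to the rule label that set it.
audit_rule_label() {
  case $(( $1 & $AUDIT_MASK )) in
    16) echo ssh-in ;;     # key 0x10
    32) echo dns-out ;;    # key 0x20
    0)  echo untagged ;;   # AUDIT hit with no preceding MARK in our byte
    *)  echo unknown ;;
  esac
}

# Commands that would install each tagging/audit pair (printed, not run).
# --set-xmark value/mask only rewrites the reserved byte of the mark.
show_rules() {
  cat <<EOF
iptables -A INPUT  -p tcp --dport 22 -j MARK --set-xmark 0x10/$AUDIT_MASK
iptables -A INPUT  -p tcp --dport 22 -j AUDIT
iptables -A OUTPUT -p udp --dport 53 -j MARK --set-xmark 0x20/$AUDIT_MASK
iptables -A OUTPUT -p udp --dport 53 -j AUDIT
EOF
}

# Extract the mark=0x... field from one audit record line (empty if absent).
record_mark() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]mark=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Record line -> rule label, for correlating AUDIT hits with rules.
record_rule_label() {
  m=$(record_mark "$1")
  [ -n "$m" ] || { echo no-mark; return; }
  audit_rule_label "$m"
}

# Constructed record: 0x3010 = routing bits 0x30xx plus audit key 0x10.
SAMPLE='type=NETFILTER_PKT msg=audit(1568303461.343:62): mark=0x3010 saddr=192.0.2.7 daddr=192.0.2.1 proto=6'

if [ "${1:-}" = run ]; then
  show_rules
  record_rule_label "$SAMPLE"   # prints: ssh-in
fi
```

Run with `sh script.sh run` to see the rule pair listing and the label recovered from the sample record.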