[nf,0/3] Review nf_tables audit logging

Message ID 20230923015351.15707-1-phil@nwl.cc (mailing list archive)

Phil Sutter Sept. 23, 2023, 1:53 a.m. UTC
When working on locking for reset commands, some audit log calls had to
be adjusted as well. This series deals with the "fallout" from adding
tests for the changed log calls, dealing with the uncovered issues and
adding more tests.

Patch 1 adds more testing to nft_audit.sh for commands which are
unproblematic.

Patch 2 deals with (likely) leftovers from audit log flood prevention in
commit c520292f29b80 ("audit: log nftables configuration change events
once per table").

Patch 3 changes logging for object reset requests to happen once per
table (if skb size is sufficient) and thereby aligns output with object
add requests. As a side-effect, logging is fixed to happen after the
actual reset has succeeded, not before.

NOTE: This whole series probably depends on the reset locking series[1]
submitted earlier, but there's no functional connection and reviews
should happen independently.

[1] https://lore.kernel.org/netfilter-devel/20230923013807.11398-1-phil@nwl.cc/

Phil Sutter (3):
  selftests: netfilter: Extend nft_audit.sh
  netfilter: nf_tables: Deduplicate nft_register_obj audit logs
  netfilter: nf_tables: Audit log object reset once per table

 net/netfilter/nf_tables_api.c                 |  95 +++++-----
 .../testing/selftests/netfilter/nft_audit.sh  | 163 ++++++++++++++++--
 2 files changed, 203 insertions(+), 55 deletions(-)
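The cover letter describes two audit-log properties the series is about: a registered object should produce one NETFILTER_CFG record per table and generation (patch 2 removes duplicates), and a reset should likewise be logged once per table, after it succeeded (patch 3). The checker below is an added example, not code from this series or from nft_audit.sh, that parses audit records in the "table=<name>:<generation> family=<n> entries=<n> op=<op>" layout used by the per-table logging introduced in commit c520292f29b80 and reports (table, generation, op) keys logged more than once. The sample log lines are constructed for illustration; the PIDs, timestamps and table names are made up.

```python
import re
from collections import Counter

# Constructed sample records (not captured output). The second and third
# lines deliberately log nft_register_obj twice for the same table and
# generation, which is the kind of duplication a once-per-table check flags.
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_CFG msg=audit(1695433000.100:201): table=t1:10 family=2 entries=1 op=nft_register_table pid=1234 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1695433000.100:202): table=t1:10 family=2 entries=3 op=nft_register_obj pid=1234 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1695433000.100:203): table=t1:10 family=2 entries=1 op=nft_register_obj pid=1234 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1695433001.200:204): table=t2:11 family=2 entries=2 op=nft_reset_obj pid=1234 subj=unconfined comm="nft"
some unrelated line that must be ignored
"""

# Field layout assumed from the per-table NETFILTER_CFG record format.
RECORD_RE = re.compile(
    r"table=(?P<table>[^:\s]+):(?P<gen>\d+)\s+family=(?P<family>\d+)\s+"
    r"entries=(?P<entries>\d+)\s+op=(?P<op>\S+)"
)


def parse_records(text):
    """Extract NETFILTER_CFG records as dicts; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        if "type=NETFILTER_CFG" not in line:
            continue
        m = RECORD_RE.search(line)
        if m is None:
            continue
        records.append({
            "table": m.group("table"),
            "gen": int(m.group("gen")),
            "family": int(m.group("family")),
            "entries": int(m.group("entries")),
            "op": m.group("op"),
        })
    return records


def find_duplicate_logs(records):
    """Return (table, gen, family, op) keys that appear more than once.

    With once-per-table logging, a single transaction (one generation)
    should yield at most one record per table and operation, so any key
    counted twice indicates a duplicated audit call.
    """
    counts = Counter(
        (r["table"], r["gen"], r["family"], r["op"]) for r in records
    )
    return sorted(key for key, n in counts.items() if n > 1)


def entries_per_table_op(records):
    """Sum the 'entries' counters per (table, op), useful for comparing
    the logged object count against what the test actually created."""
    totals = Counter()
    for r in records:
        totals[(r["table"], r["op"])] += r["entries"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    for key in find_duplicate_logs(recs):
        print("duplicate audit record:", key)
    print(entries_per_table_op(recs))
```

Run against a real audit.log, the duplicate check corresponds to the assertion a per-table test would make after adding or resetting objects in one transaction: exactly one record per (table, generation, op), with 'entries' equal to the number of objects touched.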

Comments

Paul Moore Sept. 26, 2023, 9:24 p.m. UTC | #1
On Fri, Sep 22, 2023 at 9:53 PM Phil Sutter <phil@nwl.cc> wrote:
>
> When working on locking for reset commands, some audit log calls had to
> be adjusted as well. This series deals with the "fallout" from adding
> tests for the changed log calls, dealing with the uncovered issues and
> adding more tests.
>
> Patch 1 adds more testing to nft_audit.sh for commands which are
> unproblematic.
>
> Patch 2 deals with (likely) leftovers from audit log flood prevention in
> commit c520292f29b80 ("audit: log nftables configuration change events
> once per table").
>
> Patch 3 changes logging for object reset requests to happen once per
> table (if skb size is sufficient) and thereby aligns output with object
> add requests. As a side-effect, logging is fixed to happen after the
> actual reset has succeeded, not before.
>
> NOTE: This whole series probably depends on the reset locking series[1]
> submitted earlier, but there's no functional connection and reviews
> should happen independently.
>
> [1] https://lore.kernel.org/netfilter-devel/20230923013807.11398-1-phil@nwl.cc/
>
> Phil Sutter (3):
>   selftests: netfilter: Extend nft_audit.sh
>   netfilter: nf_tables: Deduplicate nft_register_obj audit logs
>   netfilter: nf_tables: Audit log object reset once per table
>
>  net/netfilter/nf_tables_api.c                 |  95 +++++-----
>  .../testing/selftests/netfilter/nft_audit.sh  | 163 ++++++++++++++++--
>  2 files changed, 203 insertions(+), 55 deletions(-)

Hi Phil,

Thanks for continuing to work on this, my network access is limited at
the moment but I hope to be able to review this next week.