On Sat, Sep 27, 2025 at 7:45 AM Florian Westphal <[email protected]> wrote: > > Ricardo Robaina <[email protected]> wrote: > > + case IPPROTO_TCP: > > + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu > > sport=%hu dport=%hu", > > + &ih->saddr, &ih->daddr, ih->protocol, > > + ntohs(tcp_hdr(skb)->source), > > ntohs(tcp_hdr(skb)->dest)); > > You need to use skb_header_pointer() like elsewhere in netfilter to > access the transport protocol header. > > You can have a look at nf_log_dump_tcp_header() in nf_log_syslog.c for > a template. > > Also please have a look at net/netfilter/nft_log.c, in particular > nft_log_eval_audit(): xt_AUDIT and nft audit should be kept in sync wrt. > their formatting. > Thanks for reviewing this patch, Florian! I’ll work on a newer version addressing your suggestions.
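Review bot: In the IPPROTO_TCP case, tcp_hdr(skb)->source and tcp_hdr(skb)->dest are dereferenced with no check that a complete TCP header is present in the skb's linear data, so for a truncated or non-linear packet the read may land outside the data that is actually there. Fetch the header with skb_header_pointer() into an on-stack struct tcphdr and log sport/dport only when the returned pointer is non-NULL, falling back to the saddr/daddr/proto fields otherwise.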
> Maybe Paul would be open to adding something like audit_log_packet() to
> kernel/audit.c and then have xt_AUDIT.c and nft_log.c just call the
> common helper.
>

It sounds like a good idea to me. What do you think, Paul?
