Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-03 13:45, Florian Westphal wrote: > Richard Guy Briggs wrote: > > > Perhaps I'm missing something here, but let me ask again, how does > > > userspace distinguish between an unset nfmark and a nfmark of > > > 0x? > > > > It can't. > > It can if you log it as

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-03 14:22, Florian Westphal wrote: > Paul Moore wrote: > > On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal wrote: > > > Richard Guy Briggs wrote: > > >> > Perhaps I'm missing something here, but let me ask again, how does > > >> >

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Florian Westphal
Paul Moore wrote: > On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal wrote: > > Richard Guy Briggs wrote: > >> > Perhaps I'm missing something here, but let me ask again, how does > >> > userspace distinguish between an unset nfmark and a

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Florian Westphal
Richard Guy Briggs wrote: > > Perhaps I'm missing something here, but let me ask again, how does > > userspace distinguish between an unset nfmark and a nfmark of > > 0x? > > It can't. It can if you log it as 0, as I asked in patch 1 review. (You wouldn't log sk uid of

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Paul Moore
On Fri, Mar 3, 2017 at 8:22 AM, Florian Westphal wrote: > Paul Moore wrote: >> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal wrote: >> > Richard Guy Briggs wrote: >> >> > Perhaps I'm missing something here, but let me ask

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Paul Moore
On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal wrote: > Richard Guy Briggs wrote: >> > Perhaps I'm missing something here, but let me ask again, how does >> > userspace distinguish between an unset nfmark and a nfmark of >> > 0x? >> >> It can't. > > It

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-02 21:54, Paul Moore wrote: > On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs wrote: > > On 2017-03-02 19:16, Paul Moore wrote: > >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: > >> > On 2017-03-01 17:19, Paul Moore wrote: > >> >> On

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs wrote: > On 2017-03-02 19:16, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: >> > On 2017-03-01 17:19, Paul Moore wrote: >> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Richard Guy Briggs
On 2017-03-02 19:16, Paul Moore wrote: > On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: > > On 2017-03-01 17:19, Paul Moore wrote: > >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs > >> wrote: > >> > On 2017-02-28 17:22, Paul Moore wrote: > >>

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: > On 2017-03-01 17:19, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs wrote: >> > On 2017-02-28 17:22, Paul Moore wrote: >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-03-01 17:19, Paul Moore wrote: > On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs wrote: > > On 2017-02-28 17:22, Paul Moore wrote: > >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs > >> wrote: > >> > Eliminate flipping in and out of message

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 11:28:02AM -0500, Richard Guy Briggs wrote: > On 2017-02-28 17:22, Paul Moore wrote: > > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: > > > Eliminate flipping in and out of message fields, dropping fields in the > > > process. > > > > > >

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-02-28 17:22, Paul Moore wrote: > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: > > Eliminate flipping in and out of message fields, dropping fields in the > > process. > > > > Sample raw message format IPv4 UDP: > > type=NETFILTER_PKT

[PATCH V3] audit: normalize NETFILTER_PKT

2017-02-26 Thread Richard Guy Briggs
Eliminate flipping in and out of message fields, dropping fields in the process.

Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]

Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT