Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2326981pxb; Thu, 11 Feb 2021 09:33:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJxpxFHITIxKiRjszO7WF37XzRQiVpeY9UHicJgtPNpr9YtnjMNwMoDRkXeo2Xm4e7Ss5yvL X-Received: by 2002:a17:906:685a:: with SMTP id a26mr3435726ejs.241.1613064817084; Thu, 11 Feb 2021 09:33:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613064817; cv=none; d=google.com; s=arc-20160816; b=C8lqKYiuUlIfKKBk6infy4Cb+Gw4ivOluw3qUrrKUtGjQdMTpkn/2j3SI+Txyj1Jy3 18KEaPirlk+4nmog8VTZtJJXxS2tsAxncHmBlTxgaqN2xZIbpXStS5ZH252L1eJ/1/fm UCgL0auVppAZVYEtT18o/Svv/aPhNHlxmfDXtLMS0V/GrQEBC1/payJVOJkmp5xtfEqH 9/LzgQs+javp6A6jElixhN8nq14sOArsB7VubzOo/TopRlauMvWOzgjYmPY3iofiGXV1 2OdLlJrr91wsPYlu/jyUX/qeNJCJnKp3ELAnJKIRc4fzxq566cWwuB1e9fcZx3Dk/idC 0wHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ABj8h6JxoKzCkEFlLOPlFl55Hb6x4ubH36UnScGj9KU=; b=NlriTHkxDxUoL+zAM4hlUltoQv9kxpZ93iB2+jxw4cWmIGv853WcK1+wdWMTBNrAr2 JuNRXb3oRrJIIQR3FkhaXYfEun0wvbI0WCQyJ5oW2sDZkey9Za3vBPLQ/iq01esp0uB8 TnJoWdXZrgGeLM+q/ETRE6ivL4Hsk9x2HsL++E+YuWQto9pXOz1tBSeMzIpYPbYQ3T3n PTBKTIKm+xYWV4cxRCrntb64qjopMLDP0cQxVVJ45y3MxEySD6BFVIOOIv/AlGqHrX/T drEUHYiIjhnBRhAZ7cmniRLEsNgH21gpcLzb5NkCKoidb4onvCb4TCHxzYsbWxsyx4nf U0EQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BNxr53Eh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g12si4440778edk.115.2021.02.11.09.33.11; Thu, 11 Feb 2021 09:33:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BNxr53Eh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230042AbhBKRb6 (ORCPT + 99 others); Thu, 11 Feb 2021 12:31:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231743AbhBKQaa (ORCPT ); Thu, 11 Feb 2021 11:30:30 -0500 Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3A75C061574 for ; Thu, 11 Feb 2021 08:29:46 -0800 (PST) Received: by mail-ej1-x62d.google.com with SMTP id f14so10968605ejc.8 for ; Thu, 11 Feb 2021 08:29:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ABj8h6JxoKzCkEFlLOPlFl55Hb6x4ubH36UnScGj9KU=; b=BNxr53Eh4Rd+L3Iw+fOTZ3NITnYeHKeJ8+3HLB+AB44V4L2zuKgso8bfqhIZT85PdG MadFFUeEB8p8acfVuuXebGL5/coigQDu+Kkx9UYe62gOanXH4mBtMZG4A/EAZ7Dyr/6s KVRhrf9gIWH1e+4bBOu/eJkfQExosu4Xf7VL02HVcfadCSvcZGikKnqJhnp8bXf67oT1 +WkfOdhxc4ETMZs3Vgj+UIOMy8beZbbLvmViZBtOybjqxmPjhgU4hfHpL/ffyD1I9rkL yPqFnvkvqgJ4/bA6t+VSk0TaR7Mw6MV3oPTy16RPjBs2EjJaNHHJa+slCef/Ijb9pW98 qYiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ABj8h6JxoKzCkEFlLOPlFl55Hb6x4ubH36UnScGj9KU=; b=FeLz71g9/9k8vp96mIkiPE2e+CeWAwfHSdbqkP0uog8+BLq9IdhYHaEUXcliwIoYdL 6aWaMQ5z9gnZLQiZP1lFqZ23DSQ8kpnkJ94fSaLlMl1ghu1lHNtHmcFNRqliTUBpgakG y5GB9p9ye1fEFUDlcZZnpP7kAFpt4ZOqeHxIsgwtPARkdtymy3k3mBEzRZlb6ACZAsV5 63g0/hILwFwxKwklwXioyGsRmTxBpIYVEs8xim54h6Q44ASpWylMD/kBOceLRcSEqGBw LoT3+bmiOf8to+UYVH21DytlwvFSvwlDKFe5vdMPMcGgIhNVj/HjIYsceSsE7uSMOBcM bghQ== X-Gm-Message-State: AOAM531q1B5w2UClDLP6M6SuDQl+/gSd8B/V2k4nqpcfUaKGCZtfEPVo cnIgInwP9ukjdeQSnDgOVIA07wlZChboA6PkqFo1 X-Received: by 2002:a17:906:35d9:: with SMTP id p25mr9185445ejb.398.1613060985419; Thu, 11 Feb 2021 08:29:45 -0800 (PST) MIME-Version: 1.0 References: <20210211151606.GX3158@orbyte.nwl.cc> In-Reply-To: <20210211151606.GX3158@orbyte.nwl.cc> From: Paul Moore Date: Thu, 11 Feb 2021 11:29:34 -0500 Message-ID: Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change events To: Phil Sutter , Richard Guy Briggs , Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, Paul Moore , sgrubb@redhat.com, Ondrej Mosnacek , fw@strlen.de, twoerner@redhat.com, Eric Paris , tgraf@infradead.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 11, 2021 at 10:16 AM Phil Sutter wrote: > Hi, > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > > iptables, ip6tables, arptables and ebtables table registration, > > replacement and unregistration configuration events are logged for the > > native (legacy) iptables setsockopt api, but not for the > > nftables netlink api which is used by the nft-variant of iptables in > > addition to nftables itself. > > > > Add calls to log the configuration actions in the nftables netlink api. > > As discussed offline already, these audit notifications are pretty hefty > performance-wise. In an internal report, 300% restore time of a ruleset > containing 70k set elements is measured. If you're going to reference offline/off-list discussions in a post to a public list, perhaps the original discussion shouldn't have been off-list ;) If you don't involve us in the discussion, we have to waste a lot of time getting caught up. > If I'm not mistaken, iptables emits a single audit log per table, ipset > doesn't support audit at all. So I wonder how much audit logging is > required at all (for certification or whatever reason). How much > granularity is desired? That's a question for the people who track these certification requirements, which is thankfully not me at the moment. Unless somebody else wants to speak up, Steve Grubb is probably the only person who tracks that sort of stuff and comments here. I believe the netfilter auditing was mostly a nice-to-have bit of functionality to help add to the completeness of the audit logs, but I could very easily be mistaken. Richard put together those patches, he can probably provide the background/motivation for the effort. > I personally would notify once per transaction. This is easy and quick. > Once per table or chain should be acceptable, as well. At the very > least, we should not have to notify once per each element. This is the > last resort of fast ruleset adjustments. If we lose it, people are > better off with ipset IMHO. > > Unlike nft monitor, auditd is not designed to be disabled "at will". So > turning it off for performance-critical workloads is no option. Patches are always welcome, but it might be wise to get to the bottom of the certification requirements first. -- paul moore www.paul-moore.com