Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp7301266pxb;
        Thu, 18 Feb 2021 06:44:22 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxS5MUlvMA0pcf1VP/uz16pCLUc+kp945N45Rhklf7yJKiwcV8gdH3uGzo7aHUjzMZWOq8f
X-Received: by 2002:a50:fe02:: with SMTP id f2mr4477889edt.173.1613659461987;
        Thu, 18 Feb 2021 06:44:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1613659461; cv=none;
        d=google.com; s=arc-20160816;
        b=sEkiG4X4qey18huUjZSW/ZrsyjCU+CKmaxhn35WUrmo1oIBoBsujzdyWP37a3CtfJ7
         SSAFWW8qz48jh/XZq6+GpZmegXnjvgF/F5gX5xW7aOtdpB74sywEsIqdZ5egTY0538/r
         ZR5TXsZymB1amlSfy0ksFEyH74cbZbetWmaXqmCSg1j+xfHLVzFX6Uf7xd4c9BtjkOoB
         B3LvFY+7OVAS+D+a+gnwlrFJWkEqUvGV2rtqYPcjIMYs7qe376kBg1jW/Kpd8IbMYnDF
         +w0klKbajgipeMFqH62giM9uZzwM1o0bPcCHXDOa0K2VujSfemKU82H47vASnEuYYOwe
         0G+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=nVrd9G628h0NB/gKNnBTpu/6zrPi5r6BbRgDdDS9hdc=;
        b=OzB0nBQzgMWVfon/C5F84GrOMIEc3j9nxDrIAU1PQ2KhihDLoBWnak8mfLmF1Hm9j1
         cRhfwd/wR3ToUZw1+ZazaGznZoaO6COZEgp8M9UuGHRAzmSa3AwULyFK5xnmMyLjW+Jz
         3jiGs6lZksPd7p8AZ6ZT9mHv+EDX6GdA1S7nTJv2URbEK8OkpxKkJ9ILt3Blv7W9Ch38
         lrgzfuD0n5Bs1xO/Etj417DMJoUrZHO4RneN/mcV8RpSyqReQHC5IXt73fW+Or9gJFT1
         MBXNZB1QClDV5SV94zzpHZbvczteuGQ5ztnNTqKX5pYAR6poqyGeOhUoX8s2PFdcIPiY
         /SIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hZixlmeL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x7si3735669ejc.370.2021.02.18.06.43.56;
        Thu, 18 Feb 2021 06:44:21 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hZixlmeL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230239AbhBROlx (ORCPT <rfc822;lpowencom@gmail.com> + 99 others);
        Thu, 18 Feb 2021 09:41:53 -0500
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:60221 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S233168AbhBRMom (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Feb 2021 07:44:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1613652145;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=nVrd9G628h0NB/gKNnBTpu/6zrPi5r6BbRgDdDS9hdc=;
        b=hZixlmeL83KCmOH/evgtiE+nvMqZ/QCFFgpg9aFNCQMf9Q4zW11kAo0UvM111hrodSPYu7
        vYu6muMZ+WWs5DrM514wkHV7vLH8FBtfiK7BvY/xsBCy+KbdYJwDhPj2pdKVVrhlMYXS1X
        ErjOmfWt7YMfBBdZWcHUJXllJYuFI9I=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-469-YJkbiILVNdyfMPqUlGghyw-1; Thu, 18 Feb 2021 07:42:23 -0500
X-MC-Unique: YJkbiILVNdyfMPqUlGghyw-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E71A9801980;
        Thu, 18 Feb 2021 12:42:21 +0000 (UTC)
Received: from madcap2.tricolour.ca (unknown [10.10.110.8])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id D4DB019D61;
        Thu, 18 Feb 2021 12:42:13 +0000 (UTC)
Date:   Thu, 18 Feb 2021 07:42:11 -0500
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Florian Westphal <fw@strlen.de>
Cc:     Phil Sutter <phil@nwl.cc>, LKML <linux-kernel@vger.kernel.org>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        netfilter-devel@vger.kernel.org, twoerner@redhat.com,
        Eric Paris <eparis@parisplace.org>, tgraf@infradead.org
Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change
 events
Message-ID: <20210218124211.GO3141668@madcap2.tricolour.ca>
References: <f9da8b5dbf2396b621c77c17b5b1123be5aa484e.1591275439.git.rgb@redhat.com>
 <20210211151606.GX3158@orbyte.nwl.cc>
 <CAHC9VhTNQW9d=8GCW-70vAEMh8-LXviP+JHFC2-YkuitokLLMQ@mail.gmail.com>
 <20210211202628.GP2015948@madcap2.tricolour.ca>
 <20210211220930.GC2766@breakpoint.cc>
 <20210217234131.GN3141668@madcap2.tricolour.ca>
 <20210218082207.GJ2766@breakpoint.cc>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210218082207.GJ2766@breakpoint.cc>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021-02-18 09:22, Florian Westphal wrote:
> Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2021-02-11 23:09, Florian Westphal wrote:
> > > So, if just a summary is needed a single audit_log_nfcfg()
> > > after 'step 3' and outside of the list_for_each_entry_safe() is all
> > > that is needed.
> > 
> > Ok, so it should not matter if it is before or after that
> > list_for_each_entry_safe(), which could be used to collect that summary.
> 
> Right, it won't matter.
> 
> > > If a summary is wanted as well one could fe. count the number of
> > > transaction types in the batch, e.g. table adds, chain adds, rule
> > > adds etc. and then log a summary count instead.
> > 
> > The current fields are "table", "family", "entries", "op".
> > 
> > Could one batch change more than one table?  (I think it could?)
> 
> Yes.

Ok, listing all tables involved in one commit with deduplication will be
a bit of a nuisance.

> > It appears it can change more than one family.
> > "family" is currently a single integer, so that might need to be changed
> > to a list, or something to indicate multi-family.
> 
> Yes, it can also affect different families.
> 
> > Listing all the ops seems a bit onerous.  Is there a hierarchy to the
> > ops and if so, are they in that order in a batch or in nf_tables_commit()?
> 
> No.  There is a hierarchy, e.g. you can't add a chain without first
> adding a table, BUT in case the table was already created by an earlier
> transaction it can also be stand-alone.

Ok, so there could be a stand-alone chain mod with one table, then a
table add of a different one with a "higher ranking" op...

> > It seems I'd need to filter out the NFT_MSG_GET_* ops.
> 
> No need, the GET ops do not cause changes and will not trigger a
> generation id change.

Ah, so it could trigger on generation change.  Would GET ops be included
in any other change, such that it would be desirable to filter them out
to reduce noise in that single log line if it is attempted to list all
the change ops?  It almost sounds like it would be better to do one
audit log line for each table for each family, and possibly for each op
to avoid the need to change userspace.  This would already be a
significant improvement picking the highest ranking op.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635