Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp688980pxf;
        Thu, 1 Apr 2021 10:58:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy38hvpm12QQuD5xVDwxxiYLrpYy8Uw065RHNhuCw1L1devuXu7hRYhPvEsOxiaeoj4WH3l
X-Received: by 2002:a17:906:5d12:: with SMTP id g18mr10268909ejt.246.1617299915950;
        Thu, 01 Apr 2021 10:58:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617299915; cv=none;
        d=google.com; s=arc-20160816;
        b=oW0Eoxh4sBUGmpgIVb3ZzLXkFSQaqI6V1d/A2QZTy9p7wAUq0a85TXqgfnHceC8J6w
         2sz6/xQnuE/llgMDX9o9tKKy/SmSOz/dcGrSPrr6dX7uQO4q9Pj/bFxLzkGxCa7er8NX
         yrDtdfTU+V8g/OkqYHtO7GTCKgSQ7eVwkEAFRZE3LmF+z0EyRLLTZxivRTu+wARfqW+P
         +oF8tKBauoOTSMkzATSpTYnhjfHeAAJ1gN9G1SNH+4IET6SQKTUiQTNGW+DE1FJYMFcS
         NY5qPlvTkaUk+/umfGyv3dSRkwg9Xl1aC/3Fm0QUO81uFczTgismTzqznuZZ5JZdc/bF
         4TSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:mail-followup-to:message-id:subject:cc:to
         :from:date;
        bh=/hlaLc2tTfyxN05BO90efiwkeMqgBbdkdxEIveQEex8=;
        b=kmC5ndaPB/bEjSNZDxtOvQo50142bUhccPATk585Up7rPuDYXhUAzRkcxfWUf7dX17
         i+b1+9BPw5gu+ppKLBJO3FkRQmBAID8V+dDWe8Qh/idlXMAfDYl6Rk1Jd/yWRI/YBArL
         oOl/lLfIfgaoxGt0yc7+8gAtHzsjCINSKlDFZ9m4vc2jB1HY6E0/mIWfPGnSJ60Hzv5T
         acoyKQfDVjejnalGwf2QJFBAiOvolmWob7s0GXD9vlE5EcLYkJQrTG+bs3MpnNoeYcxi
         bJmOvl04/vn/Ql5gEkezcqiFqc+rTgFHdwRnXbh2FLiHtw+GtkMTWN1NA8WP/AB/Q46m
         mZPw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j19si4740539edp.531.2021.04.01.10.58.13;
        Thu, 01 Apr 2021 10:58:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235341AbhDAR5I (ORCPT <rfc822;mahongyuan1997@gmail.com>
        + 99 others); Thu, 1 Apr 2021 13:57:08 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58370 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234474AbhDARmQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 1 Apr 2021 13:42:16 -0400
Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C4186C08EA3C;
        Thu,  1 Apr 2021 06:24:49 -0700 (PDT)
Received: from n0-1 by orbyte.nwl.cc with local (Exim 4.94)
        (envelope-from <n0-1@orbyte.nwl.cc>)
        id 1lRxJU-0001yJ-EH; Thu, 01 Apr 2021 15:24:44 +0200
Date:   Thu, 1 Apr 2021 15:24:44 +0200
From:   Phil Sutter <phil@nwl.cc>
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Florian Westphal <fw@strlen.de>, twoerner@redhat.com,
        tgraf@infradead.org, dan.carpenter@oracle.com,
        Jones Desougi <jones.desougi+netfilter@gmail.com>
Subject: Re: [PATCH v5] audit: log nftables configuration change events once
 per table
Message-ID: <20210401132444.GX3158@orbyte.nwl.cc>
Mail-Followup-To: Phil Sutter <phil@nwl.cc>,
        Richard Guy Briggs <rgb@redhat.com>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>, Steve Grubb <sgrubb@redhat.com>,
        Florian Westphal <fw@strlen.de>, twoerner@redhat.com,
        tgraf@infradead.org, dan.carpenter@oracle.com,
        Jones Desougi <jones.desougi+netfilter@gmail.com>
References: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>
Sender:  <n0-1@orbyte.nwl.cc>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
> 
> Indicate the op as the most significant operation in the event.
> 
> A couple of sample events:
> 
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=roo
> t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> 
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=r
> oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> 
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Tested this patch to make sure it eliminates the slowdown of
iptables-nft when auditd is running. With this applied, neither
iptables-nft-restore nor 'iptables-nft -F' show a significant
difference in run-time between running or stopped auditd, at least for
large rulesets. Individual calls suffer from added audit logging, but
that's expected of course.

Tested-by: Phil Sutter <phil@nwl.cc>

Thanks, Phil