NETFILTER_PKT records show both source and destination
addresses, in addition to the associated networking protocol.
However, they lack port information, which is often
valuable for troubleshooting.
This patch adds both source and destination port numbers,
'sport' and 'dport' respectively, to TCP, UDP, UDP-Lite and
SCTP-related NETFILTER_PKT records.
$ TESTS="netfilter_pkt" make -e test &> /dev/null
$ ausearch -i -ts recent |grep NETFILTER_PKT
type=NETFILTER_PKT ... proto=icmp
type=NETFILTER_PKT ... proto=ipv6-icmp
type=NETFILTER_PKT ... proto=udp sport=46333 dport=42424
type=NETFILTER_PKT ... proto=udp sport=35953 dport=42424
type=NETFILTER_PKT ... proto=tcp sport=50314 dport=42424
type=NETFILTER_PKT ... proto=tcp sport=57346 dport=42424
Link: https://github.com/linux-audit/audit-kernel/issues/162
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
kernel/audit.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 85 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 09764003db74..bc7217402a35 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -60,6 +60,7 @@
#include <net/netns/generic.h>
#include <net/ip.h>
#include <net/ipv6.h>
+#include <linux/sctp.h>
#include "audit.h"
@@ -2549,8 +2550,48 @@ bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
if (!ih)
return false;
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
- &ih->saddr, &ih->daddr, ih->protocol);
+ switch (ih->protocol) {
+ case IPPROTO_TCP:
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
+ if (!th)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(th->source), ntohs(th->dest));
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ struct udphdr _udph;
+ const struct udphdr *uh;
+
+ uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
+ if (!uh)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(uh->source), ntohs(uh->dest));
+ break;
+ case IPPROTO_SCTP:
+ struct sctphdr _sctph;
+ const struct sctphdr *sh;
+
+ sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
+ if (!sh)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, ih->protocol,
+ ntohs(sh->source), ntohs(sh->dest));
+ break;
+ default:
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
+ }
return true;
}
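Review bot: The TCP, UDP/UDP-Lite and SCTP branches read the ports without looking at `ih->frag_off`, so for a non-first IPv4 fragment the bytes at the transport offset are payload and the record would carry sender-chosen `sport`/`dport` values. A guard such as `if (ntohs(ih->frag_off) & IP_OFFSET)` that falls through to the address-only format used in `default:` would keep fragment payload out of the audit trail. The reads also trust `skb_transport_offset(skb)`; whether every calling hook has the transport header set is not visible from this hunk, and deriving the offset from the already-fetched header, `skb_network_offset(skb) + ih->ihl * 4`, would remove that dependency. Returning false when the transport header is short also drops the addresses that were already available, which looks like a loss for truncated packets; the callers are outside this hunk, as is the start of the function.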
@@ -2570,8 +2611,48 @@ bool audit_log_packet_ip6(struct audit_buffer *ab, struct sk_buff *skb)
nexthdr = ih->nexthdr;
ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
+ switch (nexthdr) {
+ case IPPROTO_TCP:
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
+
+ th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
+ if (!th)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(th->source), ntohs(th->dest));
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ struct udphdr _udph;
+ const struct udphdr *uh;
+
+ uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
+ if (!uh)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(uh->source), ntohs(uh->dest));
+ break;
+ case IPPROTO_SCTP:
+ struct sctphdr _sctph;
+ const struct sctphdr *sh;
+
+ sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
+ if (!sh)
+ return false;
+
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+ &ih->saddr, &ih->daddr, nexthdr,
+ ntohs(sh->source), ntohs(sh->dest));
+ break;
+ default:
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+ &ih->saddr, &ih->daddr, nexthdr);
+ }
return true;
}
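Review bot: The offset returned by `ipv6_skip_exthdr()` on the context line above the switch is discarded, and the port reads use `skb_transport_offset(skb)` instead, so `nexthdr` and the header actually read can disagree when extension headers are present. If the skb transport header still points at the first extension header at the hook where this runs (not visible here), the logged `sport`/`dport` would be extension-header bytes rather than ports. Keeping the result, `thoff = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);`, rejecting `thoff < 0`, and passing `thoff` to each `skb_header_pointer()` call would tie the read to the header that `nexthdr` describes. The function begins outside this hunk, so the declarations of `nexthdr` and `frag_off` are not shown.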
--
2.51.0
Hi Ricardo,
kernel test robot noticed the following build errors:
[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link: https://lore.kernel.org/r/6ac2baf0d5ae176cbd3279a4dff9e2c7750c6d45.1761918165.git.rrobaina%40redhat.com
patch subject: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT
config: arc-randconfig-002-20251101 (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/config)
compiler: arc-linux-gcc (GCC) 8.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511011146.aPtw8SOn-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/audit.c: In function 'audit_log_packet_ip4':
>> kernel/audit.c:2555:3: error: a label can only be part of a statement and a declaration is not a statement
struct tcphdr _tcph;
^~~~~~
>> kernel/audit.c:2556:3: error: expected expression before 'const'
const struct tcphdr *th;
^~~~~
>> kernel/audit.c:2558:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
^~
ih
kernel/audit.c:2558:3: note: each undeclared identifier is reported only once for each function it appears in
kernel/audit.c:2568:3: error: a label can only be part of a statement and a declaration is not a statement
struct udphdr _udph;
^~~~~~
kernel/audit.c:2569:3: error: expected expression before 'const'
const struct udphdr *uh;
^~~~~
>> kernel/audit.c:2571:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
^~
ih
kernel/audit.c:2580:3: error: a label can only be part of a statement and a declaration is not a statement
struct sctphdr _sctph;
^~~~~~
kernel/audit.c:2581:3: error: expected expression before 'const'
const struct sctphdr *sh;
^~~~~
>> kernel/audit.c:2583:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
^~
ih
kernel/audit.c: In function 'audit_log_packet_ip6':
kernel/audit.c:2616:3: error: a label can only be part of a statement and a declaration is not a statement
struct tcphdr _tcph;
^~~~~~
kernel/audit.c:2617:3: error: expected expression before 'const'
const struct tcphdr *th;
^~~~~
kernel/audit.c:2619:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
^~
ih
kernel/audit.c:2629:3: error: a label can only be part of a statement and a declaration is not a statement
struct udphdr _udph;
^~~~~~
kernel/audit.c:2630:3: error: expected expression before 'const'
const struct udphdr *uh;
^~~~~
kernel/audit.c:2632:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
^~
ih
kernel/audit.c:2641:3: error: a label can only be part of a statement and a declaration is not a statement
struct sctphdr _sctph;
^~~~~~
kernel/audit.c:2642:3: error: expected expression before 'const'
const struct sctphdr *sh;
^~~~~
kernel/audit.c:2644:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
^~
ih
vim +2555 kernel/audit.c
2543
2544 bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
2545 {
2546 struct iphdr _iph;
2547 const struct iphdr *ih;
2548
2549 ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
2550 if (!ih)
2551 return false;
2552
2553 switch (ih->protocol) {
2554 case IPPROTO_TCP:
> 2555 struct tcphdr _tcph;
> 2556 const struct tcphdr *th;
2557
> 2558 th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
2559 if (!th)
2560 return false;
2561
2562 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
2563 &ih->saddr, &ih->daddr, ih->protocol,
2564 ntohs(th->source), ntohs(th->dest));
2565 break;
2566 case IPPROTO_UDP:
2567 case IPPROTO_UDPLITE:
2568 struct udphdr _udph;
2569 const struct udphdr *uh;
2570
> 2571 uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
2572 if (!uh)
2573 return false;
2574
2575 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
2576 &ih->saddr, &ih->daddr, ih->protocol,
2577 ntohs(uh->source), ntohs(uh->dest));
2578 break;
2579 case IPPROTO_SCTP:
2580 struct sctphdr _sctph;
2581 const struct sctphdr *sh;
2582
> 2583 sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
2584 if (!sh)
2585 return false;
2586
2587 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
2588 &ih->saddr, &ih->daddr, ih->protocol,
2589 ntohs(sh->source), ntohs(sh->dest));
2590 break;
2591 default:
2592 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
2593 &ih->saddr, &ih->daddr, ih->protocol);
2594 }
2595
2596 return true;
2597 }
2598 EXPORT_SYMBOL(audit_log_packet_ip4);
2599
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Same thing here. I didn't get these warning messages in my local
build. I'll fix it and submit a new version.
On Sat, Nov 1, 2025 at 1:05 AM kernel test robot <lkp@intel.com> wrote:
>
> Hi Ricardo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on pcmoore-audit/next]
> [also build test ERROR on netfilter-nf/main nf-next/master linus/master v6.18-rc3 next-20251031]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Ricardo-Robaina/audit-add-audit_log_packet_ip4-and-audit_log_packet_ip6-helper-functions/20251031-220605
> base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
> patch link: https://lore.kernel.org/r/6ac2baf0d5ae176cbd3279a4dff9e2c7750c6d45.1761918165.git.rrobaina%40redhat.com
> patch subject: [PATCH v4 2/2] audit: include source and destination ports to NETFILTER_PKT
> config: arc-randconfig-002-20251101 (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/config)
> compiler: arc-linux-gcc (GCC) 8.5.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251101/202511011146.aPtw8SOn-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202511011146.aPtw8SOn-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> kernel/audit.c: In function 'audit_log_packet_ip4':
> >> kernel/audit.c:2555:3: error: a label can only be part of a statement and a declaration is not a statement
> struct tcphdr _tcph;
> ^~~~~~
> >> kernel/audit.c:2556:3: error: expected expression before 'const'
> const struct tcphdr *th;
> ^~~~~
> >> kernel/audit.c:2558:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
> th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
> ^~
> ih
> kernel/audit.c:2558:3: note: each undeclared identifier is reported only once for each function it appears in
> kernel/audit.c:2568:3: error: a label can only be part of a statement and a declaration is not a statement
> struct udphdr _udph;
> ^~~~~~
> kernel/audit.c:2569:3: error: expected expression before 'const'
> const struct udphdr *uh;
> ^~~~~
> >> kernel/audit.c:2571:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
> uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
> ^~
> ih
> kernel/audit.c:2580:3: error: a label can only be part of a statement and a declaration is not a statement
> struct sctphdr _sctph;
> ^~~~~~
> kernel/audit.c:2581:3: error: expected expression before 'const'
> const struct sctphdr *sh;
> ^~~~~
> >> kernel/audit.c:2583:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
> sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
> ^~
> ih
> kernel/audit.c: In function 'audit_log_packet_ip6':
> kernel/audit.c:2616:3: error: a label can only be part of a statement and a declaration is not a statement
> struct tcphdr _tcph;
> ^~~~~~
> kernel/audit.c:2617:3: error: expected expression before 'const'
> const struct tcphdr *th;
> ^~~~~
> kernel/audit.c:2619:3: error: 'th' undeclared (first use in this function); did you mean 'ih'?
> th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
> ^~
> ih
> kernel/audit.c:2629:3: error: a label can only be part of a statement and a declaration is not a statement
> struct udphdr _udph;
> ^~~~~~
> kernel/audit.c:2630:3: error: expected expression before 'const'
> const struct udphdr *uh;
> ^~~~~
> kernel/audit.c:2632:3: error: 'uh' undeclared (first use in this function); did you mean 'ih'?
> uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
> ^~
> ih
> kernel/audit.c:2641:3: error: a label can only be part of a statement and a declaration is not a statement
> struct sctphdr _sctph;
> ^~~~~~
> kernel/audit.c:2642:3: error: expected expression before 'const'
> const struct sctphdr *sh;
> ^~~~~
> kernel/audit.c:2644:3: error: 'sh' undeclared (first use in this function); did you mean 'ih'?
> sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
> ^~
> ih
>
>
> vim +2555 kernel/audit.c
>
> 2543
> 2544 bool audit_log_packet_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> 2545 {
> 2546 struct iphdr _iph;
> 2547 const struct iphdr *ih;
> 2548
> 2549 ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
> 2550 if (!ih)
> 2551 return false;
> 2552
> 2553 switch (ih->protocol) {
> 2554 case IPPROTO_TCP:
> > 2555 struct tcphdr _tcph;
> > 2556 const struct tcphdr *th;
> 2557
> > 2558 th = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_tcph), &_tcph);
> 2559 if (!th)
> 2560 return false;
> 2561
> 2562 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
> 2563 &ih->saddr, &ih->daddr, ih->protocol,
> 2564 ntohs(th->source), ntohs(th->dest));
> 2565 break;
> 2566 case IPPROTO_UDP:
> 2567 case IPPROTO_UDPLITE:
> 2568 struct udphdr _udph;
> 2569 const struct udphdr *uh;
> 2570
> > 2571 uh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_udph), &_udph);
> 2572 if (!uh)
> 2573 return false;
> 2574
> 2575 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
> 2576 &ih->saddr, &ih->daddr, ih->protocol,
> 2577 ntohs(uh->source), ntohs(uh->dest));
> 2578 break;
> 2579 case IPPROTO_SCTP:
> 2580 struct sctphdr _sctph;
> 2581 const struct sctphdr *sh;
> 2582
> > 2583 sh = skb_header_pointer(skb, skb_transport_offset(skb), sizeof(_sctph), &_sctph);
> 2584 if (!sh)
> 2585 return false;
> 2586
> 2587 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
> 2588 &ih->saddr, &ih->daddr, ih->protocol,
> 2589 ntohs(sh->source), ntohs(sh->dest));
> 2590 break;
> 2591 default:
> 2592 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> 2593 &ih->saddr, &ih->daddr, ih->protocol);
> 2594 }
> 2595
> 2596 return true;
> 2597 }
> 2598 EXPORT_SYMBOL(audit_log_packet_ip4);
> 2599
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>