nft log level audit writes the messages into the audit buffer for reading with ausearch.
I want to use it instead of journalctl, but it is very limited. It only shows saddr, daddr and proto:
ausearch -i -m netfilter_pkt
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp
...
dpt and spt are needed.
For the output packets, the sid and gid are needed.
I can't believe I'm the only one who has this need. No one else has reported it?
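An added example, not part of the original post: a small parser for the interpreted `ausearch -i -m netfilter_pkt` output quoted above, which groups records by the only fields present and reports which of the fields the post asks for are absent. The sample records are constructed, and the names `spt` and `dpt` are taken from the post's wording, not from any confirmed audit field name.

```python
import re
from collections import Counter

# Constructed sample in the record layout quoted in the post
# (documentation-range addresses, not real traffic).
SAMPLE = """\
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=192.0.2.10 daddr=198.51.100.7 proto=tcp
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=192.0.2.10 daddr=198.51.100.7 proto=tcp
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:50:01.007:578) : mark=0x0 saddr=192.0.2.44 daddr=198.51.100.7 proto=udp
"""

# type, then "msg=audit(<timestamp>:<serial>) : ", then space-separated key=value pairs
RECORD = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<time>.+?):(?P<serial>\d+)\) : (?P<body>.*)$"
)

def parse_records(text, wanted_type="NETFILTER_PKT"):
    """Return one dict per audit record of the wanted type."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m or m.group("type") != wanted_type:
            continue  # skips "----" separators and other record types
        rec = {"time": m.group("time"), "serial": int(m.group("serial"))}
        for token in m.group("body").split():
            key, sep, value = token.partition("=")
            if sep:  # ignore tokens that are not key=value
                rec[key] = value
        records.append(rec)
    return records

def missing_fields(records, wanted=("spt", "dpt")):
    """List the wanted fields that at least one record does not carry."""
    return [f for f in wanted if any(f not in r for r in records)]

def flow_counts(records):
    """Count records per (saddr, daddr, proto), the finest grouping available."""
    return Counter((r.get("saddr"), r.get("daddr"), r.get("proto")) for r in records)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("records:", len(recs), "missing:", missing_fields(recs))
    for flow, n in flow_counts(recs).most_common():
        print(n, *flow)
```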