Description of problem:
The AUDIT_NETFILTER_PKT audit events are not normalized. They swing fields in and out based on settings rather than changing the value of the event. Here's one example in ./net/netfilter/xt_AUDIT.c:

    if (ntohs(ih->frag_off) & IP_OFFSET) {
        audit_log_format(ab, " frag=1");
        return;
    }

frag should always be set like:

    audit_log_format(ab, " frag=%d", ntohs(ih->frag_off) & IP_OFFSET);

Version-Release number of selected component (if applicable):
4.3.3
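As an added illustration, not code from the bug report or from the kernel tree, the following user-space C model puts the two formatting choices described above side by side: the existing conditional " frag=1" emission beside the always-present " frag=%d" form the reporter suggests. The audit_buffer, audit_log_format and iphdr stand-ins here are simplified assumptions rather than the kernel's real definitions, and the packet headers are constructed inline; only the two emitting functions mirror the snippets quoted in the report.

```c
#include <arpa/inet.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as the kernel's IP_OFFSET: the low 13 bits of frag_off. */
#define IP_OFFSET 0x1FFF

/* Stand-in for the kernel's struct audit_buffer (assumption: a fixed string). */
struct audit_buffer {
    char data[256];
    size_t len;
};

/* Stand-in for the kernel's audit_log_format(): appends printf-style text. */
static void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{
    va_list ap;
    size_t room = sizeof ab->data - ab->len;
    va_start(ap, fmt);
    int n = vsnprintf(ab->data + ab->len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return;
    ab->len += ((size_t)n < room) ? (size_t)n : room - 1; /* truncated: stay in bounds */
}

/* Only the field this example needs from struct iphdr; network byte order as on the wire. */
struct iphdr_frag {
    uint16_t frag_off;
};

/* Current behaviour from the report: the frag field exists only for fragments. */
static void audit_ip_legacy(struct audit_buffer *ab, const struct iphdr_frag *ih)
{
    if (ntohs(ih->frag_off) & IP_OFFSET) {
        audit_log_format(ab, " frag=1");
        return;
    }
    /* Non-fragment: the record carries no frag field at all. */
}

/* Normalized form suggested in the report: frag is always present, value varies. */
static void audit_ip_normalized(struct audit_buffer *ab, const struct iphdr_frag *ih)
{
    audit_log_format(ab, " frag=%d", ntohs(ih->frag_off) & IP_OFFSET);
}

/* Locates " key=" in a space-separated key=value record; returns the value text or NULL. */
static const char *find_field(const char *rec, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=')
            return p + klen + 1;
    }
    return NULL;
}

/* Builds one record for a packet with the given host-order frag_off, using either the
 * legacy or the normalized emitter. Returns 1 if a frag field is present (storing its
 * parsed value in *value when value is non-NULL), 0 if the field is absent. */
int record_frag(uint16_t frag_off_host, int normalized, int *value)
{
    struct iphdr_frag ih = { .frag_off = htons(frag_off_host) };
    struct audit_buffer ab = { .data = "type=NETFILTER_PKT", .len = 0 };
    ab.len = strlen(ab.data);
    audit_log_format(&ab, " proto=6"); /* constructed preceding field, stands in for the rest */
    if (normalized)
        audit_ip_normalized(&ab, &ih);
    else
        audit_ip_legacy(&ab, &ih);

    const char *v = find_field(ab.data, "frag");
    if (!v)
        return 0;
    if (value)
        *value = atoi(v);
    return 1;
}

int main(void)
{
    /* Constructed frag_off values: unfragmented, offset 35, and MF set with offset 0. */
    const uint16_t samples[] = { 0x0000, 0x0023, 0x2000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (int norm = 0; norm <= 1; norm++) {
            int v = -1;
            int present = record_frag(samples[i], norm, &v);
            printf("frag_off=0x%04x %-10s frag field %s%s%d\n", samples[i],
                   norm ? "normalized" : "legacy", present ? "present" : "absent",
                   present ? ", value=" : "", present ? v : 0);
        }
    }
    return 0;
}
```

The model makes the reporter's point concrete: with the legacy emitter a consumer must treat the absence of frag as meaning "not a fragment", whereas with the suggested form every record carries the field and the consumer only reads its value. Note that, taken literally, the suggested format logs the 13-bit fragment offset, so an unfragmented packet and a first fragment (MF set, offset 0) both produce frag=0.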
There was a discussion upstream about some enhancements that could be made to make iptables based audit events more usable: https://www.redhat.com/archives/linux-audit/2013-February/msg00020.html
Closing this as we are tracking upstream RFEs on GitHub now:

* https://github.com/linux-audit/audit-kernel/issues/11