iptables/0015-xtables-monitor-Ignore-ebtables-policy-rules-unless-.patch


From 4a0811c0db13ccc7217123be907d6946ded384a1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:30:12 +0200
Subject: [PATCH] xtables-monitor: Ignore ebtables policy rules unless tracing
JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055
commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jul 12 18:07:16 2024 +0200
xtables-monitor: Ignore ebtables policy rules unless tracing
Do not expose this implementation detail to users, otherwise new
user-defined chains are followed by a new rule event.
When tracing, they are useful as they potentially terminate rule
traversal.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 2 +-
iptables/nft.h | 1 +
.../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++---------
iptables/xtables-monitor.c | 7 +++++++
4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index ad4c866..81e8f76 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1823,7 +1823,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
return ret;
}
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
{
const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
const void *data;
diff --git a/iptables/nft.h b/iptables/nft.h
index 5acbbf8..8b173d1 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -184,6 +184,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
/*
* Operations used in userspace tools
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 0f0295b..ef1ec3c 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -51,7 +51,6 @@ EXP="\
EVENT: -6 -t filter -A FORWARD -j ACCEPT"
monitorcheck ip6tables -A FORWARD -j ACCEPT
-# FIXME
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
@@ -70,10 +69,7 @@ monitorcheck iptables -N foo
EXP=" EVENT: -6 -t filter -N foo"
monitorcheck ip6tables -N foo
-# FIXME
-EXP="\
- EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: ebtables -t filter -A foo -j ACCEPT"
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
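Review bot: The updated expectations only pin the event-mode behaviour (policy rule suppressed after `ebtables -N foo`); nothing in this test exercises the trace path, where the new guard in rule_cb is meant to still print the policy rule because is_event is clear there. Unless a trace-mode case exists elsewhere in the suite, a regression that drops the `arg->is_event` term would pass this file unnoticed, so a follow-up case that runs the monitor with `--trace` against a bridge chain and expects the `-j ACCEPT` policy rule to appear would close that gap. The removed `# FIXME` markers read as resolved by the code change, which matches the new expectations.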
@@ -110,10 +106,7 @@ monitorcheck iptables -X foo
EXP=" EVENT: -6 -t filter -X foo"
monitorcheck ip6tables -X foo
-# FIXME
-EXP="\
- EVENT: ebtables -t filter -D foo -j ACCEPT
- EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
EXP=" EVENT: -0 -t filter -X foo"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 7079a03..b54a704 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
arg->h->ops = nft_family_ops_lookup(family);
arg->h->family = family;
+ /* ignore policy rules unless tracing,
+ * they are reported when deleting user-defined chains */
+ if (family == NFPROTO_BRIDGE &&
+ arg->is_event &&
+ nft_rule_is_policy_rule(r))
+ goto err_free;
+
if (arg->is_event)
printf(" EVENT: ");
switch (family) {
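Review bot: The comment above the new guard says "unless tracing" but the condition tests `arg->is_event`, leaving the reader to infer that the trace path enters rule_cb with is_event clear; spell that out, e.g. `/* ebtables policy rules are an implementation detail created/removed with user-defined chains: drop them from event output, but keep them when tracing (is_event clear) since they may terminate rule traversal */`. Because the classification comes from rule userdata (nft_rule_is_policy_rule), any principal with CAP_NET_ADMIN can tag an arbitrary bridge rule the same way and it will then be absent from the event stream, so xtables-monitor output should not be treated as a complete audit of bridge rule changes; a comment noting that nft monitor still reports every rule would save a future reader from that assumption. The `goto err_free` assumes that label frees r and returns the same status the other early exits use, which I could not confirm since the label is outside the hunk. rule_cb's body continues beyond this hunk.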