From 4a0811c0db13ccc7217123be907d6946ded384a1 Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <psutter@redhat.com>
|
|
Date: Wed, 14 Aug 2024 14:30:12 +0200
|
|
Subject: [PATCH] xtables-monitor: Ignore ebtables policy rules unless tracing
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-47264
|
|
Upstream Status: iptables commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055
|
|
|
|
commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055
|
|
Author: Phil Sutter <phil@nwl.cc>
|
|
Date: Fri Jul 12 18:07:16 2024 +0200
|
|
|
|
xtables-monitor: Ignore ebtables policy rules unless tracing
|
|
|
|
Do not expose this implementation detail to users, otherwise new
|
|
user-defined chains are followed by a new rule event.
|
|
|
|
When tracing, they are useful as they potentially terminate rule
|
|
traversal.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
---
|
|
iptables/nft.c | 2 +-
|
|
iptables/nft.h | 1 +
|
|
.../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++---------
|
|
iptables/xtables-monitor.c | 7 +++++++
|
|
4 files changed, 11 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
index ad4c866..81e8f76 100644
|
|
--- a/iptables/nft.c
|
|
+++ b/iptables/nft.c
|
|
@@ -1823,7 +1823,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
|
|
return ret;
|
|
}
|
|
|
|
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
|
|
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
|
|
{
|
|
const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
|
|
const void *data;
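Review bot: Dropping `static` on nft_rule_is_policy_rule() exports it without any comment stating its contract — what marks a rule as an ebtables policy rule and what the function returns for a rule carrying no udata — and the body that would answer this runs past the hunk. Add a comment above the new definition, e.g. `/* True when r is the internal rule iptables-nft attaches to ebtables user-defined chains to implement the chain policy (recognised via its udata); false for rules without such udata. */`, and mirror it on the prototype this commit adds to nft.h. The visible start of the body only sets up udata parsing, so if nothing further down writes through `r` the parameter could become `const struct nftnl_rule *r` to match the read-only rule accessors; confirm against the full definition before changing it.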
|
|
diff --git a/iptables/nft.h b/iptables/nft.h
|
|
index 5acbbf8..8b173d1 100644
|
|
--- a/iptables/nft.h
|
|
+++ b/iptables/nft.h
|
|
@@ -184,6 +184,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
|
|
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
|
|
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
|
|
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
|
|
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
|
|
|
|
/*
|
|
* Operations used in userspace tools
|
|
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
|
|
index 0f0295b..ef1ec3c 100755
|
|
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
|
|
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
|
|
@@ -51,7 +51,6 @@ EXP="\
|
|
EVENT: -6 -t filter -A FORWARD -j ACCEPT"
|
|
monitorcheck ip6tables -A FORWARD -j ACCEPT
|
|
|
|
-# FIXME
|
|
EXP="\
|
|
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
|
|
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
|
|
@@ -70,10 +69,7 @@ monitorcheck iptables -N foo
|
|
EXP=" EVENT: -6 -t filter -N foo"
|
|
monitorcheck ip6tables -N foo
|
|
|
|
-# FIXME
|
|
-EXP="\
|
|
- EVENT: nft: NEW chain: bridge filter foo use 1
|
|
- EVENT: ebtables -t filter -A foo -j ACCEPT"
|
|
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
|
|
monitorcheck ebtables -N foo
|
|
|
|
EXP=" EVENT: -0 -t filter -N foo"
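Review bot: The new expectations here and in the `-X foo` hunk below only pin the event path, where the bridge policy rule is now hidden; nothing in this script checks that the rule is still reported in trace mode, so a regression that suppresses policy rules while tracing, or hides them for families other than bridge, would still pass. A trace-mode counterpart of the `ebtables -N foo` / `ebtables -X foo` checks would close that gap. At minimum, a comment next to the new `EXP=` lines such as `# ebtables policy rules are an implementation detail and are hidden in event mode` would explain why the `-A foo -j ACCEPT` / `-D foo -j ACCEPT` lines disappeared instead of leaving the reader to reconstruct it from git history.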
|
|
@@ -110,10 +106,7 @@ monitorcheck iptables -X foo
|
|
EXP=" EVENT: -6 -t filter -X foo"
|
|
monitorcheck ip6tables -X foo
|
|
|
|
-# FIXME
|
|
-EXP="\
|
|
- EVENT: ebtables -t filter -D foo -j ACCEPT
|
|
- EVENT: nft: DEL chain: bridge filter foo use 0"
|
|
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
|
|
monitorcheck ebtables -X foo
|
|
|
|
EXP=" EVENT: -0 -t filter -X foo"
|
|
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
|
|
index 7079a03..b54a704 100644
|
|
--- a/iptables/xtables-monitor.c
|
|
+++ b/iptables/xtables-monitor.c
|
|
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
|
|
arg->h->ops = nft_family_ops_lookup(family);
|
|
arg->h->family = family;
|
|
|
|
+ /* ignore policy rules unless tracing,
|
|
+ * they are reported when deleting user-defined chains */
|
|
+ if (family == NFPROTO_BRIDGE &&
|
|
+ arg->is_event &&
|
|
+ nft_rule_is_policy_rule(r))
|
|
+ goto err_free;
|
|
+
|
|
if (arg->is_event)
|
|
printf(" EVENT: ");
|
|
switch (family) {
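Review bot: The new comment says policy rules `are reported when deleting user-defined chains`, but the commit message motivates the change with the rule event that follows chain creation, so the comment understates when the filter applies; reword it to `/* ebtables policy rules are an implementation detail: hide them in event mode (they would otherwise appear whenever a user-defined chain is created or deleted), but keep them when tracing, where they can terminate rule traversal */`. The skip via `goto err_free` also assumes that label frees `r` and returns a callback result that keeps the netlink loop running rather than an error; the label is outside the hunk, so confirm a deliberately ignored event cannot abort the monitor. The condition treats `arg->is_event` being false as "tracing"; if event and trace modes can be combined, the comment's "unless tracing" should follow that flag's actual meaning. rule_cb() starts and ends outside the hunk.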
|