iptables/0014-xtables-monitor-Fix-for-ebtables-rule-events.patch
Phil Sutter 6eebdb8221 iptables-1.8.10-5.el9
* Wed Aug 14 2024 Phil Sutter <psutter@redhat.com> [1.8.10-5.el9]
- xtables-monitor: Ignore ebtables policy rules unless tracing (Phil Sutter) [RHEL-47264]
- xtables-monitor: Fix for ebtables rule events (Phil Sutter) [RHEL-47264]
- tests: shell: New xtables-monitor test (Phil Sutter) [RHEL-47264]
- xtables-monitor: Support arptables chain events (Phil Sutter) [RHEL-47264]
- xtables-monitor: Align builtin chain and table output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Flush stdout after all lines of output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Proper re-init for rule's family (Phil Sutter) [RHEL-47264]
- nft: Fix for zeroing existent builtin chains (Phil Sutter) [RHEL-49497]
- nft: cache: Annotate faked base chains as such (Phil Sutter) [RHEL-49497]
- nft: Fix for zeroing non-existent builtin chains (Phil Sutter) [RHEL-49497]
Resolves: RHEL-47264, RHEL-49497
2024-08-14 16:11:43 +02:00


From 08754c9274e81f2fcb96ce0e2169e0333d2a8dcf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:30:11 +0200
Subject: [PATCH] xtables-monitor: Fix for ebtables rule events
JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 56217d37aa38938ec3e118ae761481522155ff21
commit 56217d37aa38938ec3e118ae761481522155ff21
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jul 12 14:01:45 2024 +0200
xtables-monitor: Fix for ebtables rule events
Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 15 ++++++---------
iptables/xtables-monitor.c | 3 +++
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 7b028ba..0f0295b 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
- EVENT: "
+ EVENT: ebtables -t filter -A FORWARD -j ACCEPT"
monitorcheck ebtables -A FORWARD -j ACCEPT
EXP="\
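Review bot: the new expectation prints the bridge rule as `ebtables -t filter -A FORWARD -j ACCEPT`, while the expectations for the other families in this file put a bare family flag in the same position (`-6 -t filter ...`, `-0 -t filter ...` further down). The commit message explains that there is no well-known modifier flag for the bridge family, but anything that parses `EVENT:` lines by splitting off a leading `-4`/`-6`/`-0` token now has to accept a second shape; a one-line comment above this `EXP=` saying the `ebtables` prefix is intentional would keep the asymmetry from reading as a leftover.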
@@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo
# FIXME
EXP="\
EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: "
+ EVENT: ebtables -t filter -A foo -j ACCEPT"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
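Review bot: the `# FIXME` at the top of this hunk is kept, and the new expectation for `ebtables -N foo` includes a rule event (`EVENT: ebtables -t filter -A foo -j ACCEPT`) alongside the chain event, so creating an empty user chain is reported as if a rule had been added. The changelog for this build lists a follow-up, "xtables-monitor: Ignore ebtables policy rules unless tracing", which presumably removes that line again; it would help to say so in the FIXME comment rather than leaving the expectation silently pinned to the interim behaviour.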
@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
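Review bot: the expected output spells the match options differently from the command that produced them: `-p ip` comes back as `-p IPv4`, `--ip-protocol` as `--ip-proto` and `--ip-source-port` as `--ip-sport`. Those are accepted ebtables aliases, so the test is right, but it now pins the canonical spelling the monitor emits; a short comment noting that the output is the canonical form rather than an echo of the input would stop the next reader from taking the mismatch for a bug. The same applies to the `-D` counterpart below.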
@@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo
# FIXME
EXP="\
- EVENT:
+ EVENT: ebtables -t filter -D foo -j ACCEPT
EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
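Review bot: as in the `-N foo` hunk, `# FIXME` stays and the expectation for `ebtables -X foo` now starts with a rule deletion (`EVENT: ebtables -t filter -D foo -j ACCEPT`) ahead of the `DEL chain` event, i.e. the chain's implicit policy rule surfaces as a user-visible rule deletion. The ordering (rule deletion before chain deletion) is worth stating in the comment, since the follow-up that ignores policy rules is expected to change the line count here and the bare FIXME is the only hint why.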
@@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD
EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
monitorcheck ip6tables -F FORWARD
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
monitorcheck ebtables -F FORWARD
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 714a2df..7079a03 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
case NFPROTO_ARP:
printf("-0 ");
break;
+ case NFPROTO_BRIDGE:
+ printf("ebtables ");
+ break;
default:
puts("");
goto err_free;
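Review bot: `case NFPROTO_BRIDGE:` prints the program name `ebtables ` where the sibling cases print a flag (`-0 ` for `NFPROTO_ARP` is visible here), so the family prefix is no longer uniform across families; the commit message accepts that for lack of a bridge modifier flag, but the xtables-monitor man page should describe the `ebtables` prefix so consumers know to expect both shapes. Separately, the `default:` branch still emits the bare `EVENT:` line via `puts("")` before `goto err_free`, so any family without an explicit case falls back to exactly the empty-line behaviour this patch fixes for bridge; a diagnostic naming the unhandled family on stderr at that point would make the next such gap easier to spot.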