6eebdb8221
* Wed Aug 14 2024 Phil Sutter <psutter@redhat.com> [1.8.10-5.el9]
- xtables-monitor: Ignore ebtables policy rules unless tracing (Phil Sutter) [RHEL-47264]
- xtables-monitor: Fix for ebtables rule events (Phil Sutter) [RHEL-47264]
- tests: shell: New xtables-monitor test (Phil Sutter) [RHEL-47264]
- xtables-monitor: Support arptables chain events (Phil Sutter) [RHEL-47264]
- xtables-monitor: Align builtin chain and table output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Flush stdout after all lines of output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Proper re-init for rule's family (Phil Sutter) [RHEL-47264]
- nft: Fix for zeroing existent builtin chains (Phil Sutter) [RHEL-49497]
- nft: cache: Annotate faked base chains as such (Phil Sutter) [RHEL-49497]
- nft: Fix for zeroing non-existent builtin chains (Phil Sutter) [RHEL-49497]
Resolves: RHEL-47264, RHEL-49497
103 lines
4.0 KiB
Diff
From 08754c9274e81f2fcb96ce0e2169e0333d2a8dcf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:30:11 +0200
Subject: [PATCH] xtables-monitor: Fix for ebtables rule events
JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 56217d37aa38938ec3e118ae761481522155ff21
commit 56217d37aa38938ec3e118ae761481522155ff21
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jul 12 14:01:45 2024 +0200
xtables-monitor: Fix for ebtables rule events
Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 15 ++++++---------
iptables/xtables-monitor.c | 3 +++
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 7b028ba..0f0295b 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
- EVENT: "
+ EVENT: ebtables -t filter -A FORWARD -j ACCEPT"
monitorcheck ebtables -A FORWARD -j ACCEPT
EXP="\
@@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo
# FIXME
EXP="\
EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: "
+ EVENT: ebtables -t filter -A foo -j ACCEPT"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
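Review bot: the `# FIXME` marker above `EXP="\` is kept while the expectation now asserts an `ebtables -t filter -A foo -j ACCEPT` event that the test never issued (it only runs `ebtables -N foo`); that extra rule event is the new chain's implicit policy rule, so the FIXME should say that suppressing policy-rule events is what is still pending (the changelog lists a separate "Ignore ebtables policy rules unless tracing" change for that), or be dropped if this expectation is considered final. The same applies to the `ebtables -X foo` hunk further down, which asserts the matching `-D foo -j ACCEPT` before the `DEL chain` event.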
@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
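Review bot: the new `EXP=` line pins the canonical ebtables spelling (`-p IPv4`, `--ip-proto`, `--ip-sport`) and a different option order than the command the test issues (`-p ip`, `--ip-protocol`, `--ip-source-port`); asserting the canonical form is the right choice, but a one-line comment in the test noting that the monitor prints the canonical option names would save the next reader from reading the mismatch as a bug. The `-D FORWARD` hunk below has the same shape and could carry the same comment.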
@@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo
# FIXME
EXP="\
- EVENT:
+ EVENT: ebtables -t filter -D foo -j ACCEPT
EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
@@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD
EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
monitorcheck ip6tables -F FORWARD
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
monitorcheck ebtables -F FORWARD
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 714a2df..7079a03 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
case NFPROTO_ARP:
printf("-0 ");
break;
+ case NFPROTO_BRIDGE:
+ printf("ebtables ");
+ break;
default:
puts("");
goto err_free;
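Review bot: the new `NFPROTO_BRIDGE` case prints a tool name (`ebtables `) where the neighbouring cases print a family flag (`-0 ` for arp in the context above, `-4`/`-6` in the test expectations), so the EVENT line format is no longer uniform across families and any consumer that prepends its own binary name or parses the first token as a flag now has to special-case bridge. The commit message gives the reason (no well-known family modifier flag for bridge), so the fix is fine, but the xtables-monitor man page and a short comment beside the `case` should state that bridge rule events are printed as a full `ebtables` command. Unrelated to the change but worth noting while here: the `default:` branch below still prints an empty `EVENT:` line for any other unhandled family, which is exactly how this bug went unnoticed; writing the numeric family to stderr before `goto err_free` would make the next gap visible.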