iptables/SOURCES/0014-xtables-monitor-Fix-fo...

From 08754c9274e81f2fcb96ce0e2169e0333d2a8dcf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:30:11 +0200
Subject: [PATCH] xtables-monitor: Fix for ebtables rule events

JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 56217d37aa38938ec3e118ae761481522155ff21

commit 56217d37aa38938ec3e118ae761481522155ff21
Author: Phil Sutter <phil@nwl.cc>
Date:   Fri Jul 12 14:01:45 2024 +0200

    xtables-monitor: Fix for ebtables rule events

    Bridge family wasn't recognized in rule_cb(), so merely an empty
    "EVENT:" line was printed for ebtables rule changes. For lack of a
    well-known family modifier flag for bridge family, simply prefix rules
    by "ebtables".

    Signed-off-by: Phil Sutter <phil@nwl.cc>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 .../testcases/nft-only/0012-xtables-monitor_0     | 15 ++++++---------
 iptables/xtables-monitor.c                        |  3 +++
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 7b028ba..0f0295b 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT
 EXP="\
  EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
  EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
- EVENT: "
+ EVENT: ebtables -t filter -A FORWARD -j ACCEPT"
 monitorcheck ebtables -A FORWARD -j ACCEPT
 
 EXP="\
@@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo
 # FIXME
 EXP="\
  EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: "
+ EVENT: ebtables -t filter -A foo -j ACCEPT"
 monitorcheck ebtables -N foo
 
 EXP=" EVENT: -0 -t filter -N foo"
@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
 EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
 monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
 
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
 monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
 
 EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
 EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
 monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
 
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
 monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
 
 EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo
 
 # FIXME
 EXP="\
- EVENT: 
+ EVENT: ebtables -t filter -D foo -j ACCEPT
  EVENT: nft: DEL chain: bridge filter foo use 0"
 monitorcheck ebtables -X foo
 
@@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD
 EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
 monitorcheck ip6tables -F FORWARD
 
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
 monitorcheck ebtables -F FORWARD
 
 EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 714a2df..7079a03 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	case NFPROTO_ARP:
 		printf("-0 ");
 		break;
+	case NFPROTO_BRIDGE:
+		printf("ebtables ");
+		break;
 	default:
 		puts("");
 		goto err_free;
import iptables-1.8.10-5.el9 1 month ago			`From 08754c9274e81f2fcb96ce0e2169e0333d2a8dcf Mon Sep 17 00:00:00 2001`
			`From: Phil Sutter <psutter@redhat.com>`
			`Date: Wed, 14 Aug 2024 14:30:11 +0200`
			`Subject: [PATCH] xtables-monitor: Fix for ebtables rule events`

			`JIRA: https://issues.redhat.com/browse/RHEL-47264`
			`Upstream Status: iptables commit 56217d37aa38938ec3e118ae761481522155ff21`

			`commit 56217d37aa38938ec3e118ae761481522155ff21`
			`Author: Phil Sutter <phil@nwl.cc>`
			`Date: Fri Jul 12 14:01:45 2024 +0200`

			`xtables-monitor: Fix for ebtables rule events`

			`Bridge family wasn't recognized in rule_cb(), so merely an empty`
			`"EVENT:" line was printed for ebtables rule changes. For lack of a`
			`well-known family modifier flag for bridge family, simply prefix rules`
			`by "ebtables".`

			`Signed-off-by: Phil Sutter <phil@nwl.cc>`

			`Signed-off-by: Phil Sutter <psutter@redhat.com>`
			`---`
			`.../testcases/nft-only/0012-xtables-monitor_0 \| 15 ++++++---------`
			`iptables/xtables-monitor.c \| 3 +++`
			`2 files changed, 9 insertions(+), 9 deletions(-)`

			`diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0`
			`index 7b028ba..0f0295b 100755`
			`--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0`
			`+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0`
			`@@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT`
			`EXP="\`
			`EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0`
			`EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1`
			`- EVENT: "`
			`+ EVENT: ebtables -t filter -A FORWARD -j ACCEPT"`
			`monitorcheck ebtables -A FORWARD -j ACCEPT`

			`EXP="\`
			`@@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo`
			`# FIXME`
			`EXP="\`
			`EVENT: nft: NEW chain: bridge filter foo use 1`
			`- EVENT: "`
			`+ EVENT: ebtables -t filter -A foo -j ACCEPT"`
			`monitorcheck ebtables -N foo`

			`EXP=" EVENT: -0 -t filter -N foo"`
			`@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT`
			`EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"`
			`monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT`

			`-# FIXME`
			`-EXP=" EVENT: "`
			`+EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"`
			`monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT`

			`EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"`
			`@@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT`
			`EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"`
			`monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT`

			`-# FIXME`
			`-EXP=" EVENT: "`
			`+EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"`
			`monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT`

			`EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"`
			`@@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo`

			`# FIXME`
			`EXP="\`
			`- EVENT:`
			`+ EVENT: ebtables -t filter -D foo -j ACCEPT`
			`EVENT: nft: DEL chain: bridge filter foo use 0"`
			`monitorcheck ebtables -X foo`

			`@@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD`
			`EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"`
			`monitorcheck ip6tables -F FORWARD`

			`-# FIXME`
			`-EXP=" EVENT: "`
			`+EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"`
			`monitorcheck ebtables -F FORWARD`

			`EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"`
			`diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c`
			`index 714a2df..7079a03 100644`
			`--- a/iptables/xtables-monitor.c`
			`+++ b/iptables/xtables-monitor.c`
			`@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr nlh, void data)`
			`case NFPROTO_ARP:`
			`printf("-0 ");`
			`break;`
			`+ case NFPROTO_BRIDGE:`
			`+ printf("ebtables ");`
			`+ break;`
			`default:`
			`puts("");`
			`goto err_free;`