From 4a0811c0db13ccc7217123be907d6946ded384a1 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 14 Aug 2024 14:30:12 +0200
Subject: [PATCH] xtables-monitor: Ignore ebtables policy rules unless tracing

JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055

commit 5aa4935bc88fd8acf90cce4535e58fc3be85f055
Author: Phil Sutter
Date: Fri Jul 12 18:07:16 2024 +0200

    xtables-monitor: Ignore ebtables policy rules unless tracing

    Do not expose this implementation detail to users, otherwise new user-defined chains are followed by a new rule event.

    When tracing, they are useful as they potentially terminate rule traversal.

    Signed-off-by: Phil Sutter

Signed-off-by: Phil Sutter
---
 iptables/nft.c | 2 +-
 iptables/nft.h | 1 +
 .../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++---------
 iptables/xtables-monitor.c | 7 +++++++
 4 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index ad4c866..81e8f76 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1823,7 +1823,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
 	return ret;
 }
 
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
 {
 	const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
 	const void *data;
diff --git a/iptables/nft.h b/iptables/nft.h
index 5acbbf8..8b173d1 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -184,6 +184,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
 int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
 int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
 
 /*
  * Operations used in userspace tools 
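Review bot: The now-exported `nft_rule_is_policy_rule` keeps a non-const `struct nftnl_rule *r` in both the nft.c definition and the new nft.h prototype, although the locals visible in the hunk (`const struct nftnl_udata *tb[]`, `const void *data`) suggest it only inspects the rule's udata; if the rest of the body, which continues past the hunk, confirms that, declaring it as `bool nft_rule_is_policy_rule(const struct nftnl_rule *r);` would let callers holding a const rule use it without a cast. A prototype that is now part of the module interface also deserves a one-line comment in nft.h, e.g. `/* True if @r is the implicit policy rule xtables adds alongside a user-defined chain (recognised via the rule's udata). */`, so that readers of the header do not have to find the commit message to learn what a "policy rule" is.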
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 0f0295b..ef1ec3c 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -51,7 +51,6 @@ EXP="\
  EVENT: -6 -t filter -A FORWARD -j ACCEPT"
 monitorcheck ip6tables -A FORWARD -j ACCEPT
 
-# FIXME
 EXP="\
  EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
  EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
@@ -70,10 +69,7 @@ monitorcheck iptables -N foo
 EXP=" EVENT: -6 -t filter -N foo"
 monitorcheck ip6tables -N foo
 
-# FIXME
-EXP="\
-  EVENT: nft: NEW chain: bridge filter foo use 1
-  EVENT: ebtables -t filter -A foo -j ACCEPT"
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
 monitorcheck ebtables -N foo
 
 EXP=" EVENT: -0 -t filter -N foo"
@@ -110,10 +106,7 @@ monitorcheck iptables -X foo
 EXP=" EVENT: -6 -t filter -X foo"
 monitorcheck ip6tables -X foo
 
-# FIXME
-EXP="\
-  EVENT: ebtables -t filter -D foo -j ACCEPT
-  EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
 monitorcheck ebtables -X foo
 
 EXP=" EVENT: -0 -t filter -X foo"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 7079a03..b54a704 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	arg->h->ops = nft_family_ops_lookup(family);
 	arg->h->family = family;
 
+	/* ignore policy rules unless tracing,
+	 * they are reported when deleting user-defined chains */
+	if (family == NFPROTO_BRIDGE &&
+	    arg->is_event &&
+	    nft_rule_is_policy_rule(r))
+		goto err_free;
+
 	if (arg->is_event)
 		printf(" EVENT: ");
 	switch (family) {
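Review bot: The new comment in rule_cb says policy rules are ignored "unless tracing", but the guard tests `arg->is_event`, so a reader has to infer on their own that the trace path reaches rule_cb with is_event cleared; the comment should state that link explicitly, e.g. `/* Policy rules are an implementation detail of user-defined ebtables chains: hide them from event output (arg->is_event set), but keep them when rule_cb runs for trace output, where they can terminate rule traversal. */`. The early `goto err_free` presumably frees r and returns a value that keeps the netlink callback loop going rather than aborting the monitor; that label, like the start and the rest of rule_cb, lies outside the hunk, so it is worth confirming the skipped rule does not leak. For anyone relying on xtables-monitor as an audit trail, the observable effect is that `ebtables -N foo` / `ebtables -X foo` now produce only the chain event and the accompanying `-A foo -j ACCEPT` / `-D foo -j ACCEPT` rule events are suppressed, which the test expectations changed in this commit pin down.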