return ret;
}
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
{
const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
const void *data;
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
/*
* Operations used in userspace tools
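Review bot: The exported prototype added here, `bool nft_rule_is_policy_rule(struct nftnl_rule *r);`, takes a non-const rule pointer even though the function is a predicate; the definition in the nft.c hunk above only sets up a udata table and a `const void *data`, so if the libnftnl getters it calls accept a const rule, `bool nft_rule_is_policy_rule(const struct nftnl_rule *r);` (with the same change on the definition line) would let const callers use it without a cast — the function body is outside the hunk, so confirm before changing. Now that the symbol is public, a one-line comment on the declaration would also help header readers, e.g. `/* true if r is the policy rule iptables-nft attaches to a chain (recognised via the rule's udata) */`, hedged as needed once the body is checked.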
EVENT: -6 -t filter -A FORWARD -j ACCEPT"
monitorcheck ip6tables -A FORWARD -j ACCEPT
-# FIXME
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
EXP=" EVENT: -6 -t filter -N foo"
monitorcheck ip6tables -N foo
-# FIXME
-EXP="\
- EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: ebtables -t filter -A foo -j ACCEPT"
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
EXP=" EVENT: -6 -t filter -X foo"
monitorcheck ip6tables -X foo
-# FIXME
-EXP="\
- EVENT: ebtables -t filter -D foo -j ACCEPT
- EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
EXP=" EVENT: -0 -t filter -X foo"
arg->h->ops = nft_family_ops_lookup(family);
arg->h->family = family;
+ /* ignore policy rules unless tracing,
+ * they are reported when deleting user-defined chains */
+ if (family == NFPROTO_BRIDGE &&
+ arg->is_event &&
+ nft_rule_is_policy_rule(r))
+ goto err_free;
+
if (arg->is_event)
printf(" EVENT: ");
switch (family) {