From patchwork Tue Jul 16 12:27:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961076 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=gq0xqCoA; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.80.249; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3002-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [147.75.80.249]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WNddk4nMYz1xrK for ; Tue, 16 Jul 2024 22:28:26 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 6153F1F233E7 for ; Tue, 16 Jul 2024 12:28:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2017F199E83; Tue, 16 Jul 2024 12:28:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="gq0xqCoA" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate 
requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24858199EB9 for ; Tue, 16 Jul 2024 12:28:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721132894; cv=none; b=ZgSvl6hJ7pQk8FlAVHPI2fQaNJKEZcVima6U+ZK2xDzk+Upe3gyYx0VwigZyo5YFnWQPai7SV6NeLtPd/+gsdscw2/uklCRKjqY3Thf2X9PVjo9kNGuyN5wkcZcKyII1e+s6ujJIvwiHdcVONlwXHqODfGwKl6u5HpXv24ouvYI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721132894; c=relaxed/simple; bh=2v9P92JqNJM+UJOLxXG1/g44RyhsFUSKs0ZMU++MewA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XYJNQXyNEYN2tarVce0//yzScjcR9/rrnxQ6fChkBE8j2ICGFzsjGZyAdKPlCTDHDmtKb7fPcr5efk6tc+rBLbDObtjgYN07zk0QCVxa/dNvpDXQNbY3C3XMmKTv2Rq1hQquXdTDRcL5fZxVTDuh9T9NJIMFSbmgugd80kvzaOU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=gq0xqCoA; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=oWAjJgBgfxNV18vi3MjpJZyKUS1RpedtrAiVKGoPQHs=; b=gq0xqCoAKxw3PCVOFZ8NPACKPE l8rKNN1uFBAMgNnE68cIwdyDvKw0hJTbkg5sm4O4/0uOcTczO/4vNI+44mV7BJzGe0BNfmL0dNRrm kxdyaUS504GvZgX2dWnwXiuDgiyAEwVIj4i/qyEgS1ZUDtD+tN9sJ675Mvym+z1vhSSRXoDxisQj9 
3jfs5q1Zu1BrVINpe6AJELpTP5VoMKYAIQ09dQPfX2qhnDdNaPnlHaUwrvPsaVVaTwp+lmhXHlVym 2mURqJ7nUO31Qbz1Tq/g9Rkk0HW1OltvMehnInkigRHPo7ZQlfNxVTxYKNiN/Kdsj1oSW9wObYm45 haZRW6ow==;
Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1sThHv-000000007tK-1h8y; Tue, 16 Jul 2024 14:28:11 +0200
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso
Subject: [iptables PATCH 1/8] xtables-monitor: Proper re-init for rule's family
Date: Tue, 16 Jul 2024 14:27:58 +0200
Message-ID: <20240716122805.22331-2-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240716122805.22331-1-phil@nwl.cc>
References: <20240716122805.22331-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0

When not running for a specific family only (via -4/-6 flags), xtables-monitor potentially sees events/traces for all families. To correctly parse rules when printing for NEWRULE, DELRULE or TRACE messages, nft_handle has to be reinitialized for the rule's family.

It is not sufficient to reset nft_handle::ops: Some expression parsers rely upon nft_handle::family to be properly set, too (cf. references to 'ctx->h->family' in nft-ruleparse.c). Adjusting the 'afinfo' pointer provided by libxtables is even more crucial, as e.g. do_parse() in xshared.c relies upon it for the proper optstring.

This is actually a day-1 bug in xtables-monitor which surfaced due to commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore make this fix the commit it is following up.

Fixes: ca69b0290dc50 ("xtables-monitor: Fix ip6tables rule printing")
Signed-off-by: Phil Sutter
---
 iptables/xtables-monitor.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index cf2729d87968b..cf92355f76f8a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -92,7 +92,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) if (arg->nfproto && arg->nfproto != family) goto err_free; + xtables_set_nfproto(family); arg->h->ops = nft_family_ops_lookup(family); + arg->h->family = family; if (arg->is_event) printf(" EVENT: "); From patchwork Tue Jul 16 12:27:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961073 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=PmhKU1hY; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2999-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WNddd0gvqz1xrK for ; Tue, 16 Jul 2024 22:28:21 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id C0BB41F233A2 for ; Tue, 16 Jul 2024 12:28:18 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7FB10199E88; Tue, 16 Jul 2024 12:28:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail 
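Review bot: xtables_set_nfproto(family) mutates libxtables' global afinfo before nft_family_ops_lookup(family) has confirmed that the monitor can handle this family at all, and the only guard in the hunk, `if (arg->nfproto && arg->nfproto != family) goto err_free;`, is disabled precisely in the run-for-all-families case the commit message describes. Suggest calling nft_family_ops_lookup() first, taking the err_free path when it returns nothing, and only then switching afinfo and setting arg->h->family, so an event for an unsupported family cannot leave global parser state pointing at a family that nothing prints. Two smaller points: the commit message names TRACE messages as well, but only rule_cb() is touched, so if trace_cb() reaches the rule parser through a different path it needs the same re-init; and a short comment above the two new lines, stating that do_parse() reads afinfo for its optstring and the expression parsers read ctx->h->family, would save the next reader a trip to the commit log.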
List-Post:List-Owner:List-Archive; bh=1dLEXydO5CuNrfEL7lgghAkbu8K2fNhpgqpaiTQZXe8=; b=PmhKU1hYeyr6aeb67zlrEQ1bQX kuSN4TjGCZ5QiqhD/zbhUmaiVE5lbH1LojWyXdGYuaVeojJXvxlxKcgBrvs+PvQFTPoVvUE0V9Jcw 9lgWWpoEC0s12p0hw8QeN8Y+8QDTntG/cUq8UdnGZtxI3uCH56ChO680luBH0hyb+zsx/+SG+awfd o5iKfjBSKPURWzlpCOau7FqsjRGd/DbwW2suG9X/PPEs5Qu8fmpvo/5ApE0QMFKdSAn1Dw/cusaUC wfwXV6XRix3B8C9gyV59z4xR00rPJD//AZovAvNZ+ZJ3a8+OnUtIy4ihHg+NVdNNEoSNJwByWY1lo XOyEXyoA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1sThHt-000000007su-0IjM; Tue, 16 Jul 2024 14:28:09 +0200 From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso Subject: [iptables PATCH 2/8] xtables-monitor: Flush stdout after all lines of output Date: Tue, 16 Jul 2024 14:27:59 +0200 Message-ID: <20240716122805.22331-3-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240716122805.22331-1-phil@nwl.cc> References: <20240716122805.22331-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Writing an xtables-monitor testsuite is pretty much impossible without this due to unreliable output flushing. Just move the fflush() call from trace_cb() to its caller so monitor events benefit from it as well. Fixes: 07af4da52ab30 ("xtables-monitor: fix rule printing") Signed-off-by: Phil Sutter --- iptables/xtables-monitor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index cf92355f76f8a..90d1cc5e37f31 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -544,7 +544,6 @@ static int trace_cb(const struct nlmsghdr *nlh, struct cb_arg *arg) err_free: nftnl_trace_free(nlt); err: - fflush(stdout); return MNL_CB_OK; } 
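Review bot: after removing fflush(stdout), the `err:` label in trace_cb() is immediately followed by `return MNL_CB_OK;`; if every `goto err` in the function only wanted that return, the gotos can become plain `return MNL_CB_OK;` statements and the label can go, rather than keeping an empty exit target. The behavioural change itself is fine as long as monitor_cb() is the only caller of trace_cb(), since the flush now happens there.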
@@ -576,6 +575,7 @@ static int monitor_cb(const struct nlmsghdr *nlh, void *data) break; } + fflush(stdout); return ret; } From patchwork Tue Jul 16 12:28:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961080 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Pi1P7ALH; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3006-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WNddr6F1kz20Ct for ; Tue, 16 Jul 2024 22:28:32 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 6CA492831D1 for ; Tue, 16 Jul 2024 12:28:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EEBD519A87D; Tue, 16 Jul 2024 12:28:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="Pi1P7ALH" X-Original-To: netfilter-devel@vger.kernel.org Received: from 
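Review bot: the new fflush(stdout) at the end of monitor_cb() fires for every netlink message, including the ones for which the switch printed nothing, so a burst of ruleset changes costs one write(2) per message. That is acceptable for a live monitor, but a single setvbuf(stdout, NULL, _IOLBF, 0) before entering the receive loop would give the testsuite the same line-granular output, also cover printf() paths that do not pass through this switch, and avoid the per-message syscall when stdout is a pipe or file. If the explicit flush stays, a comment saying it is there so that readers and the testsuite see each event as soon as it is printed would explain its position outside the switch.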
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso
Subject: [iptables PATCH 3/8] xtables-monitor: Align builtin chain and table output
Date: Tue, 16 Jul 2024 14:28:00 +0200
Message-ID: <20240716122805.22331-4-phil@nwl.cc>
In-Reply-To: <20240716122805.22331-1-phil@nwl.cc>
References: <20240716122805.22331-1-phil@nwl.cc>

Drop the leading hash sign and add "NEW/DEL chain" annotation.

Signed-off-by: Phil Sutter
---
 iptables/xtables-monitor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 90d1cc5e37f31..e136e9b722e92 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -153,7 +153,8 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data) break; default: nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0); - printf("# nft: %s\n", buf); + printf("nft: %s chain: %s\n", + type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL", buf); goto err_free; } From patchwork Tue Jul 16 12:28:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961081 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=PN1DAlWQ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3007-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WNddt1Y3jz1xrK for ; Tue, 16 Jul 2024 22:28:34 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id EF046B22ADE for ; Tue, 16 Jul 2024 12:28:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4B7DD19AA40; Tue, 16 Jul 2024 12:28:18 +0000 (UTC) Authentication-Results: 
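Review bot: `type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL"` reports every message type other than NEWCHAIN as a deletion; that is correct only if chain_cb() is dispatched exclusively for NFT_MSG_NEWCHAIN and NFT_MSG_DELCHAIN, otherwise test for NFT_MSG_DELCHAIN explicitly and print the raw type for anything else. The hunk also changes a user-visible line (the "# nft: " prefix becomes "nft: NEW chain: " or "nft: DEL chain: "), which anyone scraping xtables-monitor output will notice, so the commit message or the man page should state the new format; the test added in patch 5/8 of this series already pins it.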
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso
Subject: [iptables PATCH 4/8] xtables-monitor: Support arptables chain events
Date: Tue, 16 Jul 2024 14:28:01 +0200
Message-ID: <20240716122805.22331-5-phil@nwl.cc>
In-Reply-To: <20240716122805.22331-1-phil@nwl.cc>
References: <20240716122805.22331-1-phil@nwl.cc>

Print arptables NEWCHAIN/DELCHAIN events just like for iptables, using the '-0' prefix the rule callback already uses.

Signed-off-by: Phil Sutter
---
 iptables/xtables-monitor.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index e136e9b722e92..714a2dfd7074a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -151,6 +151,9 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data) case NFPROTO_IPV6: family = 6; break; + case NFPROTO_ARP: + family = 0; + break; default: nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0); printf("nft: %s chain: %s\n", From patchwork Tue Jul 16 12:28:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961075 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=NLNvXj2B; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3000-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WNddj3GRHz20Ct for ; Tue, 16 Jul 2024 22:28:25 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id AD5DE1C21FFA for ; Tue, 16 Jul 2024 12:28:21 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DC56B19A84C; Tue, 16 Jul 2024 12:28:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature 
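Review bot: `family = 0` hard-codes the number that ends up as the "-0" prefix for arptables, the same value rule_cb() uses according to the commit message; since 0 is also NFPROTO_UNSPEC, a comment that this is the arptables command-line convention, or better a small helper shared by rule_cb() and chain_cb() that maps NFPROTO_* to the printed family number, would keep the two callbacks from drifting. NFPROTO_BRIDGE still falls through to the default branch and prints the raw nftnl chain, which is what the FIXME entries in the test in patch 5/8 expect; if that is intentional for now, say so in the commit message.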
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso
Subject: [iptables PATCH 5/8] tests: shell: New xtables-monitor test
Date: Tue, 16 Jul 2024 14:28:02 +0200
Message-ID: <20240716122805.22331-6-phil@nwl.cc>
In-Reply-To: <20240716122805.22331-1-phil@nwl.cc>
References: <20240716122805.22331-1-phil@nwl.cc>

Only event monitoring for now.

Signed-off-by: Phil Sutter
---
 .../testcases/nft-only/0012-xtables-monitor_0 | 149 ++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0

diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
new file mode 100755
index 0000000000000..7b028ba7a9ca5
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -0,0 +1,149 @@ +#!/bin/bash + +[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +log=$(mktemp) +trap "rm -f $log" EXIT +echo "logging into file $log" +rc=0 + +# Filter monitor output: +# - NEWGEN event is moot: +# - GENID/PID are arbitrary, +# - NAME always "xtables-nft-mul" +# - handle is arbitrary as well +logfilter() { # (logfile) + grep -v '^NEWGEN:' "$1" | sed -e 's/handle [0-9]\+/handle 0/' +} + +# Compare monitor output for given command against content of the global $EXP +monitorcheck() { # (cmd ...) + $XT_MULTI xtables-monitor -e >"$log"& + monpid=$! + sleep 0.5 + + $XT_MULTI "$@" || { + echo "Error: command failed: $@" + let "rc++" + kill $monpid + wait + return + } + sleep 0.5 + kill $monpid + wait + diffout=$(diff -u <(echo "$EXP") <(logfilter "$log")) || { + echo "Fail: unexpected result for command: '$@':" + grep -v '^\(---\|+++\|@@\)' <<< "$diffout" + let "rc++" + } +} + +EXP="\ + EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0 + EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 + EVENT: -4 -t filter -A FORWARD -j ACCEPT" +monitorcheck iptables -A FORWARD -j ACCEPT + +EXP="\ + EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0 + EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 + EVENT: -6 -t filter -A FORWARD -j ACCEPT" +monitorcheck ip6tables -A FORWARD -j ACCEPT + +# FIXME +EXP="\ + EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0 + EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1 + EVENT: " +monitorcheck ebtables -A FORWARD -j ACCEPT + +EXP="\ + EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0 + EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1 + EVENT: -0 -t filter -A INPUT -j 
ACCEPT" +monitorcheck arptables -A INPUT -j ACCEPT + +EXP=" EVENT: -4 -t filter -N foo" +monitorcheck iptables -N foo + +EXP=" EVENT: -6 -t filter -N foo" +monitorcheck ip6tables -N foo + +# FIXME +EXP="\ + EVENT: nft: NEW chain: bridge filter foo use 1 + EVENT: " +monitorcheck ebtables -N foo + +EXP=" EVENT: -0 -t filter -N foo" +monitorcheck arptables -N foo + +# meta l4proto matches require proper nft_handle:family value +EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" +monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT + +EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT + +# FIXME +EXP=" EVENT: " +monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT + +EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT + +EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" +monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT + +EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT + +# FIXME +EXP=" EVENT: " +monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT + +EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT + +EXP=" EVENT: -4 -t filter -X foo" +monitorcheck iptables -X foo + +EXP=" EVENT: -6 -t filter -X foo" +monitorcheck ip6tables -X foo + +# FIXME +EXP="\ + EVENT: + EVENT: nft: DEL chain: bridge filter foo use 0" +monitorcheck ebtables -X foo + 
+EXP=" EVENT: -0 -t filter -X foo" +monitorcheck arptables -X foo + +EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT" +monitorcheck iptables -F FORWARD + +EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT" +monitorcheck ip6tables -F FORWARD + +# FIXME +EXP=" EVENT: " +monitorcheck ebtables -F FORWARD + +EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT" +monitorcheck arptables -F INPUT + +EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck iptables -X FORWARD + +EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck ip6tables -X FORWARD + +EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1" +monitorcheck ebtables -X FORWARD + +EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1" +monitorcheck arptables -X INPUT + +exit $rc
From patchwork Tue Jul 16 12:28:03 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961074
From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso Subject: [iptables PATCH 6/8] xtables-monitor: Fix for ebtables rule events Date: Tue, 16 Jul 2024 14:28:03 +0200 Message-ID: <20240716122805.22331-7-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240716122805.22331-1-phil@nwl.cc> References: <20240716122805.22331-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Bridge family wasn't recognized in rule_cb(), so merely an empty "EVENT:" line was printed for ebtables rule changes. For lack of a well-known family modifier flag for bridge family, simply prefix rules by "ebtables". Signed-off-by: Phil Sutter --- .../testcases/nft-only/0012-xtables-monitor_0 | 15 ++++++--------- iptables/xtables-monitor.c | 3 +++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 index 7b028ba7a9ca5..0f0295b05ec52 100755 --- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 +++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 @@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT EXP="\ EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0 EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1 - EVENT: " + EVENT: ebtables -t filter -A FORWARD -j ACCEPT" monitorcheck ebtables -A FORWARD -j ACCEPT EXP="\ @@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo # FIXME EXP="\ EVENT: nft: NEW chain: bridge filter foo use 1 - EVENT: " + EVENT: ebtables -t filter -A foo -j ACCEPT" monitorcheck ebtables -N foo EXP=" EVENT: -0 -t filter -N foo" 
@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT -# FIXME -EXP=" EVENT: " +EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" @@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT -# FIXME -EXP=" EVENT: " +EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" @@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo # FIXME EXP="\ - EVENT: + EVENT: ebtables -t filter -D foo -j ACCEPT EVENT: nft: DEL chain: bridge filter foo use 0" monitorcheck ebtables -X foo @@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT" monitorcheck ip6tables -F FORWARD -# FIXME -EXP=" EVENT: " +EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT" monitorcheck ebtables -F FORWARD EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT" diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 714a2dfd7074a..7079a039fb28b 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c 
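Review bot: the `# FIXME` markers kept on the `-N foo` and `-X foo` hunks need a comment in the test file saying what is still wrong: the new expectations pair each bridge chain event with an `ebtables -t filter -A foo -j ACCEPT` / `-D foo -j ACCEPT` rule event the user never entered (the chain's implicit policy rule surfacing as a rule event), so a reader cannot tell whether that extra line is the remaining bug or the fix. A one-line comment is also warranted on the `-A FORWARD` / `-D FORWARD` hunks: the expected output for `-p ip --ip-protocol udp --ip-source-port 1337` is the canonical form `-p IPv4 --ip-proto udp --ip-sport 1337`, so the monitor prints a normalized rule rather than echoing the command as typed, and the test encodes that normalization.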
@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) case NFPROTO_ARP: printf("-0 "); break; + case NFPROTO_BRIDGE: + printf("ebtables "); + break; default: puts(""); goto err_free;
From patchwork Tue Jul 16 12:28:04 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961077
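Review bot: in the rule_cb() hunk of patch 6/8 (iptables/xtables-monitor.c), the `default: puts(""); goto err_free;` arm directly below the new `NFPROTO_BRIDGE` case still produces exactly the symptom this patch fixes for bridge, a bare ` EVENT: ` line, for any family not listed in the switch; moving the unknown-family check ahead of the `printf(" EVENT: ")` would print nothing for it instead. The `"ebtables "` prefix is also a different kind of token from the `"-4 "`/`"-6 "`/`"-0 "` flags printed for the other three families, which makes the output harder to consume by script; a small family-to-prefix helper shared by rule_cb() and chain_cb() would keep the four families consistent.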
From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso Subject: [iptables PATCH 7/8] xtables-monitor: Ignore ebtables policy rules unless tracing Date: Tue, 16 Jul 2024 14:28:04 +0200 Message-ID: <20240716122805.22331-8-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240716122805.22331-1-phil@nwl.cc> References: <20240716122805.22331-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Do not expose this implementation detail to users, otherwise new user-defined chains are followed by a new rule event. When tracing, they are useful as they potentially terminate rule traversal. Signed-off-by: Phil Sutter --- iptables/nft.c | 2 +- iptables/nft.h | 1 + .../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++--------- iptables/xtables-monitor.c | 7 +++++++ 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 884cc77e647ba..83fb81439ccb1 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1813,7 +1813,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r, return ret; } -static bool nft_rule_is_policy_rule(struct nftnl_rule *r) +bool nft_rule_is_policy_rule(struct nftnl_rule *r) { const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {}; const void *data;
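Review bot: now that nft_rule_is_policy_rule() becomes part of the nft.h interface, its parameter could be `const struct nftnl_rule *r`: the visible body only reads from the rule (`const struct nftnl_udata *tb[...]`, `const void *data`), and a const-qualified prototype lets callers that hold a const rule pointer, such as the `const struct nftnl_rule *r` in nft_rule_print_save() shown as hunk context, use it without a cast. The prototype added to nft.h in the next hunk would then change the same way.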
diff --git a/iptables/nft.h b/iptables/nft.h index b2a8484f09f0a..8f17f3100a190 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -185,6 +185,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format); int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose); int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum); +bool nft_rule_is_policy_rule(struct nftnl_rule *r); /* * Operations used in userspace tools diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 index 0f0295b05ec52..ef1ec3c9446ae 100755 --- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 +++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 @@ -51,7 +51,6 @@ EXP="\ EVENT: -6 -t filter -A FORWARD -j ACCEPT" monitorcheck ip6tables -A FORWARD -j ACCEPT -# FIXME EXP="\ EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0 EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1 @@ -70,10 +69,7 @@ monitorcheck iptables -N foo EXP=" EVENT: -6 -t filter -N foo" monitorcheck ip6tables -N foo -# FIXME -EXP="\ - EVENT: nft: NEW chain: bridge filter foo use 1 - EVENT: ebtables -t filter -A foo -j ACCEPT" +EXP=" EVENT: nft: NEW chain: bridge filter foo use 1" monitorcheck ebtables -N foo EXP=" EVENT: -0 -t filter -N foo" @@ -110,10 +106,7 @@ monitorcheck iptables -X foo EXP=" EVENT: -6 -t filter -X foo" monitorcheck ip6tables -X foo -# FIXME -EXP="\ - EVENT: ebtables -t filter -D foo -j ACCEPT - EVENT: nft: DEL chain: bridge filter foo use 0" +EXP=" EVENT: nft: DEL chain: bridge filter foo use 0" monitorcheck ebtables -X foo EXP=" EVENT: -0 -t filter -X foo" 
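Review bot: in the three test hunks, dropping the `# FIXME` from the `ebtables -A FORWARD -j ACCEPT` expectation and reducing `-N foo` / `-X foo` to the raw `nft: NEW chain: bridge filter foo use 1` / `nft: DEL chain: bridge filter foo use 0` lines leaves bridge as the only family whose chain events are not reported in the `-t filter -N foo` / `-X foo` form the other three families get; if that asymmetry is intended to be resolved later in the series, a short comment next to those two expectations would keep the next reader from reinstating the FIXME.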
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 7079a039fb28b..b54a704bb1786 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c 
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) arg->h->ops = nft_family_ops_lookup(family); arg->h->family = family; + /* ignore policy rules unless tracing, + * they are reported when deleting user-defined chains */ + if (family == NFPROTO_BRIDGE && + arg->is_event && + nft_rule_is_policy_rule(r)) + goto err_free; + if (arg->is_event) printf(" EVENT: "); switch (family) {
From patchwork Tue Jul 16 12:28:05 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1961079
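Review bot: in the rule_cb() hunk of patch 7/8 (iptables/xtables-monitor.c), the skip is keyed on `arg->is_event` while the comment and the commit message say "unless tracing"; that non-event output is the trace path is not visible at this point in rule_cb(), so the comment should state it, e.g. `/* event mode: hide ebtables policy rules, an implementation detail; trace mode keeps them since they can terminate rule traversal */`. The `goto err_free` also reuses the error exit for a deliberate filter; if err_free returns anything other than MNL_CB_OK, the callback would abort the dump for a rule that was merely suppressed, so the return value on that path is worth confirming.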
From: Phil Sutter To: netfilter-devel@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso Subject: [RFC iptables PATCH 8/8] xtables-monitor: Print commands instead of -4/-6/-0 flags Date: Tue, 16 Jul 2024 14:28:05 +0200 Message-ID: <20240716122805.22331-9-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240716122805.22331-1-phil@nwl.cc> References: <20240716122805.22331-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The '-4' and '-6' flags are a rarely used feature of iptables-restore. The '-0' flag is purely artificial and not recognized anywhere (at least not as an arptables rule prefix in this sense). Finally, there is no such flag for ebtables in the first place. Go with a more intuitively clear approach and instead print the typical command which added the rule being printed. Signed-off-by: Phil Sutter --- .../testcases/nft-only/0012-xtables-monitor_0 | 40 +++++------ iptables/xtables-monitor.c | 66 +++++++++---------- 2 files changed, 50 insertions(+), 56 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 index ef1ec3c9446ae..c49b7ccddeb35 100755 --- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 +++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 @@ -42,13 +42,13 @@ monitorcheck() { # (cmd ...) EXP="\ EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0 EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 - EVENT: -4 -t filter -A FORWARD -j ACCEPT" + EVENT: iptables -t filter -A FORWARD -j ACCEPT" monitorcheck iptables -A FORWARD -j ACCEPT EXP="\ EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0 EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1 - EVENT: -6 -t filter -A FORWARD -j ACCEPT" + EVENT: ip6tables -t filter -A FORWARD -j ACCEPT" monitorcheck ip6tables -A FORWARD -j ACCEPT EXP="\ 
@@ -60,68 +60,68 @@ monitorcheck ebtables -A FORWARD -j ACCEPT EXP="\ EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0 EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1 - EVENT: -0 -t filter -A INPUT -j ACCEPT" + EVENT: arptables -t filter -A INPUT -j ACCEPT" monitorcheck arptables -A INPUT -j ACCEPT -EXP=" EVENT: -4 -t filter -N foo" +EXP=" EVENT: iptables -t filter -N foo" monitorcheck iptables -N foo -EXP=" EVENT: -6 -t filter -N foo" +EXP=" EVENT: ip6tables -t filter -N foo" monitorcheck ip6tables -N foo -EXP=" EVENT: nft: NEW chain: bridge filter foo use 1" +EXP=" EVENT: ebtables -t filter -N foo" monitorcheck ebtables -N foo -EXP=" EVENT: -0 -t filter -N foo" +EXP=" EVENT: arptables -t filter -N foo" monitorcheck arptables -N foo # meta l4proto matches require proper nft_handle:family value -EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" +EXP=" EVENT: iptables -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT -EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +EXP=" EVENT: ip6tables -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT -EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +EXP=" EVENT: arptables -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT -EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 
-j ACCEPT" +EXP=" EVENT: iptables -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT" monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT -EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" +EXP=" EVENT: ip6tables -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT" monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT" monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT -EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" +EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06" monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT -EXP=" EVENT: -4 -t filter -X foo" +EXP=" EVENT: iptables -t filter -X foo" monitorcheck iptables -X foo -EXP=" EVENT: -6 -t filter -X foo" +EXP=" EVENT: ip6tables -t filter -X foo" monitorcheck ip6tables -X foo -EXP=" EVENT: nft: DEL chain: bridge filter foo use 0" +EXP=" EVENT: ebtables -t filter -X foo" monitorcheck ebtables -X foo -EXP=" EVENT: -0 -t filter -X foo" +EXP=" EVENT: arptables -t filter -X foo" monitorcheck arptables -X foo -EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT" +EXP=" EVENT: iptables -t filter -D FORWARD -j ACCEPT" monitorcheck iptables -F FORWARD -EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT" +EXP=" EVENT: ip6tables -t filter -D FORWARD -j ACCEPT" monitorcheck ip6tables -F FORWARD EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT" monitorcheck ebtables -F FORWARD -EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT" +EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT" monitorcheck arptables -F INPUT EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 
0 bytes 0 flags 1" diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index b54a704bb1786..9561bd177dee4 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -70,6 +70,22 @@ static int table_cb(const struct nlmsghdr *nlh, void *data) return MNL_CB_OK; } +static const char *family_cmd(int family) +{ + switch (family) { + case NFPROTO_IPV4: + return "iptables"; + case NFPROTO_IPV6: + return "ip6tables"; + case NFPROTO_ARP: + return "arptables"; + case NFPROTO_BRIDGE: + return "ebtables"; + default: + return NULL; + } +} + static bool counters; static bool trace; static bool events; @@ -103,27 +119,16 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) nft_rule_is_policy_rule(r)) goto err_free; - if (arg->is_event) - printf(" EVENT: "); - switch (family) { - case AF_INET: - case AF_INET6: - printf("-%c ", family == AF_INET ? '4' : '6'); - break; - case NFPROTO_ARP: - printf("-0 "); - break; - case NFPROTO_BRIDGE: - printf("ebtables "); - break; - default: - puts(""); + if (!family_cmd(family)) goto err_free; - } - printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE)); - nft_rule_print_save(arg->h, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND : - NFT_RULE_DEL, + printf("%s%s -t %s ", + arg->is_event ? " EVENT: " : "", + family_cmd(family), + nftnl_rule_get_str(r, NFTNL_RULE_TABLE)); + nft_rule_print_save(arg->h, r, + type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND + : NFT_RULE_DEL, counters ? 0 : FMT_NOCOUNTS); err_free: nftnl_rule_free(r); 
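Review bot: family_cmd() is evaluated twice in the rule_cb() hunk, once in the `if (!family_cmd(family))` guard and again as the `%s` argument of the printf; a local `const char *cmd = family_cmd(family);` checked once reads better and avoids repeating the switch. The hunk also silently moves the IPv4/IPv6 cases from `AF_INET`/`AF_INET6` to `NFPROTO_IPV4`/`NFPROTO_IPV6` in family_cmd(); the values are identical so behaviour is unchanged, but a word in the commit message would save reviewers a lookup. Likewise, with the `default: puts("")` arm gone an unknown family now prints nothing at all instead of an empty ` EVENT: ` line, which is the right outcome and deserves a sentence in the commit message.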
@@ -150,29 +155,18 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data) if (arg->nfproto && arg->nfproto != family) goto err_free; - if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO)) - family = -1; - printf(" EVENT: "); - switch (family) { - case NFPROTO_IPV4: - family = 4; - break; - case NFPROTO_IPV6: - family = 6; - break; - case NFPROTO_ARP: - family = 0; - break; - default: - nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0); + + if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO) || !family_cmd(family)) { + nftnl_chain_snprintf(buf, sizeof(buf), + c, NFTNL_OUTPUT_DEFAULT, 0); printf("nft: %s chain: %s\n", type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL", buf); goto err_free; } - printf("-%d -t %s -%c %s\n", - family, + printf("%s -t %s -%c %s\n", + family_cmd(family), nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE), type == NFT_MSG_NEWCHAIN ? 'N' : 'X', nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
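Review bot: the `printf(" EVENT: ");` removed near the top of this chain_cb() hunk has no replacement among the added lines, so neither the `nft: %s chain: %s` line nor the new `%s -t %s -%c %s` line carries the ` EVENT: ` prefix as shown, yet the test expectations changed in the same patch still begin with it (e.g. `EXP=" EVENT: iptables -t filter -N foo"`); either the prefix is printed before this point or the test will fail, so please double-check. As in rule_cb(), family_cmd(family) is called twice here (in the `||` condition and again in the printf); a local variable would avoid that.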