From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [iptables PATCH 1/8] xtables-monitor: Proper re-init for rule's family
Date: Tue, 16 Jul 2024 14:27:58 +0200
Message-ID: <20240716122805.22331-2-phil@nwl.cc>
In-Reply-To: <20240716122805.22331-1-phil@nwl.cc>

When not running for a specific family only (via -4/-6 flags),
xtables-monitor potentially sees events/traces for all families. To
correctly parse rules when printing for NEWRULE, DELRULE or TRACE
messages, nft_handle has to be reinitialized for the rule's family.

It is not sufficient to reset nft_handle::ops: Some expression parsers
rely upon nft_handle::family to be properly set, too (cf. references to
'ctx->h->family' in nft-ruleparse.c). Adjusting the 'afinfo' pointer
provided by libxtables is even more crucial, as e.g. do_parse() in
xshared.c relies upon it for the proper optstring.

This is actually a day-1 bug in xtables-monitor which surfaced due to
commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore
make this fix the commit it is following-up.

Fixes: ca69b0290dc50 ("xtables-monitor: Fix ip6tables rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-monitor.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index cf2729d87968b..cf92355f76f8a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -92,7 +92,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	if (arg->nfproto && arg->nfproto != family)
 		goto err_free;
 
+	xtables_set_nfproto(family);
 	arg->h->ops = nft_family_ops_lookup(family);
+	arg->h->family = family;
 
 	if (arg->is_event)
 		printf(" EVENT: ");
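Review bot: In rule_cb(), the value returned by nft_family_ops_lookup(family) is stored in arg->h->ops with no check in the visible lines, and the arg->nfproto filter above only applies when a family was requested, so without -4/-6 whatever family the netlink message carries reaches the new re-init statements. If the lookup can fail for a family it does not know, it would be safer to do the lookup first, jump to err_free when it returns nothing, and only then call xtables_set_nfproto(family) and set arg->h->family, so the global libxtables state is never switched to a family that cannot be printed. Since the three assignments now have to stay in sync, a small helper that re-initializes the handle for a family would keep later callers from updating only one of them. The commit message also names TRACE messages while the hunk touches rule_cb() only; a sentence saying that trace printing goes through this callback (if it does) would make the coverage clear.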
-- 
2.43.0


Thread overview: 10+ messages
2024-07-16 12:27 [iptables PATCH 0/8] Fix xtables-monitor rule printing, partially RFC Phil Sutter
2024-07-16 12:27 ` Phil Sutter [this message]
2024-07-16 12:27 ` [iptables PATCH 2/8] xtables-monitor: Flush stdout after all lines of output Phil Sutter
2024-07-16 12:28 ` [iptables PATCH 3/8] xtables-monitor: Align builtin chain and table output Phil Sutter
2024-07-16 12:28 ` [iptables PATCH 4/8] xtables-monitor: Support arptables chain events Phil Sutter
2024-07-16 12:28 ` [iptables PATCH 5/8] tests: shell: New xtables-monitor test Phil Sutter
2024-07-16 12:28 ` [iptables PATCH 6/8] xtables-monitor: Fix for ebtables rule events Phil Sutter
2024-07-16 12:28 ` [iptables PATCH 7/8] xtables-monitor: Ignore ebtables policy rules unless tracing Phil Sutter
2024-07-16 12:28 ` [RFC iptables PATCH 8/8] xtables-monitor: Print commands instead of -4/-6/-0 flags Phil Sutter
2024-07-27 12:33 ` [iptables PATCH 0/8] Fix xtables-monitor rule printing, partially RFC Phil Sutter
