Hi Patrick,
On Wed, Jan 08, 2014 at 08:58:13PM +0000, Patrick McHardy wrote:
> commit 8ca6730e9c8fd59d8a03ae505777a8a6b97898b1
> Author: Patrick McHardy <kaber@xxxxxxxxx>
> Date: Wed Jan 8 20:57:11 2014 +0000
>
> nftables: fix surpression of "permission denied" errors
>
> ntroduction of batch support broke displaying of EPERM since those are
> generated by the kernel before batch processing start and thus have the
> sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
> command messages. Also only a single error message is generated for the
> entire batch.
>
> This patch fixes this by noting the batch sequence number and displaying
> the error for all commands since this is what would happen if the
> permission check was inside batch processing as every other check.
One error message per line can be too much if we have a big batch,
perhaps we can just point to the first rule in the batch and print
something like: "7 error suppressed.", similar to syslog, where 7 is
the number of rules that follow up after EPERM message.
BTW, with really really big batches, the kernel may fail to allocate
the acknowledgment. We discussed this already with David, and he
thinks it doesn't make sense to send such a big message back to
sender. We can add:
void netlink_ack_len(struct sk_buff *in_skb, struct nlmsghdr *nlh,
int err, int len)
where len specifies the length would be the original netlink header +
nfnetlink header, so the rules are not sent back to userspace.
Let me know, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
