On Thu, Sep 29, 2022 at 12:32:48AM +0200, Phil Sutter wrote:
> During startup, 'nft monitor' first fetches the current ruleset and then
> keeps this cache up to date based on received events. This is racy, as
> any ruleset changes in between the initial fetch and the socket opening
> are not recognized.
>
> This script demonstrates the problem:
>
> | #!/bin/bash
> |
> | while true; do
> |     nft flush ruleset
> |     iptables-nft -A FORWARD
> | done &
> | maniploop=$!
> |
> | trap "kill $maniploop; kill \$!; wait" EXIT
> |
> | while true; do
> |     nft monitor rules >/dev/null &
> |     sleep 0.2
> |     kill $!
> | done
>
> If the table add event is missed, the rule add event callback fails to
> deserialize the rule and calls abort().
>
> Avoid the inconvenient program exit by returning NULL from
> netlink_delinearize_rule() instead of aborting and make callers check
> the return value.

Fine to apply this meanwhile.

I wanted to fix this, but I found a few kernel bugs at that time, such as:

commit 6fb721cf781808ee2ca5e737fb0592cc68de3381
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Sun Sep 26 09:59:35 2021 +0200

    netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification

which were not allowing me to infer the location accordingly, for
incrementally updating the cache. So I stopped for a while until these
fixes propagate to the kernel.

It's been 1 year ever since, time flies...