Re: [nf PATCH v3 1/2] netfilter: nf_tables: Fix entries val in rule reset audit log

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Phil Sutter <phil@xxxxxx> wrote:
> The value in idx and the number of rules handled in that particular
> __nf_tables_dump_rules() call is not identical. The former is a cursor
> to pick up from if multiple netlink messages are needed, so its value is
> ever increasing. Fixing this is not just a matter of subtracting s_idx
> from it, though: When resetting rules in multiple chains,
> __nf_tables_dump_rules() is called for each and cb->args[0] is not
> adjusted in between. Introduce a dedicated counter to record the number
> of rules reset in this call in a less confusing way.
> While being at it, prevent the direct return upon buffer exhaustion: Any
> rules previously dumped into that skb would evade audit logging
> otherwise.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>

We can investigate ways to compress/coalesce (read: make this more
complicated) in case somebody complains about too many audit messages.

But I would not go ahead and keep it simple for now.

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux