Re: [nf PATCH v3 1/2] netfilter: nf_tables: Fix entries val in rule reset audit log



On Wed, Sep 13, 2023 at 09:31:46PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > The value in idx and the number of rules handled in that particular
> > __nf_tables_dump_rules() call is not identical. The former is a cursor
> > to pick up from if multiple netlink messages are needed, so its value is
> > ever increasing. Fixing this is not just a matter of subtracting s_idx
> > from it, though: When resetting rules in multiple chains,
> > __nf_tables_dump_rules() is called for each and cb->args[0] is not
> > adjusted in between. Introduce a dedicated counter to record the number
> > of rules reset in this call in a less confusing way.
> > 
> > While being at it, prevent the direct return upon buffer exhaustion: Any
> > rules previously dumped into that skb would evade audit logging
> > otherwise.
> Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
> We can investigate ways to compress/coalesce (read: make this more
> complicated) in case somebody complains about too many audit messages.

It is only about reset command. Anything following the transaction path
is coalesced already (on a per-table basis, so there's more work needed
if consistent per-chain logging is desired).

> But I would not go ahead and keep it simple for now.

I just want to avoid a second rhbz#2001815[1]. As we both know,
OpenShift likes to have both excessively big chains and excessively many
small ones. %)

Cheers, Phil
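The arithmetic the quoted commit message describes is easier to see in a small model than in the kernel source. The following C program is an added example, not code from the netfilter tree or from either poster. Everything in it is assumed for illustration: one table with three chains A, B and C holding 3, 2 and 2 rules, a message buffer with room for four rules, a dump that ends at the first message placing no rules (as netlink_dump() does when the callback adds nothing), and the names dump_rules(), dump_message(), run_dump() and the audit_* accessors. It replays one reset dump three ways: logging the cursor as the old code did, logging idx minus s_idx, and logging a dedicated per-call counter while still reaching the audit call after buffer exhaustion.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the rule-reset dump cursor discussed in the thread.
 * Not kernel code: the chain layout (A:3, B:2, C:2 rules), a message buffer
 * holding four rules, and every name here are assumptions chosen so the
 * arithmetic is visible. */

enum mode { MODE_OLD, MODE_SUBTRACT, MODE_FIXED };

struct chain { const char *name; unsigned int nrules; };
struct audit_rec { const char *chain; unsigned int entries; };

struct dump_ctx {
	unsigned int cursor;        /* cb->args[0]: rules sent in earlier messages */
	unsigned int room;          /* skb space left in this message, in rules */
	unsigned int nlog;
	struct audit_rec log[16];   /* what audit_log_rule_reset() would record */
};

static void audit_log_rule_reset(struct dump_ctx *ctx, const char *chain, unsigned int entries)
{
	if (ctx->nlog < 16) {
		ctx->log[ctx->nlog].chain = chain;
		ctx->log[ctx->nlog].entries = entries;
		ctx->nlog++;
	}
}

/* One __nf_tables_dump_rules() call for one chain. *idx is the cursor shared
 * by every chain visited in this message; s_idx is where the previous message
 * stopped. Returns 1 when the message buffer is exhausted. */
static int dump_rules(struct dump_ctx *ctx, const struct chain *c, unsigned int *idx,
		      unsigned int s_idx, enum mode mode)
{
	unsigned int entries = 0;   /* the dedicated per-call counter of the patch */
	int ret = 0;

	for (unsigned int i = 0; i < c->nrules; i++) {
		if (*idx < s_idx)
			goto cont;      /* already delivered in an earlier message */
		if (ctx->room == 0) {   /* nf_tables_fill_rule_info() would fail */
			if (mode != MODE_FIXED)
				return 1;   /* old: bail out, rules placed above go unlogged */
			ret = 1;
			break;          /* fixed: still reach the audit call below */
		}
		ctx->room--;
		entries++;
cont:
		(*idx)++;
	}

	switch (mode) {
	case MODE_OLD:      /* logs the ever-increasing cursor */
		if (*idx) audit_log_rule_reset(ctx, c->name, *idx);
		break;
	case MODE_SUBTRACT: /* wrong as soon as a second chain runs in the same message */
		if (*idx > s_idx) audit_log_rule_reset(ctx, c->name, *idx - s_idx);
		break;
	case MODE_FIXED:
		if (entries) audit_log_rule_reset(ctx, c->name, entries);
		break;
	}
	return ret;
}

/* One netlink message: visit every chain, carrying the cursor along, and
 * return how many rules were placed (zero tells netlink_dump() we are done). */
static unsigned int dump_message(struct dump_ctx *ctx, const struct chain *chains,
				 unsigned int nchains, unsigned int room, enum mode mode)
{
	unsigned int idx = 0, s_idx = ctx->cursor;

	ctx->room = room;
	for (unsigned int i = 0; i < nchains; i++)
		if (dump_rules(ctx, &chains[i], &idx, s_idx, mode))
			break;
	ctx->cursor = idx;
	return room - ctx->room;
}

static const struct chain chains[] = { { "A", 3 }, { "B", 2 }, { "C", 2 } }; /* constructed */

/* Whole reset dump: keep sending messages until one places no rule. */
static void run_dump(enum mode mode, struct dump_ctx *ctx)
{
	memset(ctx, 0, sizeof(*ctx));
	while (dump_message(ctx, chains, 3, 4, mode))
		;
}

/* Accessors: number of audit records produced, and the i-th record's fields. */
static unsigned int audit_records(enum mode mode)
{ struct dump_ctx c; run_dump(mode, &c); return c.nlog; }
static unsigned int audit_entries(enum mode mode, unsigned int i)
{ struct dump_ctx c; run_dump(mode, &c); return i < c.nlog ? c.log[i].entries : 0; }
static char audit_chain(enum mode mode, unsigned int i)
{ struct dump_ctx c; run_dump(mode, &c); return i < c.nlog ? c.log[i].chain[0] : '?'; }

int main(void)
{
	static const char *names[] = { "old", "idx - s_idx", "fixed" };
	for (int m = MODE_OLD; m <= MODE_FIXED; m++) {
		struct dump_ctx c;
		run_dump((enum mode)m, &c);
		printf("%-12s:", names[m]);
		for (unsigned int i = 0; i < c.nlog; i++)
			printf(" %s=%u", c.log[i].chain, c.log[i].entries);
		printf("\n");
	}
	return 0;
}
```

With the old logic the dump emits seven audit records for seven rules, including a "C=7" for a chain that holds two, and repeats them on the final empty message because idx keeps counting skipped rules. Subtracting s_idx happens to give B the right number in the second message but still reports C=3, since the cursor was not rewound between chains; and in both of these variants the first rule of B, reset in the first message before the buffer ran out, never reaches the audit log at all. The per-call counter yields A=3, B=1, B=1, C=2, one record per chain per message, summing to the seven rules actually reset.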

