On Wed, Sep 13, 2023 at 09:31:46PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > The value in idx and the number of rules handled in that particular
> > __nf_tables_dump_rules() call is not identical. The former is a cursor
> > to pick up from if multiple netlink messages are needed, so its value is
> > ever increasing. Fixing this is not just a matter of subtracting s_idx
> > from it, though: When resetting rules in multiple chains,
> > __nf_tables_dump_rules() is called for each and cb->args[0] is not
> > adjusted in between. Introduce a dedicated counter to record the number
> > of rules reset in this call in a less confusing way.
> >
> > While being at it, prevent the direct return upon buffer exhaustion: Any
> > rules previously dumped into that skb would evade audit logging
> > otherwise.
>
> Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
>
> We can investigate ways to compress/coalesce (read: make this more
> complicated) in case somebody complains about too many audit messages.

It is only about the reset command. Anything following the transaction
path is coalesced already (on a per-table basis, so there's more work
needed if consistent per-chain logging is desired).

> But I would not go ahead and keep it simple for now.

I just want to avoid a second rhbz#2001815[1]. As we both know,
OpenShift likes to have both excessively big chains and excessively many
small ones. %)

Cheers, Phil

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2001815
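The cursor-versus-count confusion and the audit gap on buffer exhaustion that the quoted commit message describes, modelled as an added C example (constructed here, not the kernel's code): `dump_chain_buggy`, `dump_chain_fixed` and `struct audit_rec` are stand-ins for __nf_tables_dump_rules(), cb->args[0] and the audit record, and `room` is how many rule entries still fit in the current netlink message.

```c
#include <stddef.h>

/* Constructed model, not kernel code. `idx` stands in for cb->args[0]:
 * it counts every rule visited across all chains and messages so the
 * next message can resume from it, which is why it only ever grows. */
struct audit_rec {
    size_t count;   /* number of rules the audit record claims were reset */
    int logged;     /* whether an audit record was emitted for this call */
};

/* Shape of the bug: the cursor is reported as the number of rules reset,
 * and a full message causes a direct return that skips the audit call. */
static size_t dump_chain_buggy(size_t nrules, size_t *idx, size_t s_idx,
                               size_t room, struct audit_rec *rec)
{
    size_t emitted = 0;
    rec->logged = 0;
    for (size_t i = 0; i < nrules; i++) {
        if (*idx < s_idx) { (*idx)++; continue; }  /* sent in an earlier message */
        if (emitted == room) return emitted;      /* full: rules above unaudited */
        emitted++;
        (*idx)++;
    }
    rec->count = *idx;                            /* cumulative cursor, not a count */
    rec->logged = 1;
    return emitted;
}

/* Shape of the fix: a dedicated per-call counter, audited on every exit. */
static size_t dump_chain_fixed(size_t nrules, size_t *idx, size_t s_idx,
                               size_t room, struct audit_rec *rec)
{
    size_t entries = 0;
    for (size_t i = 0; i < nrules; i++) {
        if (*idx < s_idx) { (*idx)++; continue; }
        if (entries == room) break;               /* full: fall through to audit */
        entries++;
        (*idx)++;
    }
    rec->count = entries;                         /* rules reset in this call only */
    rec->logged = 1;
    return entries;
}
```

With two chains of 3 and 2 rules in one roomy message, the buggy variant audits 5 for the second chain while the fixed one audits 2; when a message fills mid-chain, only the fixed variant audits the entries already written.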