Do not expose this implementation detail to users, otherwise new user-defined chains are followed by a new rule event. When tracing, they are useful as they potentially terminate rule traversal.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 2 +-
 iptables/nft.h | 1 +
 .../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++---------
 iptables/xtables-monitor.c | 7 +++++++
 4 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 884cc77e647ba..83fb81439ccb1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1813,7 +1813,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
 	return ret;
 }
 
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
 {
 	const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
 	const void *data;
diff --git a/iptables/nft.h b/iptables/nft.h
index b2a8484f09f0a..8f17f3100a190 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -185,6 +185,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
 int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
 int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
 
 /*
  * Operations used in userspace tools
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 0f0295b05ec52..ef1ec3c9446ae 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -51,7 +51,6 @@ EXP="\
 	EVENT: -6 -t filter -A FORWARD -j ACCEPT"
 monitorcheck ip6tables -A FORWARD -j ACCEPT
 
-# FIXME
 EXP="\
 	EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
 	EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
@@ -70,10 +69,7 @@ monitorcheck iptables -N foo
 EXP=" EVENT: -6 -t filter -N foo"
 monitorcheck ip6tables -N foo
 
-# FIXME
-EXP="\
-	EVENT: nft: NEW chain: bridge filter foo use 1
-	EVENT: ebtables -t filter -A foo -j ACCEPT"
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
 monitorcheck ebtables -N foo
 
 EXP=" EVENT: -0 -t filter -N foo"
@@ -110,10 +106,7 @@ monitorcheck iptables -X foo
 EXP=" EVENT: -6 -t filter -X foo"
 monitorcheck ip6tables -X foo
 
-# FIXME
-EXP="\
-	EVENT: ebtables -t filter -D foo -j ACCEPT
-	EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
 monitorcheck ebtables -X foo
 
 EXP=" EVENT: -0 -t filter -X foo"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 7079a039fb28b..b54a704bb1786 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	arg->h->ops = nft_family_ops_lookup(family);
 	arg->h->family = family;
 
+	/* ignore policy rules unless tracing,
+	 * they are reported when deleting user-defined chains */
+	if (family == NFPROTO_BRIDGE &&
+	    arg->is_event &&
+	    nft_rule_is_policy_rule(r))
+		goto err_free;
+
 	if (arg->is_event)
 		printf(" EVENT: ");
 	switch (family) {
-- 
2.43.0
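Review bot: The new guard in rule_cb drops every bridge-family rule event for which nft_rule_is_policy_rule() returns true, and that function decides purely from the rule's udata tag (the nftnl_udata parse visible in the nft.c hunk), so a rule added with the nft tool by another CAP_NET_ADMIN process that carries the same tag would presumably also vanish from the event stream even though it is a real rule; as xtables-monitor is a monitoring tool, that trust in a self-describing tag should be stated rather than implicit. I would extend the comment to something like `/* ignore policy rules unless tracing: they only mirror the chain policy and are reported when the user-defined chain is deleted; this trusts the udata tag iptables-nft writes, a rule tagged the same way via nft is hidden too */`, and also say why only NFPROTO_BRIDGE is filtered (the test changes suggest only ebtables user-defined chains carry such a rule) so a later reader neither widens nor drops the family check. The err_free label is outside the hunk; confirm it releases r and returns a value that lets the netlink dump continue, since an ignored rule must not abort monitoring. rule_cb continues past the end of the hunk.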