|
 |
ea9c6b |
From 538acaef0d8424bd61047e6f1b81e3bc8bd421ec Mon Sep 17 00:00:00 2001
|
|
|
ea9c6b |
From: Phil Sutter <phil@nwl.cc>
|
|
|
ea9c6b |
Date: Fri, 7 Aug 2020 16:42:07 +0200
|
|
|
ea9c6b |
Subject: [PATCH] xtables-monitor: Fix ip6tables rule printing
|
|
|
ea9c6b |
|
|
|
ea9c6b |
When printing an ip6tables rule event, false family ops are used as they
|
|
|
ea9c6b |
are initially looked up for AF_INET and reused no matter the current
|
|
|
ea9c6b |
rule's family. In practice, this means that nft_rule_print_save() calls
|
|
|
ea9c6b |
the wrong rule_to_cs, save_rule and clear_cs callbacks. Therefore, if a
|
|
|
ea9c6b |
rule specifies a source or destination address, the address is not
|
|
|
ea9c6b |
printed.
|
|
|
ea9c6b |
|
|
|
ea9c6b |
Fix this by performing a family lookup each time rule_cb is called.
|
|
|
ea9c6b |
|
|
|
ea9c6b |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
ea9c6b |
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
ea9c6b |
(cherry picked from commit ca69b0290dc509d72118f0a054a5c740cb913875)
|
|
|
ea9c6b |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
ea9c6b |
---
|
|
|
ea9c6b |
iptables/xtables-monitor.c | 2 ++
|
|
|
ea9c6b |
1 file changed, 2 insertions(+)
|
|
|
ea9c6b |
|
|
|
ea9c6b |
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
|
|
|
ea9c6b |
index c2b31dbaa0795..92962a2a95f48 100644
|
|
|
ea9c6b |
--- a/iptables/xtables-monitor.c
|
|
|
ea9c6b |
+++ b/iptables/xtables-monitor.c
|
|
|
ea9c6b |
@@ -93,6 +93,8 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
|
|
|
ea9c6b |
if (arg->nfproto && arg->nfproto != family)
|
|
|
ea9c6b |
goto err_free;
|
|
|
ea9c6b |
|
|
|
ea9c6b |
+ arg->h->ops = nft_family_ops_lookup(family);
|
|
|
ea9c6b |
+
|
|
|
ea9c6b |
if (arg->is_event)
|
|
|
ea9c6b |
printf(" EVENT: ");
|
|
|
ea9c6b |
switch (family) {
|
|
|
ea9c6b |
--
|
|
|
ea9c6b |
2.31.1
|
|
|
ea9c6b |
|