diff options
| author | Florian Westphal <fw@strlen.de> | 2024-11-13 16:35:51 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-11-14 12:40:55 +0100 |
| commit | 466c9b3b2a92602360e9fa25943b8aa191122dfc (patch) | |
| tree | 02ae26cccca5c10a0afa67a0722777779b28790c /net/netfilter | |
| parent | a8ee6b900c147d3bedced6c52ba6cb603226aaa3 (diff) | |
netfilter: nf_tables: prepare nft audit for set element compaction
nftables audit log format emits the number of added/deleted rules, sets,
set elements and so on, to userspace:
table=t1 family=2 entries=4 op=nft_register_set
~~~~~~~~~
At this time, the 'entries' key is the number of transactions that will
be applied.
The upcoming set element compression will coalesce subsequent
adds/deletes to the same set requests in the same transaction
request to conseve memory.
Without this patch, we'd under-report the number of altered elements.
Increment the audit counter by the number of elements to keep the reported
entries value the same.
Without this, nft_audit.sh selftest fails because the recorded
(expected) entries key is smaller than the expected one.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0882f78c2204..5b5178841553 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -10398,9 +10398,24 @@ static void nf_tables_commit_audit_free(struct list_head *adl) } } +/* nft audit emits the number of elements that get added/removed/updated, + * so NEW/DELSETELEM needs to increment based on the total elem count. + */ +static unsigned int nf_tables_commit_audit_entrycount(const struct nft_trans *trans) +{ + switch (trans->msg_type) { + case NFT_MSG_NEWSETELEM: + case NFT_MSG_DELSETELEM: + return nft_trans_container_elem(trans)->nelems; + } + + return 1; +} + static void nf_tables_commit_audit_collect(struct list_head *adl, - struct nft_table *table, u32 op) + const struct nft_trans *trans, u32 op) { + const struct nft_table *table = trans->table; struct nft_audit_data *adp; list_for_each_entry(adp, adl, list) { @@ -10410,7 +10425,7 @@ static void nf_tables_commit_audit_collect(struct list_head *adl, WARN_ONCE(1, "table=%s not expected in commit list", table->name); return; found: - adp->entries++; + adp->entries += nf_tables_commit_audit_entrycount(trans); if (!adp->op || adp->op > op) adp->op = op; } @@ -10569,7 +10584,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) nft_ctx_update(&ctx, trans); - nf_tables_commit_audit_collect(&adl, table, trans->msg_type); + nf_tables_commit_audit_collect(&adl, trans, trans->msg_type); switch (trans->msg_type) { case NFT_MSG_NEWTABLE: if (nft_trans_table_update(trans)) { |