Conversation

@ashwat287
Contributor

Fixes: #4049
Fixes a logic gap where, if auditing was already enabled at startup, the code only set worthCheckingIPTables=true and did not launch setWorthCheckingIPTablesRoutine. Without the routine the flag never changes (never set false after idle, never toggled by NETFILTER_CFG events), so the cached a.latestIPTables path is never used and behavior differs from the “auditing just enabled” case.

Change:

  • After confirming auditing is (or becomes) enabled, always set worthCheckingIPTables=true for the initial scan and always start setWorthCheckingIPTablesRoutine.
  • Leave the non‑auditing fallback path unchanged.

This makes flag state transitions consistent regardless of initial auditStatus.Enabled.
Signed-off-by: ashwat287 <[email protected]>
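The flag transitions described above, as an added Go model that is not lima's guestagent code: the idle timeout, the auditEvent/idleTick methods and the startup/replay helpers are assumptions chosen only to reproduce the before/after difference the PR describes.

```go
package main

import "time"

// agent is a constructed stand-in for the fields the PR names; it is not lima's code.
type agent struct {
	worthCheckingIPTables bool      // false means the cached a.latestIPTables path is used
	routineStarted        bool      // whether setWorthCheckingIPTablesRoutine was launched
	latestTrue            time.Time // when the flag was last set true (latestTrue := time.Now())
}

// idleTimeout is an assumed value; lima's real idle period is not stated in the PR.
const idleTimeout = 10 * time.Second

// auditEvent models the routine reacting to a NETFILTER_CFG audit record;
// without the routine nothing listens, so the flag is never toggled.
func (a *agent) auditEvent(now time.Time) {
	if a.routineStarted {
		a.worthCheckingIPTables, a.latestTrue = true, now
	}
}

// idleTick models the routine clearing the flag after idleTimeout with no events.
func (a *agent) idleTick(now time.Time) {
	if a.routineStarted && now.Sub(a.latestTrue) > idleTimeout {
		a.worthCheckingIPTables = false
	}
}

// startup mirrors both code paths: before the fix, an already-enabled audit subsystem
// set the flag but skipped the routine; after the fix the routine always starts.
func startup(auditAlreadyEnabled, fixed bool, now time.Time) *agent {
	a := &agent{worthCheckingIPTables: true, latestTrue: now}
	a.routineStarted = fixed || !auditAlreadyEnabled
	return a
}

// replay runs the manual test from the PR discussion (idle, iptables change,
// idle again) and returns the flag value observed after each step.
func replay(a *agent) []bool {
	t := a.latestTrue
	a.idleTick(t.Add(20 * time.Second)) // idle past the timeout
	s1 := a.worthCheckingIPTables
	a.auditEvent(t.Add(95 * time.Second)) // iptables change raises NETFILTER_CFG
	s2 := a.worthCheckingIPTables
	a.idleTick(t.Add(120 * time.Second)) // idle again
	return []bool{s1, s2, a.worthCheckingIPTables}
}
```

With auditing already enabled, the pre-fix startup leaves the flag stuck at true through all three steps, while the fixed startup (and the "auditing just enabled" path) yields false, true, false.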
@AkihiroSuda
Member

Thanks, how to test this?

@AkihiroSuda AkihiroSuda added this to the v2.0.0 milestone Sep 22, 2025
@ashwat287
Contributor Author

Shall we create an integration test?

@AkihiroSuda
Member

Shall we create an integration test?

That would be ideal, but in this case you can just explain how you tested this PR by yourself

@ashwat287
Contributor Author

ashwat287 commented Sep 24, 2025

To compare and test the behavior before and after the code changes,

  1. I built separate executables for cmd/lima-guestagent.
  2. Executed them separately and ran the daemon.
  3. Made iptables changes.
  4. Kept observing the logs.

Observations:
In the logs after running the executable with the changes in the commit, I observed:

  • Just at the startup of the daemon: time="2025-09-24T08:34:30Z" level=info msg="setWorthCheckingIPTablesRoutine(): monitoring netfilter audit events". This concludes that function setWorthCheckingIPTablesRoutine is being called, which initializes latestTrue := time.Now() and enables a.worthCheckingIPTables to be set false when left idle.
  • After some time: time="2025-09-24T08:34:50Z" level=debug msg="setWorthCheckingIPTablesRoutine(): setting to false". This concludes that a.worthCheckingIPTables is set to false when left idle.
  • After making iptables changes: time="2025-09-24T08:36:05Z" level=debug msg="setWorthCheckingIPTablesRoutine(): setting to true". This concludes that after changing the iptables, a.worthCheckingIPTables is again set to true.
  • Then again after some idle time: time="2025-09-24T08:36:30Z" level=debug msg="setWorthCheckingIPTablesRoutine(): setting to false"

The above log events were not logged for the executable without the changes in the commit, which is undesirable, as explained in the above comment:

Fixes a logic gap where, if auditing was already enabled at startup, the code only set worthCheckingIPTables=true and did not launch setWorthCheckingIPTablesRoutine. Without the routine the flag never changes (never set false after idle, never toggled by NETFILTER_CFG events), so the cached a.latestIPTables path is never used and behavior differs from the “auditing just enabled” case.

The above testing strategy shows the difference in behaviors before and after the code changes.

Member

@AkihiroSuda AkihiroSuda left a comment

Thanks

@AkihiroSuda AkihiroSuda merged commit 7dcdf6a into lima-vm:master Sep 25, 2025
36 checks passed
Development

Successfully merging this pull request may close these issues.

guestagent: worthCheckingIPTables logic seems incorrect