From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure
Date: Wed, 25 Nov 2015 09:39:07 +0100 [thread overview]
Message-ID: <20151125083907.GF23215@breakpoint.cc> (raw)
In-Reply-To: <20151125005523.GB27315@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> > index d8c8a7c..88bcd00 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -970,4 +972,34 @@ enum nft_gen_attributes {
> > };
> > #define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)
> >
> > +enum nft_trace_attibutes {
> > + NFTA_TRACE_UNSPEC,
> > + NFTA_TRACE_CHAIN,
> > + NFTA_TRACE_DEV_TYPE,
> > + NFTA_TRACE_ID,
> > + NFTA_TRACE_IIF,
> > + NFTA_TRACE_OIF,
> > + NFTA_TRACE_LL_HEADER,
> > + NFTA_TRACE_MARK,
> > + NFTA_TRACE_NETWORK_HEADER,
> > + NFTA_TRACE_TABLE,
> > + NFTA_TRACE_TRANSPORT_HEADER,
> > + NFTA_TRACE_TRANSPORT_PROTO,
> > + NFTA_TRACE_TYPE,
> > + NFTA_TRACE_RULE_HANDLE,
> > + NFTA_TRACE_VERDICT,
> > + NFTA_TRACE_VLAN_TAG,
> > + __NFTA_TRACE_MAX
> > +};
> > +#define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1)
>
> The ordering appears to be a bit random (or I'm missing something), I'd
> expect basic information like TABLE/CHAIN/RULE_HANDLE to be at the beginning
> (in that order), similar for TYPE, VERDICT etc.
NFTA_TRACE_UNSPEC,
NFTA_TRACE_TABLE,
NFTA_TRACE_CHAIN,
NFTA_TRACE_RULE_HANDLE,
NFTA_TRACE_TYPE,
NFTA_TRACE_VERDICT,
NFTA_TRACE_DEV_TYPE,
NFTA_TRACE_ID,
NFTA_TRACE_LL_HEADER,
NFTA_TRACE_NETWORK_HEADER,
NFTA_TRACE_TRANSPORT_HEADER,
NFTA_TRACE_TRANSPORT_PROTO,
NFTA_TRACE_IIF,
NFTA_TRACE_OIF,
NFTA_TRACE_MARK,
NFTA_TRACE_VLAN_TAG,
better? If not, please just tell me what ordering you'd prefer and
thats what I'll use.
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index 93cc473..25d8168 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -21,6 +23,10 @@
> > #include <net/net_namespace.h>
> > #include <net/sock.h>
> >
> > +#define NFT_TRACETYPE_LL_HSIZE 20
> > +#define NFT_TRACETYPE_NETWORK_HSIZE 32
> > +#define NFT_TRACETYPE_TRANSPORT_HSIZE 4
>
> 4 seems to be too small for some header types like GRE. If the key is present
> it seems like information we'd want to log.
>
> Also since people probably want to use this to determine why or why not rules
> match, I think it would be good to have the entire transport header present.
>
> > +static bool
> > +trace_notify_put_packet(struct sk_buff *nlskb, const struct nft_pktinfo *pkt)
> > +{
> > + const struct sk_buff *skb = pkt->skb;
> > + unsigned int plen = min_t(unsigned int,
> > + pkt->xt.thoff - skb_network_offset(skb),
> > + NFT_TRACETYPE_NETWORK_HSIZE);
> > + int mac_off;
> > +
> > + if (plen >= 20u && /* minimum iphdr size */
> > + !trace_notify_put_data(nlskb, NFTA_TRACE_NETWORK_HEADER,
> > + skb, skb_network_offset(skb), plen))
> > + return false;
>
> Does that check for 20u have any deeper meaning? It seems this will always
> be true for all currently supported protocols and if we were to add support
> for one that has a smaller size it won't work.
OK, I'll change all checks to 'len &&'.
> > + if (nla_put_be32(skb, NFTA_TRACE_ID, htonl(hash32_ptr(pkt->skb))))
> This could lead to duplicate IDs quite quickly. I can't think of any other
> values where we know for sure they will stay constant while the skb is within
> netfilter. How about combining this with a per CPU counter or something
> similar?
I would not mind, it would result in ID change though for nfqueue case.
If thats ok I'll use a pcpu counter that gets incremented when nft_meta
sets skb->nftrace=1 and use __this_cpu_read(trace_id) instead (if we
have pcpu id counter, is there any point in also using skb address...?)
> > + if (chain) {
> > + if (nla_put_string(skb, NFTA_TRACE_TABLE, chain->table->name))
> > + goto nla_put_failure;
> > + if (nla_put_string(skb, NFTA_TRACE_CHAIN, chain->name))
> > + goto nla_put_failure;
> > + }
> > +
> > + if (rule && nla_put_be64(skb, NFTA_TRACE_RULE_HANDLE,
> > + cpu_to_be64(rule->handle)))
>
> Minor nitpick: below you use
>
> if (condition &&
> nla_put_...
>
> which I think is more readable.
ok. I only used the former if line would go over 80, but i can convert
this too of course.
> > + if (pkt->in &&
> > + nla_put_be32(skb, NFTA_TRACE_IIF, htonl(pkt->in->ifindex)))
> > + goto nla_put_failure;
> > + if (pkt->out &&
> > + nla_put_be32(skb, NFTA_TRACE_OIF, htonl(pkt->out->ifindex)))
> > + goto nla_put_failure;
> > + if (pkt->skb->mark &&
> > + nla_put_be32(skb, NFTA_TRACE_MARK, htonl(pkt->skb->mark)))
> > + goto nla_put_failure;
> > +
> > + switch (type) {
> > + case NFT_TRACETYPE_POLICY:
> > + case NFT_TRACETYPE_RETURN:
> > + case NFT_TRACETYPE_RULE:
> > + if (nla_put_be32(skb, NFTA_TRACE_VERDICT, htonl(verdict)))
> > + goto nla_put_failure;
>
> It would be nice to have the full verdict available, IOW also the jump target.
>
> You could simply pass struct nft_verdict to this function and adapt
> nft_verdict_dump() to take the attribute value as parameter.
Will add NFTA_TRACE_JUMP/NFTA_TRACE_GOTO for that, ok?
next prev parent reply other threads:[~2015-11-25 8:39 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-24 10:02 [PATCH 0/6] nftables trace support Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure Florian Westphal
2015-11-24 10:17 ` Pablo Neira Ayuso
2015-11-24 10:27 ` Florian Westphal
2015-11-24 10:30 ` Pablo Neira Ayuso
2015-11-24 10:35 ` Patrick McHardy
2015-11-24 11:11 ` Florian Westphal
2015-11-24 10:22 ` Pablo Neira Ayuso
2015-11-24 10:28 ` Florian Westphal
2015-11-24 10:33 ` Patrick McHardy
2015-11-24 10:44 ` Pablo Neira Ayuso
2015-11-24 10:45 ` Pablo Neira Ayuso
2015-11-24 10:47 ` Patrick McHardy
2015-11-24 10:36 ` Pablo Neira Ayuso
2015-11-24 10:44 ` Patrick McHardy
2015-11-25 0:55 ` Patrick McHardy
2015-11-25 8:39 ` Florian Westphal [this message]
2015-11-25 8:48 ` Florian Westphal
2015-11-25 9:35 ` Patrick McHardy
2015-11-25 10:13 ` Florian Westphal
2015-11-25 11:51 ` Patrick McHardy
2015-11-25 12:20 ` Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 2/6] netfilter: nf_tables: wrap tracing with a static key Florian Westphal
2015-11-24 10:13 ` Patrick McHardy
2015-11-24 10:21 ` Florian Westphal
2015-11-24 10:28 ` Patrick McHardy
2015-11-24 10:19 ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH nf-next 3/6] netfilter: nf_tables: disable old tracing if listener is present Florian Westphal
2015-11-24 10:16 ` Patrick McHardy
2015-11-24 10:24 ` Pablo Neira Ayuso
2015-11-24 10:31 ` Florian Westphal
2015-11-24 10:39 ` Pablo Neira Ayuso
2015-11-24 10:53 ` Patrick McHardy
2015-11-24 11:10 ` Florian Westphal
2015-11-24 11:33 ` Patrick McHardy
2015-11-24 15:15 ` Florian Westphal
2015-11-24 15:26 ` Patrick McHardy
2015-11-24 15:35 ` Florian Westphal
2015-11-24 15:42 ` Patrick McHardy
2015-11-25 15:06 ` Patrick McHardy
2015-11-25 16:23 ` Pablo Neira Ayuso
2015-11-25 16:34 ` Patrick McHardy
2015-11-25 16:24 ` Florian Westphal
2015-11-25 16:46 ` Patrick McHardy
2015-11-25 17:32 ` Patrick McHardy
2015-11-25 22:27 ` Florian Westphal
2015-11-25 23:04 ` Patrick McHardy
2015-11-25 23:16 ` Florian Westphal
2015-11-25 23:30 ` Patrick McHardy
2015-11-25 23:42 ` Patrick McHardy
2015-11-25 23:56 ` Florian Westphal
2015-11-25 22:52 ` Florian Westphal
2015-11-25 23:15 ` Patrick McHardy
2015-11-25 23:19 ` Florian Westphal
2015-11-26 10:50 ` Patrick McHardy
2015-11-26 11:03 ` Florian Westphal
2015-11-26 11:42 ` Patrick McHardy
2015-11-25 16:49 ` Jan Engelhardt
2015-11-25 16:53 ` Patrick McHardy
2015-11-25 17:14 ` Jan Engelhardt
2015-11-25 17:24 ` Patrick McHardy
2015-11-25 0:57 ` Patrick McHardy
2015-11-24 10:02 ` [PATCH libnftnl 4/6] src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIAS Florian Westphal
2015-11-24 10:11 ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH libnftnl 5/6] src: add trace infrastructure support Florian Westphal
2015-11-24 12:16 ` Patrick McHardy
2015-11-24 14:53 ` Patrick McHardy
2015-11-24 10:02 ` [PATCH nftables 6/6] src: add trace support to nft monitor mode Florian Westphal
2015-11-24 10:25 ` Patrick McHardy
2015-11-24 10:48 ` Florian Westphal
2015-11-24 10:58 ` Patrick McHardy
2015-11-24 11:01 ` Pablo Neira Ayuso
2015-11-24 11:07 ` Patrick McHardy
2015-11-24 11:14 ` Pablo Neira Ayuso
2015-11-24 11:14 ` Florian Westphal
2015-11-24 11:41 ` Patrick McHardy
2015-11-24 10:53 ` Pablo Neira Ayuso
2015-11-24 11:04 ` Patrick McHardy
2015-11-24 11:12 ` Pablo Neira Ayuso
2015-11-24 11:36 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151125083907.GF23215@breakpoint.cc \
--to=fw@strlen.de \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.