From: Pablo Neira Ayuso <pablo@netfilter.org>
To: jalvarez <jalvarez@toulouse.viveris.com>
Cc: netfilter@vger.kernel.org
Subject: Re: netfilter/nftables: chain rule dumps
Date: Tue, 19 Jul 2016 12:28:55 +0200
Message-ID: <20160719102855.GA11848@salvia>
In-Reply-To: <578DEBF0.2090707@toulouse.viveris.com>

On Tue, Jul 19, 2016 at 10:59:28AM +0200, jalvarez wrote:
> I dug into the kernel code yesterday and I have come up with a small patch
> (see below).
> I am a complete newbie in kernel development, please feel free to correct me
> if there is anything I did wrong.
> 
> The kernel builds ok but I didn't test my changes yet. Have you an idea of
> what the best approach should be to test these changes (using User Mode
> Linux maybe?)?

You can mangle one of the existing examples in libnftnl to set the
table and/or chain when listing rules, specifically examples/nft-rule-get.c.

You only have to set the table and/or chain attributes.

> Also, I would like to know what is the exact meaning and expected behavior
> of the idx counter in nf_tables_dump_rules().

Every time you call recvmsg(), the dump routine runs and fills a page
with entries. If there are more entries than can fit into the page,
the idx tells us where to follow up from in the next recvmsg()
invocation.

> My current changes might actually break the expected behavior if it was some
> kind of "rule id counter" instead of "iteration counter". If it is possible,
> I would rather not put the continues in the rules loop, as the goal of these
> changes is mostly to avoid looping through the whole ruleset.
> 
> Again, I am very thankful for your help.
> 
> Here is the patch

Just sent a patch to netfilter-devel, I've Cc'ed you. It would be good
if you can test it.

Thanks.
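
An added user-space model of the resumable dump discussed in this message; it is not kernel code and not the patch from the thread. It shows idx used as an iteration counter, and that skipping a filtered chain before idx is incremented keeps the resume position consistent across calls. The names ruleset, dump_state and dump_rules are hypothetical and the ruleset is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample ruleset: (chain, handle) pairs. */
struct rule { const char *chain; int handle; };
static const struct rule ruleset[] = {
    {"input", 1}, {"input", 2}, {"forward", 3},
    {"input", 4}, {"output", 5}, {"input", 6},
};
#define NRULES (sizeof(ruleset) / sizeof(ruleset[0]))

/* Resume position kept between calls: a count of entries already
 * emitted by this dump, not a rule identifier. */
struct dump_state { unsigned int s_idx; };

/* One recvmsg()-sized pass: write up to cap handles for chain (NULL
 * means every chain) into out. Returns entries written; 0 = done. */
static size_t dump_rules(struct dump_state *st, const char *chain,
                         int *out, size_t cap)
{
    unsigned int idx = 0;
    size_t n = 0;
    for (size_t i = 0; i < NRULES; i++) {
        /* Skip other chains before touching idx, so idx counts only
         * entries that belong to this (filtered) dump. */
        if (chain && strcmp(ruleset[i].chain, chain) != 0)
            continue;
        if (idx < st->s_idx)    /* sent in an earlier pass */
            goto cont;
        if (n == cap)           /* "page" full: resume here next time */
            break;
        out[n++] = ruleset[i].handle;
cont:
        idx++;
    }
    st->s_idx = idx;            /* where the next pass follows up from */
    return n;
}

int main(void)
{
    struct dump_state st = {0};
    int out[2];
    size_t n;
    while ((n = dump_rules(&st, "input", out, 2)) > 0)
        for (size_t i = 0; i < n; i++)
            printf("handle %d (next s_idx=%u)\n", out[i], st.s_idx);
    return 0;
}
```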
