[RFC] libnfnetlink, libnetfilter_log, libnetfilter

All of lore.kernel.org
 help / color / mirror / Atom feed

* [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue  error handling
@ 2006-06-09 16:01 Gregor Maier
  2006-06-11 22:04 ` Pablo Neira Ayuso
  2006-06-12 12:34 ` Holger Eitzenberger
  0 siblings, 2 replies; 3+ messages in thread
From: Gregor Maier @ 2006-06-09 16:01 UTC (permalink / raw)
  To: netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


I noticed that libnfnetlink, libnetfilter_* are currently missing decent
error handling and reporting mechanisms.

libnetfilter_log and libnetfilter_queue define a nflog_errno resp.
nfq_errno but those aren't really used. libnfnetlink uses fprintf for
error handling/reporting.



What do you think about the following suggestions:
* add a nfnl_errno variable
* add #defines for nfnl_errno values also add a nfnl_strerror and a
nfnl_perror function
* add #defines for nflog_errno and nfq_errno and nf{log|q}_strerror and
nf{log|q}_perror functions.

* make nflog_errno and nfq_errno a superset of the nfnl_errnos. E.g. by
defining that error values from 1...N are for nfnl and values above N
are for nfq_errno and nflog_errno.
* nflog_strerror (and nfq_strerror) check if nflog_errno (resp.
nfq_errno) is <= N. If so, they call nfnl_strerror otherwise they handle
the error themselves.

A user of the libnetfilter_{queue|log} only has to use the nfq_strerror
or nflog_strerror (resp. perror) functions without getting in touch with
the libnfnetlink errors. And by making nf{q|log}_errnos a superset of
nfnl_errnos, reporting netlink errors is straightforward.



How this could look like in code:

/**** libnfnetlink ****/
#define   ENFNL_NOERR    0
#define   ENFNL_FOO      1
#define   ENFNL_FOOBAR   2
....
#define   ENFNL_MAXERR   1024



static const char *const nfnl_errlist[] =
{
   "No error",                  /* 0 */
   "Error foo occured",         /* 1 = ENFNL_FOO */
 .....
};

const char *nfnl_strerror(int errnum) {
	static char buf[1024];

	if (errnum >= nfnl_nerr) {
		snprintf(buf, sizeof(buf), "No such nfnetlink error number %d", errnum);
	}
	else {
		strncpy(buf, nfnl_errlist[errnum], sizeof(buf)-1);
      	buf[sizeof(buf)-1] = '\0'; /* terminate if the error was too long */
	}
	return buf;
		
}



void nfnl_perror(const char *s);

static const int nfnl_nerr =  sizeof (nfnl_errlist) / sizeof
(nfnl_errlist[0]);


/*******************************/
/***** libnetfilter_queue *****/
#define   ENFQ_DUMMY    (ENFQ_MAXERR+1)
#define   ENFQ_BLUB     (ENFQ_MAXERR+2)

...
const char *nfq_strerror(int errnum) {
	static char buf[1024];

	if (errnum <= ENFNL_MAXERR) {
		snprintf(buf, sizeof(buf), "%s", nfnl_strerror(errnum));
	}
	else if (errnum >= ENFNL_MAXERR+1+nfq_nerr) {
		snprintf(buf, sizeof(buf), "No such netfilter_queue error number %d",
errnum);
	}
	else {
		strncpy(buf, nfq_errlist[errnum-ENFNL_MAXERR-1], sizeof(buf)-1);
      	buf[sizeof(buf)-1] = '\0'; /* terminate if the error was too long */
	}
	return buf;
		
}




/*******************************/
/***** libnetfilter_log *****/
#define   ENFLOG_FOO      (ENFNL_MAXERR+1)
#define   ENFLOG_BARFOO   (ENFNL_MAXERR+2)

...
const char *nflog_strerror(int errnum) {
	static char buf[1024];

	if (errnum <= ENFNL_MAXERR) {
		snprintf(buf, sizeof(buf), "%s", nfnl_strerror(errnum));
	}
	else if (errnum >= ENFNL_MAXERR+1+nflog_nerr) {
		snprintf(buf, sizeof(buf), "No such netfilter_log error number %d",
errnum);
	}
	else {
		strncpy(buf, nflog_errlist[errnum-ENFNL_MAXERR-1], sizeof(buf)-1);
      	buf[sizeof(buf)-1] = '\0'; /* terminate if the error was too long */
	}
	return buf;
		
}



Comments?

cu
Gregor

- --
Gregor Maier                                      Lehrstuhl Informatik 8
gregor@net.in.tum.de                              Tel: +49 89  289-18010
http://www.net.in.tum.de                                     TU Muenchen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEiZtEdGiwgbikMYMRAmiWAJ9vKqp5xdOLeI3dZzh8xsMEw+bxWgCgmC0t
lYaGuEyxlMa7Rvma4qhRdbA=
=ZmGE
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue  error handling
  2006-06-09 16:01 [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue error handling Gregor Maier
@ 2006-06-11 22:04 ` Pablo Neira Ayuso
  2006-06-12 12:34 ` Holger Eitzenberger
  1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2006-06-11 22:04 UTC (permalink / raw)
  To: Gregor Maier; +Cc: netfilter-devel

Gregor Maier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> 
> I noticed that libnfnetlink, libnetfilter_* are currently missing decent
> error handling and reporting mechanisms.
> 
> libnetfilter_log and libnetfilter_queue define a nflog_errno resp.
> nfq_errno but those aren't really used. libnfnetlink uses fprintf for
> error handling/reporting.
> 
> What do you think about the following suggestions:
> * add a nfnl_errno variable
> * add #defines for nfnl_errno values also add a nfnl_strerror and a
> nfnl_perror function
> * add #defines for nflog_errno and nfq_errno and nf{log|q}_strerror and
> nf{log|q}_perror functions.
> 
> * make nflog_errno and nfq_errno a superset of the nfnl_errnos. E.g. by
> defining that error values from 1...N are for nfnl and values above N
> are for nfq_errno and nflog_errno.
> * nflog_strerror (and nfq_strerror) check if nflog_errno (resp.
> nfq_errno) is <= N. If so, they call nfnl_strerror otherwise they handle
> the error themselves.

All those seem a good idea, I have currently enqueued a set of patches 
for libnfnetlink and friends that I'll post in some days, still want to 
give them some spins. I think that we could integrate this changes that 
you propose.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue  error handling
  2006-06-09 16:01 [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue error handling Gregor Maier
  2006-06-11 22:04 ` Pablo Neira Ayuso
@ 2006-06-12 12:34 ` Holger Eitzenberger
  1 sibling, 0 replies; 3+ messages in thread
From: Holger Eitzenberger @ 2006-06-12 12:34 UTC (permalink / raw)
  To: Gregor Maier; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 811 bytes --]

On Fri, Jun 09, 2006 at 06:01:08PM +0200, Gregor Maier wrote:

> I noticed that libnfnetlink, libnetfilter_* are currently missing decent
> error handling and reporting mechanisms.

Yes, go ahead and implement proper error handling in the library.  For
ctsyncd I basically commented out all those printf's.

Another point: at least libnetfilter_conntrack is far from "const
clean".  That is: no even a single function in libnetfilter-conntrack
uses 'const' for one of its paramters, though it could.  This is quite
annoying if you use const in your programs.  I have a patch at hand
which does this for functions such as nfct_conntrack_compare and some
others.

I have attached my current version of the patch, status: works-for-me.
May someone please comment on it, I will update if need be.

Thanks.  /holger

[-- Attachment #2: libnetfilter_conntrack_const_clean.patch --]
[-- Type: text/plain, Size: 10802 bytes --]

[NETFILTER] libnetfilter_conntrack: make partly const clean

Not using 'const' in libnetfilter_conntrack does is make hard to
use 'const' in programs using it.  This patch fixes it partly for
the compare and extension libs.

Signed-off-by: Holger Eitzenberger <holger@my-eitzenberger.de>

---
commit 49ead977ec32613b05082a7b583c8abd407e723a
tree 8518d270c18ccb1d1529d956ee6683b4f0b33921
parent 07f71e55c5d9413114661a8d878cf68c698eb7fb
author Holger Eitzenberger <holger@my-eitzenberger.de> Sat, 03 Jun 2006 22:10:58 +0200
committer Holger Eitzenberger <holger@jonathan.my-eitzenberger.de> Sat, 03 Jun 2006 22:10:58 +0200

 extensions/libnetfilter_conntrack_icmp.c           |    7 +++----
 extensions/libnetfilter_conntrack_sctp.c           |    9 ++++-----
 extensions/libnetfilter_conntrack_tcp.c            |    9 ++++-----
 extensions/libnetfilter_conntrack_udp.c            |    7 +++----
 .../libnetfilter_conntrack.h                       |    6 +++---
 .../libnetfilter_conntrack_extensions.h            |    8 ++++----
 .../libnetfilter_conntrack_l3extensions.h          |    7 ++++---
 l3extensions/libnetfilter_conntrack_ipv4.c         |    7 +++----
 l3extensions/libnetfilter_conntrack_ipv6.c         |    7 +++----
 src/libnetfilter_conntrack.c                       |    6 +++---
 10 files changed, 34 insertions(+), 39 deletions(-)

diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c
index 72a7eb0..a6efb7b 100644
--- a/extensions/libnetfilter_conntrack_icmp.c
+++ b/extensions/libnetfilter_conntrack_icmp.c
@@ -43,7 +43,7 @@ static void build_tuple_proto(struct nfn
 		       &t->l4src.icmp.id, sizeof(u_int16_t));
 }
 
-static int print_proto(char *buf, struct nfct_tuple *t)
+static int print_proto(char *buf, const struct nfct_tuple *t)
 {
 	/* The ID only makes sense some ICMP messages but we want to
 	 * display the same output that /proc/net/ip_conntrack does */
@@ -52,9 +52,8 @@ static int print_proto(char *buf, struct
 						      ntohs(t->l4src.icmp.id)));
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+		   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & ICMP_TYPE)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type !=
diff --git a/extensions/libnetfilter_conntrack_sctp.c b/extensions/libnetfilter_conntrack_sctp.c
index 3785c2e..1aea39a 100644
--- a/extensions/libnetfilter_conntrack_sctp.c
+++ b/extensions/libnetfilter_conntrack_sctp.c
@@ -44,21 +44,20 @@ static void build_tuple_proto(struct nfn
 		       &t->l4dst.sctp.port, sizeof(u_int16_t));
 }
 
-static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo)
+static int print_protoinfo(char *buf, const union nfct_protoinfo *protoinfo)
 {
 /*	fprintf(stdout, "%s ", states[protoinfo->sctp.state]); */
 	return 0;
 }
 
-static int print_proto(char *buf, struct nfct_tuple *tuple)
+static int print_proto(char *buf, const struct nfct_tuple *tuple)
 {
 	return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.sctp.port),
 						  htons(tuple->l4dst.sctp.port)));
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+				   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & SCTP_ORIG_SPORT)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port !=
diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c
index 9efdbb7..9c6aa04 100644
--- a/extensions/libnetfilter_conntrack_tcp.c
+++ b/extensions/libnetfilter_conntrack_tcp.c
@@ -83,20 +83,19 @@ static void build_protoinfo(struct nfnlh
 	nfnl_nest_end(&req->nlh, nest_proto);
 }
 
-static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo)
+static int print_protoinfo(char *buf, const union nfct_protoinfo *protoinfo)
 {
 	return(sprintf(buf, "%s ", states[protoinfo->tcp.state]));
 }
 
-static int print_proto(char *buf, struct nfct_tuple *tuple)
+static int print_proto(char *buf, const struct nfct_tuple *tuple)
 {
 	return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.tcp.port),
 					          htons(tuple->l4dst.tcp.port)));
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+				   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & TCP_ORIG_SPORT)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port !=
diff --git a/extensions/libnetfilter_conntrack_udp.c b/extensions/libnetfilter_conntrack_udp.c
index c1d20c3..a329c4a 100644
--- a/extensions/libnetfilter_conntrack_udp.c
+++ b/extensions/libnetfilter_conntrack_udp.c
@@ -27,7 +27,7 @@ static void parse_proto(struct nfattr *c
 			*(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
 }
 
-static int print_proto(char *buf, struct nfct_tuple *tuple)
+static int print_proto(char *buf, const struct nfct_tuple *tuple)
 {
 	return (sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.udp.port),
 					           htons(tuple->l4dst.udp.port)));
@@ -42,9 +42,8 @@ static void build_tuple_proto(struct nfn
 		       &t->l4dst.udp.port, sizeof(u_int16_t));
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+				   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & UDP_ORIG_SPORT)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port !=
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 3bd30ff..c9ae564 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -299,9 +299,9 @@ extern int nfct_sprintf_id(char *buf, u_
 /*
  * Conntrack comparison
  */
-extern int nfct_conntrack_compare(struct nfct_conntrack *ct1, 
-				  struct nfct_conntrack *ct2,
-				  struct nfct_conntrack_compare *cmp);
+extern int nfct_conntrack_compare(const struct nfct_conntrack *ct1, 
+				  const struct nfct_conntrack *ct2,
+				  const struct nfct_conntrack_compare *cmp);
 
 /* 
  * Expectations
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
index db7828d..c678f01 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
@@ -27,10 +27,10 @@ struct nfct_proto {
 	void (*parse_protoinfo)(struct nfattr **, struct nfct_conntrack *);
 	void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
 	void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
-	int (*print_protoinfo)(char *, union nfct_protoinfo *);
-	int (*print_proto)(char *, struct nfct_tuple *);
-	int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
-		       unsigned int);
+	int (*print_protoinfo)(char *, const union nfct_protoinfo *);
+	int (*print_proto)(char *, const struct nfct_tuple *);
+	int (*compare)(const struct nfct_conntrack *,
+				   const struct nfct_conntrack *, unsigned int);
 };
 
 extern void nfct_register_proto(struct nfct_proto *h);
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
index 86e002a..2f840ec 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_l3extensions.h
@@ -19,9 +19,10 @@ struct nfct_l3proto {
 	
 	void (*parse_proto)(struct nfattr **, struct nfct_tuple *);
 	void (*build_tuple_proto)(struct nfnlhdr *, int, struct nfct_tuple *);
-	int (*print_proto)(char *, struct nfct_tuple *);
-	int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
-		       unsigned int);
+	int (*print_proto)(char *, const struct nfct_tuple *);
+	int (*compare)(const struct nfct_conntrack *,
+				   const struct nfct_conntrack *,
+				   unsigned int);
 };
 
 extern void nfct_register_l3proto(struct nfct_l3proto *h);
diff --git a/l3extensions/libnetfilter_conntrack_ipv4.c b/l3extensions/libnetfilter_conntrack_ipv4.c
index 727ea01..08b24b7 100644
--- a/l3extensions/libnetfilter_conntrack_ipv4.c
+++ b/l3extensions/libnetfilter_conntrack_ipv4.c
@@ -32,7 +32,7 @@ static void build_tuple_proto(struct nfn
 		       sizeof(u_int32_t));
 }
 
-static int print_proto(char *buf, struct nfct_tuple *tuple)
+static int print_proto(char *buf, const struct nfct_tuple *tuple)
 {
 	struct in_addr src = { .s_addr = tuple->src.v4 };
 	struct in_addr dst = { .s_addr = tuple->dst.v4 };
@@ -44,9 +44,8 @@ static int print_proto(char *buf, struct
 	return size;
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+		   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & IPV4_ORIG)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum !=
diff --git a/l3extensions/libnetfilter_conntrack_ipv6.c b/l3extensions/libnetfilter_conntrack_ipv6.c
index b0c7a3f..ec16b8b 100644
--- a/l3extensions/libnetfilter_conntrack_ipv6.c
+++ b/l3extensions/libnetfilter_conntrack_ipv6.c
@@ -41,7 +41,7 @@ static void build_tuple_proto(struct nfn
 		       sizeof(u_int32_t)*4);
 }
 
-static int print_proto(char *buf, struct nfct_tuple *tuple)
+static int print_proto(char *buf, const struct nfct_tuple *tuple)
 {
 	struct in6_addr src;
 	struct in6_addr dst;
@@ -61,9 +61,8 @@ static int print_proto(char *buf, struct
 	return size;
 }
 
-static int compare(struct nfct_conntrack *ct1,
-		   struct nfct_conntrack *ct2,
-		   unsigned int flags)
+static int compare(const struct nfct_conntrack *ct1,
+		   const struct nfct_conntrack *ct2, unsigned int flags)
 {
 	if (flags & IPV6_ORIG)
 		if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum !=
diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c
index 0110261..1ec3231 100644
--- a/src/libnetfilter_conntrack.c
+++ b/src/libnetfilter_conntrack.c
@@ -926,9 +926,9 @@ void nfct_conntrack_free(struct nfct_con
 #define L3PROTONUM(ct) ct->tuple[NFCT_DIR_ORIGINAL].l3protonum
 #define L4PROTONUM(ct) ct->tuple[NFCT_DIR_ORIGINAL].protonum
 
-int nfct_conntrack_compare(struct nfct_conntrack *ct1,
-			   struct nfct_conntrack *ct2,
-			   struct nfct_conntrack_compare *cmp)
+int nfct_conntrack_compare(const struct nfct_conntrack *ct1,
+			   const struct nfct_conntrack *ct2,
+			   const struct nfct_conntrack_compare *cmp)
 {
 	struct nfct_l3proto *l3proto;
 	struct nfct_proto *proto;

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2006-06-12 12:34 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-06-09 16:01 [RFC] libnfnetlink, libnetfilter_log, libnetfilter_queue error handling Gregor Maier
2006-06-11 22:04 ` Pablo Neira Ayuso
2006-06-12 12:34 ` Holger Eitzenberger

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.