* [PATCH] nfnetlink: add a new subsystem to advertise tables update
From: Nicolas Dichtel @ 2012-09-24 15:39 UTC
To: netfilter-devel; +Cc: pablo, Nicolas Dichtel
For now, there is no way to be informed when a netfilter table is updated.
With this patch a netlink message is sent when a table is updated, with the
name of the table and the family.
For this purpose, a new subsystem (with a new group) has been added.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
include/linux/netfilter/nfnetlink.h | 5 ++-
include/linux/netfilter/nfnetlink_compat.h | 1 +
include/linux/netfilter/nfnetlink_tables.h | 24 +++++++++++
include/linux/netfilter/x_tables.h | 3 +-
include/net/netfilter/nfnetlink_tables.h | 6 +++
net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/netfilter/Kconfig | 9 +++++
net/netfilter/Makefile | 1 +
net/netfilter/nfnetlink_tables.c | 65 ++++++++++++++++++++++++++++++
net/netfilter/x_tables.c | 11 ++++-
12 files changed, 124 insertions(+), 7 deletions(-)
create mode 100644 include/linux/netfilter/nfnetlink_tables.h
create mode 100644 include/net/netfilter/nfnetlink_tables.h
create mode 100644 net/netfilter/nfnetlink_tables.c
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 18341cd..2470a1c 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -18,6 +18,8 @@ enum nfnetlink_groups {
#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
NFNLGRP_CONNTRACK_EXP_DESTROY,
#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ NFNLGRP_TABLES,
+#define NFNLGRP_TABLES NFNLGRP_TABLES
__NFNLGRP_MAX,
};
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
@@ -51,7 +53,8 @@ struct nfgenmsg {
#define NFNL_SUBSYS_ACCT 7
#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
#define NFNL_SUBSYS_CTHELPER 9
-#define NFNL_SUBSYS_COUNT 10
+#define NFNL_SUBSYS_TABLES 10
+#define NFNL_SUBSYS_COUNT 11
#ifdef __KERNEL__
diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/linux/netfilter/nfnetlink_compat.h
index ffb9503..a4cab85 100644
--- a/include/linux/netfilter/nfnetlink_compat.h
+++ b/include/linux/netfilter/nfnetlink_compat.h
@@ -13,6 +13,7 @@
#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
+#define NF_NETLINK_TABLES 0x00000040
/* Generic structure for encapsulation optional netfilter information.
* It is reminiscent of sockaddr, but with sa_family replaced
diff --git a/include/linux/netfilter/nfnetlink_tables.h b/include/linux/netfilter/nfnetlink_tables.h
new file mode 100644
index 0000000..630dc9b
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_tables.h
@@ -0,0 +1,24 @@
+#ifndef _NFNETLINK_TABLES_H
+#define _NFNETLINK_TABLES_H
+
+/* This file describes the netlink messages (i.e. 'protocol packets'),
+ * and not any kind of function definitions. It is shared between kernel and
+ * userspace. Don't put kernel specific stuff in here */
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nftbl_types {
+ NFTBL_UPDATE,
+
+ NFTBL_MSG_MAX
+};
+
+enum nfnl_tables_attr_type {
+ NFTBLA_UNSPEC,
+ NFTBLA_TABLENAME,
+ __NFTBLA_MAX
+};
+#define NFTBLA_MAX (__NFTBLA_MAX - 1)
+
+#endif /* _NFNETLINK_TABLES_H */
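Review bot: the new include/linux/netfilter/nfnetlink_tables.h is described as shared with userspace, but the diffstat shows no `header-y += nfnetlink_tables.h` entry in include/linux/netfilter/Kbuild, so `make headers_install` will not export it and userspace cannot pick it up from the installed headers (the accompanying iptables RFC has to copy the file by hand). Add the Kbuild line in this patch.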
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 8d674a7..280612d 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -432,7 +432,8 @@ extern struct xt_table *xt_register_table(struct net *net,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
-extern struct xt_table_info *xt_replace_table(struct xt_table *table,
+extern struct xt_table_info *xt_replace_table(struct net *net,
+ struct xt_table *table,
unsigned int num_counters,
struct xt_table_info *newinfo,
int *error);
diff --git a/include/net/netfilter/nfnetlink_tables.h b/include/net/netfilter/nfnetlink_tables.h
new file mode 100644
index 0000000..0d87b69
--- /dev/null
+++ b/include/net/netfilter/nfnetlink_tables.h
@@ -0,0 +1,6 @@
+#ifndef _KER_NFNETLINK_TABLES_H
+#define _KER_NFNETLINK_TABLES_H
+
+int nfnl_msgtables_send_update(struct net *net, const struct xt_table *table);
+
+#endif /* _KER_NFNETLINK_TABLES_H */
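Review bot: this header names `struct net` and `struct xt_table` without declaring them, so it only compiles when included after the right headers; add `struct net;` and `struct xt_table;` forward declarations (or include <linux/netfilter/x_tables.h>). A short comment on the return value would also help, since callers are expected to ignore the -ENOBUFS it reports when a listener lost the event.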
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 97e61ea..6fd6002 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1014,7 +1014,7 @@ static int __do_replace(struct net *net, const char *name,
goto put_module;
}
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
+ oldinfo = xt_replace_table(net, t, num_counters, newinfo, &ret);
if (!oldinfo)
goto put_module;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 170b1fd..04dfa7f 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1202,7 +1202,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
goto put_module;
}
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
+ oldinfo = xt_replace_table(net, t, num_counters, newinfo, &ret);
if (!oldinfo)
goto put_module;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index d7cb045..6741442 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1212,7 +1212,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
goto put_module;
}
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
+ oldinfo = xt_replace_table(net, t, num_counters, newinfo, &ret);
if (!oldinfo)
goto put_module;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3f4b3b4..3ca9de4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -32,6 +32,15 @@ config NETFILTER_NETLINK_LOG
and is also scheduled to replace the old syslog-based ipt_LOG
and ip6t_LOG modules.
+config NETFILTER_NETLINK_TABLES
+ tristate "Netfilter Tables events over NFNETLINK interface"
+ depends on NETFILTER_XTABLES
+ select NETFILTER_NETLINK
+ default m
+ help
+ If this option is enabled, the kernel will avertise operations
+ on xt_tables via NFNETLINK.
+
config NF_CONNTRACK
tristate "Netfilter connection tracking support"
default m if NETFILTER_ADVANCED=n
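Review bot: typo in the help text, "avertise" should read "advertise"; the help could also name what is emitted (an NFTBL_UPDATE message in the NFNLGRP_TABLES group carrying the table name and family) so users know what to subscribe to. Note also that the option is a tristate while x_tables.c calls nfnl_msgtables_send_update() directly: a kernel with NETFILTER_XTABLES=y and this option =m will not link. Either make it a bool, or have x_tables.c call through a hook the module registers at init.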
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0baa3f1..07d5c5e 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -13,6 +13,7 @@ nfnetlink_queue-y := nfnetlink_queue_core.o
nfnetlink_queue-$(CONFIG_NETFILTER_NETLINK_QUEUE_CT) += nfnetlink_queue_ct.o
obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
+obj-$(CONFIG_NETFILTER_NETLINK_TABLES) += nfnetlink_tables.o
# connection tracking
obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
diff --git a/net/netfilter/nfnetlink_tables.c b/net/netfilter/nfnetlink_tables.c
new file mode 100644
index 0000000..dce1092
--- /dev/null
+++ b/net/netfilter/nfnetlink_tables.c
@@ -0,0 +1,65 @@
+/*
+ * (C) 2012 by Nicolas Dichtel <nicolas.dichtel@6wind.com>
+ * (C) 2012 by 6WIND <http://www.6wind.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation (or any later at your option).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/init.h>
+#include <linux/netfilter.h>
+#include <linux/netlink.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_tables.h>
+
+int nfnl_msgtables_send_update(struct net *net, const struct xt_table *table)
+{
+ struct sk_buff *skb;
+ struct nlmsghdr *nlh;
+ struct nfgenmsg *nfmsg;
+ int size, err;
+
+ size = NLMSG_ALIGN(sizeof(struct nfgenmsg)) +
+ nla_total_size(sizeof(char[XT_TABLE_MAXNAMELEN]));
+ skb = nlmsg_new(size, GFP_ATOMIC);
+ if (skb == NULL)
+ goto errout;
+
+ nlh = nlmsg_put(skb, 0, 0, NFNL_SUBSYS_TABLES << 8 | NFTBL_UPDATE,
+ sizeof(struct nfgenmsg), 0);
+ if (nlh == NULL)
+ goto nlmsg_failure;
+
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = table->af;
+ nfmsg->version = NFNETLINK_V0;
+ nfmsg->res_id = 0;
+
+ if (nla_put_string(skb, NFTBLA_TABLENAME, table->name))
+ goto nla_put_failure;
+
+ nlmsg_end(skb, nlh);
+
+ err = nfnetlink_send(skb, net, 0, NFNLGRP_TABLES, 0, 0);
+ if (err == -ENOBUFS || err == -EAGAIN)
+ return -ENOBUFS;
+
+ return 0;
+
+nla_put_failure:
+ nlmsg_cancel(skb, nlh);
+nlmsg_failure:
+ kfree_skb(skb);
+errout:
+ if (nfnetlink_set_err(net, 0, NFNLGRP_TABLES, -ENOBUFS) > 0)
+ return -ENOBUFS;
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(nfnl_msgtables_send_update);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Nicolas Dichtel <nicolas.dichtel@6wind.com>");
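Review bot: the file defines nfnl_msgtables_send_update() but does not include <net/netfilter/nfnetlink_tables.h>, so the definition is never checked against its prototype and sparse will warn about a non-static symbol with no declaration; include it. nlmsg_new() is called with GFP_ATOMIC while nfnetlink_send() is passed a gfp of 0; the only caller, xt_replace_table(), runs in process context after local_bh_enable() with the table mutex held, so both could use GFP_KERNEL, and in any case the two should agree. The `err == -ENOBUFS || err == -EAGAIN` check before the success path would read better with a comment saying why -EAGAIN is folded into -ENOBUFS.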
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8d987c3..8ea4dc3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -32,6 +32,9 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
+#if IS_ENABLED (CONFIG_NETFILTER_NETLINK_TABLES)
+#include <net/netfilter/nfnetlink_tables.h>
+#endif
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
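Review bot: `#if IS_ENABLED (CONFIG_NETFILTER_NETLINK_TABLES)` has a stray space before the parenthesis, and the guard is unnecessary around a header that only declares a prototype; include <net/netfilter/nfnetlink_tables.h> unconditionally and keep the conditional at the call site only.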
@@ -805,7 +808,7 @@ static int xt_jumpstack_alloc(struct xt_table_info *i)
}
struct xt_table_info *
-xt_replace_table(struct xt_table *table,
+xt_replace_table(struct net *net, struct xt_table *table,
unsigned int num_counters,
struct xt_table_info *newinfo,
int *error)
@@ -843,6 +846,10 @@ xt_replace_table(struct xt_table *table,
*/
local_bh_enable();
+#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_TABLES)
+ nfnl_msgtables_send_update(net, table);
+#endif
+
#ifdef CONFIG_AUDIT
if (audit_enabled) {
struct audit_buffer *ab;
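Review bot: IS_ENABLED() is also true for CONFIG_NETFILTER_NETLINK_TABLES=m, so with x_tables built in this is a direct reference from vmlinux to a symbol that lives in a module and the link fails. The usual shape for an optional notifier is an RCU-protected function pointer that nfnetlink_tables.c sets at module init and clears at exit, as nfnetlink_queue and ctnetlink do for their hooks. Two smaller points: the return value is dropped, which matches the -ENOBUFS semantics but deserves a one-line comment, and since xt_register_table() also goes through xt_replace_table() (see the last hunk) an "update" event is emitted when a table is first registered; if that is intended, say so in the commit message, otherwise move the call into the __do_replace() paths.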
@@ -893,7 +900,7 @@ struct xt_table *xt_register_table(struct net *net,
/* Simplifies replace_table code. */
table->private = bootstrap;
- if (!xt_replace_table(table, 0, newinfo, &ret))
+ if (!xt_replace_table(net, table, 0, newinfo, &ret))
goto unlock;
private = table->private;
--
1.7.12
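As an added example, not part of Nicolas's patches: a userspace-side parser in C for the NFTBL_UPDATE event the kernel patch emits on the NFNLGRP_TABLES group. It redeclares the netlink wire structures so it compiles without kernel headers, builds a sample message laid out the way nfnl_msgtables_send_update() does, and bounds the table name by the attribute's nla_len instead of trusting the sender's NUL. NFPROTO_IPV4 (2) and XT_TABLE_MAXNAMELEN (32) are the standard kernel values; the function names are mine.

```c
#include <stdint.h>
#include <string.h>

/* Netlink alignment plus the constants the patch adds (NFNL_SUBSYS_TABLES,
 * NFTBL_UPDATE, NFTBLA_TABLENAME); the last two are the usual kernel values. */
#define NLMSG_ALIGN(len)    (((len) + 3u) & ~(size_t)3u)
#define NLA_TYPE_MASK       0x3fff  /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */
#define NFNL_SUBSYS_TABLES  10
#define NFTBL_UPDATE        0
#define NFTBLA_TABLENAME    1
#define NFPROTO_IPV4        2
#define XT_TABLE_MAXNAMELEN 32

/* Wire structures redeclared to match the netlink ABI (host byte order). */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct nfgenmsg { uint8_t nfgen_family; uint8_t version; uint16_t res_id; };
struct nlattr   { uint16_t nla_len; uint16_t nla_type; };

struct table_event {
    uint8_t family;                     /* nfgen_family, e.g. NFPROTO_IPV4 */
    char    name[XT_TABLE_MAXNAMELEN];  /* NFTBLA_TABLENAME, NUL-terminated here */
};

/* Lays out one NFTBL_UPDATE message as nfnl_msgtables_send_update() does:
 * nlmsghdr, nfgenmsg, one string attribute that carries the NUL.
 * Returns the message length, or 0 if 'cap' is too small. Constructs test input. */
size_t build_table_update(uint8_t *out, size_t cap, uint8_t family, const char *name)
{
    size_t nlen  = strlen(name) + 1;
    size_t alen  = sizeof(struct nlattr) + nlen;
    size_t total = sizeof(struct nlmsghdr) + NLMSG_ALIGN(sizeof(struct nfgenmsg))
                 + NLMSG_ALIGN(alen);
    struct nlmsghdr nlh   = { .nlmsg_len = (uint32_t)total,
                              .nlmsg_type = (NFNL_SUBSYS_TABLES << 8) | NFTBL_UPDATE };
    struct nfgenmsg nfmsg = { .nfgen_family = family, .version = 0 /* NFNETLINK_V0 */ };
    struct nlattr   nla   = { .nla_len = (uint16_t)alen, .nla_type = NFTBLA_TABLENAME };
    size_t off = 0;

    if (cap < total) return 0;
    memset(out, 0, total);                         /* alignment padding is zero */
    memcpy(out + off, &nlh, sizeof nlh);     off += sizeof nlh;
    memcpy(out + off, &nfmsg, sizeof nfmsg); off += NLMSG_ALIGN(sizeof nfmsg);
    memcpy(out + off, &nla, sizeof nla);     off += sizeof nla;
    memcpy(out + off, name, nlen);
    return total;
}

/* Parses one message received on the NFNLGRP_TABLES group. Returns 0 and fills
 * *ev, or -1 if the buffer is truncated, the type is not NFTBL_UPDATE, or the
 * name attribute is missing, empty, unterminated or too long for xt_table.name.
 * The name is bounded by nla_len, not by a NUL the sender is trusted to add. */
int parse_table_update(const uint8_t *buf, size_t len, struct table_event *ev)
{
    struct nlmsghdr nlh;
    struct nfgenmsg nfmsg;
    size_t hdr = sizeof nlh + NLMSG_ALIGN(sizeof nfmsg), off;

    if (len < sizeof nlh) return -1;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len > len || nlh.nlmsg_len < hdr ||
        nlh.nlmsg_type != ((NFNL_SUBSYS_TABLES << 8) | NFTBL_UPDATE))
        return -1;

    memcpy(&nfmsg, buf + sizeof nlh, sizeof nfmsg);
    ev->family  = nfmsg.nfgen_family;
    ev->name[0] = '\0';

    for (off = hdr; off + sizeof(struct nlattr) <= nlh.nlmsg_len; ) {
        struct nlattr nla;
        memcpy(&nla, buf + off, sizeof nla);
        if (nla.nla_len < sizeof nla || off + nla.nla_len > nlh.nlmsg_len)
            return -1;                             /* attribute overruns the message */
        if ((nla.nla_type & NLA_TYPE_MASK) == NFTBLA_TABLENAME) {
            const char *p    = (const char *)buf + off + sizeof nla;
            size_t      plen = nla.nla_len - sizeof nla;
            const char *nul  = plen ? memchr(p, '\0', plen) : NULL;
            if (nul == NULL || (size_t)(nul - p) >= XT_TABLE_MAXNAMELEN)
                return -1;
            memcpy(ev->name, p, (size_t)(nul - p) + 1);
        }
        off += NLMSG_ALIGN(nla.nla_len);           /* nla_len >= 4, so this advances */
    }
    return ev->name[0] != '\0' ? 0 : -1;
}

/* Round trip: 0 when a well-formed message parses and the truncated and
 * unterminated variants are rejected; otherwise the number of the failed step. */
int check_parser(void)
{
    uint8_t msg[64];
    struct table_event ev;
    size_t n = build_table_update(msg, sizeof msg, NFPROTO_IPV4, "filter");

    if (n != 32 || parse_table_update(msg, n, &ev) != 0) return 1;
    if (ev.family != NFPROTO_IPV4 || strcmp(ev.name, "filter") != 0) return 2;
    if (parse_table_update(msg, n - 1, &ev) != -1) return 3;  /* truncated */
    msg[30] = 'X';                                            /* clobber the NUL */
    if (parse_table_update(msg, n, &ev) != -1) return 4;      /* unterminated name */
    return 0;
}
```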
* [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Nicolas Dichtel @ 2012-10-02 13:06 UTC
To: netfilter-devel, pablo
The following patch is an example of a userspace tool (in fact, iptables)
that uses the new netlink API to monitor tables activity.
I will also send a patch against libnfnetlink to update linux includes with
this new feature.
Maybe another API can be used for this feature: adding a setsockopt() on an
iptc socket to enable monitoring. When a table is updated, a packet (built with
CMSG_* macros for example) can be sent over all sockets that monitor tables
activity (like km sockets in IPsec). I know that this socket was used only with
[g|s]etsockopt(), but this can avoid adding another netlink API.
Comments are welcome.
Regards,
Nicolas
* [RFC PATCH 1/1] xtables: allow to monitor table update event
From: Nicolas Dichtel @ 2012-10-02 13:06 UTC
To: netfilter-devel, pablo; +Cc: Nicolas Dichtel
A new command (--monitor-table-update or -T) is added to be able to monitor
netlink events that inform when a table is updated.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
include/linux/netfilter/nfnetlink_tables.h | 24 +++++++++
include/xtables.h | 10 ++++
iptables/ip6tables.c | 16 +++++-
iptables/iptables.c | 16 +++++-
libxtables/Makefile.am | 4 ++
libxtables/xtables.c | 87 ++++++++++++++++++++++++++++++
6 files changed, 153 insertions(+), 4 deletions(-)
create mode 100644 include/linux/netfilter/nfnetlink_tables.h
diff --git a/include/linux/netfilter/nfnetlink_tables.h b/include/linux/netfilter/nfnetlink_tables.h
new file mode 100644
index 0000000..bb70039
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_tables.h
@@ -0,0 +1,24 @@
+#ifndef _NFNETLINK_TABLES_H
+#define _NFNETLINK_TABLES_H
+
+/* This file describes the netlink messages (i.e. 'protocol packets'),
+ * and not any kind of function definitions. It is shared between kernel and
+ * userspace. Don't put kernel specific stuff in here */
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nftbl_types {
+ NFTBL_UPDATE,
+
+ NFTBL_MSG_MAX
+};
+
+enum nfnl_tables_attr_type {
+ NFTBLA_UNSPEC,
+ NFTBLA_TABLENAME,
+ __NFTBLA_MAX
+};
+#define NFTBLA_MAX (__NFTBLA_MAX - 1)
+
+#endif /* _NFNETLINK_TABLES_H */
diff --git a/include/xtables.h b/include/xtables.h
index 2cc1a02..32c42b1 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -18,6 +18,11 @@
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
+#ifdef HAVE_LIBNFNETLINK
+#include <libnfnetlink/libnfnetlink.h>
+#include <linux/netfilter/nfnetlink_tables.h>
+#endif
+
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
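Review bot: xtables.h is a public header, but HAVE_LIBNFNETLINK is only defined through libxtables_la_CFLAGS, so libxtables compiles a different xtables.h than iptables.c and every extension built against it; a macro that changes a public header should come from config.h or be substituted into the installed header by configure. Pulling <libnfnetlink/libnfnetlink.h> into xtables.h also makes every consumer depend on libnfnetlink's headers; keeping these includes private to libxtables/xtables.c avoids that.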
@@ -432,8 +437,11 @@ extern u_int16_t xtables_parse_port(const char *port, const char *proto);
extern void
xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
+#ifndef HAVE_LIBNFNETLINK
+/* already defined libnfnetlink/libnfnetlink.h */
/* this is a special 64bit data type that is 8-byte aligned */
#define aligned_u64 u_int64_t __attribute__((aligned(8)))
+#endif
extern struct xtables_globals *xt_params;
#define xtables_error (xt_params->exit_err)
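Review bot: the new comment is missing a word and should read "already defined in libnfnetlink/libnfnetlink.h"; it would also help to say that libnfnetlink's definition of aligned_u64 is identical, since a differing definition would silently change struct layouts between the two builds of the header.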
@@ -511,6 +519,8 @@ extern void xtables_lmap_free(struct xtables_lmap *);
extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *);
extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
+extern int nfnl_monitor_table_udpate(void);
+
#ifdef XTABLES_INTERNAL
/* Shipped modules rely on this... */
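Review bot: the function name is misspelled, nfnl_monitor_table_udpate should be nfnl_monitor_table_update; the typo is repeated in ip6tables.c, iptables.c and libxtables/xtables.c and would become part of the exported libxtables ABI if merged as is.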
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 3661216..408c91e 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -83,7 +83,8 @@
#define CMD_LIST_RULES 0x1000U
#define CMD_ZERO_NUM 0x2000U
#define CMD_CHECK 0x4000U
-#define NUMBER_OF_CMD 16
+#define CMD_MONITOR_TBLUPDT 0x8000U
+#define NUMBER_OF_CMD 17
static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
'N', 'X', 'P', 'E', 'S', 'Z', 'C' };
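Review bot: NUMBER_OF_CMD grows to 17 but cmdflags[] is not extended; cmd2char() indexes it by command bit, so CMD_MONITOR_TBLUPDT (bit 15) reads one element past the end of the 15-entry array. Append 'T' to cmdflags[].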
@@ -105,6 +106,7 @@ static struct option original_opts[] = {
{.name = "delete-chain", .has_arg = 2, .val = 'X'},
{.name = "rename-chain", .has_arg = 1, .val = 'E'},
{.name = "policy", .has_arg = 1, .val = 'P'},
+ {.name = "monitor-table-update",.has_arg = 0, .val = 'T'},
{.name = "source", .has_arg = 1, .val = 's'},
{.name = "destination", .has_arg = 1, .val = 'd'},
{.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
@@ -165,6 +167,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x'},
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x'},
+/*MONITOR*/ {' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' '},
};
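Review bot: the MONITOR row is all ' ', i.e. every option is permitted together with --monitor-table-update although none of them (-s, -d, -j, -i, ...) has a meaning for it. Use 'x' across the row so generic_opt_check() rejects stray options the way it does for the other table-wide commands.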
static const unsigned int inverse_for_options[NUMBER_OF_OPT] =
@@ -248,6 +251,7 @@ exit_printhelp(const struct xtables_rule_match *matches)
" --rename-chain\n"
" -E old-chain new-chain\n"
" Change chain name, (moving any references)\n"
+" --monitor-table-update Monitor table update\n"
"Options:\n"
" --ipv4 -4 Error (line is ignored by ip6tables-restore)\n"
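Review bot: the help line omits the short form while every other command lists both; make it "  --monitor-table-update -T  Monitor table updates" to match the surrounding entries.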
@@ -1381,7 +1385,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
opts = xt_params->orig_opts;
while ((cs.c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:VTh::o:p:s:d:j:i:bvnt:m:xc:g:46",
opts, NULL)) != -1) {
switch (cs.c) {
/*
@@ -1530,6 +1534,11 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
cmd2char(CMD_SET_POLICY));
break;
+ case 'T':
+ add_command(&command, CMD_MONITOR_TBLUPDT, CMD_NONE,
+ cs.invert);
+ break;
+
case 'h':
if (!optarg)
optarg = argv[optind];
@@ -1777,6 +1786,9 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
"chain name `%s' too long (must be under %u chars)",
chain, XT_EXTENSION_MAXNAMELEN);
+ if (command == CMD_MONITOR_TBLUPDT)
+ ret = nfnl_monitor_table_udpate();
+
/* only allocate handle if we weren't called with a handle */
if (!*handle)
*handle = ip6tc_init(*table);
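Review bot: after nfnl_monitor_table_udpate() returns (it blocks in nfnl_catch() until an error), execution falls through to ip6tc_init() and the command switch, which has no CMD_MONITOR_TBLUPDT case, so ret is overwritten and a table handle is opened for nothing. Return from do_command6() right after the monitor call; nothing below it applies to this command.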
diff --git a/iptables/iptables.c b/iptables/iptables.c
index e935f65..b8a99ab 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -79,7 +79,8 @@
#define CMD_LIST_RULES 0x1000U
#define CMD_ZERO_NUM 0x2000U
#define CMD_CHECK 0x4000U
-#define NUMBER_OF_CMD 16
+#define CMD_MONITOR_TBLUPDT 0x8000U
+#define NUMBER_OF_CMD 17
static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
'N', 'X', 'P', 'E', 'S', 'Z', 'C' };
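Review bot: same issue as in ip6tables.c: cmdflags[] needs a 'T' entry for the new bit-15 command, otherwise cmd2char() reads past the array.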
@@ -102,6 +103,7 @@ static struct option original_opts[] = {
{.name = "delete-chain", .has_arg = 2, .val = 'X'},
{.name = "rename-chain", .has_arg = 1, .val = 'E'},
{.name = "policy", .has_arg = 1, .val = 'P'},
+ {.name = "monitor-table-update",.has_arg = 0, .val = 'T'},
{.name = "source", .has_arg = 1, .val = 's'},
{.name = "destination", .has_arg = 1, .val = 'd'},
{.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
@@ -164,6 +166,7 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
+/*MONITOR*/ {' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' ',' '},
};
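Review bot: as in ip6tables.c, the MONITOR row should be 'x' throughout so that options meaningless for a monitor command are rejected.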
static const int inverse_for_options[NUMBER_OF_OPT] =
@@ -258,6 +261,7 @@ exit_printhelp(const struct xtables_rule_match *matches)
" --rename-chain\n"
" -E old-chain new-chain\n"
" Change chain name, (moving any references)\n"
+" --monitor-table-update Monitor table update\n"
"Options:\n"
" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n"
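Review bot: as in ip6tables.c, list the short form "-T" on the help line to match the other commands.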
@@ -1394,7 +1398,7 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
opts = xt_params->orig_opts;
while ((cs.c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:VTh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
opts, NULL)) != -1) {
switch (cs.c) {
/*
@@ -1543,6 +1547,11 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
cmd2char(CMD_SET_POLICY));
break;
+ case 'T':
+ add_command(&command, CMD_MONITOR_TBLUPDT, CMD_NONE,
+ cs.invert);
+ break;
+
case 'h':
if (!optarg)
optarg = argv[optind];
@@ -1791,6 +1800,9 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
"chain name `%s' too long (must be under %u chars)",
chain, XT_EXTENSION_MAXNAMELEN);
+ if (command == CMD_MONITOR_TBLUPDT)
+ ret = nfnl_monitor_table_udpate();
+
/* only allocate handle if we weren't called with a handle */
if (!*handle)
*handle = iptc_init(*table);
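Review bot: as in ip6tables.c, return after the monitor call instead of falling through to iptc_init() and a switch that has no case for CMD_MONITOR_TBLUPDT.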
diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am
index c5795fe..b6b83a1 100644
--- a/libxtables/Makefile.am
+++ b/libxtables/Makefile.am
@@ -18,3 +18,7 @@ libxtables_la_LIBADD += -ldl
else
libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
endif
+if HAVE_LIBNFNETLINK
+libxtables_la_CFLAGS += ${libnfnetlink_CFLAGS} -DHAVE_LIBNFNETLINK
+libxtables_la_LIBADD += ${libnfnetlink_LIBS} -lnfnetlink
+endif
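Review bot: ${libnfnetlink_LIBS} from pkg-config already expands to -lnfnetlink, so the explicit -lnfnetlink is redundant; drop it. Since nfnl_monitor_table_udpate() is exported from libxtables either way but only works when the conditional is on, two builds of libxtables.so with the same soname behave differently at runtime; that is worth a sentence in the commit message.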
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 82c3643..348fcb1 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1904,3 +1904,90 @@ void get_kernel_version(void)
sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
kernel_version = LINUX_VERSION(x, y, z);
}
+
+#ifdef HAVE_LIBNFNETLINK
+static int nfnl_monitor_table_udpate_cb(struct nlmsghdr *nlh,
+ struct nfattr *nfa[], void *data)
+{
+ struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
+
+ printf("Update table: family: ");
+ switch (nfmsg->nfgen_family) {
+ case NFPROTO_UNSPEC:
+ printf("unspec");
+ break;
+ case NFPROTO_IPV4:
+ printf("ipv4");
+ break;
+ case NFPROTO_ARP:
+ printf("arp");
+ break;
+ case NFPROTO_BRIDGE:
+ printf("bridge");
+ break;
+ case NFPROTO_IPV6:
+ printf("ipv6");
+ break;
+ case NFPROTO_DECNET:
+ printf("decnet");
+ break;
+ default:
+ printf("unknown");
+ break;
+ }
+
+ if (nfa[NFTBLA_TABLENAME-1] != NULL)
+ printf(", table: %s\n", (char *)NFA_DATA(nfa[NFTBLA_TABLENAME-1]));
+ else
+ printf(", NFTBLA_TABLENAME not set\n");
+
+ return NFNL_CB_CONTINUE;
+}
+#endif
+
+int nfnl_monitor_table_udpate(void)
+{
+#ifdef HAVE_LIBNFNETLINK
+ struct nfnl_handle *nfnlh;
+ struct nfnl_subsys_handle *nfnlsh;
+ struct nfnl_callback cb;
+ int err;
+
+ cb.call = nfnl_monitor_table_udpate_cb;
+ cb.data = NULL;
+ cb.attr_count = NFTBLA_MAX;
+
+ nfnlh = nfnl_open();
+ if (!nfnlh) {
+ err = -EINVAL;
+ perror("nfnl_open()");
+ goto err_out_exit;
+ }
+
+ nfnlsh = nfnl_subsys_open(nfnlh, NFNL_SUBSYS_TABLES, NFTBL_MSG_MAX,
+ NF_NETLINK_TABLES);
+ if (!nfnlsh) {
+ err = -EINVAL;
+ perror("nfnl_subsys_open()");
+ goto err_out_close;
+ }
+
+ if ((err = nfnl_callback_register(nfnlsh, NFTBL_UPDATE, &cb)) < 0) {
+ perror("nfnl_callback_register()");
+ goto err_out_close_subsys;
+ }
+
+ if ((err = nfnl_catch(nfnlh)) < 0)
+ perror("nfnl_catch()");
+
+err_out_close_subsys:
+ nfnl_subsys_close(nfnlsh);
+err_out_close:
+ nfnl_close(nfnlh);
+err_out_exit:
+ return err;
+#else
+ fprintf(stderr, "tools compiled without nfnetlink support\n");
+ return -ENOTSUP;
+#endif
+}
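Review bot: in the callback, `(char *)NFA_DATA(nfa[NFTBLA_TABLENAME-1])` is handed to printf("%s") without checking that the payload is NUL-terminated; the kernel side uses nla_put_string() so it will be, but a monitor should still bound the read, e.g. printf("%.*s", (int)NFA_PAYLOAD(nfa[NFTBLA_TABLENAME-1]), ...). In nfnl_monitor_table_udpate(), `err = -EINVAL` followed by perror() prints errno rather than the value being returned; either return -errno or drop the perror. The normal return from nfnl_catch() runs through the err_out_* labels, which works but deserves a comment, and the function name typo applies here too.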
--
1.7.12
* [RFC PATCH] includes: add definitions of nfnl_tables
From: Nicolas Dichtel @ 2012-10-02 13:07 UTC
To: netfilter-devel, pablo; +Cc: Nicolas Dichtel
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
include/libnfnetlink/linux_nfnetlink.h | 3 +++
include/libnfnetlink/linux_nfnetlink_compat.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/include/libnfnetlink/linux_nfnetlink.h b/include/libnfnetlink/linux_nfnetlink.h
index 76a8550..82785d9 100644
--- a/include/libnfnetlink/linux_nfnetlink.h
+++ b/include/libnfnetlink/linux_nfnetlink.h
@@ -18,6 +18,8 @@ enum nfnetlink_groups {
#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
NFNLGRP_CONNTRACK_EXP_DESTROY,
#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ NFNLGRP_TABLES,
+#define NFNLGRP_TABLES NFNLGRP_TABLES
__NFNLGRP_MAX,
};
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
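Review bot: the commit message is only a Signed-off-by line; it should say that these definitions mirror the kernel patch "nfnetlink: add a new subsystem to advertise tables update" and which kernel tree they were taken from, so the two copies can be kept in sync.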
@@ -47,6 +49,7 @@ struct nfgenmsg {
#define NFNL_SUBSYS_QUEUE 3
#define NFNL_SUBSYS_ULOG 4
#define NFNL_SUBSYS_COUNT 5
+#define NFNL_SUBSYS_TABLES 10
#ifdef __KERNEL__
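Review bot: NFNL_SUBSYS_TABLES is defined as 10 while NFNL_SUBSYS_COUNT stays at 5, so in this copy of the header the count no longer bounds the subsystem ids, unlike the kernel header where COUNT is bumped to 11. Either sync the whole block of NFNL_SUBSYS_* defines with the kernel header (ids 5 to 9 are also missing here) or at least bump COUNT.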
diff --git a/include/libnfnetlink/linux_nfnetlink_compat.h b/include/libnfnetlink/linux_nfnetlink_compat.h
index e145176..2546e01 100644
--- a/include/libnfnetlink/linux_nfnetlink_compat.h
+++ b/include/libnfnetlink/linux_nfnetlink_compat.h
@@ -10,6 +10,7 @@
#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
+#define NF_NETLINK_TABLES 0x00000040
/* Generic structure for encapsulation optional netfilter information.
* It is reminiscent of sockaddr, but with sa_family replaced
--
1.7.12
* Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Nicolas Dichtel @ 2012-10-15 13:10 UTC
To: netfilter-devel, pablo
On 02/10/2012 15:06, Nicolas Dichtel wrote:
> The following patch is an example of a userspace tool (in fact, iptables)
> that uses the new netlink API to monitor tables activity.
>
> I will also send a patch against libnfnetlink to update linux includes with
> this new feature.
>
> Maybe another API can be used for this feature: adding a setsockopt() on an
> iptc socket to enable monitoring. When a table is updated, a packet (built with
> CMSG_* macros for example) can be sent over all sockets that monitor tables
> activity (like km sockets in IPsec). I know that this socket was used only with
> [g|s]etsockopt(), but this can avoid adding another netlink API.
>
> Comments are welcome.
Any feedback about this patch or the other proposed API?
Regards,
Nicolas
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Nicolas Dichtel @ 2012-10-25 12:52 UTC
To: netfilter-devel; +Cc: pablo
On 15/10/2012 15:10, Nicolas Dichtel wrote:
> Any feedback about this patch or the other proposed API?
Still no comment about this feature? Maybe another option to solve the problem?
Regards,
Nicolas
* Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Pablo Neira Ayuso @ 2012-10-25 17:19 UTC
To: Nicolas Dichtel; +Cc: netfilter-devel
Hi Nicolas,
On Thu, Oct 25, 2012 at 02:52:48PM +0200, Nicolas Dichtel wrote:
> Still no comment about this feature? Maybe another option to solve the problem?
Adding a new nfnetlink subsystem to just report table updates seems
a bit too much to me.
I'd aim at the nftables proposal that I just made. If this doesn't
happen in a reasonable amount of time, get back to the mailing list
and push us again to get this in.
Thanks.
* Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Nicolas Dichtel @ 2012-10-26 8:05 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Jan Engelhardt
On 25/10/2012 19:19, Pablo Neira Ayuso wrote:
> Adding a new nfnetlink subsystem to just reports table updates seems
> a bit too much to me.
What about the second proposal? Sending messages through the iptc socket?
If you have some other ideas, we can change the design of the implementation;
it's not a problem.
>
> I'd aim to the nftables proposal that I just made. If this doesn't
> happen in a reasonable amount of time, get back to the mailing list
> and push us again to get this in.
There seem to be two competitors for the next generation: nftables vs xtables2.
Can we not start with a first implementation with the current xtables? Then, we
will work to have continuity of this feature in the next generation.
* Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
From: Pablo Neira Ayuso @ 2012-10-26 8:44 UTC
To: Nicolas Dichtel; +Cc: netfilter-devel, Jan Engelhardt
Hi Nicolas,
On Fri, Oct 26, 2012 at 10:05:25AM +0200, Nicolas Dichtel wrote:
> What about the second proposal? Sending messages through the iptc socket?
> If you have some other ideas, we can change the design of the
> implementation, it's not a problem.
It's been four weeks since you posted your patch and you've been
asking for feedback *every single week* with no results at all. So,
nobody cares.
I see no existing FOSS projects using this (apart from your
iptables change to report events).
And I already told you, I don't think it makes sense to maintain more
than one firewalling subsystem using netlink as interface.
Please, stop.