From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, kaber@trash.net, netdev@vger.kernel.org
Subject: [PATCH 16/17] netfilter: nf_tables: add trace support
Date: Mon, 14 Oct 2013 18:38:57 +0200	[thread overview]
Message-ID: <1381768738-17739-17-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1381768738-17739-1-git-send-email-pablo@netfilter.org>

This patch adds support for tracing a packet's path through
the ruleset, in a similar fashion to x_tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h |    2 ++
 net/netfilter/nf_tables_api.c     |    1 +
 net/netfilter/nf_tables_core.c    |   57 +++++++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 975ad3c..54c4a5c 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -392,6 +392,7 @@ enum nft_chain_flags {
  *	@list: used internally
  *	@rcu_head: used internally
  *	@net: net namespace that this chain belongs to
+ *	@table: table that this chain belongs to
  *	@handle: chain handle
  *	@flags: bitmask of enum nft_chain_flags
  *	@use: number of jump references to this chain
@@ -403,6 +404,7 @@ struct nft_chain {
 	struct list_head		list;
 	struct rcu_head			rcu_head;
 	struct net			*net;
+	struct nft_table		*table;
 	u64				handle;
 	u8				flags;
 	u16				use;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 79e1418..dcddc49 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -979,6 +979,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 	INIT_LIST_HEAD(&chain->rules);
 	chain->handle = nf_tables_alloc_handle(table);
 	chain->net = net;
+	chain->table = table;
 	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
 
 	if (!(table->flags & NFT_TABLE_F_DORMANT) &&
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index d581ef6..cb9e685 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -19,6 +19,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_log.h>
 
 static void nft_cmp_fast_eval(const struct nft_expr *expr,
 			      struct nft_data data[NFT_REG_MAX + 1])
@@ -63,6 +64,7 @@ static bool nft_payload_fast_eval(const struct nft_expr *expr,
 struct nft_jumpstack {
 	const struct nft_chain	*chain;
 	const struct nft_rule	*rule;
+	int			rulenum;
 };
 
 static inline void
@@ -79,6 +81,40 @@ nft_chain_stats(const struct nft_chain *this, const struct nft_pktinfo *pkt,
 	rcu_read_unlock_bh();
 }
 
+enum nft_trace {
+	NFT_TRACE_RULE,
+	NFT_TRACE_RETURN,
+	NFT_TRACE_POLICY,
+};
+
+static const char *const comments[] = {
+	[NFT_TRACE_RULE]	= "rule",
+	[NFT_TRACE_RETURN]	= "return",
+	[NFT_TRACE_POLICY]	= "policy",
+};
+
+static struct nf_loginfo trace_loginfo = {
+	.type = NF_LOG_TYPE_LOG,
+	.u = {
+		.log = {
+			.level = 4,
+			.logflags = NF_LOG_MASK,
+	        },
+	},
+};
+
+static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
+				    const struct nft_chain *chain,
+				    int rulenum, enum nft_trace type)
+{
+	struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
+
+	nf_log_packet(net, pkt->xt.family, pkt->hooknum, pkt->skb, pkt->in,
+		      pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
+		      chain->table->name, chain->name, comments[type],
+		      rulenum);
+}
+
 unsigned int
 nft_do_chain_pktinfo(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 {
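Review bot: nft_trace_packet() formats `rulenum` with `%u` in the "TRACE: %s:%s:%s:%u " string, but the parameter is declared `int rulenum` and the counter passed in from nft_do_chain_pktinfo() is `int` as well; the types should agree, e.g. `int rulenum` → `unsigned int rulenum` in the signature and in `struct nft_jumpstack`, or `%u` → `%d`. `dev_net(pkt->in ? pkt->in : pkt->out)` dereferences NULL when neither device is set; presumably every netfilter hook supplies at least one (the x_tables trace path relies on the same thing), but a one-line comment stating that assumption would help the next reader. `trace_loginfo` is never written after initialisation and nf_log_packet() takes a `const struct nf_loginfo *`, so it can be declared `static const struct nf_loginfo trace_loginfo`. `.level = 4` is a bare magic number; a comment naming the intended syslog level (it appears to mirror the x_tables trace loginfo) would make it self-describing.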
@@ -88,6 +124,7 @@ nft_do_chain_pktinfo(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 	struct nft_data data[NFT_REG_MAX + 1];
 	unsigned int stackptr = 0;
 	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
+	int rulenum = 0;
 	/*
 	 * Cache cursor to avoid problems in case that the cursor is updated
 	 * while traversing the ruleset.
@@ -104,6 +141,8 @@ next_rule:
 		if (unlikely(rule->genmask & (1 << gencursor)))
 			continue;
 
+		rulenum++;
+
 		nft_rule_for_each_expr(expr, last, rule) {
 			if (expr->ops == &nft_cmp_fast_ops)
 				nft_cmp_fast_eval(expr, data);
@@ -129,17 +168,28 @@ next_rule:
 	case NF_ACCEPT:
 	case NF_DROP:
 	case NF_QUEUE:
+		if (unlikely(pkt->skb->nf_trace))
+			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
+
 		return data[NFT_REG_VERDICT].verdict;
 	case NFT_JUMP:
+		if (unlikely(pkt->skb->nf_trace))
+			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
+
 		BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);
 		jumpstack[stackptr].chain = chain;
 		jumpstack[stackptr].rule  = rule;
+		jumpstack[stackptr].rulenum = rulenum;
 		stackptr++;
 		/* fall through */
 	case NFT_GOTO:
 		chain = data[NFT_REG_VERDICT].chain;
 		goto do_chain;
 	case NFT_RETURN:
+		if (unlikely(pkt->skb->nf_trace))
+			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RETURN);
+
+		/* fall through */
 	case NFT_CONTINUE:
 		break;
 	default:
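Review bot: `rulenum` is not reset when a jump or goto enters a new chain: after `chain = data[NFT_REG_VERDICT].chain; goto do_chain;` the counter keeps the caller's value, so the `rule:N` positions traced inside the target chain are offset by the number of rules already walked in the parent (the `do_chain:` label is outside this hunk, so this holds unless the counter is zeroed there). The saved `jumpstack[stackptr].rulenum` restores the correct value on return, but the sub-chain's own trace lines are wrong; adding `rulenum = 0;` immediately after `do_chain:` fixes it. Separately, the `NFT_GOTO` case emits no trace line at all, unlike `NFT_JUMP`, so a goto rule is invisible in the trace; moving the `NFT_TRACE_RULE` call from the `NFT_JUMP` case into the `NFT_GOTO` case (which `NFT_JUMP` falls through to) covers both verdicts with one call. The enclosing function nft_do_chain_pktinfo() starts and ends outside this hunk.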
@@ -147,13 +197,20 @@ next_rule:
 	}
 
 	if (stackptr > 0) {
+		if (unlikely(pkt->skb->nf_trace))
+			nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);
+
 		stackptr--;
 		chain = jumpstack[stackptr].chain;
 		rule  = jumpstack[stackptr].rule;
+		rulenum = jumpstack[stackptr].rulenum;
 		goto next_rule;
 	}
 	nft_chain_stats(chain, pkt, jumpstack, stackptr);
 
+	if (unlikely(pkt->skb->nf_trace))
+		nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_POLICY);
+
 	return nft_base_chain(chain)->policy;
 }
 EXPORT_SYMBOL_GPL(nft_do_chain_pktinfo);
-- 
1.7.10.4
