* [PATCH nft 1/2] src: handle rule tracing as an monitor object
@ 2017-08-02 12:15 Pablo Neira Ayuso
2017-08-02 12:15 ` [PATCH nft 2/2] src: netlink: Subscribe nft monitor and nft monitor trace to respective groups Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-08-02 12:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: rvarsha016
Traces are not an event type; they should be handled as an object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/rule.h | 1 +
src/evaluate.c | 31 ++++---------------------------
src/parser_bison.y | 2 ++
src/scanner.l | 1 +
4 files changed, 8 insertions(+), 27 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index e22002724f90..a0edda2fec83 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -397,6 +397,7 @@ enum {
CMD_MONITOR_OBJ_SETS,
CMD_MONITOR_OBJ_ELEMS,
CMD_MONITOR_OBJ_RULESET,
+ CMD_MONITOR_OBJ_TRACE,
CMD_MONITOR_OBJ_MAX
};
diff --git a/src/evaluate.c b/src/evaluate.c
index 959e8542dfff..d24526fef295 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3218,7 +3218,6 @@ enum {
CMD_MONITOR_EVENT_ANY,
CMD_MONITOR_EVENT_NEW,
CMD_MONITOR_EVENT_DEL,
- CMD_MONITOR_EVENT_TRACE,
CMD_MONITOR_EVENT_MAX
};
@@ -3247,6 +3246,7 @@ static uint32_t monitor_flags[CMD_MONITOR_EVENT_MAX][CMD_MONITOR_OBJ_MAX] = {
(1 << NFT_MSG_DELSETELEM) |
(1 << NFT_MSG_NEWOBJ) |
(1 << NFT_MSG_DELOBJ),
+ [CMD_MONITOR_OBJ_TRACE] = (1 << NFT_MSG_TRACE),
},
[CMD_MONITOR_EVENT_NEW] = {
[CMD_MONITOR_OBJ_ANY] = (1 << NFT_MSG_NEWTABLE) |
@@ -3264,7 +3264,8 @@ static uint32_t monitor_flags[CMD_MONITOR_EVENT_MAX][CMD_MONITOR_OBJ_MAX] = {
(1 << NFT_MSG_NEWRULE) |
(1 << NFT_MSG_NEWSET) |
(1 << NFT_MSG_NEWSETELEM) |
- (1 << NFT_MSG_NEWOBJ)
+ (1 << NFT_MSG_NEWOBJ),
+ [CMD_MONITOR_OBJ_TRACE] = 0,
},
[CMD_MONITOR_EVENT_DEL] = {
[CMD_MONITOR_OBJ_ANY] = (1 << NFT_MSG_DELTABLE) |
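Review bot: The `[CMD_MONITOR_OBJ_TRACE] = 0` entry added to the CMD_MONITOR_EVENT_NEW row here, and the matching one in the CMD_MONITOR_EVENT_DEL hunk below, leave `monitor new trace` and `monitor destroy trace` with an empty message mask instead of rejecting them. As far as the visible grammar shows, both spellings still parse, and with patch 2/2 applied a zero mask would make netlink_monitor() join neither NFNLGRP_NFTABLES nor NFNLGRP_NFTRACE, so the command would presumably sit in the listener and never print anything. cmd_evaluate_monitor() could return an error when the looked-up mask is zero, reusing the existing call shape, e.g. `return monitor_error(ctx, cmd->monitor, "event %s is not valid for this object", cmd->monitor->event);`. The explicit zeros are otherwise redundant, because omitted designated-initializer elements are already zero, so a short comment such as `/* trace messages carry no new/destroy event */` would record why they are spelled out. The table and cmd_evaluate_monitor() both extend outside this hunk.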
@@ -3283,29 +3284,7 @@ static uint32_t monitor_flags[CMD_MONITOR_EVENT_MAX][CMD_MONITOR_OBJ_MAX] = {
(1 << NFT_MSG_DELSET) |
(1 << NFT_MSG_DELSETELEM) |
(1 << NFT_MSG_DELOBJ),
- },
- [CMD_MONITOR_EVENT_TRACE] = {
- [CMD_MONITOR_OBJ_ANY] = (1 << NFT_MSG_NEWTABLE) |
- (1 << NFT_MSG_NEWCHAIN) |
- (1 << NFT_MSG_NEWRULE) |
- (1 << NFT_MSG_DELTABLE) |
- (1 << NFT_MSG_DELCHAIN) |
- (1 << NFT_MSG_DELRULE) |
- (1 << NFT_MSG_TRACE),
- [CMD_MONITOR_OBJ_TABLES] = (1 << NFT_MSG_NEWTABLE) |
- (1 << NFT_MSG_DELTABLE),
- [CMD_MONITOR_OBJ_CHAINS] = (1 << NFT_MSG_NEWCHAIN) |
- (1 << NFT_MSG_DELCHAIN),
- [CMD_MONITOR_OBJ_RULES] = (1 << NFT_MSG_NEWRULE) |
- (1 << NFT_MSG_DELRULE),
- [CMD_MONITOR_OBJ_RULESET] = (1 << NFT_MSG_NEWTABLE) |
- (1 << NFT_MSG_NEWCHAIN) |
- (1 << NFT_MSG_NEWRULE) |
- (1 << NFT_MSG_NEWOBJ) |
- (1 << NFT_MSG_DELTABLE) |
- (1 << NFT_MSG_DELCHAIN) |
- (1 << NFT_MSG_DELRULE) |
- (1 << NFT_MSG_DELOBJ),
+ [CMD_MONITOR_OBJ_TRACE] = 0,
},
};
@@ -3324,8 +3303,6 @@ static int cmd_evaluate_monitor(struct eval_ctx *ctx, struct cmd *cmd)
event = CMD_MONITOR_EVENT_NEW;
else if (strcmp(cmd->monitor->event, "destroy") == 0)
event = CMD_MONITOR_EVENT_DEL;
- else if (strcmp(cmd->monitor->event, "trace") == 0)
- event = CMD_MONITOR_EVENT_TRACE;
else {
return monitor_error(ctx, cmd->monitor, "invalid event %s",
cmd->monitor->event);
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 86baf23a00c1..e7bb9097929b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -194,6 +194,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token MAPS "maps"
%token HANDLE "handle"
%token RULESET "ruleset"
+%token TRACE "trace"
%token INET "inet"
%token NETDEV "netdev"
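Review bot: Declaring `%token TRACE "trace"` here, together with the `"trace" { return TRACE; }` rule added in src/scanner.l, turns `trace` into a reserved word for the whole grammar rather than only after `monitor`. Any existing ruleset that uses `trace` as a table, chain, set or object name would then stop parsing, unless the identifier rules (not visible in these hunks) also accept keyword tokens. It is worth checking that case with a ruleset containing such a name. If the breakage is accepted, the commit message should say so, or a comment such as `/* "trace" becomes a keyword: no longer usable as a bare identifier */` could be added next to the token.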
@@ -1196,6 +1197,7 @@ monitor_object : /* empty */ { $$ = CMD_MONITOR_OBJ_ANY; }
| RULES { $$ = CMD_MONITOR_OBJ_RULES; }
| ELEMENTS { $$ = CMD_MONITOR_OBJ_ELEMS; }
| RULESET { $$ = CMD_MONITOR_OBJ_RULESET; }
+ | TRACE { $$ = CMD_MONITOR_OBJ_TRACE; }
;
monitor_format : /* empty */ { $$ = NFTNL_OUTPUT_DEFAULT; }
diff --git a/src/scanner.l b/src/scanner.l
index 7d5437f123ce..b6ba32d88f4a 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -250,6 +250,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"maps" { return MAPS; }
"handle" { return HANDLE; }
"ruleset" { return RULESET; }
+"trace" { return TRACE; }
"accept" { return ACCEPT; }
"drop" { return DROP; }
--
2.1.4
* [PATCH nft 2/2] src: netlink: Subscribe nft monitor and nft monitor trace to respective groups.
2017-08-02 12:15 [PATCH nft 1/2] src: handle rule tracing as an monitor object Pablo Neira Ayuso
@ 2017-08-02 12:15 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-08-02 12:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: rvarsha016
From: Varsha Rao <rvarsha016@gmail.com>
Subscribe nft monitor to both NFNLGRP_NFTABLES and NFNLGRP_NFTRACE.
nft monitor trace subscribes only to NFNLGRP_NFTRACE. The other event
reporting options subscribe only to NFNLGRP_NFTABLES.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index 9cef4c48f805..c1f194e9b008 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -3080,22 +3080,26 @@ int netlink_monitor(struct netlink_mon_handler *monhandler,
{
int group;
- group = NFNLGRP_NFTABLES;
- if (mnl_socket_setsockopt(nf_sock, NETLINK_ADD_MEMBERSHIP, &group,
- sizeof(int)) < 0)
- return netlink_io_error(monhandler->ctx, monhandler->loc,
- "Could not bind to netlink socket %s",
- strerror(errno));
-
- group = NFNLGRP_NFTRACE;
- if (mnl_socket_setsockopt(nf_sock, NETLINK_ADD_MEMBERSHIP, &group,
- sizeof(int)) < 0)
- return netlink_io_error(monhandler->ctx, monhandler->loc,
- "Could not bind to netlink socket %s",
- strerror(errno));
-
- return mnl_nft_event_listener(nf_sock, netlink_events_cb,
- monhandler);
+ if (monhandler->monitor_flags & (1 << NFT_MSG_TRACE)) {
+ group = NFNLGRP_NFTRACE;
+ if (mnl_socket_setsockopt(nf_sock, NETLINK_ADD_MEMBERSHIP,
+ &group, sizeof(int)) < 0)
+ return netlink_io_error(monhandler->ctx,
+ monhandler->loc,
+ "Could not bind to netlink socket %s",
+ strerror(errno));
+ }
+ if (monhandler->monitor_flags & ~(1 << NFT_MSG_TRACE)) {
+ group = NFNLGRP_NFTABLES;
+ if (mnl_socket_setsockopt(nf_sock, NETLINK_ADD_MEMBERSHIP,
+ &group, sizeof(int)) < 0)
+ return netlink_io_error(monhandler->ctx,
+ monhandler->loc,
+ "Could not bind to netlink socket %s",
+ strerror(errno));
+ }
+
+ return mnl_nft_event_listener(nf_sock, netlink_events_cb, monhandler);
}
bool netlink_batch_supported(struct mnl_socket *nf_sock)
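Review bot: The two mask tests in netlink_monitor() build their constants from a signed `1 << NFT_MSG_TRACE`, so `~(1 << NFT_MSG_TRACE)` is a negative int that is then converted to the type of `monitor_flags`. Defining `const uint32_t trace_bit = 1U << NFT_MSG_TRACE;` once and testing `monitor_flags & trace_bit` and `monitor_flags & ~trace_bit` keeps the arithmetic unsigned, in line with the uint32_t table in src/evaluate.c. Both error returns also share the text `"Could not bind to netlink socket %s"`, so a refused join does not say which group failed; naming the group in each message would make the failure easier to diagnose. `sizeof(group)` instead of `sizeof(int)` would keep the option length tied to the variable. The function signature starts above the hunk.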
--
2.1.4