From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure
Date: Wed, 25 Nov 2015 09:39:07 +0100 [thread overview]
Message-ID: <20151125083907.GF23215@breakpoint.cc> (raw)
In-Reply-To: <20151125005523.GB27315@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> > index d8c8a7c..88bcd00 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -970,4 +972,34 @@ enum nft_gen_attributes {
> > };
> > #define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)
> >
> > +enum nft_trace_attibutes {
> > + NFTA_TRACE_UNSPEC,
> > + NFTA_TRACE_CHAIN,
> > + NFTA_TRACE_DEV_TYPE,
> > + NFTA_TRACE_ID,
> > + NFTA_TRACE_IIF,
> > + NFTA_TRACE_OIF,
> > + NFTA_TRACE_LL_HEADER,
> > + NFTA_TRACE_MARK,
> > + NFTA_TRACE_NETWORK_HEADER,
> > + NFTA_TRACE_TABLE,
> > + NFTA_TRACE_TRANSPORT_HEADER,
> > + NFTA_TRACE_TRANSPORT_PROTO,
> > + NFTA_TRACE_TYPE,
> > + NFTA_TRACE_RULE_HANDLE,
> > + NFTA_TRACE_VERDICT,
> > + NFTA_TRACE_VLAN_TAG,
> > + __NFTA_TRACE_MAX
> > +};
> > +#define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1)
>
> The ordering appears to be a bit random (or I'm missing something), I'd
> expect basic information like TABLE/CHAIN/RULE_HANDLE to be at the beginning
> (in that order), similar for TYPE, VERDICT etc.
NFTA_TRACE_UNSPEC,
NFTA_TRACE_TABLE,
NFTA_TRACE_CHAIN,
NFTA_TRACE_RULE_HANDLE,
NFTA_TRACE_TYPE,
NFTA_TRACE_VERDICT,
NFTA_TRACE_DEV_TYPE,
NFTA_TRACE_ID,
NFTA_TRACE_LL_HEADER,
NFTA_TRACE_NETWORK_HEADER,
NFTA_TRACE_TRANSPORT_HEADER,
NFTA_TRACE_TRANSPORT_PROTO,
NFTA_TRACE_IIF,
NFTA_TRACE_OIF,
NFTA_TRACE_MARK,
NFTA_TRACE_VLAN_TAG,
better? If not, please just tell me what ordering you'd prefer and
thats what I'll use.
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index 93cc473..25d8168 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -21,6 +23,10 @@
> > #include <net/net_namespace.h>
> > #include <net/sock.h>
> >
> > +#define NFT_TRACETYPE_LL_HSIZE 20
> > +#define NFT_TRACETYPE_NETWORK_HSIZE 32
> > +#define NFT_TRACETYPE_TRANSPORT_HSIZE 4
>
> 4 seems to be too small for some header types like GRE. If the key is present
> it seems like information we'd want to log.
>
> Also since people probably want to use this to determine why or why not rules
> match, I think it would be good to have the entire transport header present.
>
> > +static bool
> > +trace_notify_put_packet(struct sk_buff *nlskb, const struct nft_pktinfo *pkt)
> > +{
> > + const struct sk_buff *skb = pkt->skb;
> > + unsigned int plen = min_t(unsigned int,
> > + pkt->xt.thoff - skb_network_offset(skb),
> > + NFT_TRACETYPE_NETWORK_HSIZE);
> > + int mac_off;
> > +
> > + if (plen >= 20u && /* minimum iphdr size */
> > + !trace_notify_put_data(nlskb, NFTA_TRACE_NETWORK_HEADER,
> > + skb, skb_network_offset(skb), plen))
> > + return false;
>
> Does that check for 20u have any deeper meaning? It seems this will always
> be true for all currently supported protocols and if we were to add support
> for one that has a smaller size it won't work.
OK, I'll change all checks to 'len &&'.
> > + if (nla_put_be32(skb, NFTA_TRACE_ID, htonl(hash32_ptr(pkt->skb))))
> This could lead to duplicate IDs quite quickly. I can't think of any other
> values where we know for sure they will stay constant while the skb is within
> netfilter. How about combining this with a per CPU counter or something
> similar?
I would not mind, it would result in ID change though for nfqueue case.
If thats ok I'll use a pcpu counter that gets incremented when nft_meta
sets skb->nftrace=1 and use __this_cpu_read(trace_id) instead (if we
have pcpu id counter, is there any point in also using skb address...?)
> > + if (chain) {
> > + if (nla_put_string(skb, NFTA_TRACE_TABLE, chain->table->name))
> > + goto nla_put_failure;
> > + if (nla_put_string(skb, NFTA_TRACE_CHAIN, chain->name))
> > + goto nla_put_failure;
> > + }
> > +
> > + if (rule && nla_put_be64(skb, NFTA_TRACE_RULE_HANDLE,
> > + cpu_to_be64(rule->handle)))
>
> Minor nitpick: below you use
>
> if (condition &&
> nla_put_...
>
> which I think is more readable.
ok. I only used the former if line would go over 80, but i can convert
this too of course.
> > + if (pkt->in &&
> > + nla_put_be32(skb, NFTA_TRACE_IIF, htonl(pkt->in->ifindex)))
> > + goto nla_put_failure;
> > + if (pkt->out &&
> > + nla_put_be32(skb, NFTA_TRACE_OIF, htonl(pkt->out->ifindex)))
> > + goto nla_put_failure;
> > + if (pkt->skb->mark &&
> > + nla_put_be32(skb, NFTA_TRACE_MARK, htonl(pkt->skb->mark)))
> > + goto nla_put_failure;
> > +
> > + switch (type) {
> > + case NFT_TRACETYPE_POLICY:
> > + case NFT_TRACETYPE_RETURN:
> > + case NFT_TRACETYPE_RULE:
> > + if (nla_put_be32(skb, NFTA_TRACE_VERDICT, htonl(verdict)))
> > + goto nla_put_failure;
>
> It would be nice to have the full verdict available, IOW also the jump target.
>
> You could simply pass struct nft_verdict to this function and adapt
> nft_verdict_dump() to take the attribute value as parameter.
Will add NFTA_TRACE_JUMP/NFTA_TRACE_GOTO for that, ok?
next prev parent reply other threads:[~2015-11-25 8:39 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-24 10:02 [PATCH 0/6] nftables trace support Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure Florian Westphal
2015-11-24 10:17 ` Pablo Neira Ayuso
2015-11-24 10:27 ` Florian Westphal
2015-11-24 10:30 ` Pablo Neira Ayuso
2015-11-24 10:35 ` Patrick McHardy
2015-11-24 11:11 ` Florian Westphal
2015-11-24 10:22 ` Pablo Neira Ayuso
2015-11-24 10:28 ` Florian Westphal
2015-11-24 10:33 ` Patrick McHardy
2015-11-24 10:44 ` Pablo Neira Ayuso
2015-11-24 10:45 ` Pablo Neira Ayuso
2015-11-24 10:47 ` Patrick McHardy
2015-11-24 10:36 ` Pablo Neira Ayuso
2015-11-24 10:44 ` Patrick McHardy
2015-11-25 0:55 ` Patrick McHardy
2015-11-25 8:39 ` Florian Westphal [this message]
2015-11-25 8:48 ` Florian Westphal
2015-11-25 9:35 ` Patrick McHardy
2015-11-25 10:13 ` Florian Westphal
2015-11-25 11:51 ` Patrick McHardy
2015-11-25 12:20 ` Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 2/6] netfilter: nf_tables: wrap tracing with a static key Florian Westphal
2015-11-24 10:13 ` Patrick McHardy
2015-11-24 10:21 ` Florian Westphal
2015-11-24 10:28 ` Patrick McHardy
2015-11-24 10:19 ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH nf-next 3/6] netfilter: nf_tables: disable old tracing if listener is present Florian Westphal
2015-11-24 10:16 ` Patrick McHardy
2015-11-24 10:24 ` Pablo Neira Ayuso
2015-11-24 10:31 ` Florian Westphal
2015-11-24 10:39 ` Pablo Neira Ayuso
2015-11-24 10:53 ` Patrick McHardy
2015-11-24 11:10 ` Florian Westphal
2015-11-24 11:33 ` Patrick McHardy
2015-11-24 15:15 ` Florian Westphal
2015-11-24 15:26 ` Patrick McHardy
2015-11-24 15:35 ` Florian Westphal
2015-11-24 15:42 ` Patrick McHardy
2015-11-25 15:06 ` Patrick McHardy
2015-11-25 16:23 ` Pablo Neira Ayuso
2015-11-25 16:34 ` Patrick McHardy
2015-11-25 16:24 ` Florian Westphal
2015-11-25 16:46 ` Patrick McHardy
2015-11-25 17:32 ` Patrick McHardy
2015-11-25 22:27 ` Florian Westphal
2015-11-25 23:04 ` Patrick McHardy
2015-11-25 23:16 ` Florian Westphal
2015-11-25 23:30 ` Patrick McHardy
2015-11-25 23:42 ` Patrick McHardy
2015-11-25 23:56 ` Florian Westphal
2015-11-25 22:52 ` Florian Westphal
2015-11-25 23:15 ` Patrick McHardy
2015-11-25 23:19 ` Florian Westphal
2015-11-26 10:50 ` Patrick McHardy
2015-11-26 11:03 ` Florian Westphal
2015-11-26 11:42 ` Patrick McHardy
2015-11-25 16:49 ` Jan Engelhardt
2015-11-25 16:53 ` Patrick McHardy
2015-11-25 17:14 ` Jan Engelhardt
2015-11-25 17:24 ` Patrick McHardy
2015-11-25 0:57 ` Patrick McHardy
2015-11-24 10:02 ` [PATCH libnftnl 4/6] src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIAS Florian Westphal
2015-11-24 10:11 ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH libnftnl 5/6] src: add trace infrastructure support Florian Westphal
2015-11-24 12:16 ` Patrick McHardy
2015-11-24 14:53 ` Patrick McHardy
2015-11-24 10:02 ` [PATCH nftables 6/6] src: add trace support to nft monitor mode Florian Westphal
2015-11-24 10:25 ` Patrick McHardy
2015-11-24 10:48 ` Florian Westphal
2015-11-24 10:58 ` Patrick McHardy
2015-11-24 11:01 ` Pablo Neira Ayuso
2015-11-24 11:07 ` Patrick McHardy
2015-11-24 11:14 ` Pablo Neira Ayuso
2015-11-24 11:14 ` Florian Westphal
2015-11-24 11:41 ` Patrick McHardy
2015-11-24 10:53 ` Pablo Neira Ayuso
2015-11-24 11:04 ` Patrick McHardy
2015-11-24 11:12 ` Pablo Neira Ayuso
2015-11-24 11:36 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151125083907.GF23215@breakpoint.cc \
--to=fw@strlen.de \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).