Re: [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure
Date: Wed, 25 Nov 2015 11:13:29 +0100	[thread overview]
Message-ID: <20151125101329.GH23215@breakpoint.cc> (raw)
In-Reply-To: <20151125093554.GA31023@macbook.localdomain>

Patrick McHardy <kaber@trash.net> wrote:
> > > > +     if (nla_put_be32(skb, NFTA_TRACE_ID, htonl(hash32_ptr(pkt->skb)))) 
> > 
> > > This could lead to duplicate IDs quite quickly. I can't think of any other
> > > values where we know for sure they will stay constant while the skb is within
> > > netfilter. How about combining this with a per CPU counter or something
> > > similar?
> > 
> > I would not mind, it would result in ID change though for nfqueue case.
> > If thats ok I'll use a pcpu counter that gets incremented when nft_meta
> > sets skb->nftrace=1 and use __this_cpu_read(trace_id) instead (if we
> > have pcpu id counter, is there any point in also using skb address...?)
> 
> Not sure, I guess not.

Ok, I'll move to pcpu id counter in v2

> > > > +	switch (type) {
> > > > +	case NFT_TRACETYPE_POLICY:
> > > > +	case NFT_TRACETYPE_RETURN:
> > > > +	case NFT_TRACETYPE_RULE:
> > > > +		if (nla_put_be32(skb, NFTA_TRACE_VERDICT, htonl(verdict)))
> > > > +			goto nla_put_failure;
> > > 
> > > It would be nice to have the full verdict available, IOW also the jump target.
> > > 
> > > You could simply pass struct nft_verdict to this function and adapt
> > > nft_verdict_dump() to take the attribute value as parameter.
> > 
> > Will add NFTA_TRACE_JUMP/NFTA_TRACE_GOTO for that, ok?
> 
> Any reason not to use the standard verdict encoding? We even have an almost
> ready to use function for that.

Sorry, could you be more specific?
How would you tell userspace where the jump/goto is going to?

What I am doing now in my local version:

NFTA_TRACE_VERDICT is the verbatim result of the hook (i.e. might
contain errno or queue id).

NFTA_TRACE_JUMP_TARGET is the name of the chain that we goto or jump to,
set when verdict == NFT_JUMP/_GOTO.

Alternative suggestions welcome.

This approach means that userspace must try a bit harder to decode
the verdict since we cannot use 'verdict & NF_VERDICT_MASK' if we're
looking at a NFT_* verdict when translating the integer to a string.

next prev parent reply	other threads:[~2015-11-25 10:13 UTC|newest]

Thread overview: 80+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-24 10:02 [PATCH 0/6] nftables trace support Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 1/6] netfilter: nf_tables: extend tracing infrastructure Florian Westphal
2015-11-24 10:17   ` Pablo Neira Ayuso
2015-11-24 10:27     ` Florian Westphal
2015-11-24 10:30       ` Pablo Neira Ayuso
2015-11-24 10:35         ` Patrick McHardy
2015-11-24 11:11         ` Florian Westphal
2015-11-24 10:22   ` Pablo Neira Ayuso
2015-11-24 10:28     ` Florian Westphal
2015-11-24 10:33       ` Patrick McHardy
2015-11-24 10:44         ` Pablo Neira Ayuso
2015-11-24 10:45           ` Pablo Neira Ayuso
2015-11-24 10:47             ` Patrick McHardy
2015-11-24 10:36       ` Pablo Neira Ayuso
2015-11-24 10:44   ` Patrick McHardy
2015-11-25  0:55   ` Patrick McHardy
2015-11-25  8:39     ` Florian Westphal
2015-11-25  8:48       ` Florian Westphal
2015-11-25  9:35       ` Patrick McHardy
2015-11-25 10:13         ` Florian Westphal [this message]
2015-11-25 11:51           ` Patrick McHardy
2015-11-25 12:20             ` Florian Westphal
2015-11-24 10:02 ` [PATCH nf-next 2/6] netfilter: nf_tables: wrap tracing with a static key Florian Westphal
2015-11-24 10:13   ` Patrick McHardy
2015-11-24 10:21     ` Florian Westphal
2015-11-24 10:28       ` Patrick McHardy
2015-11-24 10:19   ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH nf-next 3/6] netfilter: nf_tables: disable old tracing if listener is present Florian Westphal
2015-11-24 10:16   ` Patrick McHardy
2015-11-24 10:24   ` Pablo Neira Ayuso
2015-11-24 10:31     ` Florian Westphal
2015-11-24 10:39       ` Pablo Neira Ayuso
2015-11-24 10:53         ` Patrick McHardy
2015-11-24 11:10           ` Florian Westphal
2015-11-24 11:33             ` Patrick McHardy
2015-11-24 15:15               ` Florian Westphal
2015-11-24 15:26                 ` Patrick McHardy
2015-11-24 15:35                   ` Florian Westphal
2015-11-24 15:42                     ` Patrick McHardy
2015-11-25 15:06                       ` Patrick McHardy
2015-11-25 16:23                         ` Pablo Neira Ayuso
2015-11-25 16:34                           ` Patrick McHardy
2015-11-25 16:24                         ` Florian Westphal
2015-11-25 16:46                           ` Patrick McHardy
2015-11-25 17:32                             ` Patrick McHardy
2015-11-25 22:27                               ` Florian Westphal
2015-11-25 23:04                                 ` Patrick McHardy
2015-11-25 23:16                                   ` Florian Westphal
2015-11-25 23:30                                     ` Patrick McHardy
2015-11-25 23:42                                 ` Patrick McHardy
2015-11-25 23:56                                   ` Florian Westphal
2015-11-25 22:52                             ` Florian Westphal
2015-11-25 23:15                               ` Patrick McHardy
2015-11-25 23:19                                 ` Florian Westphal
2015-11-26 10:50                             ` Patrick McHardy
2015-11-26 11:03                               ` Florian Westphal
2015-11-26 11:42                                 ` Patrick McHardy
2015-11-25 16:49                         ` Jan Engelhardt
2015-11-25 16:53                           ` Patrick McHardy
2015-11-25 17:14                             ` Jan Engelhardt
2015-11-25 17:24                               ` Patrick McHardy
2015-11-25  0:57   ` Patrick McHardy
2015-11-24 10:02 ` [PATCH libnftnl 4/6] src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIAS Florian Westphal
2015-11-24 10:11   ` Pablo Neira Ayuso
2015-11-24 10:02 ` [PATCH libnftnl 5/6] src: add trace infrastructure support Florian Westphal
2015-11-24 12:16   ` Patrick McHardy
2015-11-24 14:53     ` Patrick McHardy
2015-11-24 10:02 ` [PATCH nftables 6/6] src: add trace support to nft monitor mode Florian Westphal
2015-11-24 10:25   ` Patrick McHardy
2015-11-24 10:48     ` Florian Westphal
2015-11-24 10:58       ` Patrick McHardy
2015-11-24 11:01         ` Pablo Neira Ayuso
2015-11-24 11:07           ` Patrick McHardy
2015-11-24 11:14             ` Pablo Neira Ayuso
2015-11-24 11:14         ` Florian Westphal
2015-11-24 11:41           ` Patrick McHardy
2015-11-24 10:53     ` Pablo Neira Ayuso
2015-11-24 11:04       ` Patrick McHardy
2015-11-24 11:12         ` Pablo Neira Ayuso
2015-11-24 11:36           ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151125101329.GH23215@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).