From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next 2/4] netfilter: nf_tables: include function and module name in hook dumps
Date: Fri, 21 May 2021 13:39:20 +0200
Message-ID: <20210521113922.20798-3-fw@strlen.de>
In-Reply-To: <20210521113922.20798-1-fw@strlen.de>

If KALLSYMS is available, include the hook function name and the
module name that registered the hook.

This avoids the need to manually annotate all existing hooks.

Example output:
family ip hook prerouting {
-0000000300 iptable_raw_hook [iptable_raw]
-0000000150 iptable_mangle_hook [iptable_mangle]
-0000000100 nf_nat_ipv4_pre_routing [nf_nat]
}
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter.h | 4 ++++
include/uapi/linux/netfilter/nf_tables.h | 4 ++++
net/netfilter/core.c | 6 ++++++
net/netfilter/nf_tables_api.c | 13 +++++++++++++
4 files changed, 27 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index f0f3a8354c3c..63f77794f5ed 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -195,6 +195,10 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state,
const struct nf_hook_entries *e);
+
+bool nf_get_hook_info(const struct nf_hook_ops *ops,
+ char fn[KSYM_NAME_LEN], char **module_name);
+
/**
* nf_hook - call a netfilter hook
*
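Review bot: the nf_get_hook_info() prototype uses KSYM_NAME_LEN as an array bound, but this hunk is the only change to netfilter.h (4 insertions in the diffstat) and it adds no #include <linux/kallsyms.h>, so the header now relies on every includer having pulled that definition in first. Add the include here, or take a plain char * plus a length argument. A short kernel-doc comment on the prototype would also help: state that the function returns false when the symbol cannot be resolved and that *module_name can come back NULL, which is what the caller in nf_tables_api.c tests for.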
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 5810e41eff33..ba6545a32e34 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -147,6 +147,8 @@ enum nft_list_attributes {
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
* @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
+ * @NFTA_HOOK_FUNCTION_NAME: hook function name (NLA_STRING)
+ * @NFTA_HOOK_MODULE_NAME: kernel module that registered this hook (NLA_STRING)
*/
enum nft_hook_attributes {
NFTA_HOOK_UNSPEC,
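Review bot: the description of NFTA_HOOK_MODULE_NAME says "kernel module that registered this hook", but the value is produced by resolving ops->hook through kallsyms_lookup() in net/netfilter/core.c, which reports the module that contains the hook function. The two are normally the same, yet the comment should describe what is actually reported, for example "kernel module containing the hook function (NLA_STRING)".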
@@ -154,6 +156,8 @@ enum nft_hook_attributes {
NFTA_HOOK_PRIORITY,
NFTA_HOOK_DEV,
NFTA_HOOK_DEVS,
+ NFTA_HOOK_FUNCTION_NAME,
+ NFTA_HOOK_MODULE_NAME,
__NFTA_HOOK_MAX
};
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 63d032191e62..d14715c568c8 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -749,6 +749,12 @@ static struct pernet_operations netfilter_net_ops = {
.exit = netfilter_net_exit,
};
+bool nf_get_hook_info(const struct nf_hook_ops *ops, char fn[KSYM_NAME_LEN], char **modname)
+{
+ return kallsyms_lookup((unsigned long)ops->hook, NULL, NULL, modname, fn);
+}
+EXPORT_SYMBOL_GPL(nf_get_hook_info);
+
int __init netfilter_init(void)
{
int ret;
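Review bot: *modname is handed back to the caller as a bare pointer filled in by kallsyms_lookup(), and nf_tables_dump_one_hook() reads it after this helper has returned; please add a comment above nf_get_hook_info() stating what the caller must hold for that string to stay valid while it is copied into the netlink message. The definition line is also longer than 80 columns and could be wrapped the same way as the prototype in netfilter.h.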
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2bfa80e93658..216f2921be0f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7983,6 +7983,7 @@ static int nf_tables_dump_one_hook(struct sk_buff *nlskb,
{
unsigned int portid = NETLINK_CB(nlskb).portid;
struct net *net = sock_net(nlskb->sk);
+ char *module_name, fn[KSYM_NAME_LEN];
struct nlmsghdr *nlh;
int ret;
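Review bot: module_name is declared without an initialiser and is only ever written through nf_get_hook_info(); initialising it to NULL would keep the if (module_name) test in the next hunk safe even if the helper were to return true without storing the pointer. Declaring the pointer and the KSYM_NAME_LEN-sized array on separate lines would also read better than mixing both in one declaration.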
@@ -7991,6 +7992,18 @@ static int nf_tables_dump_one_hook(struct sk_buff *nlskb,
if (!nlh)
goto nla_put_failure;
+ if (nf_get_hook_info(ops, fn, &module_name)) {
+ ret = nla_put_string(nlskb, NFTA_HOOK_FUNCTION_NAME, fn);
+ if (ret)
+ goto nla_put_failure;
+
+ if (module_name) {
+ ret = nla_put_string(nlskb, NFTA_HOOK_MODULE_NAME, module_name);
+ if (ret)
+ goto nla_put_failure;
+ }
+ }
+
ret = nla_put_be32(nlskb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum));
if (ret)
goto nla_put_failure;
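Review bot: when nf_get_hook_info() returns false both attributes are silently left out of the message, and NFTA_HOOK_MODULE_NAME is additionally skipped when module_name is NULL, so userspace cannot rely on either one being present. Say so in the attribute documentation in nf_tables.h (both attributes optional) so that parsers of the dump treat a missing function or module name as a normal case rather than an error.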
--
2.26.3