[PATCH ulogd2,v2 1/4] ulogd: add linux namespace helper

[PATCH ulogd2,v2 1/4] ulogd: add linux namespace helper

[Corubba Smith]

The new namespace helper provides an internal stable interface for
plugins to use for switching various linux namespaces. Currently only
network namespaces are supported/implemented, but can easily be extended
if needed. autoconf will enable it automatically if the required symbols
are available. If ulogd is compiled without namespace support, the
functions will simply return an error, there is no need for conditional
compilation or special handling in plugin code.

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
Changes in v2:
  - Split the single patch into multiple
  - Moved the namespace code to a dedicated helper (Florian Westphal)
  - Implemented network namespace support for NFCT polling mode, NFLOG
    and NFACCT plugins. I skipped ULOG because it's removed from the
    kernel since 7200135bc1e6 ("netfilter: kill ulog targets") aka v3.17
  - Link to v1: https://lore.kernel.org/netfilter-devel/7d1478b6-ec25-4286-a365-ce28293f4a40@gmx.de/

 configure.ac              |  22 ++++
 include/ulogd/Makefile.am |   4 +-
 include/ulogd/namespace.h |   8 ++
 src/Makefile.am           |   3 +-
 src/namespace.c           | 237 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 272 insertions(+), 2 deletions(-)
 create mode 100644 include/ulogd/namespace.h
 create mode 100644 src/namespace.c

diff --git a/configure.ac b/configure.ac
index 3c9249e..2b193d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -243,6 +243,27 @@ AS_IF([test "x$enable_json" != "xno"],
 AS_IF([test "x$libjansson_LIBS" != "x"], [enable_json=yes], [enable_json=no])
 AM_CONDITIONAL([HAVE_JANSSON], [test "x$libjansson_LIBS" != "x"])

+AC_ARG_ENABLE([namespace],
+              [AS_HELP_STRING([--enable-namespace], [Enable linux namespace functionality in plugins supporting it [default=test]])])
+AS_IF([test "x$enable_namespace" != "xno"], [
+  AC_CHECK_DECLS([setns, CLONE_NEWNET], [
+    enable_namespace=yes
+  ], [
+    AS_IF([test "x$enable_namespace" = "xyes"], [
+      AC_MSG_ERROR([linux namespace support enabled, but required symbols not available])
+    ], [
+      enable_namespace=no
+    ])
+  ], [[
+    #define _GNU_SOURCE 1
+    #include <fcntl.h>
+    #include <sched.h>
+  ]])
+])
+AS_IF([test "x$enable_namespace" = "xyes"], [
+  AC_DEFINE([ENABLE_NAMESPACE], [1], [Define to 1 if you want linux namespace support.])
+])
+
 AC_ARG_WITH([ulogd2libdir],
             [AS_HELP_STRING([--with-ulogd2libdir=PATH], [Default directory to load ulogd2 plugin from [[LIBDIR/ulogd]]])],
             [ulogd2libdir="$withval"],
@@ -293,6 +314,7 @@ EXPAND_VARIABLE(ulogd2libdir, e_ulogd2libdir)
 echo "
 Ulogd configuration:
   Default plugins directory:		${e_ulogd2libdir}
+  Linux namespace support:		${enable_namespace}
   Input plugins:
     NFLOG plugin:			${enable_nflog}
     NFCT plugin:			${enable_nfct}
diff --git a/include/ulogd/Makefile.am b/include/ulogd/Makefile.am
index e4b41c4..65d74ba 100644
--- a/include/ulogd/Makefile.am
+++ b/include/ulogd/Makefile.am
@@ -1 +1,3 @@
-noinst_HEADERS = conffile.h db.h ipfix_protocol.h linuxlist.h ulogd.h printpkt.h printflow.h common.h linux_rbtree.h timer.h slist.h hash.h jhash.h addr.h
+noinst_HEADERS = addr.h common.h conffile.h db.h hash.h ipfix_protocol.h \
+                 jhash.h linux_rbtree.h linuxlist.h namespace.h printflow.h \
+                 printpkt.h slist.h timer.h ulogd.h
diff --git a/include/ulogd/namespace.h b/include/ulogd/namespace.h
new file mode 100644
index 0000000..48e2e9a
--- /dev/null
+++ b/include/ulogd/namespace.h
@@ -0,0 +1,8 @@
+#ifndef _NAMESPACE_H_
+#define _NAMESPACE_H_
+
+int join_netns_fd(const int target_netns_fd, int *const source_netns_fd_ptr);
+int join_netns_path(const char *const target_netns_path,
+                    int *const source_netns_fd_ptr);
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
index 7a12a72..4004c2b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -6,6 +6,7 @@ AM_CPPFLAGS += -DULOGD_CONFIGFILE='"$(sysconfdir)/ulogd.conf"' \

 sbin_PROGRAMS = ulogd

-ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c addr.c
+ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c \
+                addr.c namespace.c
 ulogd_LDADD   = ${libdl_LIBS} ${libpthread_LIBS}
 ulogd_LDFLAGS = -export-dynamic
diff --git a/src/namespace.c b/src/namespace.c
new file mode 100644
index 0000000..f9f23d4
--- /dev/null
+++ b/src/namespace.c
@@ -0,0 +1,237 @@
+/* namespace helper
+ *
+ * userspace logging daemon for the netfilter subsystem
+ *
+ * (C) 2025 The netfilter project
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Description:
+ *  Helper library to switch linux namespaces, primarily network. Provides
+ *  ulogd-internally a stable api regardless whether namespace support is
+ *  compiled in. Library-internally uses conditional compilation to allow the
+ *  wanted level (full/none) of namespace support. Namespaces can be specified
+ *  as open file descriptor or file path.
+ */
+
+#include "config.h"
+
+/* Enable GNU extension */
+#define _GNU_SOURCE 1
+
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "ulogd/ulogd.h"
+#include "ulogd/namespace.h"
+
+
+#ifdef ENABLE_NAMESPACE
+/**
+ * open_namespace_path() - Open a namespace link by path.
+ * @ns_path: Path of the file to open.
+ *
+ * Effectively just a wrapper around the open() syscall with fixed flags
+ * suitable for namespaces.
+ *
+ * Return: Open fd on success, -1 on error (and set errno).
+ */
+static int open_namespace_path(const char *const ns_path) {
+	return open(ns_path, O_RDONLY | O_CLOEXEC);
+}
+
+/**
+ * SELF_NAMESPACE_PATH() - Path for own current namespace.
+ * @x: Name of the namespace link.
+ *
+ * Return: String-constant of the absolute path to the namespace link.
+ */
+#define SELF_NAMESPACE_PATH(x) "/proc/self/ns/" #x
+
+/**
+ * open_source_namespace() - Get file descriptor to current namespace.
+ * @nstype: Namespace type, use one of the CLONE_NEW* constants.
+ *
+ * Return: Open fd on success, -1 on error.
+ */
+static int open_source_namespace(const int nstype) {
+	const char *ns_path = NULL;
+	int ns_fd = -1;
+
+	switch (nstype) {
+	case CLONE_NEWNET:
+		ns_path = SELF_NAMESPACE_PATH(net);
+		break;
+	default:
+		ulogd_log(ULOGD_FATAL,
+		          "unsupported namespace type: %d\n", nstype);
+		return -1;
+	}
+
+	ns_fd = open_namespace_path(ns_path);
+	if (ns_fd < 0) {
+		ulogd_log(ULOGD_FATAL,
+		          "error opening namespace '%s': %s\n",
+		          ns_path, strerror(errno));
+		return -1;
+	}
+
+	return ns_fd;
+}
+#else
+
+/* These constants are used by the nstype-specific functions, and need to be
+ * defined even when no namespace support is available because only the generic
+ * functions will error.
+ */
+#define CLONE_NEWNET -1
+
+#endif /* ENABLE_NAMESPACE */
+
+/**
+ * join_namespace_fd() - Join a namespace by file descriptor.
+ * @nstype: Namespace type, use one of the CLONE_NEW* constants.
+ * @target_ns_fd: Open file descriptor of the namespace to join. Will be closed
+ *                after successful join.
+ * @source_ns_fd_ptr: If not NULL, write an open fd of the previous namespace to
+ *                    it if join was successful. May point to negative value
+ *                    after return.
+ *
+ * Return: ULOGD_IRET_OK on success, ULOGD_IRET_ERR otherwise.
+ */
+static int join_namespace_fd(const int nstype, const int target_ns_fd,
+                             int *const source_ns_fd_ptr)
+{
+#ifdef ENABLE_NAMESPACE
+	if (target_ns_fd < 0) {
+		ulogd_log(ULOGD_DEBUG, "invalid target namespace fd\n");
+		return ULOGD_IRET_ERR;
+	}
+
+	if (source_ns_fd_ptr != NULL) {
+		*source_ns_fd_ptr = open_source_namespace(nstype);
+		if (*source_ns_fd_ptr < 0) {
+			ulogd_log(ULOGD_FATAL,
+			          "error opening source namespace\n");
+			return ULOGD_IRET_ERR;
+		}
+	}
+
+	if (setns(target_ns_fd, nstype) < 0) {
+		ulogd_log(ULOGD_FATAL, "error joining target namespace: %s\n",
+		          strerror(errno));
+
+		if (source_ns_fd_ptr != NULL) {
+			if (close(*source_ns_fd_ptr) < 0) {
+				ulogd_log(ULOGD_NOTICE,
+				          "error closing source namespace: %s\n",
+				          strerror(errno));
+			}
+			*source_ns_fd_ptr = -1;
+		}
+
+		return ULOGD_IRET_ERR;
+	}
+	ulogd_log(ULOGD_DEBUG, "successfully switched namespace\n");
+
+	if (close(target_ns_fd) < 0) {
+		ulogd_log(ULOGD_NOTICE, "error closing target namespace: %s\n",
+		          strerror(errno));
+	}
+
+	return ULOGD_IRET_OK;
+#else
+	if (source_ns_fd_ptr != NULL) {
+		*source_ns_fd_ptr = -1;
+	}
+	ulogd_log(ULOGD_FATAL,
+	          "ulogd was compiled without linux namespace support.\n");
+	return ULOGD_IRET_ERR;
+#endif /* ENABLE_NAMESPACE */
+}
+
+/**
+ * join_namespace_path() - Join a namespace by path.
+ * @nstype: Namespace type, use one of the CLONE_NEW* constants.
+ * @target_ns_path: Path of the namespace to join.
+ * @source_ns_fd_ptr: If not NULL, write an open fd of the previous namespace to
+ *                    it if join was successful. May point to negative value
+ *                    after return.
+ *
+ * Return: ULOGD_IRET_OK on success, ULOGD_IRET_ERR otherwise.
+ */
+static int join_namespace_path(const int nstype, const char *const target_ns_path,
+                               int *const source_ns_fd_ptr)
+{
+#ifdef ENABLE_NAMESPACE
+	int target_ns_fd, ret;
+
+	target_ns_fd = open_namespace_path(target_ns_path);
+	if (target_ns_fd < 0) {
+		ulogd_log(ULOGD_FATAL, "error opening target namespace: %s\n",
+		          strerror(errno));
+		return ULOGD_IRET_ERR;
+	}
+
+	ret = join_namespace_fd(nstype, target_ns_fd, source_ns_fd_ptr);
+	if (ret != ULOGD_IRET_OK) {
+		if (close(target_ns_fd) < 0) {
+			ulogd_log(ULOGD_NOTICE,
+			          "error closing target namespace: %s\n",
+			          strerror(errno));
+		}
+		return ULOGD_IRET_ERR;
+	}
+
+	return ULOGD_IRET_OK;
+#else
+	return join_namespace_fd(nstype, -1, source_ns_fd_ptr);
+#endif /* ENABLE_NAMESPACE */
+}
+
+
+/**
+ * join_netns_fd() - Join a network namespace by file descriptor.
+ * @target_netns_fd: Open file descriptor of the network namespace to join. Will
+ *                   be closed after successful join.
+ * @source_netns_fd_ptr: If not NULL, write an open fd of the previous network
+ *                       namespace to it if join was successful. May point to
+ *                       negative value after return.
+ *
+ * Return: ULOGD_IRET_OK on success, ULOGD_IRET_ERR otherwise.
+ */
+int join_netns_fd(const int target_netns_fd, int *const source_netns_fd_ptr)
+{
+	return join_namespace_fd(CLONE_NEWNET, target_netns_fd,
+	                         source_netns_fd_ptr);
+}
+
+/**
+ * join_netns_path() - Join a network namespace by path.
+ * @target_netns_path: Path of the network namespace to join.
+ * @source_netns_fd_ptr: If not NULL, write an open fd of the previous network
+ *                       namespace to it if join was successful. May point to
+ *                       negative value after return.
+ *
+ * Return: ULOGD_IRET_OK on success, ULOGD_IRET_ERR otherwise.
+ */
+int join_netns_path(const char *const target_netns_path,
+                    int *const source_netns_fd_ptr)
+{
+	return join_namespace_path(CLONE_NEWNET, target_netns_path,
+	                           source_netns_fd_ptr);
+}
--
2.49.0

[PATCH ulogd2,v2 2/4] nfct: add network namespace support

[Corubba Smith]

Allow the plugin to fetch data from a different network namespace. This
is possible by changing the network namespace before opening the netlink
socket, and immediately changing back to the original network namespace
once the socket is open. The number of nfct_open usages here warranted a
dedicated wrapper function.

If changing back to the original network namespace fails, ulogd will
log an error, but continue to run in a different network namespace than
it was started in, which may cause unexpected behaviour. But I don't see
a way to properly "escalate" it such that ulogd aborts entirely.

Also slightly adjust the error log messages to specify which socket
failed to open.

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
 input/flow/ulogd_inpflow_NFCT.c | 81 +++++++++++++++++++++++++++------
 ulogd.conf.in                   |  1 +
 2 files changed, 69 insertions(+), 13 deletions(-)

diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 93edb76..7168b24 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -45,6 +45,7 @@
 #include <ulogd/timer.h>
 #include <ulogd/ipfix_protocol.h>
 #include <ulogd/addr.h>
+#include <ulogd/namespace.h>

 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>

@@ -78,7 +79,7 @@ struct nfct_pluginstance {
 #define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY

 static struct config_keyset nfct_kset = {
-	.num_ces = 12,
+	.num_ces = 13,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -149,6 +150,11 @@ static struct config_keyset nfct_kset = {
 			.type	 = CONFIG_TYPE_STRING,
 			.options = CONFIG_OPT_NONE,
 		},
+		{
+			.key     = "network_namespace_path",
+			.type    = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -163,6 +169,7 @@ static struct config_keyset nfct_kset = {
 #define src_filter_ce(x)	((x)->ces[9])
 #define dst_filter_ce(x)	((x)->ces[10])
 #define proto_filter_ce(x)	((x)->ces[11])
+#define network_namespace_path_ce(x)	((x)->ces[12])

 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -979,6 +986,54 @@ static int read_cb_ovh(int fd, unsigned int what, void *param)
 	return 0;
 }

+/**
+ * nfct_open_in_netns() - Open conntrack netlink socket in a namespace
+ * @subscriptions: ctnetlink groups to subscribe to events
+ * @target_netns_path: path to the network namespace, can be NULL
+ *
+ * On error, NULL is returned and errno is explicitly set.
+ */
+struct nfct_handle *nfct_open_in_netns(unsigned int subscriptions,
+                                       const char *const target_netns_path)
+{
+	struct nfct_handle *result = NULL;
+	int source_netns_fd = -1;
+
+	if ((target_netns_path != NULL) &&
+	    (strlen(target_netns_path) > 0) &&
+	    (join_netns_path(target_netns_path, &source_netns_fd) != ULOGD_IRET_OK)) {
+		ulogd_log(ULOGD_FATAL, "error joining target network "
+		                       "namespace\n");
+		goto err_tns;
+	}
+
+	result = nfct_open(NFNL_SUBSYS_CTNETLINK, subscriptions);
+	if (result == NULL) {
+		ulogd_log(ULOGD_FATAL, "error opening ctnetlink: %s\n",
+		                       strerror(errno));
+		goto err_nfct;
+	}
+
+	if ((target_netns_path != NULL) &&
+	    (strlen(target_netns_path) > 0) &&
+	    (join_netns_fd(source_netns_fd, NULL) != ULOGD_IRET_OK)) {
+		ulogd_log(ULOGD_FATAL, "error joining source network "
+		                       "namespace\n");
+		goto err_sns;
+	}
+	source_netns_fd = -1;
+
+	return result;
+
+err_sns:
+	nfct_close(result);
+err_nfct:
+	if (source_netns_fd >= 0)
+		close(source_netns_fd);
+err_tns:
+	return NULL;
+}
+
 static int
 dump_reset_handler(enum nf_conntrack_msg_type type,
 		   struct nf_conntrack *ct, void *data)
@@ -1025,7 +1080,7 @@ static void get_ctr_zero(struct ulogd_pluginstance *upi)
 	struct nfct_handle *h;
 	int family = AF_UNSPEC;

-	h = nfct_open(CONNTRACK, 0);
+	h = nfct_open_in_netns(0, network_namespace_path_ce(upi->config_kset).u.string);
 	if (h == NULL) {
 		ulogd_log(ULOGD_FATAL, "Cannot dump and reset counters\n");
 		return;
@@ -1301,10 +1356,10 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 			(struct nfct_pluginstance *)upi->private;


-	cpi->cth = nfct_open(NFNL_SUBSYS_CTNETLINK,
-			     eventmask_ce(upi->config_kset).u.value);
+	cpi->cth = nfct_open_in_netns(eventmask_ce(upi->config_kset).u.value,
+	                              network_namespace_path_ce(upi->config_kset).u.string);
 	if (!cpi->cth) {
-		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+		ulogd_log(ULOGD_FATAL, "error opening event netlink socket\n");
 		goto err_cth;
 	}

@@ -1372,9 +1427,9 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 		/* populate the hashtable: we use a disposable handler, we
 		 * may hit overrun if we use cpi->cth. This ensures that the
 		 * initial dump is successful. */
-		h = nfct_open(CONNTRACK, 0);
+		h = nfct_open_in_netns(0, network_namespace_path_ce(upi->config_kset).u.string);
 		if (!h) {
-			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			ulogd_log(ULOGD_FATAL, "error opening initial-fill netlink socket\n");
 			goto err_ovh;
 		}
 		nfct_callback_register(h, NFCT_T_ALL,
@@ -1384,9 +1439,9 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)

 		/* the overrun handler only make sense with the hashtable,
 		 * if we hit overrun, we resync with ther kernel table. */
-		cpi->ovh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
+		cpi->ovh = nfct_open_in_netns(0, network_namespace_path_ce(upi->config_kset).u.string);
 		if (!cpi->ovh) {
-			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			ulogd_log(ULOGD_FATAL, "error opening overrun-read netlink socket\n");
 			goto err_ovh;
 		}

@@ -1403,9 +1458,9 @@ static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 		ulogd_register_fd(&cpi->nfct_ov);

 		/* we use this to purge old entries during overruns.*/
-		cpi->pgh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
+		cpi->pgh = nfct_open_in_netns(0, network_namespace_path_ce(upi->config_kset).u.string);
 		if (!cpi->pgh) {
-			ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+			ulogd_log(ULOGD_FATAL, "error opening overrun-purge netlink socket\n");
 			goto err_pgh;
 		}
 	}
@@ -1438,9 +1493,9 @@ static int constructor_nfct_polling(struct ulogd_pluginstance *upi)
 		goto err;
 	}

-	cpi->pgh = nfct_open(NFNL_SUBSYS_CTNETLINK, 0);
+	cpi->pgh = nfct_open_in_netns(0, network_namespace_path_ce(upi->config_kset).u.string);
 	if (!cpi->pgh) {
-		ulogd_log(ULOGD_FATAL, "error opening ctnetlink\n");
+		ulogd_log(ULOGD_FATAL, "error opening polling netlink socket\n");
 		goto err;
 	}
 	nfct_callback_register(cpi->pgh, NFCT_T_ALL, &polling_handler, upi);
diff --git a/ulogd.conf.in b/ulogd.conf.in
index 9a04bf7..f7e3fa3 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -139,6 +139,7 @@ logfile="/var/log/ulogd.log"
 #netlink_socket_buffer_size=217088
 #netlink_socket_buffer_maxsize=1085440
 #reliable=1 # enable reliable flow-based logging (may drop packets)
+#network_namespace_path=/run/netns/other # import flows from a different network namespace
 hash_enable=0

 # Logging of system packet through NFLOG
--
2.49.0

[PATCH ulogd2,v2 3/4] nflog: add network namespace support

[Corubba Smith]

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
 input/packet/ulogd_inppkt_NFLOG.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c
index 62b3963..f99272e 100644
--- a/input/packet/ulogd_inppkt_NFLOG.c
+++ b/input/packet/ulogd_inppkt_NFLOG.c
@@ -10,6 +10,7 @@
 #include <stdbool.h>

 #include <ulogd/ulogd.h>
+#include <ulogd/namespace.h>
 #include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 #ifdef BUILD_NFCT
@@ -40,7 +41,7 @@ struct nflog_input {
 /* configuration entries */

 static struct config_keyset libulog_kset = {
-	.num_ces = 12,
+	.num_ces = 13,
 	.ces = {
 		{
 			.key 	 = "bufsize",
@@ -115,6 +116,11 @@ static struct config_keyset libulog_kset = {
 			.options = CONFIG_OPT_NONE,
 			.u.value = 0,
 		},
+		{
+			.key     = "network_namespace_path",
+			.type    = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	}
 };

@@ -130,6 +136,7 @@ static struct config_keyset libulog_kset = {
 #define nlthreshold_ce(x) (x->ces[9])
 #define nltimeout_ce(x) (x->ces[10])
 #define attach_conntrack_ce(x) (x->ces[11])
+#define network_namespace_path_ce(x) (x->ces[12])

 enum nflog_keys {
 	NFLOG_KEY_RAW_MAC = 0,
@@ -585,11 +592,31 @@ static int start(struct ulogd_pluginstance *upi)
 	if (!ui->nfulog_buf)
 		goto out_buf;

+	const char *const target_netns_path =
+			network_namespace_path_ce(upi->config_kset).u.string;
+	int source_netns_fd = -1;
+	if ((strlen(target_netns_path) > 0) &&
+	    (join_netns_path(target_netns_path, &source_netns_fd) != ULOGD_IRET_OK)
+	   ) {
+		ulogd_log(ULOGD_FATAL, "error joining target network "
+		                       "namespace\n");
+		goto out_ns;
+	}
+
 	ulogd_log(ULOGD_DEBUG, "opening nfnetlink socket\n");
 	ui->nful_h = nflog_open();
 	if (!ui->nful_h)
 		goto out_handle;

+	if ((strlen(target_netns_path) > 0) &&
+	    (join_netns_fd(source_netns_fd, NULL) != ULOGD_IRET_OK)
+	   ) {
+		ulogd_log(ULOGD_FATAL, "error joining source network "
+		                       "namespace\n");
+		goto out_handle;
+	}
+	source_netns_fd = -1;
+
 	/* This is the system logging (conntrack, ...) facility */
 	if ((group_ce(upi->config_kset).u.value == 0) ||
 			(bind_ce(upi->config_kset).u.value > 0)) {
@@ -685,6 +712,8 @@ out_bind:
 	}
 	nflog_close(ui->nful_h);
 out_handle:
+	if (source_netns_fd >= 0) close(source_netns_fd);
+out_ns:
 	free(ui->nfulog_buf);
 out_buf:
 	return -1;
--
2.49.0

[PATCH ulogd2,v2 4/4] nfacct: add network namespace support

[Corubba Smith]

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
 input/sum/ulogd_inpflow_NFACCT.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/input/sum/ulogd_inpflow_NFACCT.c b/input/sum/ulogd_inpflow_NFACCT.c
index bd45df4..97bfd8b 100644
--- a/input/sum/ulogd_inpflow_NFACCT.c
+++ b/input/sum/ulogd_inpflow_NFACCT.c
@@ -20,6 +20,7 @@

 #include <ulogd/ulogd.h>
 #include <ulogd/timer.h>
+#include <ulogd/namespace.h>

 #include <libmnl/libmnl.h>
 #include <libnetfilter_acct/libnetfilter_acct.h>
@@ -52,13 +53,19 @@ static struct config_keyset nfacct_kset = {
 			.type	 = CONFIG_TYPE_INT,
 			.options = CONFIG_OPT_NONE,
 			.u.value = 0,
-		}
+		},
+		{
+			.key	 = "network_namespace_path",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
-	.num_ces = 3,
+	.num_ces = 4,
 };
 #define pollint_ce(x)	(x->ces[0])
 #define zerocounter_ce(x) (x->ces[1])
 #define timestamp_ce(x) (x->ces[2])
+#define network_namespace_path_ce(x) (x->ces[3])

 enum ulogd_nfacct_keys {
 	ULOGD_NFACCT_NAME,
@@ -240,12 +247,33 @@ static int constructor_nfacct(struct ulogd_pluginstance *upi)
 	if (pollint_ce(upi->config_kset).u.value == 0)
 		return -1;

+	const char *const target_netns_path =
+			network_namespace_path_ce(upi->config_kset).u.string;
+	int source_netns_fd = -1;
+	if ((strlen(target_netns_path) > 0) &&
+	    (join_netns_path(target_netns_path, &source_netns_fd) != ULOGD_IRET_OK)
+	   ) {
+		ulogd_log(ULOGD_FATAL, "error joining target network "
+		                       "namespace\n");
+		return -1;
+	}
+
 	cpi->nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (cpi->nl == NULL) {
 		ulogd_log(ULOGD_FATAL, "cannot open netlink socket\n");
 		return -1;
 	}

+	if ((strlen(target_netns_path) > 0) &&
+	    (join_netns_fd(source_netns_fd, NULL) != ULOGD_IRET_OK)
+	   ) {
+		ulogd_log(ULOGD_FATAL, "error joining source network "
+		                       "namespace\n");
+		close(source_netns_fd);
+		return -1;
+	}
+	source_netns_fd = -1;
+
 	if (mnl_socket_bind(cpi->nl, 0, MNL_SOCKET_AUTOPID) < 0) {
 		ulogd_log(ULOGD_FATAL, "cannot bind netlink socket\n");
 		return -1;
--
2.49.0

Re: [PATCH ulogd2,v2 1/4] ulogd: add linux namespace helper

[Florian Westphal]

Corubba Smith <corubba@gmx.de> wrote:
> The new namespace helper provides an internal stable interface for
> plugins to use for switching various linux namespaces. Currently only
> network namespaces are supported/implemented, but can easily be extended
> if needed. autoconf will enable it automatically if the required symbols
> are available. If ulogd is compiled without namespace support, the
> functions will simply return an error, there is no need for conditional
> compilation or special handling in plugin code.
> 
> Signed-off-by: Corubba Smith <corubba@gmx.de>

Looks good to me, I intend to apply this later this week unless
there are objections.

>     and NFACCT plugins. I skipped ULOG because it's removed from the
>     kernel since 7200135bc1e6 ("netfilter: kill ulog targets") aka v3.17

Yeah, ULOG code should just be axed, there is no point in carrying this
in the tree anymore.

> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -6,6 +6,7 @@ AM_CPPFLAGS += -DULOGD_CONFIGFILE='"$(sysconfdir)/ulogd.conf"' \
> 
>  sbin_PROGRAMS = ulogd
> 
> -ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c addr.c
> +ulogd_SOURCES = ulogd.c select.c timer.c rbtree.c conffile.c hash.c \
> +                addr.c namespace.c
>  ulogd_LDADD   = ${libdl_LIBS} ${libpthread_LIBS}
>  ulogd_LDFLAGS = -export-dynamic
> diff --git a/src/namespace.c b/src/namespace.c
> new file mode 100644
> index 0000000..f9f23d4
> --- /dev/null
> +++ b/src/namespace.c
> @@ -0,0 +1,237 @@
> +/* namespace helper
> + *
> + * userspace logging daemon for the netfilter subsystem
> + *
> + * (C) 2025 The netfilter project
> + *
> + *  This program is free software; you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License version 2
> + *  as published by the Free Software Foundation.

I intend to replace all of this with

/* SPDX-License-Identifier: GPL-2.0 */

No need for license boilerplate, IMO.

Re: [PATCH ulogd2,v2 3/4] nflog: add network namespace support

[Florian Westphal]

Corubba Smith <corubba@gmx.de> wrote:
> +	if ((strlen(target_netns_path) > 0) &&
> +	    (join_netns_fd(source_netns_fd, NULL) != ULOGD_IRET_OK)
> +	   ) {
> +		ulogd_log(ULOGD_FATAL, "error joining source network "
> +		                       "namespace\n");
> +		goto out_handle;
> +	}
> +	source_netns_fd = -1;
> +

This looks buggy, but I do realize that join_netns_fd() closes this
for us.

Maybe a comment would help?

Re: [PATCH ulogd2,v2 1/4] ulogd: add linux namespace helper

[Corubba Smith]

On 3/26/25 20:23, Florian Westphal wrote:
> Corubba Smith <corubba@gmx.de> wrote:
>> The new namespace helper provides an internal stable interface for
>> plugins to use for switching various linux namespaces. Currently only
>> network namespaces are supported/implemented, but can easily be extended
>> if needed. autoconf will enable it automatically if the required symbols
>> are available. If ulogd is compiled without namespace support, the
>> functions will simply return an error, there is no need for conditional
>> compilation or special handling in plugin code.
>>
>> Signed-off-by: Corubba Smith <corubba@gmx.de>
>
> Looks good to me, I intend to apply this later this week unless
> there are objections.

If I may be so bold: Friendly reminder that this patchset is not yet
applied, and in the meantime I also sent a v3 [0] incorporating your
feedback.

[0] https://lore.kernel.org/netfilter-devel/3f962848-fe38-4869-8422-f54dacc6a9d6@gmx.de/

--
Corubba

Re: [PATCH ulogd2,v2 1/4] ulogd: add linux namespace helper

[Florian Westphal]

Corubba Smith <corubba@gmx.de> wrote:
> On 3/26/25 20:23, Florian Westphal wrote:
> > Corubba Smith <corubba@gmx.de> wrote:
> >> The new namespace helper provides an internal stable interface for
> >> plugins to use for switching various linux namespaces. Currently only
> >> network namespaces are supported/implemented, but can easily be extended
> >> if needed. autoconf will enable it automatically if the required symbols
> >> are available. If ulogd is compiled without namespace support, the
> >> functions will simply return an error, there is no need for conditional
> >> compilation or special handling in plugin code.
> >>
> >> Signed-off-by: Corubba Smith <corubba@gmx.de>
> >
> > Looks good to me, I intend to apply this later this week unless
> > there are objections.
> 
> If I may be so bold: Friendly reminder that this patchset is not yet
> applied, and in the meantime I also sent a v3 [0] incorporating your
> feedback.

I know, the patches are deferred until after next ulogd2 release which
should happen next week.