[nft PATCH v3] configure: Implement --enable-profiling option

[nft PATCH v3] configure: Implement --enable-profiling option

[Phil Sutter]

This will set compiler flag --coverage so code coverage may be inspected
using gcov.

In order to successfully profile processes which are killed or
interrupted as well, add a signal handler for those cases which calls
exit(). This is relevant for test cases invoking nft monitor.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v2:
- Include profiling option value in configure's final status report
- Fix build for --enable-profiling
- Add copyright statement to new source file

Changes since v1:
- Add src/profiling.c and include/profiling.h to keep conditionally
  built code separate
---
 .gitignore          |  5 +++++
 Makefile.am         | 21 +++++++++++++++++++++
 configure.ac        | 10 +++++++++-
 include/profiling.h | 10 ++++++++++
 src/main.c          |  3 +++
 src/profiling.c     | 36 ++++++++++++++++++++++++++++++++++++
 6 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 include/profiling.h
 create mode 100644 src/profiling.c

diff --git a/.gitignore b/.gitignore
index 719829b65d212..8673393fac397 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,11 @@ nftversion.h
 # cscope files
 /cscope.*
 
+# gcov-related
+*.gcda
+*.gcno
+*.gcov
+
 # Generated by tests
 *.payload.got
 tests/build/tests.log
diff --git a/Makefile.am b/Makefile.am
index bff746b53a0b4..5dfd2606e0fc7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -96,6 +96,7 @@ noinst_HEADERS = \
 	include/owner.h \
 	include/parser.h \
 	include/payload.h \
+	include/profiling.h \
 	include/proto.h \
 	include/rt.h \
 	include/rule.h \
@@ -163,6 +164,10 @@ AM_CFLAGS = \
 
 AM_YFLAGS = -d -Wno-yacc
 
+if BUILD_PROFILING
+AM_CFLAGS += --coverage
+endif
+
 ###############################################################################
 
 BUILT_SOURCES += src/parser_bison.h
@@ -297,6 +302,10 @@ if BUILD_CLI
 src_nft_SOURCES += src/cli.c
 endif
 
+if BUILD_PROFILING
+src_nft_SOURCES += src/profiling.c
+endif
+
 src_nft_LDADD = src/libnftables.la
 
 ###############################################################################
@@ -453,3 +462,15 @@ TESTS = tests/build/run-tests.sh \
 	tests/py/nft-test.py \
 	tests/shell/run-tests.sh
 endif
+
+all_c_sources = $(filter %.c,$(src_libnftables_la_SOURCES)) $(src_nft_SOURCES)
+if BUILD_MINIGMP
+all_c_sources += $(src_libminigmp_la_SOURCES)
+endif
+if BUILD_AFL
+all_c_sources += $(tools_nft_afl_SOURCES)
+endif
+CLEANFILES += src/libparser_la-parser_bison.gcno
+CLEANFILES += src/libparser_la-scanner.gcno
+CLEANFILES += $(all_c_sources:.c=.gcno)
+CLEANFILES += $(src_nft_SOURCES:.c=.gcda)
diff --git a/configure.ac b/configure.ac
index 022608627908a..0d3ee2ac89f69 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,13 @@ AC_ARG_ENABLE([distcheck],
 	      [enable_distcheck=yes], [])
 AM_CONDITIONAL([BUILD_DISTCHECK], [test "x$enable_distcheck" = "xyes"])
 
+AC_ARG_ENABLE([profiling],
+	      AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]),
+	      [enable_profiling="$enableval"], [enable_profiling="no"])
+AM_CONDITIONAL([BUILD_PROFILING], [test "x$enable_profiling" = xyes])
+AM_COND_IF([BUILD_PROFILING],
+	   [AC_DEFINE([BUILD_PROFILING], [1], [Define for profiling])])
+
 AC_CONFIG_FILES([					\
 		Makefile				\
 		libnftables.pc				\
@@ -170,7 +177,8 @@ echo "
   use mini-gmp:			${with_mini_gmp}
   enable man page:              ${enable_man_doc}
   libxtables support:		${with_xtables}
-  json output support:          ${with_json}"
+  json output support:          ${with_json}
+  collect profiling data:       ${enable_profiling}"
 
 if test "x$unitdir" != "x"; then
 AC_SUBST([unitdir])
diff --git a/include/profiling.h b/include/profiling.h
new file mode 100644
index 0000000000000..75531184614c3
--- /dev/null
+++ b/include/profiling.h
@@ -0,0 +1,10 @@
+#ifndef NFTABLES_PROFILING_H
+#define NFTABLES_PROFILING_H
+
+#ifdef BUILD_PROFILING
+void setup_sighandler(void);
+#else
+static inline void setup_sighandler(void) { /* empty */ }
+#endif
+
+#endif /* NFTABLES_PROFILING_H */
diff --git a/src/main.c b/src/main.c
index 29b0533dee7c9..163d9312b20f4 100644
--- a/src/main.c
+++ b/src/main.c
@@ -19,6 +19,7 @@
 #include <sys/types.h>
 
 #include <nftables/libnftables.h>
+#include <profiling.h>
 #include <utils.h>
 #include <cli.h>
 
@@ -375,6 +376,8 @@ int main(int argc, char * const *argv)
 	if (getuid() != geteuid())
 		_exit(111);
 
+	setup_sighandler();
+
 	if (!nft_options_check(argc, argv))
 		exit(EXIT_FAILURE);
 
diff --git a/src/profiling.c b/src/profiling.c
new file mode 100644
index 0000000000000..912ead9d7eb94
--- /dev/null
+++ b/src/profiling.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) Red Hat GmbH.  Author: Phil Sutter <phil@nwl.cc>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or any
+ * later) as published by the Free Software Foundation.
+ */
+
+#include <nft.h>
+#include <profiling.h>
+
+#include <signal.h>
+#include <stdio.h>
+
+static void termhandler(int signo)
+{
+	switch (signo) {
+	case SIGTERM:
+		exit(143);
+	case SIGINT:
+		exit(130);
+	}
+}
+
+void setup_sighandler(void)
+{
+	struct sigaction act = {
+		.sa_handler = termhandler,
+	};
+
+	if (sigaction(SIGTERM, &act, NULL) == -1 ||
+	    sigaction(SIGINT, &act, NULL) == -1) {
+		perror("sigaction");
+		exit(1);
+	}
+}
-- 
2.51.0

Re: [nft PATCH v3] configure: Implement --enable-profiling option

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> This will set compiler flag --coverage so code coverage may be inspected
> using gcov.
> 
> In order to successfully profile processes which are killed or
> interrupted as well, add a signal handler for those cases which calls
> exit(). This is relevant for test cases invoking nft monitor.
>
> index 0000000000000..912ead9d7eb94
> --- /dev/null
> +++ b/src/profiling.c
> @@ -0,0 +1,36 @@
> +/*
> + * Copyright (c) Red Hat GmbH.  Author: Phil Sutter <phil@nwl.cc>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 (or any
> + * later) as published by the Free Software Foundation.
> + */
> +
> +#include <nft.h>
> +#include <profiling.h>
> +
> +#include <signal.h>
> +#include <stdio.h>
> +
> +static void termhandler(int signo)
> +{
> +	switch (signo) {
> +	case SIGTERM:
> +		exit(143);
> +	case SIGINT:
> +		exit(130);

Unfortunately I can't find exit(3) in the list of async-signal safe
functions, so I have to assume this isn't allowed.

From a quick glance, I would suggest to either use self-pipe-trick, or,
given nft is linux specific anyway, use signalfd(2) instead of a
traditional handler; then, stuff the fd into mnl_nft_event_listener
select().

Sorry, I did not think of this earlier.  If I'm wrong and this is safe,

Re: [nft PATCH v3] configure: Implement --enable-profiling option

[Florian Westphal]

Florian Westphal <fw@strlen.de> wrote:
> Sorry, I did not think of this earlier.  If I'm wrong and this is safe,

Grrr, this was supposed to go on with:
"... then please just push this out."

Re: [nft PATCH v3] configure: Implement --enable-profiling option

[Phil Sutter]

On Thu, Feb 12, 2026 at 01:08:17AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > This will set compiler flag --coverage so code coverage may be inspected
> > using gcov.
> > 
> > In order to successfully profile processes which are killed or
> > interrupted as well, add a signal handler for those cases which calls
> > exit(). This is relevant for test cases invoking nft monitor.
> >
> > index 0000000000000..912ead9d7eb94
> > --- /dev/null
> > +++ b/src/profiling.c
> > @@ -0,0 +1,36 @@
> > +/*
> > + * Copyright (c) Red Hat GmbH.  Author: Phil Sutter <phil@nwl.cc>
> > + *
> > + * This program is free software; you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License version 2 (or any
> > + * later) as published by the Free Software Foundation.
> > + */
> > +
> > +#include <nft.h>
> > +#include <profiling.h>
> > +
> > +#include <signal.h>
> > +#include <stdio.h>
> > +
> > +static void termhandler(int signo)
> > +{
> > +	switch (signo) {
> > +	case SIGTERM:
> > +		exit(143);
> > +	case SIGINT:
> > +		exit(130);
> 
> Unfortunately I can't find exit(3) in the list of async-signal safe
> functions, so I have to assume this isn't allowed.

You're right. At least since exit() runs atexit() callbacks, it is very
unlikely this is async-signal-safe.

> From a quick glance, I would suggest to either use self-pipe-trick, or,
> given nft is linux specific anyway, use signalfd(2) instead of a
> traditional handler; then, stuff the fd into mnl_nft_event_listener
> select().

I'll go with signalfd() as it's simpler than the self-pipe and hooking
into mnl_nft_event_listener is required in both cases.

> Sorry, I did not think of this earlier.  If I'm wrong and this is safe,

Thanks for the pointers! I'm not very familiar with writing signal
handlers.

Cheers, Phil