From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next v2 0/4] netfilter: add hook dump feature
Date: Tue, 25 May 2021 22:51:29 +0200
Message-ID: <20210525205133.5718-1-fw@strlen.de>

Changes in v2:
Patch 1: init 'ret' to avoid uninitialised value
Patch 4:
 - include attribute that this is about nf_tables to
   allow later extension to x_tables if needed for some reason.

Enable dump of the registered netfilter hooks to userspace.
This allows userspace to peek at the active hooks for each family/hook
point.

Example:
$ nft list hook ip type input
family ip hook input {
	+0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input
	+0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT
	+0000000100 nf_nat_ipv4_local_in [nf_nat]
	+2147483647 ipv4_confirm [nf_conntrack]
}

Implementation is done in nf_tables.
Alternative would be to add this as a separate/new nfnetlink family.
Let me know if that's the preferred route and I will respin.
I did this in nf_tables because it allows re-use of the existing
nft_hook_attributes and it seemed strange to add a new kernel module
for this.

Florian Westphal (4):
  netfilter: nf_tables: allow to dump all registered base hooks
  netfilter: nf_tables: include function and module name in hook dumps
  netfilter: annotate nf_tables base hook ops
  netfilter: nf_tables: include table and chain name when dumping hooks

 include/linux/netfilter.h                |  12 +-
 include/uapi/linux/netfilter/nf_tables.h |  30 +++
 net/netfilter/core.c                     |   6 +
 net/netfilter/nf_queue.c                 |   4 +-
 net/netfilter/nf_tables_api.c            | 286 ++++++++++++++++++++++-
 5 files changed, 334 insertions(+), 4 deletions(-)
--
2.26.3