* [PATCH nft] netlink: Show the handles of unknown rules in "nft monitor trace"
@ 2020-03-26 15:22 Luis Ressel
2020-04-01 10:41 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Luis Ressel @ 2020-03-26 15:22 UTC (permalink / raw)
To: netfilter-devel; +Cc: Luis Ressel
When "nft monitor trace" doesn't know a rule (because it was only added
to the ruleset after nft was invoked), that rule is silently omitted in
the trace output, which can come as a surprise when debugging issues.
Instead, we can at least show the information we got via netlink, i.e.
the family, table and chain name, rule handle and verdict.
Signed-off-by: Luis Ressel <aranea@aixah.de>
---
src/netlink.c | 42 +++++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index b254753f..0f6af73e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1447,38 +1447,50 @@ static void trace_print_policy(const struct nftnl_trace *nlt,
expr_free(expr);
}
-static void trace_print_rule(const struct nftnl_trace *nlt,
- struct output_ctx *octx, struct nft_cache *cache)
+static struct rule *trace_lookup_rule(const struct nftnl_trace *nlt,
+ uint64_t rule_handle,
+ struct nft_cache *cache)
{
- const struct table *table;
- uint64_t rule_handle;
struct chain *chain;
- struct rule *rule;
+ struct table *table;
struct handle h;
h.family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY);
- h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE);
- h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN);
+ h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE);
+ h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN);
if (!h.table.name)
- return;
+ return NULL;
table = table_lookup(&h, cache);
if (!table)
- return;
+ return NULL;
chain = chain_lookup(table, &h);
if (!chain)
- return;
+ return NULL;
+
+ return rule_lookup(chain, rule_handle);
+}
+
+static void trace_print_rule(const struct nftnl_trace *nlt,
+ struct output_ctx *octx, struct nft_cache *cache)
+{
+ uint64_t rule_handle;
+ struct rule *rule;
rule_handle = nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE);
- rule = rule_lookup(chain, rule_handle);
- if (!rule)
- return;
+ rule = trace_lookup_rule(nlt, rule_handle, cache);
trace_print_hdr(nlt, octx);
- nft_print(octx, "rule ");
- rule_print(rule, octx);
+
+ if (rule) {
+ nft_print(octx, "rule ");
+ rule_print(rule, octx);
+ } else {
+ nft_print(octx, "unknown rule handle %" PRIu64, rule_handle);
+ }
+
nft_print(octx, " (");
trace_print_verdict(nlt, octx);
nft_print(octx, ")\n");
--
2.25.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH nft] netlink: Show the handles of unknown rules in "nft monitor trace"
2020-03-26 15:22 [PATCH nft] netlink: Show the handles of unknown rules in "nft monitor trace" Luis Ressel
@ 2020-04-01 10:41 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-04-01 10:41 UTC (permalink / raw)
To: Luis Ressel; +Cc: netfilter-devel
On Thu, Mar 26, 2020 at 03:22:29PM +0000, Luis Ressel wrote:
> When "nft monitor trace" doesn't know a rule (because it was only added
> to the ruleset after nft was invoked), that rule is silently omitted in
> the trace output, which can come as a surprise when debugging issues.
>
> Instead, we can at least show the information we got via netlink, i.e.
> the family, table and chain name, rule handle and verdict.
Applied, thanks.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-01 10:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-26 15:22 [PATCH nft] netlink: Show the handles of unknown rules in "nft monitor trace" Luis Ressel
2020-04-01 10:41 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.