* [PATCH nf-next v2 0/4] netfilter: add hook dump feature
@ 2021-05-25 20:51 Florian Westphal
  2021-05-25 20:51 ` [PATCH nf-next 1/4] netfilter: nf_tables: allow to dump all registered base hooks Florian Westphal
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Florian Westphal @ 2021-05-25 20:51 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Changes in v2:
 Patch 1: init 'ret' to avoid uninitialised value
 Patch 4:
 - include attribute that this is about nf_tables to
   allow later extension to x_tables if needed for some reason.

Enable dump of the registered netfilter hooks to userspace.
This allows userspace to peek at the active hooks for each family/hook
point.

Example:
    $ nft list hook ip type input
    family ip hook input {
            +0000000000 nft_do_chain_inet [nf_tables]       # nft table ip filter chain input
            +0000000010 nft_do_chain_inet [nf_tables]       # nft table ip firewalld chain filter_INPUT
            +0000000100 nf_nat_ipv4_local_in [nf_nat]
            +2147483647 ipv4_confirm [nf_conntrack]
    }

Implementation is done in nf_tables.
Alternative would be to add this as a separate/new nfnetlink family.

Let me know if that's the preferred route and I will respin.
I did this in nf_tables because it allows re-use of the existing
nft_hook_attributes and it seemed strange to add a new kernel module
for this.

Florian Westphal (4):
  netfilter: nf_tables: allow to dump all registered base hooks
  netfilter: nf_tables: include function and module name in hook dumps
  netfilter: annotate nf_tables base hook ops
  netfilter: nf_tables: include table and chain name when dumping hooks

 include/linux/netfilter.h                |  12 +-
 include/uapi/linux/netfilter/nf_tables.h |  30 +++
 net/netfilter/core.c                     |   6 +
 net/netfilter/nf_queue.c                 |   4 +-
 net/netfilter/nf_tables_api.c            | 286 ++++++++++++++++++++++-
 5 files changed, 334 insertions(+), 4 deletions(-)

-- 
2.26.3


* [PATCH nf-next 0/4] netfilter: add hook dump feature
@ 2021-05-21 11:39 Florian Westphal
  2021-05-21 11:39 ` [PATCH nf-next 4/4] netfilter: nf_tables: include table and chain name when dumping hooks Florian Westphal
  0 siblings, 1 reply; 11+ messages in thread
From: Florian Westphal @ 2021-05-21 11:39 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Enable dump of the registered netfilter hooks to userspace.
This allows userspace to peek at the active hooks for each family/hook
point.

Example:
    $ nft list hook ip type input
    family ip hook input {
            +0000000000 nft_do_chain_inet [nf_tables]       # nft table ip filter chain input
            +0000000010 nft_do_chain_inet [nf_tables]       # nft table ip firewalld chain filter_INPUT
            +0000000100 nf_nat_ipv4_local_in [nf_nat]
            +2147483647 ipv4_confirm [nf_conntrack]
    }

Implementation is done in nf_tables.
Alternative would be to add this as a separate/new nfnetlink family.

Let me know if that's the preferred route and I will respin.
I did this in nf_tables because it allows re-use of the existing
nft_hook_attributes and it seemed strange to add a new kernel module
for this.

Florian Westphal (4):
  netfilter: nf_tables: allow to dump all registered base hooks
  netfilter: nf_tables: include function and module name in hook dumps
  netfilter: annotate nf_tables base hook ops
  netfilter: nf_tables: include table and chain name when dumping hooks

 include/linux/netfilter.h                |  12 +-
 include/uapi/linux/netfilter/nf_tables.h |   7 +
 net/netfilter/core.c                     |   6 +
 net/netfilter/nf_queue.c                 |   4 +-
 net/netfilter/nf_tables_api.c            | 275 ++++++++++++++++++++++-
 5 files changed, 300 insertions(+), 4 deletions(-)

-- 
2.26.3


Thread overview: 11+ messages
2021-05-25 20:51 [PATCH nf-next v2 0/4] netfilter: add hook dump feature Florian Westphal
2021-05-25 20:51 ` [PATCH nf-next 1/4] netfilter: nf_tables: allow to dump all registered base hooks Florian Westphal
2021-05-25 20:51 ` [PATCH nf-next 2/4] netfilter: nf_tables: include function and module name in hook dumps Florian Westphal
2021-05-25 20:51 ` [PATCH nf-next 3/4] netfilter: annotate nf_tables base hook ops Florian Westphal
2021-05-25 20:51 ` [PATCH nf-next 4/4] netfilter: nf_tables: include table and chain name when dumping hooks Florian Westphal
  -- strict thread matches above, loose matches on Subject: below --
2021-05-21 11:39 [PATCH nf-next 0/4] netfilter: add hook dump feature Florian Westphal
2021-05-21 11:39 ` [PATCH nf-next 4/4] netfilter: nf_tables: include table and chain name when dumping hooks Florian Westphal
2021-05-23  8:52   ` Pablo Neira Ayuso
2021-05-23 18:54     ` Florian Westphal
2021-05-23 21:03       ` Pablo Neira Ayuso
2021-05-23 21:26         ` Florian Westphal
2021-05-23 21:36           ` Pablo Neira Ayuso