

Phil Sutterummakynes
authored and committed
netfilter: nfnetlink_hook: Dump flowtable info
Introduce NFNL_HOOK_TYPE_NFT_FLOWTABLE to distinguish flowtable hooks from base chain ones. Nested attributes are shared with the old NFTABLES hook info type since they fit apart from their misleading name. Old nftables in user space will ignore this new hook type and thus continue to print flowtable hooks just like before, e.g.: | family netdev { | hook ingress device test0 { | 0000000000 nf_flow_offload_ip_hook [nf_flow_table] | } | } With this patch in place and support for the new hook info type, output becomes more useful: | family netdev { | hook ingress device test0 { | 0000000000 flowtable ip mytable myft [nf_flow_table] | } | } Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent b65504e commit bc8c43a

4 files changed

Lines changed: 51 additions & 11 deletions


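--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -92,6 +92,7 @@ enum nf_hook_ops_type {
 	NF_HOOK_OP_UNDEFINED,
 	NF_HOOK_OP_NF_TABLES,
 	NF_HOOK_OP_BPF,
+	NF_HOOK_OP_NFT_FT,
 };
 
 struct nf_hook_ops {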

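--- a/include/uapi/linux/netfilter/nfnetlink_hook.h
+++ b/include/uapi/linux/netfilter/nfnetlink_hook.h
@@ -61,10 +61,12 @@ enum nfnl_hook_chain_desc_attributes {
  *
  * @NFNL_HOOK_TYPE_NFTABLES: nf_tables base chain
  * @NFNL_HOOK_TYPE_BPF: bpf program
+ * @NFNL_HOOK_TYPE_NFT_FLOWTABLE: nf_tables flowtable
  */
 enum nfnl_hook_chaintype {
 	NFNL_HOOK_TYPE_NFTABLES = 0x1,
 	NFNL_HOOK_TYPE_BPF,
+	NFNL_HOOK_TYPE_NFT_FLOWTABLE,
 };
 
 /**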

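--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8895,11 +8895,12 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
 
 	list_for_each_entry(hook, &flowtable_hook->list, list) {
 		list_for_each_entry(ops, &hook->ops_list, list) {
-			ops->pf = NFPROTO_NETDEV;
-			ops->hooknum = flowtable_hook->num;
-			ops->priority = flowtable_hook->priority;
-			ops->priv = &flowtable->data;
-			ops->hook = flowtable->data.type->hook;
+			ops->pf = NFPROTO_NETDEV;
+			ops->hooknum = flowtable_hook->num;
+			ops->priority = flowtable_hook->priority;
+			ops->priv = &flowtable->data;
+			ops->hook = flowtable->data.type->hook;
+			ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
 		}
 	}
 
@@ -9727,12 +9728,13 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev,
 	if (!ops)
 		return 1;
 
-	ops->pf = NFPROTO_NETDEV;
-	ops->hooknum = flowtable->hooknum;
-	ops->priority = flowtable->data.priority;
-	ops->priv = &flowtable->data;
-	ops->hook = flowtable->data.type->hook;
-	ops->dev = dev;
+	ops->pf = NFPROTO_NETDEV;
+	ops->hooknum = flowtable->hooknum;
+	ops->priority = flowtable->data.priority;
+	ops->priv = &flowtable->data;
+	ops->hook = flowtable->data.type->hook;
+	ops->hook_ops_type = NF_HOOK_OP_NFT_FT;
+	ops->dev = dev;
 	if (nft_register_flowtable_ops(dev_net(dev),
 				       flowtable, ops)) {
 		kfree(ops);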
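Review bot: The per-ops field setup is now duplicated between nft_flowtable_parse_hook (first hunk) and nft_flowtable_event (second hunk), and this commit had to add `ops->hook_ops_type = NF_HOOK_OP_NFT_FT;` to both copies, which is exactly how such copies drift apart when the next field is introduced. A small static helper that fills pf, hooknum, priority, priv, hook and hook_ops_type from the flowtable and hook number, called from both sites, would keep them in sync; both enclosing functions start and end outside the hunks. If a helper is out of scope for this series, a one-line comment at each site pointing at the other (`/* keep in sync with nft_flowtable_event() */`) would at least flag the coupling.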

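--- a/net/netfilter/nfnetlink_hook.c
+++ b/net/netfilter/nfnetlink_hook.c
@@ -156,6 +156,38 @@ static int nfnl_hook_put_nft_chain_info(struct sk_buff *nlskb,
 	return 0;
 }
 
+static int nfnl_hook_put_nft_ft_info(struct sk_buff *nlskb,
+				     const struct nfnl_dump_hook_data *ctx,
+				     unsigned int seq,
+				     struct nf_flowtable *nf_ft)
+{
+	struct nft_flowtable *ft =
+		container_of(nf_ft, struct nft_flowtable, data);
+	struct net *net = sock_net(nlskb->sk);
+	struct nlattr *nest;
+	int ret = 0;
+
+	if (WARN_ON_ONCE(!nf_ft))
+		return 0;
+
+	if (!nft_is_active(net, ft))
+		return 0;
+
+	nest = nfnl_start_info_type(nlskb, NFNL_HOOK_TYPE_NFT_FLOWTABLE);
+	if (!nest)
+		return -EMSGSIZE;
+
+	ret = nfnl_hook_put_nft_info_desc(nlskb, ft->table->name,
+					  ft->name, ft->table->family);
+	if (ret) {
+		nla_nest_cancel(nlskb, nest);
+		return ret;
+	}
+
+	nla_nest_end(nlskb, nest);
+	return 0;
+}
+
 static int nfnl_hook_dump_one(struct sk_buff *nlskb,
 			      const struct nfnl_dump_hook_data *ctx,
 			      const struct nf_hook_ops *ops,
@@ -223,6 +255,9 @@ static int nfnl_hook_dump_one(struct sk_buff *nlskb,
 	case NF_HOOK_OP_BPF:
 		ret = nfnl_hook_put_bpf_prog_info(nlskb, ctx, seq, ops->priv);
 		break;
+	case NF_HOOK_OP_NFT_FT:
+		ret = nfnl_hook_put_nft_ft_info(nlskb, ctx, seq, ops->priv);
+		break;
 	case NF_HOOK_OP_UNDEFINED:
 		break;
 	default: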
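Review bot: In nfnl_hook_put_nft_ft_info, `ft` is derived from `nf_ft` with container_of() in its declaration, ahead of the `WARN_ON_ONCE(!nf_ft)` guard a few lines below, so if that guard ever fired the pointer arithmetic on NULL would already have been done; declare `struct nft_flowtable *ft;` and assign `ft = container_of(nf_ft, struct nft_flowtable, data);` after the check. The guard looks defensive only — the sole caller added in the second hunk passes `ops->priv`, which nf_tables_api.c sets to `&flowtable->data` in the same commit — so this is an ordering nit rather than a reachable fault. `ctx` and `seq` are not referenced in the body; presumably they exist for parity with the other put_*_info helpers dispatched from the same switch, which a short comment on the signature (`/* ctx/seq unused, kept for the common put_*_info signature */`) could record.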
