netfilter: nfnetlink_hook: Dump flowtable info

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Introduce NFNL_HOOK_TYPE_NFT_FLOWTABLE to distinguish flowtable hooks
from base chain ones. Nested attributes are shared with the old NFTABLES
hook info type since they fit apart from their misleading name.

Old nftables in user space will ignore this new hook type and thus
continue to print flowtable hooks just like before, e.g.:

| family netdev {
| hook ingress device test0 {
| 0000000000 nf_flow_offload_ip_hook [nf_flow_table]
| }
| }

With this patch in place and support for the new hook info type, output
becomes more useful:

| family netdev {
| hook ingress device test0 {
| 0000000000 flowtable ip mytable myft [nf_flow_table]
| }
| }

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Phil Sutter and committed by

Pablo Neira Ayuso 8 months ago bc8c43ad b65504e7

+51 -11

4 changed files

expand all

include

linux

netfilter.h

uapi

linux

netfilter

nfnetlink_hook.h

net

netfilter

nf_tables_api.c

nfnetlink_hook.c

include/linux/netfilter.h

··· 92 92 NF_HOOK_OP_UNDEFINED, 93 93 NF_HOOK_OP_NF_TABLES, 94 94 NF_HOOK_OP_BPF, 95 + NF_HOOK_OP_NFT_FT, 95 96 }; 96 97 97 98 struct nf_hook_ops {

include/uapi/linux/netfilter/nfnetlink_hook.h

··· 61 61 * 62 62 * @NFNL_HOOK_TYPE_NFTABLES: nf_tables base chain 63 63 * @NFNL_HOOK_TYPE_BPF: bpf program 64 + * @NFNL_HOOK_TYPE_NFT_FLOWTABLE: nf_tables flowtable 64 65 */ 65 66 enum nfnl_hook_chaintype { 66 67 NFNL_HOOK_TYPE_NFTABLES = 0x1, 67 68 NFNL_HOOK_TYPE_BPF, 69 + NFNL_HOOK_TYPE_NFT_FLOWTABLE, 68 70 }; 69 71 70 72 /**

+13 -11

net/netfilter/nf_tables_api.c

··· 8895 8895 8896 8896 list_for_each_entry(hook, &flowtable_hook->list, list) { 8897 8897 list_for_each_entry(ops, &hook->ops_list, list) { 8898 - ops->pf = NFPROTO_NETDEV; 8899 - ops->hooknum = flowtable_hook->num; 8900 - ops->priority = flowtable_hook->priority; 8901 - ops->priv = &flowtable->data; 8902 - ops->hook = flowtable->data.type->hook; 8898 + ops->pf = NFPROTO_NETDEV; 8899 + ops->hooknum = flowtable_hook->num; 8900 + ops->priority = flowtable_hook->priority; 8901 + ops->priv = &flowtable->data; 8902 + ops->hook = flowtable->data.type->hook; 8903 + ops->hook_ops_type = NF_HOOK_OP_NFT_FT; 8903 8904 } 8904 8905 } 8905 8906 ··· 9728 9727 if (!ops) 9729 9728 return 1; 9730 9729 9731 - ops->pf = NFPROTO_NETDEV; 9732 - ops->hooknum = flowtable->hooknum; 9733 - ops->priority = flowtable->data.priority; 9734 - ops->priv = &flowtable->data; 9735 - ops->hook = flowtable->data.type->hook; 9736 - ops->dev = dev; 9730 + ops->pf = NFPROTO_NETDEV; 9731 + ops->hooknum = flowtable->hooknum; 9732 + ops->priority = flowtable->data.priority; 9733 + ops->priv = &flowtable->data; 9734 + ops->hook = flowtable->data.type->hook; 9735 + ops->hook_ops_type = NF_HOOK_OP_NFT_FT; 9736 + ops->dev = dev; 9737 9737 if (nft_register_flowtable_ops(dev_net(dev), 9738 9738 flowtable, ops)) { 9739 9739 kfree(ops);

+35

net/netfilter/nfnetlink_hook.c

··· 156 156 return 0; 157 157 } 158 158 159 + static int nfnl_hook_put_nft_ft_info(struct sk_buff *nlskb, 160 + const struct nfnl_dump_hook_data *ctx, 161 + unsigned int seq, 162 + struct nf_flowtable *nf_ft) 163 + { 164 + struct nft_flowtable *ft = 165 + container_of(nf_ft, struct nft_flowtable, data); 166 + struct net *net = sock_net(nlskb->sk); 167 + struct nlattr *nest; 168 + int ret = 0; 169 + 170 + if (WARN_ON_ONCE(!nf_ft)) 171 + return 0; 172 + 173 + if (!nft_is_active(net, ft)) 174 + return 0; 175 + 176 + nest = nfnl_start_info_type(nlskb, NFNL_HOOK_TYPE_NFT_FLOWTABLE); 177 + if (!nest) 178 + return -EMSGSIZE; 179 + 180 + ret = nfnl_hook_put_nft_info_desc(nlskb, ft->table->name, 181 + ft->name, ft->table->family); 182 + if (ret) { 183 + nla_nest_cancel(nlskb, nest); 184 + return ret; 185 + } 186 + 187 + nla_nest_end(nlskb, nest); 188 + return 0; 189 + } 190 + 159 191 static int nfnl_hook_dump_one(struct sk_buff *nlskb, 160 192 const struct nfnl_dump_hook_data *ctx, 161 193 const struct nf_hook_ops *ops, ··· 254 222 break; 255 223 case NF_HOOK_OP_BPF: 256 224 ret = nfnl_hook_put_bpf_prog_info(nlskb, ctx, seq, ops->priv); 225 + break; 226 + case NF_HOOK_OP_NFT_FT: 227 + ret = nfnl_hook_put_nft_ft_info(nlskb, ctx, seq, ops->priv); 257 228 break; 258 229 case NF_HOOK_OP_UNDEFINED: 259 230 break;