author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-08-02 12:32:52 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-08-06 13:13:06 +0200 |
commit | b98fee20bfe23c787ff1f00660a205865eb8bb95 (patch) | |
tree | 52e70f1f823246ebfe5771a06fb7b2ab75f886fc /include | |
parent | 874c70f98d38caac51328e69d81eefa6cca8b438 (diff) |
mnl: revisit hook listing
Update this command to display the hook datapath for a packet depending
on its family.
This patch also includes:
- Group of existing hooks based on the hook location.
- Order hooks by priority, from INT_MIN to INT_MAX.
- Do not add sign to priority zero.
- Refresh include/linux/netfilter/nfnetlink_hook.h cache copy.
- Use NFNLA_CHAIN_* attributes to print the chain family, table and name.
If NFNLA_CHAIN_* attributes are not available, display the hookfn name.
- Update syntax: remove optional hook parameter, promote the 'device'
argument.
The following example shows the hook datapath for IPv4 packets coming in
from netdevice 'eth0':
# nft list hooks ip device eth0
family ip {
hook ingress {
+0000000010 chain netdev x y [nf_tables]
+0000000300 chain inet m w [nf_tables]
}
hook input {
-0000000100 chain ip a b [nf_tables]
+0000000300 chain inet m z [nf_tables]
}
hook forward {
-0000000225 selinux_ipv4_forward
0000000000 chain ip a c [nf_tables]
}
hook output {
-0000000225 selinux_ipv4_output
}
hook postrouting {
+0000000225 selinux_ipv4_postroute
}
}
Note that the listing above includes the existing netdev and inet
hooks/chains which *might* interfere in the travel of an incoming IPv4
packet. This allows users to debug the pipeline, basically, to
understand in what order the hooks/chains are evaluated for the IPv4
packets.
If the netdevice is not specified, then the ingress hooks are not
shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/nfnetlink_hook.h | 14 | ||||
-rw-r--r-- | include/rule.h | 1 |
2 files changed, 13 insertions, 2 deletions
diff --git a/include/linux/netfilter/nfnetlink_hook.h b/include/linux/netfilter/nfnetlink_hook.h
index d8ac8278..bbcd285b 100644
--- a/include/linux/netfilter/nfnetlink_hook.h
+++ b/include/linux/netfilter/nfnetlink_hook.h
@@ -8,10 +8,10 @@ enum nfnl_hook_msg_types {
 };
 /**
- * enum nfnl_hook_attributes - nf_tables netfilter hook netlink attributes
+ * enum nfnl_hook_attributes - netfilter hook netlink attributes
 *
 * @NFNLA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
- * @NFNLAA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
+ * @NFNLA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
 * @NFNLA_HOOK_DEV: netdevice name (NLA_STRING)
 * @NFNLA_HOOK_FUNCTION_NAME: hook function name (NLA_STRING)
 * @NFNLA_HOOK_MODULE_NAME: kernel module that registered this hook (NLA_STRING)
@@ -43,6 +43,15 @@ enum nfnl_hook_chain_info_attributes {
 };
 #define NFNLA_HOOK_INFO_MAX (__NFNLA_HOOK_INFO_MAX - 1)
+enum nfnl_hook_chain_desc_attributes {
+ NFNLA_CHAIN_UNSPEC,
+ NFNLA_CHAIN_TABLE,
+ NFNLA_CHAIN_FAMILY,
+ NFNLA_CHAIN_NAME,
+ __NFNLA_CHAIN_MAX,
+};
+#define NFNLA_CHAIN_MAX (__NFNLA_CHAIN_MAX - 1)
+
 /**
 * enum nfnl_hook_chaintype - chain type
 *
@@ -51,4 +60,5 @@ enum nfnl_hook_chain_info_attributes {
 enum nfnl_hook_chaintype {
 NFNL_HOOK_TYPE_NFTABLES = 0x1,
 };
+
 #endif /* _NFNL_HOOK_H */
diff --git a/include/rule.h b/include/rule.h
index 357326a3..be316956 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -270,6 +270,7 @@ extern struct chain *chain_binding_lookup(const struct table *table,
 const char *chain_name);
 extern const char *family2str(unsigned int family);
+#define __NF_ARP_INGRESS 255
 extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
 extern const char *chain_policy2str(uint32_t policy);
 extern void chain_print_plain(const struct chain *chain, |
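Review bot: `#define __NF_ARP_INGRESS 255` in the include/rule.h hunk introduces an identifier beginning with a double underscore, which C reserves for the implementation, so it can silently collide with compiler or libc headers; a name without the reserved prefix, e.g. `#define NF_ARP_INGRESS_USER 255` (renamed at its users as well), avoids that. The value also lands between two unrelated prototypes with no explanation; it looks like a userspace-only pseudo hook number picked so it cannot clash with the kernel's real ARP hook numbers, and if so a one-line comment such as `/* userspace-only pseudo hook number for ARP ingress; not a kernel value */` would save the next reader a lookup. hooknum2str() takes an unsigned int so 255 fits its parameter, but any caller that indexes an array by hook number would need a bounds check — its users are not in this diff. The nfnetlink_hook.h hunks are a refresh of the kernel header copy and need nothing further.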