From 07f51d26e405b4a328813f35bc27015eb9324330 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Sat, 12 Dec 2020 16:15:34 +0100
Subject: [PATCH] xtables-monitor: print packet first
The trace mode should first print the packet that was received and
then the rule/verdict.
Furthermore, the monitor did sometimes print an extra newline.
After this patch, output is more consistent with nft monitor.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 180ba723d0b305fab9287d3bc5f845a43d9eb793)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xtables-monitor.c | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 9fa1ca166a61e..23e828988bb8b 100644
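--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,7 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 printf("-0 ");
 break;
 default:
+ puts("");
 goto err_free;
 }
 
@@ -433,9 +434,18 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
 mark = nftnl_trace_get_u32(nlt, NFTNL_TRACE_MARK);
 if (mark)
 printf("MARK=0x%x ", mark);
+ puts("");
+}
+
+static void trace_print_hdr(const struct nftnl_trace *nlt)
+{
+ printf(" TRACE: %d %08x %s:%s", nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY),
+ nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID),
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE),
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
 }
 
-static void print_verdict(struct nftnl_trace *nlt, uint32_t verdict)
+static void print_verdict(const struct nftnl_trace *nlt, uint32_t verdict)
 {
 const char *chain;
 
@@ -496,35 +506,37 @@ static int trace_cb(const struct nlmsghdr *nlh, struct cb_arg *arg)
 arg->nfproto != nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY))
 goto err_free;
 
- printf(" TRACE: %d %08x %s:%s", nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY),
- nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID),
- nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE),
- nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
-
 switch (nftnl_trace_get_u32(nlt, NFTNL_TRACE_TYPE)) {
 case NFT_TRACETYPE_RULE:
 verdict = nftnl_trace_get_u32(nlt, NFTNL_TRACE_VERDICT);
- printf(":rule:0x%llx:", (unsigned long long)nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE));
- print_verdict(nlt, verdict);
 
- if (nftnl_trace_is_set(nlt, NFTNL_TRACE_RULE_HANDLE))
- trace_print_rule(nlt, arg);
 if (nftnl_trace_is_set(nlt, NFTNL_TRACE_LL_HEADER) ||
 nftnl_trace_is_set(nlt, NFTNL_TRACE_NETWORK_HEADER))
 trace_print_packet(nlt, arg);
+
+ if (nftnl_trace_is_set(nlt, NFTNL_TRACE_RULE_HANDLE)) {
+ trace_print_hdr(nlt);
+ printf(":rule:0x%" PRIx64":", nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE));
+ print_verdict(nlt, verdict);
+ printf(" ");
+ trace_print_rule(nlt, arg);
+ }
 break;
 case NFT_TRACETYPE_POLICY:
+ trace_print_hdr(nlt);
 printf(":policy:");
 verdict = nftnl_trace_get_u32(nlt, NFTNL_TRACE_POLICY);
 
 print_verdict(nlt, verdict);
+ puts("");
 break;
 case NFT_TRACETYPE_RETURN:
+ trace_print_hdr(nlt);
 printf(":return:");
 trace_print_return(nlt);
+ puts("");
 break;
 }
- puts("");
 err_free:
 nftnl_trace_free(nlt);
 err: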
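Review bot: In the new `trace_print_hdr()`, the return values of `nftnl_trace_get_str()` for `NFTNL_TRACE_TABLE` and `NFTNL_TRACE_CHAIN` are passed straight to `%s`, while the visible part of `trace_cb` checks `nftnl_trace_is_set()` only for the header and rule-handle attributes; the getter returns NULL for an attribute the message does not carry, and NULL for `%s` is undefined behaviour. Fetching both strings first and printing `table ? table : "-"` and `chain ? chain : "-"` keeps the line well-formed for an incomplete trace message. The family value is a `uint32_t` printed with `%d` (`%u` matches), and `NFTNL_TABLE_FAMILY` looks like a table-attribute constant used on a trace object where `NFTNL_TRACE_FAMILY` would state the intent; both were carried over from the removed `printf`. In the `NFT_TRACETYPE_RULE` case of `trace_cb`, whose body starts outside the hunk, the header and verdict are now printed only when `NFTNL_TRACE_RULE_HANDLE` is set, so a rule event without a handle appears to drop out of the output; a comment such as `/* rule events without a handle are not printed */` would record whether that is intended.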
--
2.31.1