netfilter: nf_tables: add trace support

 *	@list: used internally

 *	@list: used internally

 *	@rcu_head: used internally

 *	@rcu_head: used internally

 *	@net: net namespace that this chain belongs to

 *	@net: net namespace that this chain belongs to

 *	@table: table that this chain belongs to

 *	@handle: chain handle

 *	@handle: chain handle

 *	@flags: bitmask of enum nft_chain_flags

 *	@flags: bitmask of enum nft_chain_flags

 *	@use: number of jump references to this chain

 *	@use: number of jump references to this chain

	struct list_head		list;

	struct list_head		list;

	struct rcu_head			rcu_head;

	struct rcu_head			rcu_head;

	struct net			*net;

	struct net			*net;

	struct nft_table		*table;

	u64				handle;

	u64				handle;

	u8				flags;

	u8				flags;

	u16				use;

	u16				use;

	INIT_LIST_HEAD(&chain->rules);

	INIT_LIST_HEAD(&chain->rules);

	chain->handle = nf_tables_alloc_handle(table);

	chain->handle = nf_tables_alloc_handle(table);

	chain->net = net;

	chain->net = net;

	chain->table = table;

	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);

	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);

	if (!(table->flags & NFT_TABLE_F_DORMANT) &&

	if (!(table->flags & NFT_TABLE_F_DORMANT) &&

#include <linux/netfilter/nf_tables.h>

#include <linux/netfilter/nf_tables.h>

#include <net/netfilter/nf_tables_core.h>

#include <net/netfilter/nf_tables_core.h>

#include <net/netfilter/nf_tables.h>

#include <net/netfilter/nf_tables.h>

#include <net/netfilter/nf_log.h>

static void nft_cmp_fast_eval(const struct nft_expr *expr,

static void nft_cmp_fast_eval(const struct nft_expr *expr,

			      struct nft_data data[NFT_REG_MAX + 1])

			      struct nft_data data[NFT_REG_MAX + 1])

struct nft_jumpstack {

struct nft_jumpstack {

	const struct nft_chain	*chain;

	const struct nft_chain	*chain;

	const struct nft_rule	*rule;

	const struct nft_rule	*rule;

	int			rulenum;

};

};

static inline void

static inline void

	rcu_read_unlock_bh();

	rcu_read_unlock_bh();

}

}

enum nft_trace {

	NFT_TRACE_RULE,

	NFT_TRACE_RETURN,

	NFT_TRACE_POLICY,

};

static const char *const comments[] = {

	[NFT_TRACE_RULE]	= "rule",

	[NFT_TRACE_RETURN]	= "return",

	[NFT_TRACE_POLICY]	= "policy",

};

static struct nf_loginfo trace_loginfo = {

	.type = NF_LOG_TYPE_LOG,

	.u = {

		.log = {

			.level = 4,

			.logflags = NF_LOG_MASK,

	        },

	},

};

static inline void nft_trace_packet(const struct nft_pktinfo *pkt,

				    const struct nft_chain *chain,

				    int rulenum, enum nft_trace type)

{

	struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);

	nf_log_packet(net, pkt->xt.family, pkt->hooknum, pkt->skb, pkt->in,

		      pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",

		      chain->table->name, chain->name, comments[type],

		      rulenum);

}

unsigned int

unsigned int

nft_do_chain_pktinfo(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)

nft_do_chain_pktinfo(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)

{

{

	struct nft_data data[NFT_REG_MAX + 1];

	struct nft_data data[NFT_REG_MAX + 1];

	unsigned int stackptr = 0;

	unsigned int stackptr = 0;

	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];

	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];

	int rulenum = 0;

	/*

	/*

	 * Cache cursor to avoid problems in case that the cursor is updated

	 * Cache cursor to avoid problems in case that the cursor is updated

	 * while traversing the ruleset.

	 * while traversing the ruleset.

		if (unlikely(rule->genmask & (1 << gencursor)))

		if (unlikely(rule->genmask & (1 << gencursor)))

			continue;

			continue;

		rulenum++;

		nft_rule_for_each_expr(expr, last, rule) {

		nft_rule_for_each_expr(expr, last, rule) {

			if (expr->ops == &nft_cmp_fast_ops)

			if (expr->ops == &nft_cmp_fast_ops)

				nft_cmp_fast_eval(expr, data);

				nft_cmp_fast_eval(expr, data);

	case NF_ACCEPT:

	case NF_ACCEPT:

	case NF_DROP:

	case NF_DROP:

	case NF_QUEUE:

	case NF_QUEUE:

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);

		return data[NFT_REG_VERDICT].verdict;

		return data[NFT_REG_VERDICT].verdict;

	case NFT_JUMP:

	case NFT_JUMP:

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);

		BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);

		BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);

		jumpstack[stackptr].chain = chain;

		jumpstack[stackptr].chain = chain;

		jumpstack[stackptr].rule  = rule;

		jumpstack[stackptr].rule  = rule;

		jumpstack[stackptr].rulenum = rulenum;

		stackptr++;

		stackptr++;

		/* fall through */

		/* fall through */

	case NFT_GOTO:

	case NFT_GOTO:

		chain = data[NFT_REG_VERDICT].chain;

		chain = data[NFT_REG_VERDICT].chain;

		goto do_chain;

		goto do_chain;

	case NFT_RETURN:

	case NFT_RETURN:

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RETURN);

		/* fall through */

	case NFT_CONTINUE:

	case NFT_CONTINUE:

		break;

		break;

	default:

	default:

	}

	}

	if (stackptr > 0) {

	if (stackptr > 0) {

		if (unlikely(pkt->skb->nf_trace))

			nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);

		stackptr--;

		stackptr--;

		chain = jumpstack[stackptr].chain;

		chain = jumpstack[stackptr].chain;

		rule  = jumpstack[stackptr].rule;

		rule  = jumpstack[stackptr].rule;

		rulenum = jumpstack[stackptr].rulenum;

		goto next_rule;

		goto next_rule;

	}

	}

	nft_chain_stats(chain, pkt, jumpstack, stackptr);

	nft_chain_stats(chain, pkt, jumpstack, stackptr);

	if (unlikely(pkt->skb->nf_trace))

		nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_POLICY);

	return nft_base_chain(chain)->policy;

	return nft_base_chain(chain)->policy;

}

}

EXPORT_SYMBOL_GPL(nft_do_chain_pktinfo);

EXPORT_SYMBOL_GPL(nft_do_chain_pktinfo);