diff mbox series

[nft] netlink: Show the handles of unknown rules in "nft monitor trace"

Message ID 20200326152229.5923-1-aranea@aixah.de
State Accepted
Delegated to: Pablo Neira
Headers show
Series [nft] netlink: Show the handles of unknown rules in "nft monitor trace" | expand

Commit Message

Mira Ressel March 26, 2020, 3:22 p.m. UTC 
When "nft monitor trace" doesn't know a rule (because it was only added
to the ruleset after nft was invoked), that rule is silently omitted in
the trace output, which can come as a surprise when debugging issues.

Instead, we can at least show the information we got via netlink, i.e.
the family, table and chain name, rule handle and verdict.

Signed-off-by: Luis Ressel <aranea@aixah.de>
---
 src/netlink.c | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

Comments

Pablo Neira Ayuso April 1, 2020, 10:41 a.m. UTC | #1 
On Thu, Mar 26, 2020 at 03:22:29PM +0000, Luis Ressel wrote:
> When "nft monitor trace" doesn't know a rule (because it was only added
> to the ruleset after nft was invoked), that rule is silently omitted in
> the trace output, which can come as a surprise when debugging issues.
> 
> Instead, we can at least show the information we got via netlink, i.e.
> the family, table and chain name, rule handle and verdict.

Applied, thanks.
diff mbox series

Patch

diff --git a/src/netlink.c b/src/netlink.c
index b254753f..0f6af73e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1447,38 +1447,50 @@  static void trace_print_policy(const struct nftnl_trace *nlt,
 	expr_free(expr);
 }
 
-static void trace_print_rule(const struct nftnl_trace *nlt,
-			      struct output_ctx *octx, struct nft_cache *cache)
+static struct rule *trace_lookup_rule(const struct nftnl_trace *nlt,
+				      uint64_t rule_handle,
+				      struct nft_cache *cache)
 {
-	const struct table *table;
-	uint64_t rule_handle;
 	struct chain *chain;
-	struct rule *rule;
+	struct table *table;
 	struct handle h;
 
 	h.family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY);
-	h.table.name  = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE);
-	h.chain.name  = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN);
+	h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE);
+	h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN);
 
 	if (!h.table.name)
-		return;
+		return NULL;
 
 	table = table_lookup(&h, cache);
 	if (!table)
-		return;
+		return NULL;
 
 	chain = chain_lookup(table, &h);
 	if (!chain)
-		return;
+		return NULL;
+
+	return rule_lookup(chain, rule_handle);
+}
+
+static void trace_print_rule(const struct nftnl_trace *nlt,
+			      struct output_ctx *octx, struct nft_cache *cache)
+{
+	uint64_t rule_handle;
+	struct rule *rule;
 
 	rule_handle = nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE);
-	rule = rule_lookup(chain, rule_handle);
-	if (!rule)
-		return;
+	rule = trace_lookup_rule(nlt, rule_handle, cache);
 
 	trace_print_hdr(nlt, octx);
-	nft_print(octx, "rule ");
-	rule_print(rule, octx);
+
+	if (rule) {
+		nft_print(octx, "rule ");
+		rule_print(rule, octx);
+	} else {
+		nft_print(octx, "unknown rule handle %" PRIu64, rule_handle);
+	}
+
 	nft_print(octx, " (");
 	trace_print_verdict(nlt, octx);
 	nft_print(octx, ")\n");