The policy trace type is erroneously handled via the verdict path; this is wrong.
It is a different event type and needs to be handled as such.

before:
trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 
(verdict continue)
trace id 42b54e71 inet filter input verdict continue
trace id 42b54e71 inet filter input

after:
trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 
(verdict continue)
trace id 9f40c5c7 inet filter input verdict continue
trace id 9f40c5c7 inet filter input policy drop

Reported-by: v...@gmx.net
Signed-off-by: Florian Westphal <f...@strlen.de>
---
 src/netlink.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/netlink.c b/src/netlink.c
index 864947b4d2f0..394af2f0ca4d 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1704,7 +1704,22 @@ static void trace_print_verdict(const struct nftnl_trace 
*nlt,
                chain = xstrdup(nftnl_trace_get_str(nlt, 
NFTNL_TRACE_JUMP_TARGET));
        expr = verdict_expr_alloc(&netlink_location, verdict, chain);
 
-       printf("verdict ");
+       nft_print(octx, "verdict ");
+       expr_print(expr, octx);
+       expr_free(expr);
+}
+
+static void trace_print_policy(const struct nftnl_trace *nlt,
+                              struct output_ctx *octx)
+{
+       unsigned int policy;
+       struct expr *expr;
+
+       policy = nftnl_trace_get_u32(nlt, NFTNL_TRACE_POLICY);
+
+       expr = verdict_expr_alloc(&netlink_location, policy, NULL);
+
+       nft_print(octx, "policy ");
        expr_print(expr, octx);
        expr_free(expr);
 }
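Review bot: trace_print_policy() reads NFTNL_TRACE_POLICY with nftnl_trace_get_u32() without checking that the attribute is present, so it relies on the caller having tested nftnl_trace_is_set() first. The one caller visible in this patch does that, but nothing at the definition records the contract; a comment above the function would, e.g. `/* Caller must have checked nftnl_trace_is_set(nlt, NFTNL_TRACE_POLICY). */`. The value is then handed straight to verdict_expr_alloc(), and how a policy other than accept or drop is rendered is not visible here. It is worth confirming that an unexpected value prints recognisably, since this line is what an operator reads to learn why a packet was dropped.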
@@ -1920,6 +1935,20 @@ int netlink_events_trace_cb(const struct nlmsghdr *nlh, 
int type,
                        trace_print_rule(nlt, monh->ctx->octx, monh->cache);
                break;
        case NFT_TRACETYPE_POLICY:
+               trace_print_hdr(nlt, monh->ctx->octx);
+
+               if (nftnl_trace_is_set(nlt, NFTNL_TRACE_POLICY)) {
+                       trace_print_policy(nlt, monh->ctx->octx);
+                       nft_mon_print(monh, " ");
+               }
+
+               if (nftnl_trace_is_set(nlt, NFTNL_TRACE_MARK))
+                       trace_print_expr(nlt, NFTNL_TRACE_MARK,
+                                        meta_expr_alloc(&netlink_location,
+                                                        NFT_META_MARK),
+                                        monh->ctx->octx);
+               nft_mon_print(monh, "\n");
+               break;
        case NFT_TRACETYPE_RETURN:
                trace_print_hdr(nlt, monh->ctx->octx);
 
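Review bot: In the new NFT_TRACETYPE_POLICY case, a message that lacks NFTNL_TRACE_POLICY still prints the header and a newline, which reproduces the uninformative `trace id … inet filter input` line shown under "before" in the commit message. If the kernel always sends the attribute for this trace type, a comment saying so would help, e.g. `/* NFTNL_TRACE_POLICY is expected for every policy trace */`; otherwise the missing-attribute case deserves an explicit marker in the output so a dropped packet is not mistaken for one with no decision. A smaller style point: `nft_mon_print(monh, " ")` runs whenever the policy is printed, so the line appears to end in a trailing space when no mark follows, though that may match neighbouring cases not shown. The switch in netlink_events_trace_cb starts and ends outside the hunk.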
-- 
2.16.4
