On 24.11, Florian Westphal wrote:
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > One more thing to consider is interaction with other netfilter subsystems.
> >
> > F.i. I think it would be very useful to have per-connection tracing, so
> > we'd store a flag in the nfct and transfer it to every packet. This would
> > make them show up in the nft ruleset,
>
> I'd prefer to complete set support for labels for this, so we can do
> something like
>
> chain ct_trace {
>     type filter hook prerouting priority 0;
>     tcp dport 22 ct state new label set trace
>     ct label trace meta set nftrace 1
> }
>
> chain ct_trace_out {
>     type filter hook output priority 0;
>     ct label trace meta set nftrace 1
> }
>
> Which would do in/out tracing without any additional code
> (except the label set support, of course).

That's of course one possibility, but it lacks one important point: we could not trace the first packet going through conntrack.

> > but what about tracing in specific
> > points of conntrack/NAT itself? Can we send them to the same group and
> > make them integrate with ruleset tracing?
>
> Good point.
>
> I think we would first have to identify possible interesting tracing points.
> Did you have anything specific in mind?

I guess the hooks themselves, probably helper invocation and/or results, possibly interesting points within helpers, errors in protocol tracking; basically I think a good starting point would be what we now have as global tracing points.
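For readers following the label-based idea in the quoted text, the same ruleset expressed in current nftables syntax, as an added example that is not part of the thread and not the sketch the thread proposes: it uses the `ct label set <name>` and `meta nftrace set 1` spellings that nft accepts today, and assumes a label named `trace` has been defined in the connlabel file nft reads (by default /etc/xtables/connlabel.conf, with a line such as `0 trace`; that file name and index are the example's assumption).

```nftables
# Added example (not from the thread): per-connection ruleset tracing keyed
# on a conntrack label, in current nftables syntax. Assumes the label "trace"
# exists in the connlabel file nft reads (assumed: /etc/xtables/connlabel.conf).
table inet ct_trace {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;

        # Tag new inbound SSH connections. The conntrack hook runs earlier
        # (priority -200), so conntrack's own handling of this first packet
        # is already over by the time the label is set; only ruleset
        # evaluation from here on is traced for it, which is the limitation
        # raised in the reply above.
        tcp dport 22 ct state new ct label set trace

        # Every packet of a tagged connection that passes prerouting is
        # marked for ruleset tracing.
        ct label trace meta nftrace set 1
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Locally generated replies of tagged connections get traced too.
        ct label trace meta nftrace set 1
    }
}
```

Load it with `nft -f <file>` and watch the resulting trace events with `nft monitor trace`; the trace covers the rule evaluation of the labelled connection in both directions, not conntrack or NAT internals, which is why the reply asks for dedicated tracing points inside conntrack itself.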