Enable dump of the registered netfilter hooks to userspace.
This allows userspace to peek at the active hooks for each family/hook point.

Example:
$ nft list hook ip type input
family ip hook input {
        +0000000000 nft_do_chain_inet [nf_tables]       # nft table ip filter chain input
        +0000000010 nft_do_chain_inet [nf_tables]       # nft table ip firewalld chain filter_INPUT
        +0000000100 nf_nat_ipv4_local_in [nf_nat]
        +2147483647 ipv4_confirm [nf_conntrack]
}

Implementation is done in nf_tables.  Alternative would be to add this
as a separate/new nfnetlink family.

Let me know if that's the preferred route and I will respin.
I did this in nf_tables because it allows re-use of the existing
nft_hook_attributes and it seemed strange to add a new kernel module
for this.

Florian Westphal (4):
  netfilter: nf_tables: allow to dump all registered base hooks
  netfilter: nf_tables: include function and module name in hook dumps
  netfilter: annotate nf_tables base hook ops
  netfilter: nf_tables: include table and chain name when dumping hooks

 include/linux/netfilter.h                |  12 +-
 include/uapi/linux/netfilter/nf_tables.h |   7 +
 net/netfilter/core.c                     |   6 +
 net/netfilter/nf_queue.c                 |   4 +-
 net/netfilter/nf_tables_api.c            | 275 ++++++++++++++++++++++-
 5 files changed, 300 insertions(+), 4 deletions(-)

--
2.26.3