This series adds the skeleton to improve drop statistics in netfilter and
converts nf_tables core and bridge netfilter to use it.

"return NF_DROP" can now optionally be replaced with
"return NF_DROP_REASON(skb, REASON_CODE, errno)".

This allows drop monitoring tools to pinpoint the exact location where the
packet drop occurred. For example, "ip saddr @deny drop" will now be
attributed to nft_do_chain(). Thanks to location information, it's even
possible to differentiate between a drop rule and a 'fallthrough' to a
'drop policy'.

Before this series, all netfilter packet drops got attributed to the same
location in nf_hook_slow().

Florian Westphal (6):
  netfilter: xt_mangle: only check verdict part of return value
  netfilter: nf_tables: mask out non-verdict bits when checking return value
  netfilter: conntrack: convert nf_conntrack_update to netfilter verdicts
  netfilter: nf_nat: mask out non-verdict bits when checking return value
  netfilter: make nftables drops visible in net dropmonitor
  netfilter: bridge: convert br_netfilter to NF_DROP_REASON

 include/linux/netfilter.h            | 10 +++++
 net/bridge/br_netfilter_hooks.c      | 26 ++++++-------
 net/bridge/br_netfilter_ipv6.c       |  6 +--
 net/ipv4/netfilter/iptable_mangle.c  |  9 +++--
 net/ipv6/netfilter/ip6table_mangle.c |  9 +++--
 net/netfilter/core.c                 |  6 +--
 net/netfilter/nf_conntrack_core.c    | 58 ++++++++++++++++------------
 net/netfilter/nf_nat_proto.c         |  5 ++-
 net/netfilter/nf_tables_core.c       |  8 +++-
 net/netfilter/nf_tables_trace.c      |  8 +++-
 net/netfilter/nfnetlink_queue.c      | 15 ++++---
 11 files changed, 96 insertions(+), 64 deletions(-)

-- 
2.41.0
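Several patches in the series are titled "mask out non-verdict bits when checking return value". The following user-space C example, added here and not part of the series or the kernel, shows why that matters: a netfilter verdict word carries the verdict in its low byte and an errno (or queue number) in the upper 16 bits, so a drop that also reports an errno is not equal to the bare NF_DROP constant. The constants mirror the layout of include/uapi/linux/netfilter.h but are defined locally so the file builds stand-alone; the helper names (nf_drop_err, nf_drop_geterr, is_drop_naive, is_drop_masked) are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict layout, defined here (mirroring uapi netfilter.h) so the
 * example builds outside the kernel tree. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_VERDICT_MASK  0x000000ff  /* low byte: the verdict itself */
#define NF_VERDICT_QBITS 16          /* errno / queue number start here */

/* Build a drop verdict that also carries a positive errno value
 * (e.g. 1 for EPERM), as a hook that wants to report "why" would. */
static inline unsigned int nf_drop_err(uint16_t err)
{
    return ((unsigned int)err << NF_VERDICT_QBITS) | NF_DROP;
}

/* Recover the (negative) errno folded into a drop verdict. */
static inline int nf_drop_geterr(unsigned int verdict)
{
    return -(int)(verdict >> NF_VERDICT_QBITS);
}

/* Naive check: compares the whole word, so a drop that carries an
 * errno in the upper bits is silently treated as "not a drop". */
static inline bool is_drop_naive(unsigned int verdict)
{
    return verdict == NF_DROP;
}

/* Masked check: compare only the verdict byte, which is what the
 * "mask out non-verdict bits" patches do. */
static inline bool is_drop_masked(unsigned int verdict)
{
    return (verdict & NF_VERDICT_MASK) == NF_DROP;
}

int main(void)
{
    unsigned int v = nf_drop_err(1);  /* constructed: drop with EPERM */

    printf("verdict word 0x%08x: naive=%d masked=%d errno=%d\n",
           v, is_drop_naive(v), is_drop_masked(v), nf_drop_geterr(v));
    return 0;
}
```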