[PATCH v1 1/6] netlink_netfilter: decode base attributes

Mathis Marion Mathis.Marion at silabs.com
Thu Jun 12 09:56:01 UTC 2025 

From: Mathis Marion <mathis.marion at silabs.com>

Signed-off-by: Mathis Marion <mathis.marion at silabs.com>
---
 src/netlink_netfilter.c             | 239 ++++++++++++++++++++++++++++
 src/xlat/nft_chain_attrs.in         |  15 ++
 src/xlat/nft_flowtable_attrs.in     |  10 ++
 src/xlat/nft_gen_attrs.in           |   6 +
 src/xlat/nft_obj_attrs.in           |  11 ++
 src/xlat/nft_rule_attrs.in          |  14 ++
 src/xlat/nft_set_attrs.in           |  21 +++
 src/xlat/nft_set_elem_list_attrs.in |   7 +
 src/xlat/nft_table_attrs.in         |  10 ++
 src/xlat/nft_trace_attrs.in         |  20 +++
 10 files changed, 353 insertions(+)
 create mode 100644 src/xlat/nft_chain_attrs.in
 create mode 100644 src/xlat/nft_flowtable_attrs.in
 create mode 100644 src/xlat/nft_gen_attrs.in
 create mode 100644 src/xlat/nft_obj_attrs.in
 create mode 100644 src/xlat/nft_rule_attrs.in
 create mode 100644 src/xlat/nft_set_attrs.in
 create mode 100644 src/xlat/nft_set_elem_list_attrs.in
 create mode 100644 src/xlat/nft_table_attrs.in
 create mode 100644 src/xlat/nft_trace_attrs.in

diff --git a/src/netlink_netfilter.c b/src/netlink_netfilter.c
index 45e3dcbb3..029a9bdf7 100644
--- a/src/netlink_netfilter.c
+++ b/src/netlink_netfilter.c
@@ -13,10 +13,241 @@
 #include <arpa/inet.h>
 #include "netlink.h"
 #include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nf_tables.h>
 
 #include "xlat/netfilter_versions.h"
 #include "xlat/nl_netfilter_msg_types.h"
 #include "xlat/nl_netfilter_subsys_ids.h"
+#include "xlat/nft_chain_attrs.h"
+#include "xlat/nft_flowtable_attrs.h"
+#include "xlat/nft_gen_attrs.h"
+#include "xlat/nft_obj_attrs.h"
+#include "xlat/nft_rule_attrs.h"
+#include "xlat/nft_set_attrs.h"
+#include "xlat/nft_set_elem_list_attrs.h"
+#include "xlat/nft_table_attrs.h"
+#include "xlat/nft_trace_attrs.h"
+
+struct nfta_decoder {
+	const struct xlat *xlat;
+	const char *dflt;
+	const nla_decoder_t *decoders;
+	unsigned int size;
+};
+
+static const nla_decoder_t nfta_table_decoders[] = {
+	[NFTA_TABLE_NAME]	= decode_nla_str,
+	[NFTA_TABLE_FLAGS]	= decode_nla_be32,
+	[NFTA_TABLE_USE]	= decode_nla_be32,
+	[NFTA_TABLE_HANDLE]	= decode_nla_be64,
+	[NFTA_TABLE_PAD]	= NULL,
+	[NFTA_TABLE_USERDATA]	= NULL,
+	[NFTA_TABLE_OWNER]	= decode_nla_be32,
+};
+
+static const struct nfta_decoder nfta_table_decoder = {
+	.xlat = nft_table_attrs,
+	.dflt = "NFTA_TABLE_???",
+	.decoders = nfta_table_decoders,
+	.size = ARRAY_SIZE(nfta_table_decoders),
+};
+
+static const nla_decoder_t nfta_chain_decoders[] = {
+	[NFTA_CHAIN_TABLE]	= decode_nla_str,
+	[NFTA_CHAIN_HANDLE]	= decode_nla_be64,
+	[NFTA_CHAIN_NAME]	= decode_nla_str,
+	[NFTA_CHAIN_HOOK]	= NULL, // TODO
+	[NFTA_CHAIN_POLICY]	= decode_nla_be32,
+	[NFTA_CHAIN_USE]	= decode_nla_be32,
+	[NFTA_CHAIN_TYPE]	= decode_nla_str,
+	[NFTA_CHAIN_COUNTERS]	= NULL, // TODO
+	[NFTA_CHAIN_PAD]	= NULL,
+	[NFTA_CHAIN_FLAGS]	= decode_nla_be32,
+	[NFTA_CHAIN_ID]		= decode_nla_be32,
+	[NFTA_CHAIN_USERDATA]	= NULL,
+};
+
+static const struct nfta_decoder nfta_chain_decoder = {
+	.xlat = nft_chain_attrs,
+	.dflt = "NFTA_CHAIN_???",
+	.decoders = nfta_chain_decoders,
+	.size = ARRAY_SIZE(nfta_chain_decoders),
+};
+
+static const nla_decoder_t nfta_rule_decoders[] = {
+	[NFTA_RULE_TABLE]	= decode_nla_str,
+	[NFTA_RULE_CHAIN]	= decode_nla_str,
+	[NFTA_RULE_HANDLE]	= decode_nla_be64,
+	[NFTA_RULE_EXPRESSIONS]	= NULL, // TODO
+	[NFTA_RULE_COMPAT]	= NULL, // TODO
+	[NFTA_RULE_POSITION]	= decode_nla_be64,
+	[NFTA_RULE_USERDATA]	= NULL,
+	[NFTA_RULE_PAD]		= NULL,
+	[NFTA_RULE_ID]		= decode_nla_be32,
+	[NFTA_RULE_POSITION_ID]	= decode_nla_be32,
+	[NFTA_RULE_CHAIN_ID]	= decode_nla_be32,
+};
+
+static const struct nfta_decoder nfta_rule_decoder = {
+	.xlat = nft_rule_attrs,
+	.dflt = "NFTA_RULE_???",
+	.decoders = nfta_rule_decoders,
+	.size = ARRAY_SIZE(nfta_rule_decoders),
+};
+
+static const nla_decoder_t nfta_set_decoders[] = {
+	[NFTA_SET_TABLE]	= decode_nla_str,
+	[NFTA_SET_NAME]		= decode_nla_str,
+	[NFTA_SET_FLAGS]	= decode_nla_be32,
+	[NFTA_SET_KEY_TYPE]	= decode_nla_be32,
+	[NFTA_SET_KEY_LEN]	= decode_nla_be32,
+	[NFTA_SET_DATA_TYPE]	= decode_nla_be32,
+	[NFTA_SET_DATA_LEN]	= decode_nla_be32,
+	[NFTA_SET_POLICY]	= decode_nla_be32,
+	[NFTA_SET_DESC]		= NULL, // TODO
+	[NFTA_SET_ID]		= decode_nla_be32,
+	[NFTA_SET_TIMEOUT]	= decode_nla_be64,
+	[NFTA_SET_GC_INTERVAL]	= decode_nla_be32,
+	[NFTA_SET_USERDATA]	= NULL,
+	[NFTA_SET_PAD]		= NULL,
+	[NFTA_SET_OBJ_TYPE]	= decode_nla_be32,
+	[NFTA_SET_HANDLE]	= decode_nla_be64,
+	[NFTA_SET_EXPR]		= NULL, // TODO
+	[NFTA_SET_EXPRESSIONS]	= NULL, // TODO
+};
+
+static const struct nfta_decoder nfta_set_decoder = {
+	.xlat = nft_set_attrs,
+	.dflt = "NFTA_SET_???",
+	.decoders = nfta_set_decoders,
+	.size = ARRAY_SIZE(nfta_set_decoders),
+};
+
+static const nla_decoder_t nfta_set_elem_list_decoders[] = {
+	[NFTA_SET_ELEM_LIST_TABLE]	= decode_nla_str,
+	[NFTA_SET_ELEM_LIST_SET]	= decode_nla_str,
+	[NFTA_SET_ELEM_LIST_ELEMENTS]	= NULL,
+	[NFTA_SET_ELEM_LIST_SET_ID]	= decode_nla_be32,
+};
+
+static const struct nfta_decoder nfta_setelem_decoder = {
+	.xlat = nft_set_elem_list_attrs,
+	.dflt = "NFTA_SET_ELEM_LIST_???",
+	.decoders = nfta_set_elem_list_decoders,
+	.size = ARRAY_SIZE(nfta_set_elem_list_decoders),
+};
+
+static const nla_decoder_t nfta_trace_decoders[] = {
+	[NFTA_TRACE_TABLE]		= decode_nla_str,
+	[NFTA_TRACE_CHAIN]		= decode_nla_str,
+	[NFTA_TRACE_RULE_HANDLE]	= decode_nla_be64,
+	[NFTA_TRACE_TYPE]		= decode_nla_be32,
+	[NFTA_TRACE_VERDICT]		= NULL, // TODO
+	[NFTA_TRACE_ID]			= decode_nla_u32,
+	[NFTA_TRACE_LL_HEADER]		= NULL,
+	[NFTA_TRACE_NETWORK_HEADER]	= NULL,
+	[NFTA_TRACE_TRANSPORT_HEADER]	= NULL,
+	[NFTA_TRACE_IIF]		= decode_nla_be32,
+	[NFTA_TRACE_IIFTYPE]		= decode_nla_be16,
+	[NFTA_TRACE_OIF]		= decode_nla_be32,
+	[NFTA_TRACE_OIFTYPE]		= decode_nla_be16,
+	[NFTA_TRACE_MARK]		= decode_nla_be32,
+	[NFTA_TRACE_NFPROTO]		= decode_nla_be32,
+	[NFTA_TRACE_POLICY]		= decode_nla_be32,
+	[NFTA_TRACE_PAD]		= NULL,
+};
+
+static const struct nfta_decoder nfta_trace_decoder = {
+	.xlat = nft_trace_attrs,
+	.dflt = "NFTA_TRACE_???",
+	.decoders = nfta_trace_decoders,
+	.size = ARRAY_SIZE(nfta_trace_decoders),
+};
+
+static const nla_decoder_t nfta_gen_decoders[] = {
+	[NFTA_GEN_ID]		= decode_nla_be32,
+	[NFTA_GEN_PROC_PID]	= decode_nla_be32,
+	[NFTA_GEN_PROC_NAME]	= decode_nla_str,
+};
+
+static const struct nfta_decoder nfta_gen_decoder = {
+	.xlat = nft_gen_attrs,
+	.dflt = "NFTA_GEN_???",
+	.decoders = nfta_gen_decoders,
+	.size = ARRAY_SIZE(nfta_gen_decoders),
+};
+
+static const nla_decoder_t nfta_obj_decoders[] = {
+	[NFTA_OBJ_TABLE]	= decode_nla_str,
+	[NFTA_OBJ_NAME]		= decode_nla_str,
+	[NFTA_OBJ_TYPE]		= decode_nla_be32,
+	[NFTA_OBJ_DATA]		= NULL,
+	[NFTA_OBJ_USE]		= decode_nla_be32,
+	[NFTA_OBJ_HANDLE]	= decode_nla_be64,
+	[NFTA_OBJ_PAD]		= NULL,
+	[NFTA_OBJ_USERDATA]	= NULL,
+};
+
+static const struct nfta_decoder nfta_obj_decoder = {
+	.xlat = nft_obj_attrs,
+	.dflt = "NFTA_OBJ_???",
+	.decoders = nfta_obj_decoders,
+	.size = ARRAY_SIZE(nfta_obj_decoders),
+};
+
+static const nla_decoder_t nfta_flowtable_decoders[] = {
+	[NFTA_FLOWTABLE_TABLE]	= decode_nla_str,
+	[NFTA_FLOWTABLE_NAME]	= decode_nla_str,
+	[NFTA_FLOWTABLE_HOOK]	= NULL,
+	[NFTA_FLOWTABLE_USE]	= decode_nla_be32,
+	[NFTA_FLOWTABLE_HANDLE]	= decode_nla_be64,
+	[NFTA_FLOWTABLE_PAD]	= NULL,
+	[NFTA_FLOWTABLE_FLAGS]	= decode_nla_be32,
+};
+
+static const struct nfta_decoder nfta_flowtable_decoder = {
+	.xlat = nft_flowtable_attrs,
+	.dflt = "NFTA_FLOWTABLE_???",
+	.decoders = nfta_flowtable_decoders,
+	.size = ARRAY_SIZE(nfta_flowtable_decoders),
+};
+
+static const struct nfta_decoder *decoders[NFT_MSG_MAX] = {
+	[NFT_MSG_NEWTABLE]		= &nfta_table_decoder,
+	[NFT_MSG_GETTABLE]		= &nfta_table_decoder,
+	[NFT_MSG_DELTABLE]		= &nfta_table_decoder,
+	[NFT_MSG_NEWCHAIN]		= &nfta_chain_decoder,
+	[NFT_MSG_GETCHAIN]		= &nfta_chain_decoder,
+	[NFT_MSG_DELCHAIN]		= &nfta_chain_decoder,
+	[NFT_MSG_NEWRULE]		= &nfta_rule_decoder,
+	[NFT_MSG_GETRULE]		= &nfta_rule_decoder,
+	[NFT_MSG_DELRULE]		= &nfta_rule_decoder,
+	[NFT_MSG_NEWSET]		= &nfta_set_decoder,
+	[NFT_MSG_GETSET]		= &nfta_set_decoder,
+	[NFT_MSG_DELSET]		= &nfta_set_decoder,
+	[NFT_MSG_NEWSETELEM]		= &nfta_setelem_decoder,
+	[NFT_MSG_GETSETELEM]		= &nfta_setelem_decoder,
+	[NFT_MSG_DELSETELEM]		= &nfta_setelem_decoder,
+	[NFT_MSG_NEWGEN]		= &nfta_gen_decoder,
+	[NFT_MSG_GETGEN]		= &nfta_gen_decoder,
+	[NFT_MSG_TRACE]			= &nfta_trace_decoder,
+	[NFT_MSG_NEWOBJ]		= &nfta_obj_decoder,
+	[NFT_MSG_GETOBJ]		= &nfta_obj_decoder,
+	[NFT_MSG_DELOBJ]		= &nfta_obj_decoder,
+	[NFT_MSG_GETOBJ_RESET]		= &nfta_obj_decoder,
+	[NFT_MSG_NEWFLOWTABLE]		= &nfta_flowtable_decoder,
+	[NFT_MSG_GETFLOWTABLE]		= &nfta_flowtable_decoder,
+	[NFT_MSG_DELFLOWTABLE]		= &nfta_flowtable_decoder,
+	[NFT_MSG_GETRULE_RESET]		= &nfta_rule_decoder,
+	[NFT_MSG_DESTROYTABLE]		= &nfta_table_decoder,
+	[NFT_MSG_DESTROYCHAIN]		= &nfta_chain_decoder,
+	[NFT_MSG_DESTROYRULE]		= &nfta_rule_decoder,
+	[NFT_MSG_DESTROYSET]		= &nfta_set_decoder,
+	[NFT_MSG_DESTROYSETELEM]	= &nfta_setelem_decoder,
+	[NFT_MSG_DESTROYOBJ]		= &nfta_obj_decoder,
+	[NFT_MSG_DESTROYFLOWTABLE]	= &nfta_flowtable_decoder,
+	[NFT_MSG_GETSETELEM_RESET]	= &nfta_setelem_decoder,
+};
 
 bool
 decode_netlink_netfilter(struct tcb *const tcp,
@@ -33,6 +264,7 @@ decode_netlink_netfilter(struct tcb *const tcp,
 		printstr_ex(tcp, addr, len, QUOTE_FORCE_HEX);
 	else if (!umove_or_printaddr(tcp, addr, &nfmsg)) {
 		const uint8_t subsys_id = (uint8_t) (nlmsghdr->nlmsg_type >> 8);
+		const uint8_t msg_type = NFNL_MSG_TYPE(nlmsghdr->nlmsg_type);
 		uint16_t res_id = ntohs(nfmsg.res_id);
 
 		tprint_struct_begin();
@@ -71,6 +303,13 @@ decode_netlink_netfilter(struct tcb *const tcp,
 			    || nlmsghdr->nlmsg_type < NLMSG_MIN_TYPE)
 				printstr_ex(tcp, addr + offset,
 					    len - offset, QUOTE_FORCE_HEX);
+			else if (msg_type < ARRAY_SIZE(decoders) &&
+				 decoders[msg_type])
+				decode_nlattr(tcp, addr + offset, len - offset,
+					      decoders[msg_type]->xlat,
+					      decoders[msg_type]->dflt,
+					      decoders[msg_type]->decoders,
+					      decoders[msg_type]->size, NULL);
 			else
 				decode_nlattr(tcp, addr + offset, len - offset,
 					      NULL, NULL, NULL, 0, NULL);
diff --git a/src/xlat/nft_chain_attrs.in b/src/xlat/nft_chain_attrs.in
new file mode 100644
index 000000000..fb9dc1749
--- /dev/null
+++ b/src/xlat/nft_chain_attrs.in
@@ -0,0 +1,15 @@
+#unconditional
+#value_indexed
+NFTA_CHAIN_UNSPEC
+NFTA_CHAIN_TABLE
+NFTA_CHAIN_HANDLE
+NFTA_CHAIN_NAME
+NFTA_CHAIN_HOOK
+NFTA_CHAIN_POLICY
+NFTA_CHAIN_USE
+NFTA_CHAIN_TYPE
+NFTA_CHAIN_COUNTERS
+NFTA_CHAIN_PAD
+NFTA_CHAIN_FLAGS
+NFTA_CHAIN_ID
+NFTA_CHAIN_USERDATA
diff --git a/src/xlat/nft_flowtable_attrs.in b/src/xlat/nft_flowtable_attrs.in
new file mode 100644
index 000000000..b2080a100
--- /dev/null
+++ b/src/xlat/nft_flowtable_attrs.in
@@ -0,0 +1,10 @@
+#unconditional
+#value_indexed
+NFTA_FLOWTABLE_UNSPEC
+NFTA_FLOWTABLE_TABLE
+NFTA_FLOWTABLE_NAME
+NFTA_FLOWTABLE_HOOK
+NFTA_FLOWTABLE_USE
+NFTA_FLOWTABLE_HANDLE
+NFTA_FLOWTABLE_PAD
+NFTA_FLOWTABLE_FLAGS
diff --git a/src/xlat/nft_gen_attrs.in b/src/xlat/nft_gen_attrs.in
new file mode 100644
index 000000000..c38265367
--- /dev/null
+++ b/src/xlat/nft_gen_attrs.in
@@ -0,0 +1,6 @@
+#unconditional
+#value_indexed
+NFTA_GEN_UNSPEC
+NFTA_GEN_ID
+NFTA_GEN_PROC_PID
+NFTA_GEN_PROC_NAME
diff --git a/src/xlat/nft_obj_attrs.in b/src/xlat/nft_obj_attrs.in
new file mode 100644
index 000000000..089411d2d
--- /dev/null
+++ b/src/xlat/nft_obj_attrs.in
@@ -0,0 +1,11 @@
+#unconditional
+#value_indexed
+NFTA_OBJ_UNSPEC
+NFTA_OBJ_TABLE
+NFTA_OBJ_NAME
+NFTA_OBJ_TYPE
+NFTA_OBJ_DATA
+NFTA_OBJ_USE
+NFTA_OBJ_HANDLE
+NFTA_OBJ_PAD
+NFTA_OBJ_USERDATA
diff --git a/src/xlat/nft_rule_attrs.in b/src/xlat/nft_rule_attrs.in
new file mode 100644
index 000000000..c0d5cba1b
--- /dev/null
+++ b/src/xlat/nft_rule_attrs.in
@@ -0,0 +1,14 @@
+#unconditional
+#value_indexed
+NFTA_RULE_UNSPEC
+NFTA_RULE_TABLE
+NFTA_RULE_CHAIN
+NFTA_RULE_HANDLE
+NFTA_RULE_EXPRESSIONS
+NFTA_RULE_COMPAT
+NFTA_RULE_POSITION
+NFTA_RULE_USERDATA
+NFTA_RULE_PAD
+NFTA_RULE_ID
+NFTA_RULE_POSITION_ID
+NFTA_RULE_CHAIN_ID
diff --git a/src/xlat/nft_set_attrs.in b/src/xlat/nft_set_attrs.in
new file mode 100644
index 000000000..b1fea05cc
--- /dev/null
+++ b/src/xlat/nft_set_attrs.in
@@ -0,0 +1,21 @@
+#unconditional
+#value_indexed
+NFTA_SET_UNSPEC
+NFTA_SET_TABLE
+NFTA_SET_NAME
+NFTA_SET_FLAGS
+NFTA_SET_KEY_TYPE
+NFTA_SET_KEY_LEN
+NFTA_SET_DATA_TYPE
+NFTA_SET_DATA_LEN
+NFTA_SET_POLICY
+NFTA_SET_DESC
+NFTA_SET_ID
+NFTA_SET_TIMEOUT
+NFTA_SET_GC_INTERVAL
+NFTA_SET_USERDATA
+NFTA_SET_PAD
+NFTA_SET_OBJ_TYPE
+NFTA_SET_HANDLE
+NFTA_SET_EXPR
+NFTA_SET_EXPRESSIONS
diff --git a/src/xlat/nft_set_elem_list_attrs.in b/src/xlat/nft_set_elem_list_attrs.in
new file mode 100644
index 000000000..b8a48c91c
--- /dev/null
+++ b/src/xlat/nft_set_elem_list_attrs.in
@@ -0,0 +1,7 @@
+#unconditional
+#value_indexed
+NFTA_SET_ELEM_LIST_UNSPEC
+NFTA_SET_ELEM_LIST_TABLE
+NFTA_SET_ELEM_LIST_SET
+NFTA_SET_ELEM_LIST_ELEMENTS
+NFTA_SET_ELEM_LIST_SET_ID
diff --git a/src/xlat/nft_table_attrs.in b/src/xlat/nft_table_attrs.in
new file mode 100644
index 000000000..c1d84d1f6
--- /dev/null
+++ b/src/xlat/nft_table_attrs.in
@@ -0,0 +1,10 @@
+#unconditional
+#value_indexed
+NFTA_TABLE_UNSPEC
+NFTA_TABLE_NAME
+NFTA_TABLE_FLAGS
+NFTA_TABLE_USE
+NFTA_TABLE_HANDLE
+NFTA_TABLE_PAD
+NFTA_TABLE_USERDATA
+NFTA_TABLE_OWNER
diff --git a/src/xlat/nft_trace_attrs.in b/src/xlat/nft_trace_attrs.in
new file mode 100644
index 000000000..6d7869378
--- /dev/null
+++ b/src/xlat/nft_trace_attrs.in
@@ -0,0 +1,20 @@
+#unconditional
+#value_indexed
+NFTA_TRACE_UNSPEC
+NFTA_TRACE_TABLE
+NFTA_TRACE_CHAIN
+NFTA_TRACE_RULE_HANDLE
+NFTA_TRACE_TYPE
+NFTA_TRACE_VERDICT
+NFTA_TRACE_ID
+NFTA_TRACE_LL_HEADER
+NFTA_TRACE_NETWORK_HEADER
+NFTA_TRACE_TRANSPORT_HEADER
+NFTA_TRACE_IIF
+NFTA_TRACE_IIFTYPE
+NFTA_TRACE_OIF
+NFTA_TRACE_OIFTYPE
+NFTA_TRACE_MARK
+NFTA_TRACE_NFPROTO
+NFTA_TRACE_POLICY
+NFTA_TRACE_PAD
-- 
2.47.2

More information about the Strace-devel mailing list