netfilter: make nftables drops visible in net dropmonitor

net_dropmonitor blames core.c:nf_hook_slow. Add NF_DROP_REASON() helper and use it in nft_do_chain(). The helper releases the skb, so exact drop location becomes available. Calling code will observe the NF_STOLEN verdict instead. Adjust nf_hook_slow so we can embed an erro value wih NF_STOLEN verdicts, just like we do for NF_DROP. After this, drop in nftables can be pinpointed to a drop due to a rule or the chain policy. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2023-10-11 09:59:38 +0200
committer: Florian Westphal <fw@strlen.de> 2023-10-18 10:26:43 +0200
commit: e0d4593140b01b8da513a0c88c26da28b4906413 (patch)
tree: 38aa2be18abfbdb974535a1530910a8b6c25cca2 /include/linux/netfilter.h
parent: 35c038b0a4be197679deefaf96998241cb7efc88 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d68644b7c299..80900d910992 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -22,6 +22,16 @@ static inline int NF_DROP_GETERR(int verdict)
 	return -(verdict >> NF_VERDICT_QBITS);
 }
 
+static __always_inline int
+NF_DROP_REASON(struct sk_buff *skb, enum skb_drop_reason reason, u32 err)
+{
+	BUILD_BUG_ON(err > 0xffff);
+
+	kfree_skb_reason(skb, reason);
+
+	return ((err << 16) | NF_STOLEN);
+}
+
 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
 				   const union nf_inet_addr *a2)
 {
author	Florian Westphal <fw@strlen.de>	2023-10-11 09:59:38 +0200
committer	Florian Westphal <fw@strlen.de>	2023-10-18 10:26:43 +0200
commit	e0d4593140b01b8da513a0c88c26da28b4906413 (patch)
tree	38aa2be18abfbdb974535a1530910a8b6c25cca2 /include/linux/netfilter.h
parent	35c038b0a4be197679deefaf96998241cb7efc88 (diff)