netfilter: add new hook nfnl subsystem

This nfnl subsystem allows to dump the list of all active netfiler hooks, e.g. defrag, conntrack, nf/ip/arp/ip6tables and so on. This helps to see what kind of features are currently enabled in the network stack. Sample output from nft tool using this infra: $ nft list hook ip input family ip hook input { +0000000010 nft_do_chain_inet [nf_tables] # nft table firewalld INPUT +0000000100 nf_nat_ipv4_local_in [nf_nat] +2147483647 ipv4_confirm [nf_conntrack] } Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2021-06-04 12:27:07 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-07 12:41:10 +0200
commit: e2cf17d3774c323ef6dab6e9f7c0cfc5e742afd9 (patch)
tree: df417e59ee44a55fba64916b025486feb12090b0 /net/netfilter/Kconfig
parent: 7b4b2fa37587394fb89fa51a4bea0820a1b37a5d (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 172d74560632..c81321372198 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -19,6 +19,15 @@ config NETFILTER_FAMILY_BRIDGE
 config NETFILTER_FAMILY_ARP
 	bool
 
+config NETFILTER_NETLINK_HOOK
+	tristate "Netfilter base hook dump support"
+	depends on NETFILTER_ADVANCED
+	select NETFILTER_NETLINK
+	help
+	  If this option is enabled, the kernel will include support
+	  to list the base netfilter hooks via NFNETLINK.
+	  This is helpful for debugging.
+
 config NETFILTER_NETLINK_ACCT
 	tristate "Netfilter NFACCT over NFNETLINK interface"
 	depends on NETFILTER_ADVANCED
author	Florian Westphal <fw@strlen.de>	2021-06-04 12:27:07 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-07 12:41:10 +0200
commit	e2cf17d3774c323ef6dab6e9f7c0cfc5e742afd9 (patch)
tree	df417e59ee44a55fba64916b025486feb12090b0 /net/netfilter/Kconfig
parent	7b4b2fa37587394fb89fa51a4bea0820a1b37a5d (diff)