The netfilter hook mechanism is a legacy linux kernel mechanism that (in the absence of tracepoints) could be an attractive alternative to kprobes for monitoring or even manipulating network traffic. See <linux/netfilter.h>, net/netfilter/core.c nf_iterate(). Possible basic probe point syntax: probe netfilter.hook { do_something_with ($skb, $in, $out) # dunno what to do with $okfn $verdict = NF_DROP } With extensions expressed as filters on those $values possibly expressed as: probe netfilter.hook.sk_family("PF_INET").indev("eth0").outdev("eth0") { do_something_with ($skb) $verdict = NF_QUEUE|nf_queue_number(4) }
The code that's in git now seems to be roughly working. Missing bits: - possible extension to pf/hook supported tuples for netfilter_arp.h, netfilter_bridge.h, tweak netfilter_ipv6.h - documentation (new section in stapprobes.5.in) - tapset functions to extract data from the given skb, like IP addresses - semok / semko testcases to check pf/hook/prio sanity checking, including -g - sample under testsuite/systemtap.examples
Basic functionality has been exposed in netfilter.stp. Remaining: - ipv6 protocol header extraction (see http://sourceware.org/bugzilla/show_bug.cgi?id=14165) - arp/bridge protocol header extraction (see http://sourceware.org/bugzilla/show_bug.cgi?id=14164) Once PR10602 and/or PR11207 are resolved, we will also have to revisit netfilter.stp to clean up the code.
(In reply to comment #2) > Once PR10602 and/or PR11207 are resolved, we will also have to revisit > netfilter.stp to clean up the code. Sorry, that should have been "PR10607 and/or PR11207".
Collaboratively implemented with a number of commits from 92318adced7 through 5aa9ca3882