
Better visibility into packet-dropping decisions

Posted Feb 25, 2022 20:29 UTC (Fri) by atnot (subscriber, #124910)
Parent article: Better visibility into packet-dropping decisions

Has this been considered for other things too? I regularly find myself wishing something like this existed for figuring out which of the many mechanisms an EPERM/EACCES was caused by (unix permissions, acl, selinux and other LSMs, file systems, dm layers, cgroups, namespaces, seccomp, capabilities, API misuse, ...)



Better visibility into packet-dropping decisions

Posted Feb 26, 2022 2:04 UTC (Sat) by shemminger (subscriber, #5739) [Link] (2 responses)

Netlink was enhanced to provide error messages (not just errno).
Many places have it, but lots still need work -- volunteers wanted.

Better visibility into packet-dropping decisions

Posted Feb 26, 2022 5:52 UTC (Sat) by tititou (subscriber, #75162) [Link] (1 responses)

Hi,
Can you provide a link or an example about it?

Better visibility into packet-dropping decisions

Posted Feb 26, 2022 19:03 UTC (Sat) by johill (subscriber, #25196) [Link]

Check out commit 2d4bc93368f5a ("netlink: extended ACK reporting") which added the bare minimum infrastructure a long time ago, and you can find many users of NL_SET_ERR_MSG/GENL_SET_ERR_MSG (and similar macros) these days.

It supports reporting a string (error message), a pointer to a bad attribute, and if NL_SET_ERR_MSG_ATTR_POL was used (which it is in the general policy-based parsing) will even return the policy for the attribute back to userspace to explain why the attribute failed (e.g. if it's NLA_RANGE(U32, 1,2) and you gave a value 3).
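
As an added illustration that is not part of the thread or of the kernel sources, the following C sketch shows how a userspace tool could decode the extended ACK described above: it walks the TLVs that follow an NLMSG_ERROR reply and extracts the error string and the offset of the offending attribute (the nested policy attribute is skipped). The constants repeat values from the uapi header linux/netlink.h; `struct extack`, `parse_extack`, `HDR`, `ALIGN4` and the sample bytes are constructed for this example and assume a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in linux/netlink.h, repeated so this builds anywhere; HDR = sizeof(struct nlmsghdr). */
enum { NLMSG_ERROR = 2, NLM_F_CAPPED = 0x100, NLM_F_ACK_TLVS = 0x200,
       NLMSGERR_ATTR_MSG = 1, NLMSGERR_ATTR_OFFS = 2, HDR = 16 };
#define ALIGN4(n) (((n) + 3u) & ~3u)

/* Hypothetical result type for this example. */
struct extack { int32_t error; int has_offset; uint32_t bad_offset; char msg[128]; };

/* Parse one NLMSG_ERROR reply (host byte order); 0 on success, -1 if malformed. */
int parse_extack(const uint8_t *buf, size_t len, struct extack *out)
{
    uint32_t msglen, reqlen; uint16_t type, flags;
    memset(out, 0, sizeof(*out));
    if (len < HDR + 4 + HDR) return -1;            /* header, errno, echoed header */
    memcpy(&msglen, buf, 4); memcpy(&type, buf + 4, 2); memcpy(&flags, buf + 6, 2);
    if (type != NLMSG_ERROR || msglen > len || msglen < HDR + 4 + HDR) return -1;
    memcpy(&out->error, buf + HDR, 4);
    if (!(flags & NLM_F_ACK_TLVS)) return 0;       /* old-style reply: errno only */
    memcpy(&reqlen, buf + HDR + 4, 4);
    if (reqlen < HDR || reqlen > msglen) return -1;
    /* Unless the reply is capped, the whole request is echoed before the TLVs. */
    size_t off = HDR + 4 + ((flags & NLM_F_CAPPED) ? HDR : ALIGN4(reqlen));
    while (off + 4 <= msglen) {
        uint16_t alen, atype;
        memcpy(&alen, buf + off, 2); memcpy(&atype, buf + off + 2, 2);
        if (alen < 4 || off + alen > msglen) return -1;   /* attribute overruns message */
        size_t plen = alen - 4u;
        if (atype == NLMSGERR_ATTR_MSG) {                 /* human-readable reason */
            if (plen >= sizeof(out->msg)) plen = sizeof(out->msg) - 1;
            memcpy(out->msg, buf + off + 4, plen); out->msg[plen] = '\0';
        } else if (atype == NLMSGERR_ATTR_OFFS && plen == 4) { /* offset of bad attribute */
            memcpy(&out->bad_offset, buf + off + 4, 4); out->has_offset = 1;
        }
        off += ALIGN4(alen);
    }
    return 0;
}
/* Constructed sample reply, little-endian host: -EINVAL, a message, offset 20. */
static const uint8_t sample[] = {
    68,0,0,0, 2,0, 0x00,0x03, 1,0,0,0, 0,0,0,0,   /* nlmsghdr: len 68, CAPPED|ACK_TLVS */
    0xea,0xff,0xff,0xff,                          /* error = -22 */
    28,0,0,0, 16,0, 5,0, 1,0,0,0, 0,0,0,0,        /* echoed request header */
    23,0, 1,0, 'v','a','l','u','e',' ','o','u','t',' ','o','f',' ','r','a','n','g','e',0, 0,
    8,0, 2,0, 20,0,0,0 };

int main(void) { struct extack e; int rc = parse_extack(sample, sizeof sample, &e);
    printf("rc=%d errno=%d offs=%u msg=%s\n", rc, -e.error, e.bad_offset, e.msg); return rc; }
```

On a live socket the kernel appends these TLVs only after the program has enabled the NETLINK_EXT_ACK socket option.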

return -Exxxxx;

Posted Feb 26, 2022 15:20 UTC (Sat) by jreiser (subscriber, #11027) [Link] (4 responses)

There is a need for a facility to locate at run time every failed subroutine call. The source code can be edited with sed so that return -Exxxxx; becomes return ErrorCode(Exxxxx); with a default macro definition something like
     #ifndef ErrorCode
     #define ErrorCode(errnum) -(errnum)
     #endif
Then the determined investigator can re-compile selected source files with something like
     #define ErrorCode(errnum) myErrorDiagnostic(errnum, __builtin_return_address(0), __FUNCTION__, __LINE__)
and supply a definition for the added subroutine myErrorDiagnostic. Of course there are a handful of cases where error numbers are variables or the syntax is complex, and also a few places where simple automated editing fails. Rate limiting the reporting can be a problem. But I did this once, and got the answer I wanted.

return -Exxxxx;

Posted Feb 26, 2022 19:05 UTC (Sat) by johill (subscriber, #25196) [Link] (2 responses)

In most files you can even just
     #define EINVAL ({printk(...); 22;})
if you really want :-)

return -Exxxxx;

Posted Feb 27, 2022 3:21 UTC (Sun) by roc (subscriber, #30627) [Link] (1 responses)

That would surely fail to build with EINVAL being used in a case label.

return -Exxxxx;

Posted Feb 27, 2022 9:17 UTC (Sun) by jengelh (subscriber, #33263) [Link]

Good thing the main kernel has just two `case EINVAL` across its ~30 million lines.

return -Exxxxx;

Posted Mar 11, 2022 8:44 UTC (Fri) by njs (guest, #40338) [Link]

Someone actually implemented this and released the patches so you can too:

https://github.com/nviennot/linux-trace-error

