From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Thomas Haller <thaller@redhat.com>
Subject: [nf-next PATCH 0/5] Dynamic hook interface binding
Date: Fri, 3 May 2024 21:50:40 +0200 [thread overview]
Message-ID: <20240503195045.6934-1-phil@nwl.cc> (raw)
Currently, netdev-family chains and flowtables expect their interfaces
to exist at creation time. In practice, this bites users of virtual
interfaces if these happen to be created after the nftables service
starts up and loads the stored ruleset.
Vice-versa, if an interface disappears at run-time (via module unloading
or 'ip link del'), it also disappears from the ruleset, along with the
chain and its rules which binds to it. This is at least problematic for
setups which store the running ruleset during system shutdown.
This series attempts to solve these problems by effectively making
netdev hooks name-based: If no matching interface is found at hook
creation time, it will be inactive until a matching interface appears.
If a bound interface is renamed, a matching inactive hook is searched
for it.
Ruleset dumps will stabilize in that regard. To still provide
information about which existing interfaces a chain/flowtable currently
binds to, new netlink attributes *_ACT_DEVS are introduced which are
filled from the active hooks only.
This series is also prep work for a simple ildcard interface binding
similar to the wildcard interface matching in meta expression. It should
suffice to turn struct nft_hook::ops into an array of all matching
interfaces, but the respective code does not exist yet.
Phil Sutter (5):
netfilter: nf_tables: Store user-defined hook ifname
netfilter: nf_tables: Relax hook interface binding
netfilter: nf_tables: Report active interfaces to user space
netfilter: nf_tables: Dynamic hook interface binding
netfilter: nf_tables: Correctly handle NETDEV_RENAME events
include/net/netfilter/nf_tables.h | 4 +-
include/uapi/linux/netfilter/nf_tables.h | 6 +-
net/netfilter/nf_tables_api.c | 185 +++++++++++++++--------
net/netfilter/nft_chain_filter.c | 70 +++++----
4 files changed, 172 insertions(+), 93 deletions(-)
--
2.43.0
next reply other threads:[~2024-05-03 19:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 19:50 Phil Sutter [this message]
2024-05-03 19:50 ` [nf-next PATCH 1/5] netfilter: nf_tables: Store user-defined hook ifname Phil Sutter
2024-05-03 19:50 ` [nf-next PATCH 2/5] netfilter: nf_tables: Relax hook interface binding Phil Sutter
2024-05-03 19:50 ` [nf-next PATCH 3/5] netfilter: nf_tables: Report active interfaces to user space Phil Sutter
2024-05-03 19:50 ` [nf-next PATCH 4/5] netfilter: nf_tables: Dynamic hook interface binding Phil Sutter
2024-05-03 19:50 ` [nf-next PATCH 5/5] netfilter: nf_tables: Correctly handle NETDEV_RENAME events Phil Sutter
2024-05-10 0:13 ` [nf-next PATCH 0/5] Dynamic hook interface binding Pablo Neira Ayuso
2024-05-15 12:30 ` Phil Sutter
2024-05-15 13:24 ` Florian Westphal
2024-05-15 15:32 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240503195045.6934-1-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=thaller@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).