From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, Phil Sutter <phil@nwl.cc>
Subject: Re: [PATCH nft 1/4] doc: add documentation about list hooks feature
Date: Mon, 29 Jul 2024 01:37:36 +0200
Message-ID: <20240728233736.GA31560@breakpoint.cc>
In-Reply-To: <ZqbR0yOY87wI0VoS@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Not really, why would eth0 and eth1 be related here?
>
> Note that you can specify:
>
> list hooks ip device enp0s25
>
> this shows the hooks that will be exercised for a given packet family,
> ie. IPv4 packets will exercise the following hooks.
>
> family ip {
>   hook ingress {
>     0000000000 chain netdev x y [nf_tables]
>   }
>   hook prerouting {
>     -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
>     -0000000200 ipv4_conntrack_in [nf_conntrack]
>   }
>   hook input {
>     0000000000 chain ip filter in [nf_tables]
>     +2147483647 nf_confirm [nf_conntrack]
>   }
>   hook forward {
>     -0000000225 selinux_ip_forward
>   }
>   hook output {
>     -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
>     -0000000225 selinux_ip_output
>     -0000000200 ipv4_conntrack_local [nf_conntrack]
>   }
>   hook postrouting {
>     +0000000225 selinux_ip_postroute
>     +2147483647 nf_confirm [nf_conntrack]
>   }
> }
>
> This is _not_ showing the list of hooks for a given family.
I now realize that what's in the tree today is not what I wrote originally.
So this is neither showing the hooks that will be exercised (packet
can't be input and forward...). But ok. I don't know what to do now.
> What I meant is that user could filter out by ingress and egress
> device to fetch the hooks that are traversed in such case, ie.
>
> list hooks ip iifname eth0 oifname eth1
>
> to get the traversal of hooks for IPv4 packets, assuming eth0 as
> ingress device and eth1 as egress device.
No idea how to make this, or I fail to understand.
> > What would make more sense to me is to allow
> >
> > list hooks netdev
> >
> > and then have nft fetch list of all network devices and then query them
> > all.
>
> Makes sense, it currently fails with EINVAL because no device has been
> specified.
I'll try to add it, but I don't know if I should toss these patches
first or not :/
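As an added example (not part of this thread or of nft itself), a small parser for the `list hooks` output format quoted above, plus an audit that flags hook priorities listed out of ascending order and hook functions outside an assumed allow-list of expected modules. The allow-list and the audit rules are my assumptions for illustration; the sample input is the thread's own output, trimmed.

```python
import re

# "nft list hooks ip device enp0s25" output as quoted in the thread (trimmed).
SAMPLE = """\
family ip {
  hook ingress {
    0000000000 chain netdev x y [nf_tables]
  }
  hook prerouting {
    -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
    -0000000200 ipv4_conntrack_in [nf_conntrack]
  }
  hook input {
    0000000000 chain ip filter in [nf_tables]
    +2147483647 nf_confirm [nf_conntrack]
  }
  hook forward {
    -0000000225 selinux_ip_forward
  }
}
"""

HOOK_RE = re.compile(r"^hook (\S+) \{$")
# signed, zero-padded priority; hook name; optional "[module]" suffix
ENTRY_RE = re.compile(r"^([+-]?\d+) (.+?)(?: \[(\S+)\])?$")

def parse_hooks(text):
    """Return {hook: [(priority, name, module_or_None), ...]} in listed order."""
    hooks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            current = m.group(1)
            hooks[current] = []
        elif current and (m := ENTRY_RE.match(line)):
            prio, name, mod = m.groups()
            hooks[current].append((int(prio), name, mod))
        elif line == "}":
            current = None
    return hooks

def audit(hooks, expected=("nf_tables", "nf_conntrack", "nf_defrag_ipv4")):
    """Assumed audit rules: the kernel runs hook functions lowest priority
    first, so a non-ascending listing is suspicious; and report any hook
    function whose module is not in the allow-list (or shows no module)."""
    findings = []
    for hook, entries in hooks.items():
        prios = [p for p, _, _ in entries]
        if prios != sorted(prios):
            findings.append(f"{hook}: priorities not ascending {prios}")
        for prio, name, mod in entries:
            if mod not in expected:
                findings.append(f"{hook}: {name} ({mod or 'no module'}) at {prio}")
    return findings
```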