From: Patrick Schaaf <netdev@bof.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
	Netfilter Development Mailing list
	<netfilter-devel@vger.kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [nf_tables] suggestion: system-wide sets
Date: Mon, 03 Mar 2014 11:32:14 +0100
Message-ID: <4515053.884CkpCZ1T@rofl>
In-Reply-To: <20140227140230.GA18385@macbook.localnet>

On Thursday 27 February 2014 14:02:30 Patrick McHardy wrote:

> Yeah, I agree. I think family wide sets and global (AF_UNSPEC) sets should
> be quite easy to add. However there's the question how to expose them
> in the nft list table output. The idea is to be able to recreate the
> current ruleset, including sets and elements, by parsing the output of
> nft list table. If we don't include sets, the user will have to separately
> save and restore them. OTOH if we simply include global and AF-specific
> sets, they will be restored once for each table and this will fail on
> the second table.
> 
> Any other ideas?

First of all I'd like to note that this needs-separate-saving is exactly the 
situation we have right now with ipset, so it is not something totally 
unknown. Recreating a table that references nonexisting global sets would 
fail, just like loading / restoring iptables rules that reference nonexisting 
ipsets fails right now.

Alternatively - but I'm not sure how good an idea that would be - couldn't 
such nonexisting set references somehow create "forward declarations" to 
permit loading in any order, and treat as-yet-undefined sets as empty?

An additional issue that I imagine we'd have, is set names clashing between 
global and per-table sets. To this end, maybe it would be useful to have a 
syntactic means to differentiate the two cases when referencing sets. Maybe 
append a second '@' to reference global sets?

nft add rule ip input ip saddr @sharedset@

Rule listing could be a bit flexible when just a plain set name is given, 
showing per-table or global sets as they exist.

Just some thoughts I have on the issue, looking from the outside. Use as you 
see fit :)

best regards
  Patrick
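The three points raised in this thread (a dump that repeats a global set under every table fails on the second table, per-table and global set names can clash, and "forward declarations" would let rules load before the sets they reference) can be modelled in a few lines. The following is an added example, not code from nftables or from either poster. It assumes the syntax proposed in the message above ('@name' for a set in the current table, '@name@' for a global set); the dump format, the strict/tolerant restore switch and the forward-declaration flag are hypothetical constructs of the example.

```python
# Toy model of the set-scoping proposal discussed in this thread (added example,
# not nftables code). Assumed syntax from the message: '@name' = set in the
# current table, '@name@' = global set. The dump format, the strict/tolerant
# switch and the forward_declare flag are hypothetical and exist only here.

class SetStore:
    def __init__(self):
        self.global_sets = {}          # name -> set of elements
        self.table_sets = {}           # table -> {name -> set of elements}
        self.forward_declared = set()  # (table or None, name) created by a reference

    def _scope(self, table):
        return self.global_sets if table is None else self.table_sets.setdefault(table, {})

    def define(self, table, name, elements, strict=True):
        """Create a set; table=None means global. A duplicate definition fails
        when strict (the 'fails on the second table' case from the quoted mail);
        a forward-declared placeholder is filled in place so rules that already
        point at it see the elements."""
        scope, key = self._scope(table), (table, name)
        if key in self.forward_declared:
            scope[name].update(elements)
            self.forward_declared.discard(key)
            return True
        if name in scope:
            if strict:
                raise KeyError(f"set {name!r} already exists in {table or 'global'}")
            return False               # tolerant restore: keep the first copy
        scope[name] = set(elements)
        return True

    def resolve(self, table, ref, forward_declare=False):
        """Resolve a set reference used by a rule of `table` to its live set."""
        if not ref.startswith('@') or len(ref) < 2:
            raise ValueError(f"bad set reference {ref!r}")
        if ref.endswith('@') and len(ref) > 2:    # '@name@': global scope only
            name, scope, key = ref[1:-1], self.global_sets, (None, ref[1:-1])
        else:                                      # '@name': this table only
            name, scope, key = ref[1:], self._scope(table), (table, ref[1:])
        if name not in scope:
            if not forward_declare:
                raise KeyError(f"rule in {table!r} references undefined set {ref!r}")
            scope[name] = set()                    # treat as empty until defined
            self.forward_declared.add(key)
        return scope[name]

# Constructed dump: the global set 'shared' is emitted under both tables, which
# is exactly the duplicate that a naive 'nft list table' round trip produces.
DUMP = """\
table filter
set shared@ 10.0.0.1 10.0.0.2
set local 192.0.2.1
rule @shared@
rule @local
table nat
set shared@ 10.0.0.1 10.0.0.2
set local 192.0.2.99
rule @shared@
rule @local
""".splitlines()

# Constructed dump where a rule precedes the set it references.
OUT_OF_ORDER = ["table filter", "rule @later", "set later 198.51.100.7"]

def restore(lines, strict=True, forward_declare=False):
    """Replay a dump; returns the store and (table, ref, live set) per rule."""
    store, table, rules = SetStore(), None, []
    for line in lines:
        words = line.split()
        if not words:
            continue
        if words[0] == 'table':
            table = words[1]
        elif words[0] == 'set':
            name = words[1]
            if name.endswith('@'):                 # 'name@' marks a global set in the dump
                store.define(None, name[:-1], words[2:], strict)
            else:
                store.define(table, name, words[2:], strict)
        elif words[0] == 'rule':
            rules.append((table, words[1], store.resolve(table, words[1], forward_declare)))
        else:
            raise ValueError(f"unknown dump line {line!r}")
    return store, rules

def restore_fails(lines, **kwargs):
    """True when replaying the dump raises the undefined/duplicate-set error."""
    try:
        restore(lines, **kwargs)
    except KeyError:
        return True
    return False

if __name__ == "__main__":
    print("strict restore of DUMP fails:", restore_fails(DUMP))
    store, rules = restore(DUMP, strict=False)
    for table, ref, elems in rules:
        print(table, ref, sorted(elems))
```

With strict restore the second `set shared@` raises, which is the failure Patrick McHardy describes; with `strict=False` the duplicate is ignored and both tables' `@shared@` rules resolve to the same global set while each table's `@local` stays separate. Replaying `OUT_OF_ORDER` with `forward_declare=True` hands the rule an empty set that is filled in place once the definition arrives, which is the behaviour the "forward declarations" idea would need.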
