Re: [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org
Subject: Re: [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR
Date: Fri, 3 Feb 2023 16:32:01 +0100	[thread overview]
Message-ID: <Y90o8eq3egHbtC3Z@salvia> (raw)
In-Reply-To: <Y90QrjOONoZmcCZL@orbyte.nwl.cc>

On Fri, Feb 03, 2023 at 02:48:30PM +0100, Phil Sutter wrote:
> Hi Pablo,
> 
> On Thu, Feb 02, 2023 at 10:31:58PM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Jan 18, 2023 at 02:48:20PM +0100, Phil Sutter wrote:
> > [...]
> > > The crucial aspect of this implementation is to provide a compatible
> > > rule representation for old software which is not aware of it. This is
> > > only possible by dumping the compat representation in the well-known
> > > NFTA_RULE_EXPRESSIONS attribute.
> > 
> > OK, so NFTA_RULE_EXPRESSIONS contains the xt expressions.
> > 
> > Then, _ACTUAL_EXPR is taken if kernel supports it and these are
> > expressions that run from datapath, if present.
> 
> Yes, this is indeed somewhat of a downside of this approach: a kernel
> which doesn't support the new attribute will use the compatible version
> of the rule instead of the improved one. But apart from that, everything
> just works.

For old kernels, this behaviour is expected.

[...]
> > > B) Submit the new representation as additional attribute
> > > 
> > > This is the current approach: If the additional attribute is present,
> > > the kernel will use it to build the rule and leave NFTA_RULE_EXPRESSIONS
> > > alone (actually: store it for dumps). Otherwise it will "fall back" to
> > > using NFTA_RULE_EXPRESSIONS just as usual.
> > >
> > > When dumping, if a stored NFTA_RULE_EXPRESSIONS content is present, it
> > > will dump that as-is and serialize the active rule into an additional
> > > attribute. Otherwise the active rule will go into NFTA_RULE_EXPRESSIONS
> > > just as usual.
> > 
> > So this is not swapping things, right? Probably I am still getting
> > confused but the initial approach described in A.
> 
> No swap: The kernel will dump in NFTA_RULE_EXPRESSIONS exactly what it
> got in that attribute, same for the new one.

Good.

> > When, dumping back to userspace, NFTA_RULE_EXPRESSIONS still stores
> > the xt compat representation and NFTA_RULE_ACTUAL_EXPRS the one that
> > runs from kernel datapath (if the kernel supports this attribute).
> 
> Yes, exactly. And old user space or nft will put the "new"
> representation into NFTA_RULE_EXPRESSIONS, not attach
> NFTA_RULE_ACTUAL_EXPRS and thus the kernel will use the former in its
> data path.

That is:

= New kernels / new userspace =

- NFTA_RULE_EXPRESSIONS is used if no NFTA_RULE_ACTUAL_EXPRS is provided.
- if NFTA_RULE_ACTUAL_EXPRS is provided, then it is used.

= New kernels / old userspace =

- NFTA_RULE_EXPRESSIONS is always used.

= Old kernels / new userspace =

- NFTA_RULE_EXPRESSIONS is always used, NFTA_RULE_ACTUAL_EXPRS is ignored.

> > [...]
> > > I am swapping things around in libnftnl - it uses NFTA_RULE_ACTUAL_EXPRS
> > > if present and puts NFTA_RULE_EXPRESSIONS into a second list for
> > > verification only. In iptables, I parse both lists separately into
> > > iptables_command_state objects and compare them. If not identical,
> > > there's a bug.
> > 
> > Old kernels would simply discard the ACTUAL_ attribute. Maybe _ALT_
> > standing by alternative is a better name?
> 
> Fine with me! "ACTUAL" was suggested by Florian, probably to point out
> that it's what should take precedence if present. In my understanding,
> "ALT" means "as good as".

From old kernel perspective, this is an alternative representation (it
can be ignored).  From new kernel perspective, it is actual.

> > Sorry, this is a bit confusing but I understand something like this is
> > required as you explained during the NFWS.
> 
> Thanks. Irrespective of the "crazy container people" mixing iptables
> versions and variants like mad, I believe it will allow us to make more
> drastic changes in future.

Thanks for explaining. This will be also more work from userspace to
make sure both are consistent.

A user could abuse this API to add something completely different to
NFTA_RULE_EXPRESSIONS while providing NFTA_RULE_ACTUAL_EXPRS.

I also wonder if this might cause problems with nftables and implicit
sets, they are bound to one single lookup expression that, when gone,
the set is released. Now you will have two expressions pointing to an
implicit set. Same thing with implicit chains. This might get tricky
with the transaction interface.

iptables is rather simple representation (no sets), but nftables is
more expressive.

next prev parent reply	other threads:[~2023-02-03 15:32 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-21 14:22 [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR Phil Sutter
2023-01-12 10:15 ` Phil Sutter
2023-01-12 11:06   ` Pablo Neira Ayuso
2023-01-12 12:02     ` Phil Sutter
2023-01-18 11:58       ` Pablo Neira Ayuso
2023-01-18 13:48         ` Phil Sutter
2023-02-02 21:31           ` Pablo Neira Ayuso
2023-02-03 13:48             ` Phil Sutter
2023-02-03 15:32               ` Pablo Neira Ayuso [this message]
2023-02-03 16:21                 ` Phil Sutter
2023-02-04  9:41                   ` Pablo Neira Ayuso
2023-02-04 21:00                     ` Phil Sutter
2023-02-06  9:52                       ` Pablo Neira Ayuso
2023-02-07 10:43                         ` Pablo Neira Ayuso
2023-02-07 10:56                           ` Phil Sutter
2023-02-16 10:55                             ` Phil Sutter
2023-02-16 11:29                               ` Pablo Neira Ayuso
2023-02-16 12:05                                 ` Phil Sutter
2023-04-26 19:58                                   ` Pablo Neira Ayuso
2023-04-27 10:57                                     ` Phil Sutter
2023-04-27 11:01                                       ` Pablo Neira Ayuso
2023-04-27 11:33                                         ` Phil Sutter
2023-04-27 13:07                                           ` Pablo Neira Ayuso
2023-04-27 22:45                                             ` Phil Sutter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y90o8eq3egHbtC3Z@salvia \
    --to=pablo@netfilter.org \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=phil@nwl.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.