From: Florian Westphal <fw@strlen.de>
To: Phil Sutter <phil@nwl.cc>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration
Date: Thu, 3 Jul 2025 00:39:32 +0200 [thread overview]
Message-ID: <aGW1JNPtUBb_DDAB@strlen.de> (raw)
In-Reply-To: <20250702174725.11371-1-phil@nwl.cc>
Phil Sutter <phil@nwl.cc> wrote:
> Require user space to set a flag upon flowtable or netdev-family chain
> creation explicitly relaxing the hook registration when it comes to
> non-existent interfaces. For the sake of simplicity, just restore error
> condition if a given hook does not find an interface to bind to, leave
> everyting else in place.
OK, but then this needs to go in via nf.git and:
Fixes: 6d07a289504a ("netfilter: nf_tables: Support wildcard netdev hook specs")
tag. We shouldn't introduce a "error" -> "no error" -> "error" semantic
change sequence in kernel releases, i.e. this change is urgent; its now
(before 6.16 release) or never.
> - A wildcard interface spec is accepted as long as at least a single
> interface matches.
Is there a reason for this? Why are they handled differently?
> - Dynamic unregistering and re-registering of vanishing/re-appearing
> interfaces is still happening.
You mean, without the flag? AFAIU old behaviour is:
For netdev chains:
- auto-removal AND free of device basechain -> no reappearance
- -ENOENT error on chain add if device name doesn't exist
For flowtable:
- device is removed from the list (and list can become empty), flowtable
stays 100%, just the device name disappears from the devices list.
Doesn't reappear (auto re-added) either.
- -ENOENT error on flowtable add if even one device doesn't exist
Neither netdev nor flowtable support "foo*" wildcards.
nf.git:
- netdev basechain kept alive, no freeing, auto-reregister (becomes
active again if device with same name reappears).
No error if device name doesn't exists -> delayed auto-register
instead, including multi-reg for "foo*" case.
- flowtable: same as old BUT device is auto-(re)added if same name
(re)appears.
- No -ENOENT error on flowtable add, even if no single device existed
Full "foo*" support.
Now (this patch, without new flag):
- netdev basechain: same as above.
But you do get an error if the device name did not exist.
Unless it was for "foo*", thats accepted even if no match is found.
AFAICS its a userspace/nft change, ie. the new flag is actually
provided silently in the "foo*" case?
- flowtable: same as old BUT device is auto-(re)added if same name
(re)appears.
- -ENOENT error on flowtable add if even one device doesn't exist
Except "foo*" case, then its ok even if no match found.
Maybe add a table that explains the old/new/wanted (this patch) behaviours?
And an explanation/rationale for the new flag?
Is there a concern that users depend on old behaviour?
If so, why are we only concerned about the "add" behaviour but not the
auto-reregistering?
Is it to protect users from typos going unnoticed?
I could imagine "wlp0s20f1" getting misspelled occasionally...
> Note that this flag is persistent, i.e. included in ruleset dumps. This
> effectively makes it "updatable": User space may create a "name-based"
> flowtable for a non-existent interface, then update the flowtable to
> drop the flag. What should happen then? Right now this is simply
> accepted, even though the flowtable still does not bind to an interface.
AFAIU:
If we accept off -> On, the flowtable should bind.
If we accept on -> off, then it looks we should continue to drop devices
from the list but just stop auto-readding?
If in doubt the flag should not be updateable (hard error), in
that case we can refine/relax later.
next prev parent reply other threads:[~2025-07-02 22:39 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-02 17:47 [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration Phil Sutter
2025-07-02 22:39 ` Florian Westphal [this message]
2025-07-03 10:21 ` Phil Sutter
2025-07-03 11:35 ` Pablo Neira Ayuso
2025-07-03 12:09 ` Florian Westphal
2025-07-03 12:37 ` Phil Sutter
2025-07-03 12:25 ` Phil Sutter
2025-07-03 12:39 ` Florian Westphal
2025-07-03 12:47 ` Phil Sutter
2025-07-03 12:54 ` Florian Westphal
2025-07-03 13:17 ` Phil Sutter
2025-07-03 14:19 ` Pablo Neira Ayuso
2025-07-03 14:33 ` Phil Sutter
2025-07-03 21:32 ` Pablo Neira Ayuso
2025-07-04 12:41 ` Phil Sutter
2025-07-04 14:04 ` Florian Westphal
2025-07-04 15:33 ` Phil Sutter
2025-07-07 19:25 ` Pablo Neira Ayuso
2025-07-08 14:38 ` Phil Sutter
2025-07-09 22:43 ` Pablo Neira Ayuso
2025-07-10 13:55 ` Phil Sutter
2025-07-11 12:19 ` Phil Sutter
2025-07-11 13:16 ` Florian Westphal
2025-07-11 13:43 ` Phil Sutter
2025-07-11 13:48 ` Florian Westphal
2025-07-11 14:52 ` Pablo Neira Ayuso
2025-07-11 16:39 ` Phil Sutter
2025-07-14 14:02 ` Pablo Neira Ayuso
2025-07-03 11:55 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGW1JNPtUBb_DDAB@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.