Re: [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Phil Sutter <phil@nwl.cc>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration
Date: Thu, 3 Jul 2025 13:55:26 +0200	[thread overview]
Message-ID: <aGZvriD0SSakTh-b@strlen.de> (raw)
In-Reply-To: <aGZZnbgZTXMwo_MS@orbyte.nwl.cc>

Phil Sutter <phil@nwl.cc> wrote:
> On Thu, Jul 03, 2025 at 12:39:32AM +0200, Florian Westphal wrote:
> > > - A wildcard interface spec is accepted as long as at least a single
> > >   interface matches.
> > 
> > Is there a reason for this? Why are they handled differently?
> 
> I wasn't sure if it's "required" to prevent it as well or not. This
> patch was motivated by Pablo reporting users would not notice mis-typed
> interface names anymore and asking for whether introducing a feature
> flag for it was possible. So I went ahead to have something for a
> discussion.

Ah, thanks, that makes sense.

> Actually, wildcards are not handled differently: If user specifies
> "eth123", kernel errors if no "eth123" exists and accepts otherwise. If
> user specifies "eth*", kernel errors if no interface with that prefix
> exists and accepts otherwise.

Indeed, thanks for clarifying.

> I don't know where to go with this. If the flag should turn interface
> specs name-based, its absence should fully restore the old behaviour (as
> you kindly summarized below). If it's just about the typo, this patch
> might be fine.

Yes.

> > Now (this patch, without new flag):
> > - netdev basechain: same as above.
> >   But you do get an error if the device name did not exist.
> >   Unless it was for "foo*", thats accepted even if no match is found.
> 
> No, this patch has the kernel error also if it doesn't find a match for
> the wildcard. It merely asserts that the hook's ops_list is non-empty
> after nft_netdev_hook_alloc() (which did the search for matching
> interfaces) returns.

Aaah, ok, I see now. Then its waaaay less confusing than I thought.

> > If in doubt the flag should not be updateable (hard error), in
> > that case we can refine/relax later.
> 
> My statement above was probably a bit confusing: With non-persistent, I
> meant for the flag to be recognized upon chain/flowtable creation but
> not added to chain->flags or flowtable->data.flags.

I see, thats a good question, I feel exposing it (add to ->flags member)
is better.

     prev parent reply	other threads:[~2025-07-03 11:55 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-02 17:47 [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration Phil Sutter
2025-07-02 22:39 ` Florian Westphal
2025-07-03 10:21   ` Phil Sutter
2025-07-03 11:35     ` Pablo Neira Ayuso
2025-07-03 12:09       ` Florian Westphal
2025-07-03 12:37         ` Phil Sutter
2025-07-03 12:25       ` Phil Sutter
2025-07-03 12:39         ` Florian Westphal
2025-07-03 12:47           ` Phil Sutter
2025-07-03 12:54             ` Florian Westphal
2025-07-03 13:17               ` Phil Sutter
2025-07-03 14:19                 ` Pablo Neira Ayuso
2025-07-03 14:33                   ` Phil Sutter
2025-07-03 21:32                     ` Pablo Neira Ayuso
2025-07-04 12:41                       ` Phil Sutter
2025-07-04 14:04                         ` Florian Westphal
2025-07-04 15:33                           ` Phil Sutter
2025-07-07 19:25                           ` Pablo Neira Ayuso
2025-07-08 14:38                             ` Phil Sutter
2025-07-09 22:43                               ` Pablo Neira Ayuso
2025-07-10 13:55                                 ` Phil Sutter
2025-07-11 12:19                                 ` Phil Sutter
2025-07-11 13:16                                   ` Florian Westphal
2025-07-11 13:43                                     ` Phil Sutter
2025-07-11 13:48                                       ` Florian Westphal
2025-07-11 14:52                                   ` Pablo Neira Ayuso
2025-07-11 16:39                                     ` Phil Sutter
2025-07-14 14:02                                       ` Pablo Neira Ayuso
2025-07-03 11:55     ` Florian Westphal [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aGZvriD0SSakTh-b@strlen.de \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=phil@nwl.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.