From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org,
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Subject: [iptables-nftables RFC v3 PATCH 00/16] Xtables extensions: full support (pure nft or compat layer)
Date: Fri, 9 Aug 2013 16:31:14 +0300 [thread overview]
Message-ID: <1376055090-26551-1-git-send-email-tomasz.bursztyka@linux.intel.com> (raw)
Rebased patch set of my RFC, against latest trunk.
It still needs to be built with --enable-static due to patch 10 (and that's something to be fixed, see below).
@Pablo: could you spend some time reviewing it, please? Don't spend too much yet on the code (though I have tested it and it works very well),
but I would like your opinion on the idea it implements. Code could be then changed/adapted if necessary.
To sum up:
- Parsing of a rule happens one time in only one place (nft_rule_expr_iter() is called only once for good), via an expression pattern matching mechanism.
- Centralized parsing strategy for both the usual stuff (ips, ifs, verdicts...) and also all xtables extensions.
It recreates an iptables_command_structure. That's why there is a lot of refactoring (it removes a lot of duplicate expression list loops etc...).
- And of course transparent support for xtables extensions, both for a full nft-based expression list and when using the xt compat layer in nftables.
(So it will now require "translating" all xtables extensions little by little, but the result will be transparent to the user. It will just get rid of the old-fashioned xtables memory blobs
one after another, so at some point it will work without any xtables modules on the kernel side. DNAT is provided as an example here.)
- The same strategy would be used in the future xtables-arptables and xtables-ebtables.
That's why, all in all, the code base does not grow much (only ~40+ lines added).
The only "drawback" is patch 10. It's required to know beforehand every xtables extension's nft expression patterns, so it's necessary for
them to be "pre-loaded"; that's why currently it only works with --enable-static. We could add a function in xtables to pre-load shared libs to support --enable-shared without --enable-static.
It's not perfect here; I really would like to get your input on that.
Tomasz Bursztyka (16):
xtables: Add support for injecting xtables target into nft rule
xtables: add support for injecting xtables matches into nft rule
nft: Add nft expressions translation engine as a library
nft: Integrate nft translator engine in current core
nft: Manage xtables target parsing through translation tree
nft: Manage xtables matches through nft translation tree
nft: Add support for xtables extensions callback to change cs
xtables: Add support for registering nft translation function for
target
xtables: Add support for registering nft translation function for
match
nft: Register all relevant xtables extensions into translation tree
nft: Refactor firewall printing so it reuses already parsed cs struct
nft: Refactor rule deletion so it compares both cs structure
xtables: nft: Complete refactoring on how rules are saved
xtables: Support pure nft expressions for DNAT extension
nft: Add a function to reset the counters of an existing rule
xtables: Support -Z options for a given rule number
Makefile.am | 3 +
configure.ac | 8 +
extensions/GNUmakefile.in | 1 +
extensions/libipt_DNAT.c | 221 ++++++++++++++++
include/nft-translator.h | 81 ++++++
include/xtables.h | 13 +
iptables/Makefile.am | 3 +-
iptables/nft-ipv4.c | 138 ++++------
iptables/nft-ipv6.c | 94 +++----
iptables/nft-shared.c | 447 ++++++++++++++++++---------------
iptables/nft-shared.h | 36 ++-
iptables/nft-xt-ext.c | 178 +++++++++++++
iptables/nft-xt-ext.h | 14 ++
iptables/nft.c | 556 ++++++++++------------------------------
iptables/nft.h | 5 +-
iptables/xtables-events.c | 21 +-
iptables/xtables.c | 15 +-
libnfttrans/Makefile.am | 28 +++
libnfttrans/libnfttrans.pc | 11 +
libnfttrans/libnfttrans.pc.in | 11 +
libnfttrans/nft-translator.c | 571 ++++++++++++++++++++++++++++++++++++++++++
21 files changed, 1651 insertions(+), 804 deletions(-)
create mode 100644 include/nft-translator.h
create mode 100644 iptables/nft-xt-ext.c
create mode 100644 iptables/nft-xt-ext.h
create mode 100644 libnfttrans/Makefile.am
create mode 100644 libnfttrans/libnfttrans.pc
create mode 100644 libnfttrans/libnfttrans.pc.in
create mode 100644 libnfttrans/nft-translator.c
--
1.8.3.2