From: "Puustinen, Ismo" <ismo.puustinen@intel.com>
To: "phil@nwl.cc" <phil@nwl.cc>, "fw@strlen.de" <fw@strlen.de>,
"pablo@netfilter.org" <pablo@netfilter.org>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>
Subject: Re: [nft PATCH] List handles of added rules if requested
Date: Fri, 5 May 2017 11:18:37 +0000 [thread overview]
Message-ID: <1493983116.2675.4.camel@intel.com> (raw)
In-Reply-To: <20170505104954.GA1676@salvia>
On Fri, 2017-05-05 at 12:49 +0200, Pablo Neira Ayuso wrote:
> This does not integrate at all into the scripting features we have in
>
> nftables. We don't want people to use bash (or like) shell scripts
> anymore, they are bad, they break atomicity for us. We should extend
> native nftables scripting capabilities to support what user need,
> natively. Look, this will not work with nft -i either...
>
> And this also will not work for robots using incremental updates via
> nft -f. And we very much want to support such transaction like
> scheme,
> ie. place a bunch of incremental updates in one single file and apply
> that in one single transaction.
>
> This is just covering one very specific usecase, that is, users have
> a
> quick way to delete the rule that just added. And we have better ways
> to achieve this, and that will work from all the scenarios that I
> described above.
I would be interested in any documentation you might have concerning
the "better ways" of creating modular rulesets, that is, automatically
adding and deleting rules and rule groups. This is a real issue that
I'm currently struggling with.
My use case is pretty simple: when a service is loaded, it also loads
the firewall rules associated with it. When a service is stopped, the
rules corresponding to the service are unloaded. There is no
interactive user present in the system.
Having "nft add rule ..." return a rule handle would fix this, so I was
happy to see Phil's patches. Currently I have to load the rules in
their own chains (one chain per service) and then use a packet marking
scheme to see if the packet has been marked to be accepted by at least
one service chain. When a service is stopped, I then remove the
corresponding chain. The packet marking scheme is quite ugly though,
and the service chains need to know how the packets need to be marked
so that they get accepted by the final chain.
I can't use the "jump" facility to jump to the service chains, because
then I would need to be able to remove the "jump" rule when the service
is unloaded, which is again not possible without the rule handle.
Ismo
next prev parent reply other threads:[~2017-05-05 11:18 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-04 12:34 [nft PATCH] List handles of added rules if requested Phil Sutter
2017-05-04 13:36 ` Pablo Neira Ayuso
2017-05-04 13:44 ` Florian Westphal
2017-05-04 14:00 ` Pablo Neira Ayuso
2017-05-04 22:26 ` Phil Sutter
2017-05-05 10:49 ` Pablo Neira Ayuso
2017-05-05 11:18 ` Puustinen, Ismo [this message]
2017-05-08 17:35 ` Pablo Neira Ayuso
2017-05-05 11:56 ` Florian Westphal
2017-05-04 15:37 ` Thomas Woerner
2017-05-04 22:38 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493983116.2675.4.camel@intel.com \
--to=ismo.puustinen@intel.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).