From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC PATCH] netfilter: add connlabel conntrack extension
Date: Fri, 19 Oct 2012 15:52:15 +0200
Message-ID: <20121019135215.GE18674@breakpoint.cc>
In-Reply-To: <20121019131533.GB30731@1984>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> I just think that having some clear use case for this is important.
>
> If your original idea is just to attach labels to help sysadmins to
> understand what's going on through the gateway, then we can leave this
> as is and add some new specific extension for nfgrep once it comes
> into place.

No, I intend for userspace to assign labels to connections, e.g.
via NFQUEUE.

Also, labels should also be made available via ctnetlink, e.g. for
logging/accounting.

Example: Conntracks are interface agnostic, so you would be able
to provide "came in via interface X" information via connlabels.

My main problem is currently understanding what nfgrep needs.

Since you suggested to do all labelname<->number mapping in
userspace, how would the nfgrep part assign a label?
Is that also done via netfilter rules, or via some "module magic"
feature? It would be nice to come up with something that
fits nfgrep needs, too.

Best regards,
Florian