From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: tgraf@suug.ch, challa@noironetworks.com, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4 2/3] netfilter: nf_conntrack: add direction support for zones
Date: Wed, 12 Aug 2015 19:48:05 +0200
Message-ID: <20150812174805.GA31037@salvia>
In-Reply-To: <b251daed7eaaaf751e0bf0104389e57876d5a1ba.1439059435.git.daniel@iogearbox.net>
Hi Daniel,
I have applied 1/3 so you don't need to resend, but I still need one
more change in this patch, see below.
On Sat, Aug 08, 2015 at 09:40:02PM +0200, Daniel Borkmann wrote:
> diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> index acad6c5..3bf4cb0 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> @@ -53,6 +53,7 @@ enum ctattr_type {
> CTA_MARK_MASK,
> CTA_LABELS,
> CTA_LABELS_MASK,
> + CTA_TUPLE_ZONE,
I remember having suggested placing this in ctattr_tuple:
http://www.spinics.net/lists/netfilter-devel/msg37593.html
The zone is part of the tuple in an optional fashion, so it should
appear there. The direction is already implicit based on
CTA_TUPLE_ORIG or CTA_TUPLE_REPLY.
> __CTA_MAX
> };
> #define CTA_MAX (__CTA_MAX - 1)
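Review bot: CTA_TUPLE_ZONE is appended at the tail of enum ctattr_type, right before __CTA_MAX, which keeps the existing attribute numbers stable for the UAPI; the open question is scope, since the name says it belongs to a tuple but it is declared as a top-level CTA_* attribute with no comment saying which nested attributes (enum ctattr_zone, added further down in this patch) it carries. If it stays top-level, add a one-line comment naming the nested enum so userspace knows how to validate the payload.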
> @@ -260,4 +261,19 @@ enum ctattr_expect_stats {
> };
> #define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
>
> +enum ctattr_zone {
> + CTA_ZONE_UNSPEC,
> + CTA_ZONE_DIR,
> + __CTA_ZONE_MAX,
> +};
> +#define CTA_ZONE_MAX (__CTA_ZONE_MAX - 1)
> +
> +enum ctattr_zone_dir {
> + CTA_ZONE_DIR_UNSPEC,
> + CTA_ZONE_DIR_ORIG,
> + CTA_ZONE_DIR_REPL,
> + __CTA_ZONE_DIR_MAX
> +};
> +#define CTA_ZONE_DIR_MAX (__CTA_ZONE_DIR_MAX - 1)
With the change above we can skip this CTA_ZONE_DIR.
> +
> #endif /* _IPCONNTRACK_NETLINK_H */
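Review bot: enum ctattr_zone_dir is a set of values carried inside CTA_ZONE_DIR rather than a set of attribute types, yet it borrows the __CTA_ZONE_DIR_MAX / CTA_ZONE_DIR_MAX attribute-enum convention, and the trailing-comma style differs between `__CTA_ZONE_MAX,` and `__CTA_ZONE_DIR_MAX`; pick one style. Since CTA_ZONE_DIR_ORIG / CTA_ZONE_DIR_REPL are values parsed from userspace, the netlink side must range-check the received value against CTA_ZONE_DIR_MAX before it is copied into zone->dir, and that check is not visible in this hunk.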
[...]
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 28c8b2b..5d81b99 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -143,7 +143,20 @@ static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
> #ifdef CONFIG_NF_CONNTRACK_ZONES
> static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct)
> {
> - seq_printf(s, "zone=%u ", nf_ct_zone(ct)->id);
> + const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
> +
> + seq_printf(s, "zone=%u ", zone->id);
> +
> + switch (zone->dir) {
> + case NF_CT_ZONE_DIR_ORIG:
> + seq_puts(s, "zone-dir=ORIGINAL ");
> + break;
> + case NF_CT_ZONE_DIR_REPL:
> + seq_puts(s, "zone-dir=REPLY ");
> + break;
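Review bot: the switch on zone->dir in ct_show_zone has no default arm, so any value other than NF_CT_ZONE_DIR_ORIG / NF_CT_ZONE_DIR_REPL prints `zone=%u ` with no direction token; if that is the intended output for a zone that applies to both directions, make it explicit with a `default: break;` and a comment. Also, `zone-dir=ORIGINAL ` and `zone-dir=REPLY ` are new tokens in the /proc/net/nf_conntrack line format, so tools that parse that file need to be updated alongside this change.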
I'd suggest the output shows the zone on the corresponding tuple, e.g.
in case it only applies to the original tuple:
udp 17 29 src=192.168.2.195 dst=192.168.2.1 sport=40446 dport=53 zone=1 \
src=192.168.2.1 dst=192.168.2.195 sport=53 dport=40446 [ASSURED] mark=0 use=1
We have a more compact output IMO.
Please, don't forget that you also have to update
libnetfilter_conntrack and conntrack to get this feature available
from there. I'll take this patchset to the kernel so you have the time
to update the userspace side later on without blocking this further.
Thanks.
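The reply above proposes a /proc/net/nf_conntrack layout in which a zone= attribute is printed directly after the tuple it applies to, instead of a separate zone-dir= token. The parser below is an added example, not code from the thread or from the netfilter project: it assumes that proposed per-tuple placement (a zone= token inside a tuple region binds to that tuple, while a zone= token after the per-connection attributes such as mark= is the connection-wide zone of the existing layout). The sample lines are constructed for the example; the first one is the line quoted in the reply. It goes slightly beyond the reply by also accepting [UNREPLIED] entries and the connection-wide zone form.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple as Pair

# Constructed sample /proc/net/nf_conntrack lines (not captured from a real host).
# Line 1 is the example from the reply: zone=1 follows the original tuple only.
# Line 2 puts the zone on the reply tuple, line 3 on both, and line 4 uses the
# pre-existing connection-wide placement after mark=.
SAMPLE_LINES = [
    "udp      17 29 src=192.168.2.195 dst=192.168.2.1 sport=40446 dport=53 zone=1 "
    "src=192.168.2.1 dst=192.168.2.195 sport=53 dport=40446 [ASSURED] mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51000 dport=443 "
    "src=10.0.0.9 dst=10.0.0.5 sport=443 dport=51000 zone=7 [ASSURED] mark=0 use=2",
    "udp      17 10 src=10.1.1.1 dst=10.1.1.2 sport=1000 dport=2000 zone=3 "
    "[UNREPLIED] src=10.1.1.2 dst=10.1.1.1 sport=2000 dport=1000 zone=3 mark=0 use=1",
    "udp      17 5 src=10.2.2.1 dst=10.2.2.2 sport=3000 dport=4000 "
    "src=10.2.2.2 dst=10.2.2.1 sport=4000 dport=3000 [ASSURED] mark=0 zone=5 use=1",
]

# Keys that belong to a tuple (L3/L4 addresses and ports, ICMP fields, accounting).
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}
KV_RE = re.compile(r"^([A-Za-z_-]+)=(.*)$")
FLAG_RE = re.compile(r"^\[([A-Z_]+)\]$")


@dataclass
class ConnTuple:
    fields: Dict[str, str] = field(default_factory=dict)
    zone: Optional[int] = None          # per-tuple zone, None if not printed


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int
    state: Optional[str]                # e.g. ESTABLISHED for TCP, None for UDP
    orig: ConnTuple
    reply: ConnTuple
    flags: List[str]                    # ASSURED, UNREPLIED, ...
    extra: Dict[str, str]               # per-connection attributes: mark, use, zone, ...


def parse_line(line: str) -> ConntrackEntry:
    """Parse one conntrack line, binding zone= to the tuple it directly follows."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("conntrack line too short: %r" % line)
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)             # protocol state word precedes the tuples
    tuples: List[ConnTuple] = []
    flags: List[str] = []
    extra: Dict[str, str] = {}
    current: Optional[ConnTuple] = None
    tuple_open = False                  # True while still inside a tuple region
    for tok in rest:
        m = FLAG_RE.match(tok)
        if m:
            flags.append(m.group(1))    # flags do not close the tuple region
            continue
        m = KV_RE.match(tok)
        if not m:
            raise ValueError("unexpected token %r" % tok)
        key, value = m.groups()
        if key == "src":                # every tuple starts with src=
            if len(tuples) == 2:
                raise ValueError("more than two tuples in line")
            current = ConnTuple()
            tuples.append(current)
            tuple_open = True
        if key in TUPLE_KEYS:
            if not tuple_open or current is None:
                raise ValueError("%s= outside a tuple" % key)
            current.fields[key] = value
        elif key == "zone" and tuple_open and current is not None:
            current.zone = int(value)   # per-tuple zone (proposed layout)
        else:
            tuple_open = False          # mark=, use=, zone= after them: whole connection
            extra[key] = value
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple")
    return ConntrackEntry(proto, proto_num, timeout, state,
                          tuples[0], tuples[1], flags, extra)


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def zones_for(entry: ConntrackEntry) -> Pair[Optional[int], Optional[int]]:
    """(original-tuple zone, reply-tuple zone); a connection-wide zone counts for both."""
    if "zone" in entry.extra:
        z = int(entry.extra["zone"])
        return (entry.orig.zone if entry.orig.zone is not None else z,
                entry.reply.zone if entry.reply.zone is not None else z)
    return (entry.orig.zone, entry.reply.zone)


if __name__ == "__main__":
    for e in parse_table("\n".join(SAMPLE_LINES)):
        print(e.proto, e.orig.fields["src"], "->", e.orig.fields["dst"], zones_for(e))
```

A zone= token is treated as per-tuple only while the parser is still inside a tuple region (before the first per-connection attribute such as mark=), which is what lets the same code read both the proposed layout and the existing connection-wide one without ambiguity.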
Thread overview:
2015-08-08 19:40 [PATCH nf-next v4 0/3] Netfilter zone directions Daniel Borkmann
2015-08-08 19:40 ` [PATCH v4 1/3] netfilter: nf_conntrack: push zone object into functions Daniel Borkmann
2015-08-11 10:49 ` Pablo Neira Ayuso
2015-08-08 19:40 ` [PATCH v4 2/3] netfilter: nf_conntrack: add direction support for zones Daniel Borkmann
2015-08-12 17:48 ` Pablo Neira Ayuso [this message]
2015-08-12 20:05 ` Daniel Borkmann
2015-08-13 9:50 ` Pablo Neira Ayuso
2015-08-13 10:26 ` Daniel Borkmann
2015-08-08 19:40 ` [PATCH v4 3/3] netfilter: nf_conntrack: add efficient mark to zone mapping Daniel Borkmann