From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)
Date: Thu, 7 Dec 2017 01:05:45 +0100 [thread overview]
Message-ID: <20171207000545.GA27739@salvia> (raw)
In-Reply-To: <20171205134317.GE32305@orbyte.nwl.cc>
Hi Phil,
On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
[...]
> My "vision" for an extended API which actually provides an additional
> benefit is something that allows to work with the entities nft language
> defines in an abstract manner, ideally without having to invoke the
> parser all the time.
>
> Naturally, nftables entities are hierarchical: rules are contained in
> chains, chains contained in tables, etc. At the topmost level, there is
> something I call 'ruleset', which is basically just an instance of
> struct nft_cache. Since we have that in nft context already, it was
> optimized out (for now at least). As a leftover, I have a function which
> does a cache update (although this might be done implicitly as well).
>
> For each entity contained in the ruleset, I wrote two functions, lookup
> and create, to reference them later. Due to the hierarchical layout,
> both functions take the higher-level entity as an argument. For
> instance:
>
> | struct nft_table *nft_table_lookup(struct nft_ctx *nft,
> | unsigned int family,
> | const char *name);
> | struct nft_chain *nft_chain_new(struct nft_ctx *nft,
> | struct nft_table *table,
> | const char *name);
>
> Family and name are enough to uniquely identify a table. By passing the
> returned object to the second function and a name, a new chain in that
> table can be created - or more precisely, a command (struct cmd
> instance) is created and stored in a new field of struct nft_ctx for
> later, when calling:
>
> | int nft_ruleset_commit(struct nft_ctx *nft);
>
> This constructs a new batch job using the previously created commands
> and calls netlink_batch_send().
>
> The entities I've defined so far are:
>
> struct nft_table;
> struct nft_chain;
> struct nft_rule;
> struct nft_set;
> struct nft_expr; /* actually this should be setelem */
>
> The implementation is very incomplete and merely a playground at this
> point. I started with using the parser for everything, then tried to
> eliminate as much as possible. E.g. the first version to add an element
> to a set looked roughly like this (pseudo-code):
>
> | int nft_set_add_element(struct nft_ctx *nft, struct nft_set *set,
> | const char *elem)
> | {
> | char buf[1024];
> |
> | sprintf(buf, "add element ip t %s %s", set->name, elem);
> | scanner_push_buffer(scanner, &indesc_cmdline, buf);
> | nft_parse(nft, scanner, &state);
> | list_splice_tail(&state.cmds, &nft->cmds);
> | }
>
> After tweaking the parser a bit, I can use it now to parse just a
> set_list_member_expr and use the struct expr it returns. This made it
> possible to create the desired struct cmd in above function without
> having to invoke the parser there.
>
> Exercising this refining consequently should allow to reach arbitrary
> levels of granularity. For instance, one could stop at statement level,
> i.e. statements are created using a string representation. Or one could
> go down to expression level, and statements are created using one or two
> expressions (depending on whether it is relational or not). Of course
> this means the library will eventually become as complicated as the
> parser itself, not necessarily a good thing.
Yes, and we'll expose all internal representation details, that we
will need to maintain forever if we don't want to break backward.
> On the other hand, having an abstract representation for set elements is
> quite convenient - their string representations might differ (take e.g.
> "22" vs. "ssh") so strcmp() is not sufficient to compare them.
>
> I hope this allows you to get an idea of how I imagine extended API
> although certainly details are missing here. What do you think about it?
> Are you fine with the general concept so we can discuss details or do
> you see a fundamental problem with it?
OK, my understanding is that you would like to operate with some
native library object representation.
Most objects (table, chain...) are easy to represent, as you
mentioned. Rules are the most complex ones internally, but you can
probably abstract a simplified representation that suits well for your
usecases, e.g expose them in an iptables like representation -
something like adding matches and actions - Obviously, this needs to
allow to take sets as input, eg.
int meta_match_immediate(struct nft_rule *r, enum nft_meta_type, void *data);
int meta_match_set(struct nft_rule *r, enum nft_meta_type, struct nft_set *set);
meta_match_immediate() adds a meta + cmp to the rule, to compare for
an immediate value. meta_match_set() adds meta + lookup.
A list of use-cases, for the third party application, would be good to
have to design this API.
next prev parent reply other threads:[~2017-12-07 0:05 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-16 19:10 [nft PATCH] libnftables: Fix for multiple context instances Phil Sutter
2017-11-20 12:37 ` Pablo Neira Ayuso
2017-11-20 12:54 ` Phil Sutter
2017-11-20 13:07 ` Pablo Neira Ayuso
2017-11-20 15:58 ` Phil Sutter
2017-11-20 16:53 ` Pablo Neira Ayuso
2017-11-22 17:49 ` Phil Sutter
2017-11-22 18:18 ` Pablo Neira Ayuso
[not found] ` <20171204100955.GA1822@salvia>
[not found] ` <20171204105324.GX32305@orbyte.nwl.cc>
[not found] ` <20171204110142.GA19776@salvia>
[not found] ` <20171204164327.GA32305@orbyte.nwl.cc>
[not found] ` <20171204184604.GA1556@salvia>
2017-12-05 13:43 ` libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances) Phil Sutter
2017-12-07 0:05 ` Pablo Neira Ayuso [this message]
2017-12-07 11:34 ` Phil Sutter
2017-12-10 21:55 ` Pablo Neira Ayuso
2017-12-16 16:06 ` libnftables extended API proposal Phil Sutter
2017-12-18 23:00 ` Pablo Neira Ayuso
2017-12-20 12:32 ` Phil Sutter
2017-12-20 22:23 ` Pablo Neira Ayuso
2017-12-22 13:08 ` Phil Sutter
2017-12-22 13:49 ` Pablo Neira Ayuso
2017-12-22 15:30 ` Phil Sutter
2017-12-22 20:39 ` Pablo Neira Ayuso
2017-12-23 13:19 ` Phil Sutter
2017-12-28 19:21 ` Pablo Neira Ayuso
2017-12-29 14:58 ` Phil Sutter
2018-01-02 18:02 ` Pablo Neira Ayuso
2018-01-05 17:52 ` Phil Sutter
2018-01-09 23:31 ` Pablo Neira Ayuso
2018-01-10 4:46 ` mark diener
2018-01-10 10:39 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171207000545.GA27739@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).