From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: libnftables extended API proposal
Date: Fri, 5 Jan 2018 18:52:03 +0100 [thread overview]
Message-ID: <20180105175203.GN32305@orbyte.nwl.cc> (raw)
In-Reply-To: <20180102180219.6333nnbg2hgxyxrm@salvia>
Hi Pablo,
On Tue, Jan 02, 2018 at 07:02:19PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 29, 2017 at 03:58:16PM +0100, Phil Sutter wrote:
> > On Thu, Dec 28, 2017 at 08:21:41PM +0100, Pablo Neira Ayuso wrote:
> > > On Sat, Dec 23, 2017 at 02:19:41PM +0100, Phil Sutter wrote:
[...]
> > > > But isn't the problem of keeping the API compatible comparable to
> > > > the problem of keeping the JSON representation compatible?
> > >
> > > Well, keeping backward compatibility is always a burden to carry on.
> > > Even though, to me, JSON is as extensible as netlink is, ie. we can
> > > add new keys and deprecate things without breaking backward.
> >
> > Yes, the format is very flexible. But how does that help with
> > compatibility? You'll have to support the deprecated attributes or JSON
> > without the new attributes either way, no?
>
> Probably it's my subjective judging that maintaing json layout will be
> easier rather than a large bunch of APIs and internal object
> representations through getter/setter.
>
> Anyway, these days, we expect people to use modern languages to build
> upper layers in the stack, right? And that seems to mix well with JSON.
> Again core infrastructure person here talking about upper layers, so
> take this lightly ;-).
Yeah, for firewalld at least JSON is not a disadvantage. Not sure about
projects written in C though, but that's a different kettle of fish. :)
> [...]
> > > Oh, I can help you on that. Although you're very much closer to
> > > firewalld usecases that I'm, so probably a draft from you on this
> > > would be nice ;-)
> >
> > I went ahead and converted my local ruleset into JSON manually (until I
> > got bored), see attached ruleset.json. Then I wrote a schema to validate
> > it (also attached). Please let me know if you're OK with the base
> > format at least, i.e. everything except expressions and statements. Any
> > feedback on the few statements and expressions I put in there is highly
> > appreciated as well, of course! :)
>
> Probably instead of having left and right, we can replace it by:
>
> "match" : {
> "key": {
> ...
> },
> "value": "lo"
> }
>
> Then, allow to place expressions as "value" when it comes from a set
> lookup.
Yes, JSON Schema allows to define multiple possible types for an
attribute (see #/definitions/expression/val for instance). But I don't
follow regarding set lookup: There are other uses for an expression on
RHS as well, no?
> > > > > Regarding asynchronism between input and output, not sure I follow.
> > > >
> > > > I am grepping through tests/py/*/*.t for pattern 'ok;':
> > > >
> > > > - Adjacent ranges are combined.
> > >
> > > We should disable this, there was some discussion on this recently.
> > > User should request this explicitly to happen through some knob.
> >
> > I agree. While it's a nice idea, adding two adjacent ranges and later
> > wanting to delete one of them is troublesome. Do you have a name in mind
> > for that knob? Maybe something more generic which could cover other
> > cases of overly intelligent nft (in the future) as well?
>
> Probably "coalesce" or "merge".
So you'd prefer a specific flag just for that feature? I had a more
generic one in mind, something like "optimize" for instance.
[...]
> > > > - meta iif "lo" accept;ok;iif "lo" accept
> > > > -> Maybe less abstraction?
> > >
> > > This is just dealing with something that is causing us problems, that
> > > is, iif is handled as primary key, so we cannot reuse it in the
> > > grammar given it results in shift-reduce conflicts.
> >
> > The question is why allow both variants then? Since 'iif' is being used
> > as fib_flag as well, using 'iif' alone should be deprecated. Or is this
> > a case of backwards compatibility?
>
> It was compromise solution, not to break syntax all of a sudden,
> allowing old and new ways for a little while. But this one, I think it
> was not add this.
I couldn't parse your last sentence here. :)
> > > > - tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
> > > > -> Here something is "optimized out", not sure if it should be kept in
> > > > JSON.
> > >
> > > This is testing redudant information, that we can remove given we can
> > > infer it.
> >
> > Yeah, similar situation to the 'meta l4proto' one above. The (still)
> > tricky part is to communicate assigned handles back to the application.
> > Maybe we could return an exact copy of their JSON with just handle
> > properties added?
>
> Yes, that should be fine. We already have the NLM_F_ECHO in place,
> just a matter of supporting json there.
>
> BTW, a simple testsuite for this would be good too.
Sure! Maybe the existing data in tests/py could be reused (the *.payload
files at least).
> P.S: Happy new year BTW.
Thanks, likewise! :)
Cheers, Phil
next prev parent reply other threads:[~2018-01-05 17:52 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-16 19:10 [nft PATCH] libnftables: Fix for multiple context instances Phil Sutter
2017-11-20 12:37 ` Pablo Neira Ayuso
2017-11-20 12:54 ` Phil Sutter
2017-11-20 13:07 ` Pablo Neira Ayuso
2017-11-20 15:58 ` Phil Sutter
2017-11-20 16:53 ` Pablo Neira Ayuso
2017-11-22 17:49 ` Phil Sutter
2017-11-22 18:18 ` Pablo Neira Ayuso
[not found] ` <20171204100955.GA1822@salvia>
[not found] ` <20171204105324.GX32305@orbyte.nwl.cc>
[not found] ` <20171204110142.GA19776@salvia>
[not found] ` <20171204164327.GA32305@orbyte.nwl.cc>
[not found] ` <20171204184604.GA1556@salvia>
2017-12-05 13:43 ` libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances) Phil Sutter
2017-12-07 0:05 ` Pablo Neira Ayuso
2017-12-07 11:34 ` Phil Sutter
2017-12-10 21:55 ` Pablo Neira Ayuso
2017-12-16 16:06 ` libnftables extended API proposal Phil Sutter
2017-12-18 23:00 ` Pablo Neira Ayuso
2017-12-20 12:32 ` Phil Sutter
2017-12-20 22:23 ` Pablo Neira Ayuso
2017-12-22 13:08 ` Phil Sutter
2017-12-22 13:49 ` Pablo Neira Ayuso
2017-12-22 15:30 ` Phil Sutter
2017-12-22 20:39 ` Pablo Neira Ayuso
2017-12-23 13:19 ` Phil Sutter
2017-12-28 19:21 ` Pablo Neira Ayuso
2017-12-29 14:58 ` Phil Sutter
2018-01-02 18:02 ` Pablo Neira Ayuso
2018-01-05 17:52 ` Phil Sutter [this message]
2018-01-09 23:31 ` Pablo Neira Ayuso
2018-01-10 4:46 ` mark diener
2018-01-10 10:39 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180105175203.GN32305@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).