From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next 0/5] support for anonymous non-base chains in nftables
Date: Thu, 25 Jun 2020 20:16:46 +0200
Message-ID: <20200625181651.1481-1-pablo@netfilter.org>
Hi,
This patchset extends the nftables netlink API to support anonymous
non-base chains. Anonymous non-base chains have two properties:
1) The kernel dynamically allocates the (internal) chain name.
2) If the rule that refers to the anonymous chain is removed, then the
anonymous chain and its contents are also released.
This new infrastructure allows for the following syntax from userspace:
table inet x {
        chain y {
                type filter hook input priority 0;
                tcp dport 22 chain {
                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                        ip6 saddr ::1/128 accept;
                }
        }
}
The bytecode actually looks like this:
tcp dport 22 chain { ...
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
[ immediate reg 0 jump __chain%llu ]
where the anonymous chain block:
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
is added to the __chain%llu chain.
The %llu is replaced by a 64-bit identifier which is dynamically
allocated from the kernel. This is actually an incremental 64-bit
chain ID that is used to allocate the internal name.
A few notes:
* The existing approach assumes an implicit jump to chain action for
implicit chains.
* Depending on the use-case, jump to chain through dictionary (a.k.a. verdict
map) provides a more efficient ruleset evaluation.
Pablo Neira Ayuso (5):
netfilter: nf_tables: add NFTA_CHAIN_ID attribute
netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute
netfilter: nf_tables: expose enum nft_chain_flags through UAPI
netfilter: nf_tables: add NFT_CHAIN_ANONYMOUS
include/net/netfilter/nf_tables.h | 23 +++--
include/uapi/linux/netfilter/nf_tables.h | 11 +++
net/netfilter/nf_tables_api.c | 117 +++++++++++++++++++----
net/netfilter/nft_immediate.c | 54 +++++++++++
4 files changed, 178 insertions(+), 27 deletions(-)
--
2.20.1
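As an added illustration, not taken from the patchset or from the nftables project, the SSH allow-list from the cover letter written three ways: the anonymous-chain syntax proposed above, the existing named chain with an explicit jump, and the verdict-map form mentioned in the notes. The chain name ssh_from is an assumption, and the three rulesets are alternatives to load one at a time, not together.

```nft
# Constructed example; table/chain names are assumptions.

# (a) Anonymous non-base chain, syntax proposed in this cover letter.
#     The kernel names the chain __chain<id>; deleting the "tcp dport 22"
#     rule releases the chain and its two rules along with it.
table inet x {
        chain y {
                type filter hook input priority 0;
                tcp dport 22 chain {
                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                        ip6 saddr ::1/128 accept
                }
        }
}

# (b) Existing approach: a named non-base chain plus an explicit jump.
#     The jump is what the anonymous form makes implicit; here ssh_from
#     outlives the referring rule and has to be deleted separately.
table inet x {
        chain ssh_from {
                ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                ip6 saddr ::1/128 accept
        }
        chain y {
                type filter hook input priority 0;
                tcp dport 22 jump ssh_from
        }
}

# (c) Verdict map: one map lookup on the port selects the target chain,
#     instead of matching "tcp dport N" rules one by one; this is the
#     more efficient evaluation the cover letter's second note refers to
#     when several ports each dispatch to their own chain.
table inet x {
        chain ssh_from {
                ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                ip6 saddr ::1/128 accept
        }
        chain y {
                type filter hook input priority 0;
                tcp dport vmap { 22 : jump ssh_from }
        }
}
```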