[PATCHv6 0/3] Interface group patches

[PATCHv6 0/3] Interface group patches

[Laszlo Attila Toth]

Hi Dave,

This is the 6th version of our interface group patches.

The interface group value can be used to manage different interfaces
at the same time such as in netfilter/iptables. The netfilter patch
is ready but future plan is the same for ip/tc commands (except
the ifgroup value change which happens via "ip link set" command).

The first patch is a fix in the rtnl socket interface.

An u_int32_t member was added to net devices indicating the interface
group number of the device which can be get/set via netlink.

The xt_ifgroup netfilter match is for checking this value with an
optional mask.

Other patches are for userpace programs:
 * iptables
 
 * iproute2. Because kernel 2.6.24-rc1 introduced a new enum value,
   IFLA_NET_NS_PID, and it wasn't in the iproute2 code, the first
   patch simply adds this value. The second patch adds support of
   interface group.

Usage:
 ip link set eth0 group 4    # set
 ip link set eth0 group 0    # unset
 iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf -j ACCEPT
 iptables -A FORWARD -m ifgroup --ifgroup-in 4  ! --ifgroup-out 5 -j DROP

Patches:
 [1/3] rtnetlink: setlink changes are unprotected; with single notification
 [2/3] Interface group: core (netlink) part
 [3/3] Netfilter Interface group match
 [iptables]Interface group match
 [iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1
 [iproute 2/2] Interface group as new ip link optio
--
Laszlo Attila Toth

[PATCHv6 1/3] rtnetlink: setlink changes are unprotected; with single notification

[Laszlo Attila Toth]

In do_setlink the device changes don't need to be protected. Notification
is sent at the end of the function once if any modification occured
and once if an address has been changed.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 net/core/rtnetlink.c |   32 ++++++++++++++++++++------------
 1 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4a07e83..20cb67e 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id,
 
 EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
 
-static void set_operstate(struct net_device *dev, unsigned char transition)
+static int set_operstate(struct net_device *dev, unsigned char transition)
 {
 	unsigned char operstate = dev->operstate;
 
@@ -562,11 +562,10 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
 	}
 
 	if (dev->operstate != operstate) {
-		write_lock_bh(&dev_base_lock);
 		dev->operstate = operstate;
-		write_unlock_bh(&dev_base_lock);
-		netdev_state_change(dev);
-	}
+		return 1;
+	} else
+		return 0;
 }
 
 static void copy_rtnl_link_stats(struct rtnl_link_stats *a,
@@ -860,6 +859,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 	if (tb[IFLA_BROADCAST]) {
 		nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST], dev->addr_len);
 		send_addr_notify = 1;
+		modified = 1;
 	}
 
 	if (ifm->ifi_flags || ifm->ifi_change) {
@@ -872,16 +872,22 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		dev_change_flags(dev, flags);
 	}
 
-	if (tb[IFLA_TXQLEN])
-		dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+	if (tb[IFLA_TXQLEN]) {
+		if (dev->tx_queue_len != nla_get_u32(tb[IFLA_TXQLEN])) {
+			dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+			modified = 1;
+		}
+	}
 
-	if (tb[IFLA_OPERSTATE])
-		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+	if (tb[IFLA_OPERSTATE]) {
+		modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+	}
 
 	if (tb[IFLA_LINKMODE]) {
-		write_lock_bh(&dev_base_lock);
-		dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
-		write_unlock_bh(&dev_base_lock);
+		if (dev->link_mode != nla_get_u8(tb[IFLA_LINKMODE])) {
+			dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+			modified = 1;
+		}
 	}
 
 	err = 0;
@@ -895,6 +901,8 @@ errout:
 
 	if (send_addr_notify)
 		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+	if (modified)
+		netdev_state_change(dev);
 	return err;
 }
 
-- 
1.5.2.5

[PATCHv6 2/3] Interface group: core (netlink) part

[Laszlo Attila Toth]

Interface groups let handle different interfaces together.
Modified net device structure and netlink interface.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/if_link.h   |    2 ++
 include/linux/netdevice.h |    2 ++
 net/core/rtnetlink.c      |   11 +++++++++++
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 84c3492..722b25c 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
 	IFLA_NET_NS_PID,
+	IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
 	__IFLA_MAX
 };
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 1e6af4f..b1bdcb2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -519,6 +519,8 @@ struct net_device
 	/* Interface index. Unique device identifier	*/
 	int			ifindex;
 	int			iflink;
+	/* interface group this interface belongs to */
+	u_int32_t		ifgroup;
 
 
 	struct net_device_stats* (*get_stats)(struct net_device *dev);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 20cb67e..a710813 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -614,6 +614,7 @@ static inline size_t if_nlmsg_size(const struct net_device *dev)
 	       + nla_total_size(4) /* IFLA_MTU */
 	       + nla_total_size(4) /* IFLA_LINK */
 	       + nla_total_size(4) /* IFLA_MASTER */
+	       + nla_total_size(4) /* IFLA_IFGROUP */
 	       + nla_total_size(1) /* IFLA_OPERSTATE */
 	       + nla_total_size(1) /* IFLA_LINKMODE */
 	       + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -651,6 +652,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 	if (dev->master)
 		NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
 
+	if (dev->ifgroup)
+		NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
 	if (dev->qdisc_sleeping)
 		NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
 
@@ -890,6 +894,13 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 		}
 	}
 
+	if (tb[IFLA_IFGROUP]) {
+		if (dev->ifgroup != nla_get_u32(tb[IFLA_IFGROUP])) {
+			dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+			modified = 1;
+		}
+	}
+
 	err = 0;
 
 errout:
-- 
1.5.2.5

[PATCHv6 3/3] Netfilter Interface group match

[Laszlo Attila Toth]

Interface group values can be checked on both input and output interfaces.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter/xt_ifgroup.h |   17 +++++
 net/netfilter/Kconfig                |   10 +++
 net/netfilter/Makefile               |    1 +
 net/netfilter/xt_ifgroup.c           |  120 ++++++++++++++++++++++++++++++++++
 4 files changed, 148 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/xt_ifgroup.h b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 0000000..3aa4d61
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN	0x01
+#define XT_IFGROUP_INVERT_OUT	0x02
+#define XT_IFGROUP_MATCH_IN	0x04
+#define XT_IFGROUP_MATCH_OUT	0x08
+
+struct xt_ifgroup_info {
+	u_int32_t in_group;
+	u_int32_t in_mask;
+	u_int32_t out_group;
+	u_int32_t out_mask;
+	u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21a9fcc..07ee4a7 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -508,6 +508,16 @@ config NETFILTER_XT_MATCH_HELPER
 
 	  To compile it as a module, choose M here.  If unsure, say Y.
 
+config NETFILTER_XT_MATCH_IFGROUP
+	tristate '"ifgroup" interface group match support'
+	depends on NETFILTER_XTABLES
+	help
+	  Interface group matching allows you to match a packet by
+	  its incoming interface "group", settable using ip link set
+	  group
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_LENGTH
 	tristate '"length" match support'
 	depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ad0e36e..5107c86 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,6 +61,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 0000000..712ee54
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,120 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006,2007 Balazs Scheidler <bazsi@balabit.hu>,
+ *   Laszlo Attila Toth <panther@balabit.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/xt_ifgroup.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Laszlo Attila Toth <panther@balabit.hu>");
+MODULE_DESCRIPTION("Xtables interface group matching module");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+
+static inline bool
+ifgroup_match_in(const struct net_device *in,
+		 const struct xt_ifgroup_info *info)
+{
+	return ((in->ifgroup & info->in_mask) == info->in_group) ^
+		((info->flags & XT_IFGROUP_INVERT_IN) == XT_IFGROUP_INVERT_IN);
+}
+
+static inline bool
+ifgroup_match_out(const struct net_device *out,
+		 const struct xt_ifgroup_info *info)
+{
+	return ((out->ifgroup & info->out_mask) == info->out_group) ^
+		((info->flags & XT_IFGROUP_INVERT_OUT) == XT_IFGROUP_INVERT_OUT);
+}
+
+static bool
+ifgroup_match(const struct sk_buff *skb,
+	     const struct net_device *in,
+	     const struct net_device *out,
+	     const struct xt_match *match,
+	     const void *matchinfo,
+	     int offset,
+	     unsigned int protoff,
+	     bool *hotdrop)
+{
+	const struct xt_ifgroup_info *info = matchinfo;
+	
+	if (info->flags & XT_IFGROUP_MATCH_IN && !ifgroup_match_in(in, info))
+		return false;
+	if (info->flags & XT_IFGROUP_MATCH_OUT && !ifgroup_match_out(out, info))
+		return false;
+	
+	return true;
+}
+
+static bool ifgroup_checkentry(const char *tablename, const void *ip_void,
+			       const struct xt_match *match,
+			       void *matchinfo, unsigned int hook_mask)
+{
+	struct xt_ifgroup_info *info = matchinfo;
+
+	if (!(info->flags & (XT_IFGROUP_MATCH_IN|XT_IFGROUP_MATCH_OUT))) {
+		printk(KERN_ERR "xt_ifgroup: neither incoming nor "
+				"outgoing device selected\n");
+		return false;
+	}
+	if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN)
+	    && info->flags & XT_IFGROUP_MATCH_OUT) {
+		printk(KERN_ERR "xt_ifgroup: output device not valid in "
+				"PRE_ROUTING and INPUT\n");
+		return false;
+	}
+	if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT)
+	    && info->flags & XT_IFGROUP_MATCH_IN) {
+		printk(KERN_ERR "xt_ifgroup: input device not valid in "
+				"POST_ROUTING and OUTPUT\n");
+		return false;
+	}
+	return true;
+}
+
+static struct xt_match xt_ifgroup_match[] __read_mostly  = {
+	{
+		.name		= "ifgroup",
+		.match		= ifgroup_match,
+		.checkentry	= ifgroup_checkentry,
+		.matchsize	= sizeof(struct xt_ifgroup_info),
+		.family		= AF_INET,
+		.me		= THIS_MODULE,
+	
+	},
+	{
+		.name		= "ifgroup",
+		.match		= ifgroup_match,
+		.checkentry	= ifgroup_checkentry,
+		.matchsize	= sizeof(struct xt_ifgroup_info),
+		.family		= AF_INET6,
+		.me		= THIS_MODULE,
+	},
+};
+
+static int __init xt_ifgroup_init(void)
+{
+	return xt_register_matches(xt_ifgroup_match,
+			ARRAY_SIZE(xt_ifgroup_match));
+}
+
+static void __exit xt_ifgroup_fini(void)
+{
+	xt_unregister_matches(xt_ifgroup_match,
+			ARRAY_SIZE(xt_ifgroup_match));
+}
+
+module_init(xt_ifgroup_init);
+module_exit(xt_ifgroup_fini);
-- 
1.5.2.5

[PATCHv6 iptables]Interface group match

[Laszlo Attila Toth]

Interface group values can be checked on both input and output interfaces
with optional mask.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 extensions/Makefile                  |    2 
 extensions/libxt_ifgroup.c           |  201 +++++++++++++++++++++++++++++++++++
 extensions/libxt_ifgroup.man         |   36 ++++++
 include/linux/netfilter/xt_ifgroup.h |   17 ++
 4 files changed, 255 insertions(+), 1 deletion(-)

Index: include/linux/netfilter/xt_ifgroup.h
===================================================================
--- include/linux/netfilter/xt_ifgroup.h	(revision 0)
+++ include/linux/netfilter/xt_ifgroup.h	(revision 0)
@@ -0,0 +1,17 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+#define XT_IFGROUP_INVERT_IN	0x01
+#define XT_IFGROUP_INVERT_OUT	0x02
+#define XT_IFGROUP_MATCH_IN	0x04
+#define XT_IFGROUP_MATCH_OUT	0x08
+
+struct xt_ifgroup_info {
+	u_int32_t in_group;
+	u_int32_t in_mask;
+	u_int32_t out_group;
+	u_int32_t out_mask;
+	u_int8_t flags;
+};
+
+#endif /*_XT_IFGROUP_H*/
Index: extensions/libxt_ifgroup.c
===================================================================
--- extensions/libxt_ifgroup.c	(revision 0)
+++ extensions/libxt_ifgroup.c	(revision 0)
@@ -0,0 +1,201 @@
+/* 
+ * Shared library add-on to iptables to match 
+ * packets by the incoming interface group.
+ *
+ * (c) 2006, 2007 Balazs Scheidler <bazsi@balabit.hu>,
+ * Laszlo Attila Toth <panther@balabit.hu>
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_ifgroup.h>
+
+static void
+ifgroup_help(void)
+{
+	printf(
+"ifgroup v%s options:\n"
+"  --ifgroup-in  [!] group[/mask]  incoming interface group and its mask\n"
+"  --ifgroup-out [!] group[/mask]  outgoing interface group and its mask\n"
+"\n", IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{"ifgroup-in", 1, NULL, '1'},
+	{"ifgroup-out", 1, NULL, '2'},
+	{ }
+};
+
+#define PARAM_MATCH_IN	0x01
+#define PARAM_MATCH_OUT	0x02
+
+
+#define IFGROUP_DEFAULT_MASK 0xffffffffU
+
+static int
+ifgroup_parse(int c, char **argv, int invert, unsigned int *flags,
+	      const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ifgroup_info *info =
+			 (struct xt_ifgroup_info *) (*match)->data;
+	char *end;
+
+	switch (c) {
+	case '1':
+		if (*flags & PARAM_MATCH_IN)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Can't specify --ifgroup-in twice");
+
+		check_inverse(optarg, &invert, &optind, 0);
+
+		info->in_group = strtoul(optarg, &end, 0);
+		info->in_mask = IFGROUP_DEFAULT_MASK;
+
+		if (*end == '/')
+			info->in_mask = strtoul(end+1, &end, 0);
+
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				  "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+		if (invert)
+			info->flags |= XT_IFGROUP_INVERT_IN;
+
+		*flags |= PARAM_MATCH_IN;
+		info->flags |= XT_IFGROUP_MATCH_IN;
+		break;
+
+	case '2':
+		if (*flags & PARAM_MATCH_OUT)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Can't specify --ifgroup-out twice");
+
+		check_inverse(optarg, &invert, &optind, 0);
+
+		info->out_group = strtoul(optarg, &end, 0);
+		info->out_mask = IFGROUP_DEFAULT_MASK;
+
+		if (*end == '/')
+			info->out_mask = strtoul(end+1, &end, 0);
+
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+			    "ifgroup match: Bad ifgroup value `%s'", optarg);
+
+		if (invert)
+			info->flags |= XT_IFGROUP_INVERT_OUT;
+
+		*flags |= PARAM_MATCH_OUT;
+		info->flags |= XT_IFGROUP_MATCH_OUT;
+		break;
+
+	default: 
+		return 0;
+	}
+
+	return 1;
+}
+
+static void
+ifgroup_final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+		    "You must specify either "
+		    "`--ifgroup-in' or `--ifgroup-out'");
+}
+
+static void
+ifgroup_print_value_in(struct xt_ifgroup_info *info)
+{
+	printf("0x%x", info->in_group);
+	if (info->in_mask != IFGROUP_DEFAULT_MASK)
+		printf("/0x%x", info->in_mask);
+	printf(" ");
+}
+
+static void
+ifgroup_print_value_out(struct xt_ifgroup_info *info)
+{
+	printf("0x%x", info->out_group);
+	if (info->out_mask != IFGROUP_DEFAULT_MASK)
+		printf("/0x%x", info->out_mask);
+	printf(" ");
+}
+
+static void
+ifgroup_print(const void *ip,
+	      const struct xt_entry_match *match,
+	      int numeric)
+{
+	struct xt_ifgroup_info *info =
+		(struct xt_ifgroup_info *) match->data;
+
+	printf("ifgroup ");
+
+	if (info->flags & XT_IFGROUP_MATCH_IN) {
+		printf("in %s",
+		       info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
+		ifgroup_print_value_in(info);
+	}
+	if (info->flags & XT_IFGROUP_MATCH_OUT) {
+		printf("out %s",
+		       info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
+		ifgroup_print_value_out(info);
+	}
+}
+
+static void
+ifgroup_save(const void *ip, const struct xt_entry_match *match)
+{
+	struct xt_ifgroup_info *info =
+		(struct xt_ifgroup_info *) match->data;
+
+	if (info->flags & XT_IFGROUP_MATCH_IN) {
+		printf("%s--ifgroup-in ",
+		       info->flags & XT_IFGROUP_INVERT_IN ? "! " : "");
+		ifgroup_print_value_in(info);
+	}
+	if (info->flags & XT_IFGROUP_MATCH_OUT) {
+		printf("%s--ifgroup-out ",
+		       info->flags & XT_IFGROUP_INVERT_OUT ? "! " : "");
+		ifgroup_print_value_out(info);
+	}
+}
+
+static struct xtables_match ifgroup_match = {
+	.family		= AF_INET,
+	.name		= "ifgroup",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.help		= ifgroup_help,
+	.parse		= ifgroup_parse,
+	.final_check	= ifgroup_final_check,
+	.print		= ifgroup_print,
+	.save		= ifgroup_save,
+	.extra_opts	= opts
+};
+
+static struct xtables_match ifgroup_match6 = {
+	.family		= AF_INET6,
+	.name		= "ifgroup",
+	.version	= IPTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_ifgroup_info)),
+	.help		= ifgroup_help,
+	.parse		= ifgroup_parse,
+	.final_check	= ifgroup_final_check,
+	.print		= ifgroup_print,
+	.save		= ifgroup_save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	xtables_register_match(&ifgroup_match);
+	xtables_register_match(&ifgroup_match6);
+}
Index: extensions/Makefile
===================================================================
--- extensions/Makefile	(revision 7090)
+++ extensions/Makefile	(working copy)
@@ -7,7 +7,7 @@
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
+PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper ifgroup length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
 PF_EXT_SELINUX_SLIB:=
 PF6_EXT_SELINUX_SLIB:=
Index: extensions/libxt_ifgroup.man
===================================================================
--- extensions/libxt_ifgroup.man	(revision 0)
+++ extensions/libxt_ifgroup.man	(revision 0)
@@ -0,0 +1,36 @@
+Maches packets on an interface if it is in the same interface group
+as specified by the
+.B "--ifgroup-in"
+or
+.B "--ifgroup-in"
+parameter. If a mask is also specified, the masked value of
+the inteface's group must be equal to the given value of the
+.B "--ifgroup-in"
+or
+.B "--ifgroup-out"
+parameter to match. This match is available in all tables.
+.TP
+.BR "[!] --ifgroup-in \fIgroup[/mask]\fR"
+This specifies the interface group of input interface and the optional mask.
+Valid only in the in the
+.B PREROUTING
+and
+.B INPUT
+and
+.B FORWARD
+chains, and user-defined chains which are only called from those
+chains. 
+.TP
+.BR "[!] --ifgroup-out \fIgroup[/mask]\fR"
+This specifies the interface group of out interface and the optional mask.
+Valid only in the in the
+.B FORWARD
+and
+.B OUTPUT
+and
+.B POSTROUTING
+chains, and user-defined chains which are only called from those
+chains. 
+.RS
+.PP
+

[PATCHv6 iproute 1/2] Added IFLA_NET_NS_PID as in kernel v2.6.24-rc1

[Laszlo Attila Toth]

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/if_link.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..c948395 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,7 @@ enum
 	IFLA_LINKMODE,
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
+	IFLA_NET_NS_PID,
 	__IFLA_MAX
 };
 
-- 
1.5.2.5

[PATCHv6 iproute 2/2] Interface group as new ip link option

[Laszlo Attila Toth]

Interfaces can be grouped and each group has an unique positive integer ID.
It can be set via ip link. Symbolic names can be specified in
/etc/iproute2/rt_ifgroup.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/if_link.h |    2 +
 include/rt_names.h      |    2 +
 ip/ipaddress.c          |    4 +++
 ip/iplink.c             |   11 ++++++++
 lib/rt_names.c          |   62 +++++++++++++++++++++++++++++++++++++++++++++++
 man/man8/ip.8           |    5 ++++
 6 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index c948395..5a2d071 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -79,6 +79,8 @@ enum
 	IFLA_LINKINFO,
 #define IFLA_LINKINFO IFLA_LINKINFO
 	IFLA_NET_NS_PID,
+	IFLA_IFGROUP,
+#define	IFLA_IFGROUP IFLA_IFGROUP
 	__IFLA_MAX
 };
 
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
 char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
 char* rtnl_rtrealm_n2a(int id, char *buf, int len);
 char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
 int rtnl_rtprot_a2n(__u32 *id, char *arg);
 int rtnl_rtscope_a2n(__u32 *id, char *arg);
 int rtnl_rttable_a2n(__u32 *id, char *arg);
 int rtnl_rtrealm_a2n(__u32 *id, char *arg);
 int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
 
 const char *inet_proto_n2a(int proto, char *buf, int len);
 int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index d1c6620..1ecbe03 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
 		fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
 	if (tb[IFLA_QDISC])
 		fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+	if (tb[IFLA_IFGROUP]) {
+		SPRINT_BUF(b1);
+		fprintf(fp, "group %s ", rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+	}
 #ifdef IFLA_MASTER
 	if (tb[IFLA_MASTER]) {
 		SPRINT_BUF(b1);
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..71bd240 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
 #include <string.h>
 #include <sys/ioctl.h>
 #include <linux/sockios.h>
+#include <linux/rtnetlink.h>
 
 #include "rt_names.h"
 #include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
 	fprintf(stderr, "	                     promisc { on | off } |\n");
 	fprintf(stderr, "	                     trailers { on | off } |\n");
 	fprintf(stderr, "	                     txqueuelen PACKETS |\n");
+	fprintf(stderr, "	                     group GROUP |\n");
 	fprintf(stderr, "	                     name NEWNAME |\n");
 	fprintf(stderr, "	                     address LLADDR | broadcast LLADDR |\n");
 	fprintf(stderr, "	                     mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
 static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 {
 	int qlen = -1;
+	__u32 group = 0;
 	int mtu = -1;
 	int len;
 	char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
 			if (get_integer(&qlen,  *argv, 0))
 				invarg("Invalid \"txqueuelen\" value\n", *argv);
 			addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+		} else if (matches(*argv, "group") == 0) {
+			NEXT_ARG();
+			if (group != 0)
+				duparg("group", *argv);
+
+			if (rtnl_ifgroup_a2n(&group, *argv))
+				invarg("\"group\" value is invalid\n", *argv);
+			addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, sizeof(group));
 		} else if (strcmp(*argv, "mtu") == 0) {
 			NEXT_ARG();
 			if (mtu != -1)
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
 	return 0;
 }
 
+static char * rtnl_rtifgroup_tab[256] = {
+	"0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+	rtnl_rtifgroup_init = 1;
+	rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+			    rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(int id, char *buf, int len)
+{
+	if (id<0 || id>=256) {
+		snprintf(buf, len, "%d", id);
+		return buf;
+	}
+	if (!rtnl_rtifgroup_tab[id]) {
+		if (!rtnl_rtifgroup_init)
+			rtnl_rtifgroup_initialize();
+	}
+	if (rtnl_rtifgroup_tab[id])
+		return rtnl_rtifgroup_tab[id];
+	snprintf(buf, len, "0x%02x", id);
+	return buf;
+}
+
+
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+	static char *cache = NULL;
+	static unsigned long res;
+	char *end;
+	int i;
+
+	if (cache && strcmp(cache, arg) == 0) {
+		*id = res;
+		return 0;
+	}
+
+	if (!rtnl_rtifgroup_init)
+		rtnl_rtifgroup_initialize();
+
+	for (i=0; i<256; i++) {
+		if (rtnl_rtifgroup_tab[i] &&
+		    strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+			cache = rtnl_rtifgroup_tab[i];
+			res = i;
+			*id = res;
+			return 0;
+		}
+	}
+
+	res = strtoul(arg, &end, 16);
+	if (!end || end == arg || *end || res > 255)
+		return -1;
+	*id = res;
+	return 0;
+}
+
diff --git a/man/man8/ip.8 b/man/man8/ip.8
index 8fd6d52..0338dab 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
 change the transmit queue length of the device.
 
 .TP
+.BI group " GROUP"
+.TP 
+change the interface group identifier of the device.
+
+.TP
 .BI mtu " NUMBER"
 change the 
 .I MTU
-- 
1.5.2.5

Re: [PATCHv6 iproute 2/2] Interface group as new ip link option

[Lutz Jaenicke]

On Tue, Nov 20, 2007 at 02:14:30PM +0100, Laszlo Attila Toth wrote:
> Interfaces can be grouped and each group has an unique positive integer ID.
> It can be set via ip link. Symbolic names can be specified in
> /etc/iproute2/rt_ifgroup.
 
> diff --git a/include/rt_names.h b/include/rt_names.h
> index 07a10e0..72c5247 100644
> --- a/include/rt_names.h
> +++ b/include/rt_names.h
> @@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
>  char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
>  char* rtnl_rtrealm_n2a(int id, char *buf, int len);
>  char* rtnl_dsfield_n2a(int id, char *buf, int len);
> +char* rtnl_ifgroup_n2a(int id, char *buf, int len);
>  int rtnl_rtprot_a2n(__u32 *id, char *arg);
>  int rtnl_rtscope_a2n(__u32 *id, char *arg);
>  int rtnl_rttable_a2n(__u32 *id, char *arg);
>  int rtnl_rtrealm_a2n(__u32 *id, char *arg);
>  int rtnl_dsfield_a2n(__u32 *id, char *arg);
> +int rtnl_ifgroup_a2n(__u32 *id, char *arg);

Shouldn't rtnl_ifgroup_n2a() using __u32 for "id"? It is actually handed
a __u32 value.

> diff --git a/lib/rt_names.c b/lib/rt_names.c
> index 8d019a0..a067e74 100644
> --- a/lib/rt_names.c
> +++ b/lib/rt_names.c
> @@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
>  	return 0;
>  }
>  
> +static char * rtnl_rtifgroup_tab[256] = {
> +	"0",
> +};
> +
> +static int rtnl_rtifgroup_init;
> +
> +static void rtnl_rtifgroup_initialize(void)
> +{
> +	rtnl_rtifgroup_init = 1;
> +	rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
> +			    rtnl_rtifgroup_tab, 256);
> +}
> +
> +char * rtnl_ifgroup_n2a(int id, char *buf, int len)
> +{
> +	if (id<0 || id>=256) {
> +		snprintf(buf, len, "%d", id);
> +		return buf;
> +	}

Shouldn't we better use "hex" here? "hex" is used for values up to 255
and iptables matches use hex for all values as well.
(__u32 change proposed above will make "id<0" pointless.)

> +	if (!rtnl_rtifgroup_tab[id]) {
> +		if (!rtnl_rtifgroup_init)
> +			rtnl_rtifgroup_initialize();
> +	}
> +	if (rtnl_rtifgroup_tab[id])
> +		return rtnl_rtifgroup_tab[id];
> +	snprintf(buf, len, "0x%02x", id);
> +	return buf;
> +}

> +int rtnl_ifgroup_a2n(__u32 *id, char *arg)
> +{
> +	static char *cache = NULL;
> +	static unsigned long res;
> +	char *end;
> +	int i;
> +
> +	if (cache && strcmp(cache, arg) == 0) {
> +		*id = res;
> +		return 0;
> +	}
> +
> +	if (!rtnl_rtifgroup_init)
> +		rtnl_rtifgroup_initialize();
> +
> +	for (i=0; i<256; i++) {
> +		if (rtnl_rtifgroup_tab[i] &&
> +		    strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
> +			cache = rtnl_rtifgroup_tab[i];
> +			res = i;
> +			*id = res;
> +			return 0;
> +		}
> +	}
> +
> +	res = strtoul(arg, &end, 16);

Why should we hardcode base 16 here. strtoul can handle dec and hex
(0x..) just fine. The iptables matches are usign strtoul(,,0) as
well.

> +	if (!end || end == arg || *end || res > 255)
> +		return -1;

Why do you restrict to values <=255? iptables match does not limit
and I do not really understand why I should restrict the values here.
(Even if they may not have a textual representation.)

Best regards,
	Lutz
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum

----------------------------------------------------------------------------

Visit us at the SPS/IPC/Drives in Nuremberg / Germany

27 - 29 November 2007, Hall 9, Stand 9-141

----------------------------------------------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 iptables]Interface group match

[Lutz Jaenicke]

[-- Attachment #1: Type: text/plain, Size: 1463 bytes --]

On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
> Interface group values can be checked on both input and output interfaces
> with optional mask.

> Index: extensions/libxt_ifgroup.c
> ===================================================================
> --- extensions/libxt_ifgroup.c	(revision 0)
> +++ extensions/libxt_ifgroup.c	(revision 0)

> +		info->in_group = strtoul(optarg, &end, 0);

This is somewhat inconsistent with the iproute patch which targets
specific groups (with names).
Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
There is no standard API like getservbyname()...

I do have a draft patch for physdev which is however against
iptables-1.3.8 and linux-2.6.19 so it will need some more work
but I will attach it for discussion.

(This will leave ebtables to be touched...)

Best regards,
	Lutz
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum

----------------------------------------------------------------------------

Visit us at the SPS/IPC/Drives in Nuremberg / Germany

27 - 29 November 2007, Hall 9, Stand 9-141

----------------------------------------------------------------------------

[-- Attachment #2: ifgroup_physdev.patch --]
[-- Type: text/plain, Size: 4806 bytes --]

diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c iptables-1.3.8/extensions/libipt_physdev.c
--- iptables-1.3.8-vanilla/extensions/libipt_physdev.c	2007-01-23 13:50:00.000000000 +0100
+++ iptables-1.3.8/extensions/libipt_physdev.c	2007-11-01 16:57:58.000000000 +0100
@@ -19,6 +19,8 @@
 "physdev v%s options:\n"
 " --physdev-in [!] input name[+]		bridge port name ([+] for wildcard)\n"
 " --physdev-out [!] output name[+]	bridge port name ([+] for wildcard)\n"
+" --physgroup-in [!] input group		bridge port group value\n"
+" --physgroup-out [!] output group	bridge port group value\n"
 " [!] --physdev-is-in			arrived on a bridge device\n"
 " [!] --physdev-is-out			will leave on a bridge device\n"
 " [!] --physdev-is-bridged		it's a bridged packet\n"
@@ -31,6 +33,8 @@
 	{ "physdev-is-in", 0, 0, '3' },
 	{ "physdev-is-out", 0, 0, '4' },
 	{ "physdev-is-bridged", 0, 0, '5' },
+	{ "physgroup-in", 1, 0, '6' },
+	{ "physgroup-out", 1, 0, '7' },
 	{0}
 };
 
@@ -47,6 +51,7 @@
 {
 	struct ipt_physdev_info *info =
 		(struct ipt_physdev_info*)(*match)->data;
+	char *end;
 
 	switch (c) {
 	case '1':
@@ -103,6 +108,44 @@
 		info->bitmask |= IPT_PHYSDEV_OP_BRIDGED;
 		break;
 
+	case '6':
+		if (*flags & IPT_PHYSDEV_OP_GROUPIN)
+			goto multiple_use;
+		check_inverse(argv[optind-1], &invert, &optind, 0);
+	 	end = optarg = argv[optind-1];
+		info->ingroup = strtoul(optarg, &end, 0);
+		info->ingroupmask = 0xffffffffUL;
+		if (*end == '/')
+			info->ingroupmask = strtoul(end+1, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				"physdev match: Bad ifgroup value `%s'",
+				optarg);
+		if (invert)
+			info->invert |= IPT_PHYSDEV_OP_GROUPIN;
+		*flags |= IPT_PHYSDEV_OP_GROUPIN;
+		info->bitmask |= IPT_PHYSDEV_OP_GROUPIN;
+		break;
+
+	case '7':
+		if (*flags & IPT_PHYSDEV_OP_GROUPOUT)
+			goto multiple_use;
+               check_inverse(argv[optind-1], &invert, &optind, 0);
+               end = optarg = argv[optind-1];
+		info->outgroup = strtoul(optarg, &end, 0);
+		info->outgroupmask = 0xffffffffUL;
+		if (*end == '/')
+			info->outgroupmask = strtoul(end+1, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				"physdev match: Bad ifgroup value `%s'",
+				optarg);
+		if (invert)
+			info->invert |= IPT_PHYSDEV_OP_GROUPOUT;
+		*flags |= IPT_PHYSDEV_OP_GROUPOUT;
+		info->bitmask |= IPT_PHYSDEV_OP_GROUPOUT;
+		break;
+
 	default:
 		return 0;
 	}
@@ -145,6 +186,13 @@
 	if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
 		printf("%s --physdev-is-bridged",
 		       info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
+
+	if (info->bitmask & IPT_PHYSDEV_OP_GROUPIN)
+		printf("%s --physgroup-in 0x%x/0x%x",
+		(info->invert & IPT_PHYSDEV_OP_GROUPIN) ? " !":"", info->ingroup, info->ingroupmask);
+	if (info->bitmask & IPT_PHYSDEV_OP_GROUPOUT)
+		printf("%s --physgroup-out 0x%x/0x%x",
+		(info->invert & IPT_PHYSDEV_OP_GROUPOUT) ? " !":"", info->outgroup, info->outgroupmask);
 	printf(" ");
 }
 
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h	2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h	2007-11-01 16:15:38.000000000 +0100
@@ -10,13 +10,19 @@
 #define IPT_PHYSDEV_OP_BRIDGED		0x04
 #define IPT_PHYSDEV_OP_ISIN		0x08
 #define IPT_PHYSDEV_OP_ISOUT		0x10
-#define IPT_PHYSDEV_OP_MASK		(0x20 - 1)
+#define IPT_PHYSDEV_OP_GROUPIN		0x20
+#define IPT_PHYSDEV_OP_GROUPOUT		0x40
+#define IPT_PHYSDEV_OP_MASK		(0x80 - 1)
 
 struct ipt_physdev_info {
 	char physindev[IFNAMSIZ];
 	char in_mask[IFNAMSIZ];
 	char physoutdev[IFNAMSIZ];
 	char out_mask[IFNAMSIZ];
+	u_int32_t ingroup;
+	u_int32_t ingroupmask;
+	u_int32_t outgroup;
+	u_int32_t outgroupmask;
 	u_int8_t invert;
 	u_int8_t bitmask;
 };
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h	2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h	2007-11-01 16:15:21.000000000 +0100
@@ -10,13 +10,19 @@
 #define IP6T_PHYSDEV_OP_BRIDGED		0x04
 #define IP6T_PHYSDEV_OP_ISIN		0x08
 #define IP6T_PHYSDEV_OP_ISOUT		0x10
-#define IP6T_PHYSDEV_OP_MASK		(0x20 - 1)
+#define IP6T_PHYSDEV_OP_GROUPIN		0x20
+#define IP6T_PHYSDEV_OP_GROUPOUT	0x40
+#define IP6T_PHYSDEV_OP_MASK		(0x80 - 1)
 
 struct ip6t_physdev_info {
 	char physindev[IFNAMSIZ];
 	char in_mask[IFNAMSIZ];
 	char physoutdev[IFNAMSIZ];
 	char out_mask[IFNAMSIZ];
+	u_int32_t ingroup;
+	u_int32_t ingroupmask;
+	u_int32_t outgroup;
+	u_int32_t outgroupmask;
 	u_int8_t invert;
 	u_int8_t bitmask;
 };

[-- Attachment #3: ifgroup_physdev_kernel.patch --]
[-- Type: text/plain, Size: 2576 bytes --]

diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index fbcc7ce..75cdc51 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -23,6 +23,23 @@ MODULE_DESCRIPTION("iptables bridge physical device match module");
 MODULE_ALIAS("ipt_physdev");
 MODULE_ALIAS("ip6t_physdev");
 
+static inline bool
+ifgroup_match_in(u_int32_t ingroup, 
+		 const struct xt_physdev_info *info)
+{
+
+	return ((ingroup & info->ingroupmask) == info->ingroup) ^ 
+		((info->invert & XT_PHYSDEV_OP_GROUPIN) == XT_PHYSDEV_OP_GROUPIN);
+}
+
+static inline bool
+ifgroup_match_out(u_int32_t outgroup,
+		 const struct xt_physdev_info *info)
+{
+	return ((outgroup & info->outgroupmask) == info->outgroup) ^ 
+		((info->invert & XT_PHYSDEV_OP_GROUPOUT) == XT_PHYSDEV_OP_GROUPOUT);
+}
+
 static int
 match(const struct sk_buff *skb,
       const struct net_device *in,
@@ -38,6 +55,7 @@ match(const struct sk_buff *skb,
 	const struct xt_physdev_info *info = matchinfo;
 	unsigned int ret;
 	const char *indev, *outdev;
+	u_int32_t ingroup, outgroup;
 	struct nf_bridge_info *nf_bridge;
 
 	/* Not a bridged IP packet or no info available yet:
@@ -60,6 +78,12 @@ match(const struct sk_buff *skb,
 		if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
 		    !(info->invert & XT_PHYSDEV_OP_OUT))
 			return NOMATCH;
+		if ((info->bitmask & XT_PHYSDEV_OP_GROUPIN) &&
+		    !(info->invert & XT_PHYSDEV_OP_GROUPIN))
+			return NOMATCH;
+		if ((info->bitmask & XT_PHYSDEV_OP_GROUPOUT) &&
+		    !(info->invert & XT_PHYSDEV_OP_GROUPOUT))
+			return NOMATCH;
 		return MATCH;
 	}
 
@@ -75,6 +99,18 @@ match(const struct sk_buff *skb,
 	    (!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
 		return NOMATCH;
 
+	if (info->bitmask & XT_PHYSDEV_OP_GROUPIN) {
+		ingroup = nf_bridge->physindev ? nf_bridge->physindev->ifgroup : -1;
+		if (!ifgroup_match_in(ingroup, info))
+			return NOMATCH;
+	}
+
+	if (info->bitmask & XT_PHYSDEV_OP_GROUPOUT) {
+		outgroup = nf_bridge->physoutdev ? nf_bridge->physoutdev->ifgroup : -1;
+		if (!ifgroup_match_out(outgroup, info))
+			return NOMATCH;
+	}
+
 	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
 		goto match_outdev;
 	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
@@ -114,6 +150,7 @@ checkentry(const char *tablename,
 	    info->bitmask & ~XT_PHYSDEV_OP_MASK)
 		return 0;
 	if (brnf_deferred_hooks == 0 &&
+	    info->bitmask & XT_PHYSDEV_OP_GROUPOUT &&
 	    info->bitmask & XT_PHYSDEV_OP_OUT &&
 	    (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
 	     info->invert & XT_PHYSDEV_OP_BRIDGED) &&

Re: [PATCHv6 iptables]Interface group match

[Laszlo Attila Toth]

Lutz Jaenicke írta:
> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>> Interface group values can be checked on both input and output interfaces
>> with optional mask.
> 
>> Index: extensions/libxt_ifgroup.c
>> ===================================================================
>> --- extensions/libxt_ifgroup.c	(revision 0)
>> +++ extensions/libxt_ifgroup.c	(revision 0)
> 
>> +		info->in_group = strtoul(optarg, &end, 0);
> 
> This is somewhat inconsistent with the iproute patch which targets
> specific groups (with names).
> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?

It would be good but cannot be used if a mask is set and only values 
less than 256 can be used with names.

> There is no standard API like getservbyname()...

The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
write this part.

> 
> I do have a draft patch for physdev which is however against
> iptables-1.3.8 and linux-2.6.19 so it will need some more work
> but I will attach it for discussion.

Thanks. I will send soon for net-2.6.25 and iptables svn version.

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 iptables]Interface group match

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Lutz Jaenicke írta:
>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>> Interface group values can be checked on both input and output 
>>> interfaces
>>> with optional mask.
>>
>>> Index: extensions/libxt_ifgroup.c
>>> ===================================================================
>>> --- extensions/libxt_ifgroup.c    (revision 0)
>>> +++ extensions/libxt_ifgroup.c    (revision 0)
>>
>>> +        info->in_group = strtoul(optarg, &end, 0);
>>
>> This is somewhat inconsistent with the iproute patch which targets
>> specific groups (with names).
>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
> 
> It would be good but cannot be used if a mask is set and only values 
> less than 256 can be used with names.


Why 256? I can see no such limitation. For masks you could
simply allow to define masks in rt_ifgroup too and use
name/name or simply name/0xmask.

>> There is no standard API like getservbyname()...
> 
> The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
> write this part.


Of course. Please put the tab part somewhere common, I always
wanted to have named firewall marks shared with ip and tc
and I believe Balazs wanted that too :)

Re: [PATCHv6 iptables]Interface group match

[Laszlo Attila Toth]

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> Lutz Jaenicke írta:
>>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>>> Interface group values can be checked on both input and output 
>>>> interfaces
>>>> with optional mask.
>>>
>>>> Index: extensions/libxt_ifgroup.c
>>>> ===================================================================
>>>> --- extensions/libxt_ifgroup.c    (revision 0)
>>>> +++ extensions/libxt_ifgroup.c    (revision 0)
>>>
>>>> +        info->in_group = strtoul(optarg, &end, 0);
>>>
>>> This is somewhat inconsistent with the iproute patch which targets
>>> specific groups (with names).
>>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
>>
>> It would be good but cannot be used if a mask is set and only values 
>> less than 256 can be used with names.
> 
> 
> Why 256? I can see no such limitation. For masks you could
> simply allow to define masks in rt_ifgroup too and use
> name/name or simply name/0xmask.


256 because it is the size of a static array (and I don't want allocate 
too much memory when other arrays such as the routing table names also 
have this size). In the current version I posted some minutes ago 
0..2^32-1  can be used.

The syntax "name/0xmask" is simply too strange for me.

> 
>>> There is no standard API like getservbyname()...
>>
>> The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
>> write this part.
> 
> 
> Of course. Please put the tab part somewhere common, I always
> wanted to have named firewall marks shared with ip and tc
> and I believe Balazs wanted that too :)

Ok. Yes, he wants :)


-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 iptables]Interface group match

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Patrick McHardy írta:
>> Laszlo Attila Toth wrote:
>>> Lutz Jaenicke írta:

>>>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
>>>
>>> It would be good but cannot be used if a mask is set and only values 
>>> less than 256 can be used with names.
>>
>>
>> Why 256? I can see no such limitation. For masks you could
>> simply allow to define masks in rt_ifgroup too and use
>> name/name or simply name/0xmask.
> 
> 
> 256 because it is the size of a static array (and I don't want allocate 
> too much memory when other arrays such as the routing table names also 
> have this size). In the current version I posted some minutes ago 
> 0..2^32-1  can be used.

Its a hash. You can put as much in there as you like :)

> The syntax "name/0xmask" is simply too strange for me.

Then how about name/name with masks also defined in rt_ifgroup?
The same question applies for marks of course.

>>>> There is no standard API like getservbyname()...
>>>
>>> The code of iproute2 should be copied. If Patrick says it is ok,  
>>> I'll write this part.
>>
>>
>> Of course. Please put the tab part somewhere common, I always
>> wanted to have named firewall marks shared with ip and tc
>> and I believe Balazs wanted that too :)
> 
> Ok. Yes, he wants :)
> 
> 

Re: [PATCHv6 iptables]Interface group match

[Jan Engelhardt]

On Nov 29 2007 17:27, Patrick McHardy wrote:
>
>> The syntax "name/0xmask" is simply too strange for me.
>
> Then how about name/name with masks also defined in rt_ifgroup?
> The same question applies for marks of course.
>
I would find that confusing, which is why the new xt_TOS only
allows names when no /mask or a mask of /allbits is used.

>> > > > There is no standard API like getservbyname()...
>> > >
>> > > The code of iproute2 should be copied. If Patrick says it is ok,  I'll
>> > > write this part.
>> >
>> > Of course. Please put the tab part somewhere common, I always
>> > wanted to have named firewall marks shared with ip and tc
>> > and I believe Balazs wanted that too :)
>> 
>> Ok. Yes, he wants :)
>
So, we are going to see a librtnl?

Re: [PATCHv6 iptables]Interface group match

[Patrick McHardy]

Jan Engelhardt wrote:
> On Nov 29 2007 17:27, Patrick McHardy wrote:
>>> The syntax "name/0xmask" is simply too strange for me.
>> Then how about name/name with masks also defined in rt_ifgroup?
>> The same question applies for marks of course.
>>
> I would find that confusing, which is why the new xt_TOS only
> allows names when no /mask or a mask of /allbits is used.

Its still useful, you don't have to use it :) Another alternative
would be to allow defining names to val/mask.

Re: [PATCHv6 3/3] Netfilter Interface group match

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Interface group values can be checked on both input and output interfaces.


Needs a minor update to comply with the naming scheme Jan introduced,
but I can take care of that once the other patches are merged.

Re: [PATCHv6 2/3] Interface group: core (netlink) part

[Lutz Jaenicke]

On Tue, Nov 20, 2007 at 02:14:26PM +0100, Laszlo Attila Toth wrote:
> Interface groups let handle different interfaces together.
> Modified net device structure and netlink interface.
> 
> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
> ---
>  include/linux/if_link.h   |    2 ++
>  include/linux/netdevice.h |    2 ++
>  net/core/rtnetlink.c      |   11 +++++++++++
>  3 files changed, 15 insertions(+), 0 deletions(-)

Adding read/write support via sysfs should not be too difficult:

diff -ruN a/net/core/net-sysfs.c b/net/core/net-sysfs.c
--- a/net/core/net-sysfs.c	2007-11-17 06:16:36.000000000 +0100
+++ b/net/core/net-sysfs.c	2007-11-23 14:04:47.000000000 +0100
@@ -219,6 +219,20 @@
 	return netdev_store(dev, attr, buf, len, change_tx_queue_len);
 }
 
+NETDEVICE_SHOW(ifgroup, fmt_hex);
+
+static int change_ifgroup(struct net_device *net, unsigned long new_ifgroup)
+{
+	net->ifgroup = new_ifgroup;
+	return 0;
+}
+
+static ssize_t store_ifgroup(struct device *dev, struct device_attribute *attr,
+			   const char *buf, size_t len)
+{
+	return netdev_store(dev, attr, buf, len, change_ifgroup);
+}
+
 static struct device_attribute net_class_attributes[] = {
 	__ATTR(addr_len, S_IRUGO, show_addr_len, NULL),
 	__ATTR(iflink, S_IRUGO, show_iflink, NULL),
@@ -235,6 +249,7 @@
 	__ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags),
 	__ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len,
 	       store_tx_queue_len),
+	__ATTR(ifgroup, S_IRUGO | S_IWUSR, show_ifgroup, store_ifgroup),
 	{}
 };
 
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.6392-3308
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum

----------------------------------------------------------------------------

Visit us at the SPS/IPC/Drives in Nuremberg / Germany

27 - 29 November 2007, Hall 9, Stand 9-141

----------------------------------------------------------------------------

Re: [PATCHv6 2/3] Interface group: core (netlink) part

[Patrick McHardy]

Laszlo Attila Toth wrote:
> Interface groups let handle different interfaces together.
> Modified net device structure and netlink interface.


Looks good.

Re: [PATCHv6 1/3] rtnetlink: setlink changes are unprotected; with single notification

[Patrick McHardy]

Laszlo Attila Toth wrote:
> In do_setlink the device changes don't need to be protected. Notification
> is sent at the end of the function once if any modification occured
> and once if an address has been changed.
> 
> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
> ---
>  net/core/rtnetlink.c |   32 ++++++++++++++++++++------------
>  1 files changed, 20 insertions(+), 12 deletions(-)
> 
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 4a07e83..20cb67e 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -542,7 +542,7 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id,
>  
>  EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
>  
> -static void set_operstate(struct net_device *dev, unsigned char transition)
> +static int set_operstate(struct net_device *dev, unsigned char transition)
>  {
>  	unsigned char operstate = dev->operstate;
>  
> @@ -562,11 +562,10 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
>  	}
>  
>  	if (dev->operstate != operstate) {
> -		write_lock_bh(&dev_base_lock);
>  		dev->operstate = operstate;
> -		write_unlock_bh(&dev_base_lock);
> -		netdev_state_change(dev);
> -	}
> +		return 1;
> +	} else
> +		return 0;


The locking changes belong in a seperate patch with an explanation.

>  
> -	if (tb[IFLA_OPERSTATE])
> -		set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
> +	if (tb[IFLA_OPERSTATE]) {
> +		modified |= set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
> +	}

Please don't add braces here.

The rest looks fine.

Re: [PATCHv6 0/3] Interface group patches

[Jan Engelhardt]

On Nov 20 2007 14:14, Laszlo Attila Toth wrote:
>
>This is the 6th version of our interface group patches.
>
>The interface group value can be used to manage different interfaces
>at the same time such as in netfilter/iptables.

I take it you could not use...?
	iptables -i iif1 -j dosomething
	iptables -i iif2 -j dosomething

>The netfilter patch
>is ready but future plan is the same for ip/tc commands (except
>the ifgroup value change which happens via "ip link set" command).

How can it be useful in conjunction with tc?

Re: [PATCHv6 0/3] Interface group patches

[Laszlo Attila Toth]

Jan Engelhardt írta:
> On Nov 20 2007 14:14, Laszlo Attila Toth wrote:
>> This is the 6th version of our interface group patches.
>>
>> The interface group value can be used to manage different interfaces
>> at the same time such as in netfilter/iptables.
> 
> I take it you could not use...?
> 	iptables -i iif1 -j dosomething
> 	iptables -i iif2 -j dosomething

This kind of usage requires static interface names. But there are 
dynamic interfaces such as ppp, where the actual name is not always 
known or sometimes they exist sometimes not. It is difficult to use 
iptables this way, and every ifup/ifdown requires change in the iptables 
ruleset (donwload it, modify and upload to the kernel). It may be too slow.

> 
>> The netfilter patch
>> is ready but future plan is the same for ip/tc commands (except
>> the ifgroup value change which happens via "ip link set" command).
> 
> How can it be useful in conjunction with tc?

jamal wrote it previously:
http://marc.info/?l=linux-netdev&m=119253403415810&w=2

-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 0/3] Interface group patches

[David Miller]

From: Laszlo Attila Toth <panther@balabit.hu>
Date: Tue, 20 Nov 2007 14:52:12 +0100

> Jan Engelhardt írta:
> > On Nov 20 2007 14:14, Laszlo Attila Toth wrote:
> >> This is the 6th version of our interface group patches.
> >>
> >> The interface group value can be used to manage different interfaces
> >> at the same time such as in netfilter/iptables.
> > 
> > I take it you could not use...?
> > 	iptables -i iif1 -j dosomething
> > 	iptables -i iif2 -j dosomething
> 
> This kind of usage requires static interface names. But there are 
> dynamic interfaces such as ppp, where the actual name is not always 
> known or sometimes they exist sometimes not. It is difficult to use 
> iptables this way, and every ifup/ifdown requires change in the iptables 
> ruleset (donwload it, modify and upload to the kernel). It may be too slow.

This is actually not true these days.

When network devices are created user events are generated and the
user can rename the device however they like using a mapping table of
any kind.

And at such point the problem you present doesn't actually exist, you
can know what the device will be named.

And if rule loading dynamically is slow, we should fix that instead of
creating infrastructure and interfaces we don't actually need.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 0/3] Interface group patches

[Patrick McHardy]

David Miller wrote:
> From: Laszlo Attila Toth <panther@balabit.hu>
> Date: Tue, 20 Nov 2007 14:52:12 +0100
> 
>> Jan Engelhardt írta:
>>> On Nov 20 2007 14:14, Laszlo Attila Toth wrote:
>>>> This is the 6th version of our interface group patches.
>>>>
>>>> The interface group value can be used to manage different interfaces
>>>> at the same time such as in netfilter/iptables.
>>> I take it you could not use...?
>>> 	iptables -i iif1 -j dosomething
>>> 	iptables -i iif2 -j dosomething
>> This kind of usage requires static interface names. But there are 
>> dynamic interfaces such as ppp, where the actual name is not always 
>> known or sometimes they exist sometimes not. It is difficult to use 
>> iptables this way, and every ifup/ifdown requires change in the iptables 
>> ruleset (donwload it, modify and upload to the kernel). It may be too slow.
> 
> This is actually not true these days.
> 
> When network devices are created user events are generated and the
> user can rename the device however they like using a mapping table of
> any kind.
> 
> And at such point the problem you present doesn't actually exist, you
> can know what the device will be named.
> 
> And if rule loading dynamically is slow, we should fix that instead of
> creating infrastructure and interfaces we don't actually need.


I actually like this feature. Matching on names in iptables
has always been one of the major bottlenecks, taking
(according to my last measurement, which is some time ago)
about 1-2% of the total performance. This is of course in
large parts because the interface match is present on *every*
rule, but still some way to logically group interfaces seems
useful to me, not only for iptables, but also for routing rules,
traffic classifiers, af_packet sockets etc.

I'm working on the incremental ruleset changing API BTW :)
One of the changes will be that interface matching is not
a default part of every rule, and without wildcards it will
use the ifindex. But since the cost of this feature seems
pretty low, I don't see a compelling reason against it.

Re: [PATCHv6 0/3] Interface group patches

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 21 Nov 2007 01:25:54 +0100

> I'm working on the incremental ruleset changing API BTW :)
> One of the changes will be that interface matching is not
> a default part of every rule, and without wildcards it will
> use the ifindex. But since the cost of this feature seems
> pretty low, I don't see a compelling reason against it.

Fair enough :)

Re: [PATCHv6 0/3] Interface group patches

[Laszlo Attila Toth]

David Miller írta:
> From: Patrick McHardy <kaber@trash.net>
> Date: Wed, 21 Nov 2007 01:25:54 +0100
> 
>> I'm working on the incremental ruleset changing API BTW :)
>> One of the changes will be that interface matching is not
>> a default part of every rule, and without wildcards it will
>> use the ifindex. But since the cost of this feature seems
>> pretty low, I don't see a compelling reason against it.
> 
> Fair enough :)
> 

If this means the patch is ok, please apply it. Thanks.

--
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCHv6 0/3] Interface group patches

[Balazs Scheidler]

On Wed, 2007-11-21 at 01:25 +0100, Patrick McHardy wrote:
> David Miller wrote:
> > From: Laszlo Attila Toth <panther@balabit.hu>
> > Date: Tue, 20 Nov 2007 14:52:12 +0100
> > 
> >> Jan Engelhardt írta:
> >>> On Nov 20 2007 14:14, Laszlo Attila Toth wrote:
> >>>> This is the 6th version of our interface group patches.
> >>>>
> >>>> The interface group value can be used to manage different interfaces
> >>>> at the same time such as in netfilter/iptables.
> >>> I take it you could not use...?
> >>> 	iptables -i iif1 -j dosomething
> >>> 	iptables -i iif2 -j dosomething
> >> This kind of usage requires static interface names. But there are 
> >> dynamic interfaces such as ppp, where the actual name is not always 
> >> known or sometimes they exist sometimes not. It is difficult to use 
> >> iptables this way, and every ifup/ifdown requires change in the iptables 
> >> ruleset (donwload it, modify and upload to the kernel). It may be too slow.
> > 
> > This is actually not true these days.
> > 
> > When network devices are created user events are generated and the
> > user can rename the device however they like using a mapping table of
> > any kind.
> > 
> > And at such point the problem you present doesn't actually exist, you
> > can know what the device will be named.
> > 
> > And if rule loading dynamically is slow, we should fix that instead of
> > creating infrastructure and interfaces we don't actually need.
> 
> 
> I actually like this feature. Matching on names in iptables
> has always been one of the major bottlenecks, taking
> (according to my last measurement, which is some time ago)
> about 1-2% of the total performance. This is of course in
> large parts because the interface match is present on *every*
> rule, but still some way to logically group interfaces seems
> useful to me, not only for iptables, but also for routing rules,
> traffic classifiers, af_packet sockets etc.
> 
> I'm working on the incremental ruleset changing API BTW :)
> One of the changes will be that interface matching is not
> a default part of every rule, and without wildcards it will
> use the ifindex. But since the cost of this feature seems
> pretty low, I don't see a compelling reason against it.

We are also using interface groups from userspace applications (hence
the netlink notification). 

ppp comes up, an interface is created according to the pppd
configuration, which then assigns the interface to the given group.
another application (a proxy based firewall in our example) listens to
this notification and binds to the new interface as well.

-- 
Bazsi

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html