From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration
Date: Thu, 3 Jul 2025 14:47:32 +0200 [thread overview]
Message-ID: <aGZ75G4SVuwkNDb9@orbyte.nwl.cc> (raw)
In-Reply-To: <aGZ6E0k0AyYMiMvp@strlen.de>
On Thu, Jul 03, 2025 at 02:39:47PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > personally wouldn't care about as I find it similar to mis-typing an IP
> > address or RHS to an iifname match.
>
> Good point. I think if performance isn't an issue then we can go ahead
> without this flag.
>
> > If transparency of behaviour is a
> > concern, I'd rather implement GETDEV message type and enable user space
> > to print the list of currently bound interfaces (though it's partially
> > redundant, 'nft list hooks' helps there although it does not show which
> > flowtable/chain "owns" the hook).
>
> Do we need new query types for this?
> nftables could just query via rtnetlink if the device exists or not
> and then print a hint if its absent.
Hey, that's a hack! :P
Under normal circumstances, this should indeed suffice. The ruleset is
per-netns, so the kernel's view matches nft's. The only downside I see
is that we would not detect kernel bugs this way, e.g. if a new device
slipped through and was not bound. Debatable if the GETDEV extra effort
is justified for this "should not happen" situation, though.
Cheers, Phil
next prev parent reply other threads:[~2025-07-03 12:47 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-02 17:47 [nf-next RFC] netfilter: nf_tables: Feature ifname-based hook registration Phil Sutter
2025-07-02 22:39 ` Florian Westphal
2025-07-03 10:21 ` Phil Sutter
2025-07-03 11:35 ` Pablo Neira Ayuso
2025-07-03 12:09 ` Florian Westphal
2025-07-03 12:37 ` Phil Sutter
2025-07-03 12:25 ` Phil Sutter
2025-07-03 12:39 ` Florian Westphal
2025-07-03 12:47 ` Phil Sutter [this message]
2025-07-03 12:54 ` Florian Westphal
2025-07-03 13:17 ` Phil Sutter
2025-07-03 14:19 ` Pablo Neira Ayuso
2025-07-03 14:33 ` Phil Sutter
2025-07-03 21:32 ` Pablo Neira Ayuso
2025-07-04 12:41 ` Phil Sutter
2025-07-04 14:04 ` Florian Westphal
2025-07-04 15:33 ` Phil Sutter
2025-07-07 19:25 ` Pablo Neira Ayuso
2025-07-08 14:38 ` Phil Sutter
2025-07-09 22:43 ` Pablo Neira Ayuso
2025-07-10 13:55 ` Phil Sutter
2025-07-11 12:19 ` Phil Sutter
2025-07-11 13:16 ` Florian Westphal
2025-07-11 13:43 ` Phil Sutter
2025-07-11 13:48 ` Florian Westphal
2025-07-11 14:52 ` Pablo Neira Ayuso
2025-07-11 16:39 ` Phil Sutter
2025-07-14 14:02 ` Pablo Neira Ayuso
2025-07-03 11:55 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGZ75G4SVuwkNDb9@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).