From: Pablo Neira Ayuso <pablo@netfilter.org>
To: jalvarez <jalvarez@toulouse.viveris.com>
Cc: netfilter@vger.kernel.org
Subject: Re: netfilter/nftables: chain rule dumps
Date: Wed, 13 Jul 2016 16:40:36 +0200
Message-ID: <20160713144036.GA1385@salvia>
In-Reply-To: <578636F6.70802@toulouse.viveris.com>
On Wed, Jul 13, 2016 at 02:41:26PM +0200, jalvarez wrote:
> Hi,
>
> First I want to thank the netfilter developers for nftables as it is really
> great! :)
>
> My problem is mostly about libnftnl / libmnl.
>
> I am currently trying to port an IPTC application to work with nftables for
> a high performance firewall, those rules (~50000) are updated very often
> (from 5 to 60 times per second).
> I know it is not really supported, but I can't afford using nft from command
> line as it is too slow and offers less control than the low level C APIs.
>
> I have been looking at the code of libmnl, libnftnl and nftables, and I
> currently didn't see any way of doing the following:
> - dumping the rules for a specific chain or table. I saw it is indeed
> possible to dump the rules for a specific family as it is done in
> mnl_nft_rule_dump, but I didn't see any way of doing so for a specific
> chain.
There is no support for this selective dumping yet in the kernel, but
it should be very easy to add by enhancing the rule dumping. You can
attach .data via netlink_dump_control structure. You only have to
define a container structure like:
struct nft_rule_dump {
        const char *table;
        const char *chain;
};
The idea is to strdup() the string that comes with NFTA_RULE_TABLE and
NFTA_RULE_CHAIN and attach this to the container structure above, then
use this information from nf_tables_dump_rules(). Don't forget to
release these two pointers by setting .done callback in
netlink_dump_control.
The file to modify is net/netfilter/nf_tables_api.c under the kernel
tree, this should result in a relatively small patch. Would you
contribute this update?
> - getting the handle id of a rule after sending a message to add it
> without the need to dump the whole ruleset. In other words, is it
> possible to retrieve the handle of the rule right after its
> insertion to the ruleset? Or is there a reliable way to predict
> this handle?
You can get this through the NLM_F_ECHO flag. This flag makes the
netlink event notification report back to you what rule you have
created, including the 64-bit ID that was allocated. You just have to
invoke recvmsg() after sendmsg().
You can probably enhance the existing libnftnl example to support
this and print the rule ID after creation.
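The NLM_F_ECHO approach described above, as an added example that is not part of this thread, of libnftnl, or of the kernel: a parser for the echoed NFT_MSG_NEWRULE message that pulls out the allocated NFTA_RULE_HANDLE, plus a constructed sample echo to run it against (table "filter", chain "input" and handle 42 are assumed values, not captured output). It works on the raw netlink buffer with the kernel uapi headers only, so it builds without libmnl or libnftnl; in a real client the buffer is what recvmsg() returns after the NEWRULE sendmsg().

```c
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>              /* nlmsghdr, nlattr, NLMSG_*, NLA_* */
#include <linux/netfilter/nfnetlink.h>  /* nfgenmsg, NFNL_SUBSYS_*, NFNL_MSG_TYPE */
#include <linux/netfilter/nf_tables.h>  /* NFT_MSG_NEWRULE, NFTA_RULE_* */

/* Parse the NFT_MSG_NEWRULE the kernel echoes back for an NLM_F_ECHO request and
 * return its 64-bit handle: 0 on success, -1 if not a NEWRULE, truncated, or no handle. */
int nft_echo_rule_handle(const void *buf, size_t len, uint64_t *handle)
{
    const struct nlmsghdr *nlh = buf;
    if (len < NLMSG_HDRLEN || nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > len)
        return -1;
    /* nfnetlink keeps the subsystem id in the high byte of nlmsg_type */
    if (NFNL_SUBSYS_ID(nlh->nlmsg_type) != NFNL_SUBSYS_NFTABLES || NFNL_MSG_TYPE(nlh->nlmsg_type) != NFT_MSG_NEWRULE)
        return -1;
    /* attributes follow the nlmsghdr and the struct nfgenmsg payload header */
    const unsigned char *end = (const unsigned char *)buf + nlh->nlmsg_len;
    const unsigned char *pos = (const unsigned char *)buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nfgenmsg));
    while (pos + NLA_HDRLEN <= end) {
        const struct nlattr *nla = (const struct nlattr *)pos;
        if (nla->nla_len < NLA_HDRLEN || pos + nla->nla_len > end)
            return -1;                  /* malformed attribute: stop, never overread */
        if ((nla->nla_type & NLA_TYPE_MASK) == NFTA_RULE_HANDLE && nla->nla_len == NLA_HDRLEN + 8) {
            uint64_t v = 0;             /* nftables encodes u64 attributes big-endian */
            for (int i = 0; i < 8; i++) v = (v << 8) | pos[NLA_HDRLEN + i];
            *handle = v;
            return 0;
        }
        pos += NLA_ALIGN(nla->nla_len);
    }
    return -1;
}

/* Constructed sample echo (assumed values): table "filter", chain "input", handle 42. */
size_t build_sample_echo(unsigned char *buf, size_t cap)
{
    const struct { uint16_t type; const void *d; uint16_t n; } attrs[] = {  /* strings keep their NUL */
        { NFTA_RULE_TABLE, "filter", 7 }, { NFTA_RULE_CHAIN, "input", 6 }, { NFTA_RULE_HANDLE, "\0\0\0\0\0\0\0\x2a", 8 } };
    struct nlmsghdr *nlh = memset(buf, 0, cap);
    size_t off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nfgenmsg));
    nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWRULE;
    for (size_t i = 0; i < 3; i++) {
        struct nlattr *nla = (struct nlattr *)(buf + off);
        nla->nla_type = attrs[i].type; nla->nla_len = NLA_HDRLEN + attrs[i].n;
        memcpy(buf + off + NLA_HDRLEN, attrs[i].d, attrs[i].n);
        off += NLA_ALIGN(nla->nla_len);
    }
    return nlh->nlmsg_len = off;
}
```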