* Are "device chains" a real thing?
@ 2017-02-07 22:18 Robert White
2017-02-08 9:05 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Robert White @ 2017-02-07 22:18 UTC (permalink / raw)
To: netfilter
Howdy,
So the manual page for nft says:
{add} chain [family] {table} {chain} {hook} {priority} {policy} {device}
Is that last stanza "{device}" a typo?
If not, what is the syntax and applicability?
* Re: Are "device chains" a real thing?
2017-02-07 22:18 Are "device chains" a real thing? Robert White
@ 2017-02-08 9:05 ` Pablo Neira Ayuso
2017-02-08 17:15 ` Robert White
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-08 9:05 UTC (permalink / raw)
To: Robert White; +Cc: netfilter
On Tue, Feb 07, 2017 at 10:18:32PM +0000, Robert White wrote:
> Howdy,
>
> So the manual page for nft says:
>
> {add} chain [family] {table} {chain} {hook} {priority} {policy} {device}
>
> Is that last stanza "{device}" a typo?
>
> If not, what is the syntax and applicability?
Yes. There is a new family, the so-called 'netdev', currently with one
single hook at ingress.
This comes way before prerouting, and you can use it to classify
traffic earlier.
# nft add table netdev x
# nft add chain netdev x y { type filter hook ingress device eth0 priority 0\; }
There you see anything entering the 'eth0' device; this includes ARP
and both IPv4 and IPv6 traffic. In a nutshell, it's a new hook that
allows you to classify traffic just after the NIC driver passes the
packet up to the stack.
This is basically providing an alternative to tc ingress.
We should fix the manual page syntax BTW, it is a bit misleading.
* Re: Are "device chains" a real thing?
2017-02-08 9:05 ` Pablo Neira Ayuso
@ 2017-02-08 17:15 ` Robert White
0 siblings, 0 replies; 3+ messages in thread
From: Robert White @ 2017-02-08 17:15 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 02/08/17 09:05, Pablo Neira Ayuso wrote:
> # nft add table netdev x
> # nft add chain netdev x y { type filter hook ingress device eth0 priority 0\; }
Device-specific chains for ingress are cool.
Device-specific chains for prerouting and postrouting would simplify the heck
out of NAT for complex systems, since I've got boxes with eight NICs
(okay, it's two four-port NICs) in various bridges and only one
interface that does NAT. So that's a lot of null (all tests fail)
traversals of those chains for no purpose on those other NICs.
I trim that down by using a single rule such as
"iif ext0 jump DNAT_ext0"
to keep all the tests out of the path for the internal bridges, and then put
all the elaborate stuff in that secondary chain. So it's not a killer.
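Putting both replies together as one ruleset file (an added example, not from the thread): the netdev ingress chain Pablo describes, which sees ARP, IPv4 and IPv6 frames on eth0 before prerouting, next to the single-test "iif ext0 jump DNAT_ext0" pattern Robert uses to keep the NAT rules off the path of the other NICs. The interface names eth0/ext0, the 127.0.0.0/8 anti-spoof rule and the DNAT target 192.0.2.10 are assumptions for illustration.

```nft
# Constructed example ruleset; load with: nft -f <file>
# eth0/ext0, the loopback-source drop and 192.0.2.10 are assumed values.

table netdev filter {
    chain ingress_eth0 {
        # netdev family, ingress hook: runs right after the driver hands the
        # frame to the stack, before prerouting; covers ARP, IPv4 and IPv6.
        type filter hook ingress device eth0 priority 0; policy accept;

        # Frames arriving on a real NIC with a loopback source are spoofed;
        # count and drop them before the stack does any more work.
        ip saddr 127.0.0.0/8 counter drop

        # Count everything else so the early classification is visible.
        counter
    }
}

table ip nat {
    chain DNAT_ext0 {
        # Only ever reached for packets that came in on ext0.
        tcp dport 443 counter dnat to 192.0.2.10:443
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # One test on the hot path: traffic from the internal bridges and the
        # other NICs never evaluates the elaborate rules in DNAT_ext0.
        iif ext0 jump DNAT_ext0
    }
}
```

Check the netdev chain with `nft list table netdev filter`; the counters show how much traffic the ingress hook classified before any prerouting chain ran.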