From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Martin Gignac <martin.gignac@gmail.com>
Cc: Florian Westphal <fw@strlen.de>, netfilter@vger.kernel.org
Subject: Re: Trying to provision flowtable returns error
Date: Fri, 6 Nov 2020 18:18:46 +0100
Message-ID: <20201106171846.GA5114@salvia>
In-Reply-To: <20201106105833.GA13845@salvia>
On Fri, Nov 06, 2020 at 11:58:33AM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> This works fine here, see below.
>
> On Thu, Nov 05, 2020 at 04:45:31PM -0500, Martin Gignac wrote:
> > Hi Pablo,
> >
> > > You can dynamically add/delete devices to/from flowtables since Linux
> > > kernel 5.8
> >
> > Are you referring to this patch ?:
> > https://www.spinics.net/lists/netfilter-devel/msg67310.html
> >
> > I tried with Fedora 33 (5.8.17-300.fc33.x86_64) and this file:
> >
> > [root@localhost ~]# cat /etc/nftables/firewall.nft
> > flush ruleset
> >
> > table inet x {
> >         flowtable f {
> >                 hook ingress priority 0;
> >         }
> >         chain y {
> >                 type filter hook forward priority 0; policy accept;
> >                 ip protocol tcp flow offload @f
> >                 counter packets 0 bytes 0
> >         }
> > }
> >
> > and indeed it does load without error, although I had to compile the
> > latest version of nft (v0.9.7) as v0.9.3 (which comes with Fedora 33)
> > was giving me this error:
> >
> > [root@localhost ~]# nft -f /etc/nftables/firewall.nft
> > /etc/nftables/firewall.nft:4:12-12: Error: Unbound flowtable not
> > allowed (must specify devices)
> > flowtable f {
> > ^
> > Once I added my br0 interface with 'ip link add br0 type bridge' I was
> > able to run 'nft add flowtable inet x f { devices = { br0 } \; }'
> > without error.
> >
> > However, if I run 'nft -f /etc/nftables/firewall.nft' again and then
> > 'nft list ruleset', br0 is gone. Does this mean that it is no longer
> > bound to a flow table?
> >
> > The way I have been handling rule changes so far is to modify a single
> > '/etc/nftables/firewall.nft' file every time I need to modify rules
> > and then run 'nft -f /etc/nftables/firewall.nft' to reload and apply
> > those changes (I don't tend to run single nft commands to update
> > things here and there -- I prefer to modify a single file as the
> > source of truth and then reload the ruleset completely). Running
> > something like 'nft add flowtable inet x f { devices = { br0 } \; }'
> > once upon boot up when a logical interface comes up is fine, but does
> > my workflow require that I then run 'nft add flowtable inet x f {
> > devices = { br0 } \; }' after every time I run 'nft -f
> > /etc/nftables/firewall.nft'?
>
> # cat firewall.nft
> table ip x {
>         flowtable y {
>                 hook ingress priority filter
>         }
>
>         chain y {
>                 flow add @y
>         }
> }
> # nft -f firewall.nft
> # nft list ruleset
> table ip x {
>         flowtable y {
>                 hook ingress priority filter
>         }
>
>         chain y {
>                 flow add @y
>         }
> }
>
> This is your base ruleset.
>
> Now you add devices to the flowtable (requirements: kernel >= 5.8
> and nftables >= 0.9.7):
>
> # nft add flowtable x y { devices = { eth0, eth1 } \; }
>
> Listing shows:
>
> # nft list ruleset
> table ip x {
>         flowtable y {
>                 hook ingress priority filter
>                 devices = { eth0, eth1 }
>         }
>
>         chain y {
>                 flow add @y
>         }
> }
>
> Note: If eth0 is gone, then this is automatically removed from the
> flowtable.
>
> Is "flush ruleset" at the very beginning of your firewall.nft file?
>
> If so, that is tearing down everything and creating it from scratch,
> so the devices you have dynamically added are gone since they are not
> in the original firewall.nft file.
>
> I would expect you load firewall.nft at boot time, then dynamically
> add devices as needed in run time.
Just to clarify.
You can still load devices at boot time, i.e.:
# cat ruleset.nft
table ip x {
        flowtable y {
                hook ingress priority filter
                devices = { eth0, eth1 }
        }
        chain y {
                flow add @y
        }
}
# nft -f ruleset.nft
You can just update the flowtable later on with more (new) devices in
case you require this. Kernel >= 5.8 and nft >= 0.9.7 are just
providing a bit more flexibility in case you dynamically load an
interface and you would like to incrementally update a flowtable
without reloading the whole ruleset.
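The boot-time file plus later incremental update described above, combined with Martin's reload-the-whole-file workflow, as an added example that is not part of this thread or of the nftables project: a small POSIX shell script that records the devices currently bound to a flowtable, syntax-checks and reloads the ruleset file (which starts with "flush ruleset" and therefore drops the dynamically added devices), and then re-binds the devices that still exist. The table and flowtable names, the file path, the script name and all helper function names are assumptions; the listing embedded in it is a constructed sample in the format "nft list ruleset" prints in this thread.

```shell
#!/bin/sh
# Reload a whole-file nftables ruleset (one that begins with "flush ruleset")
# without losing the devices that were dynamically bound to a flowtable.
# Added example for this thread; table/flowtable names, the file path and the
# "flush ruleset" workflow are assumptions taken from the messages above.

# Parse the output of "nft list flowtable <family> <table> <name>" (read on
# stdin) and print one bound device per line. Prints nothing when the
# flowtable is unbound, i.e. has no "devices = { ... }" line.
parse_flowtable_devices() {
    sed -n 's/.*devices = {\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Build the flowtable body passed to "nft add flowtable ..." to (re)bind
# devices. With kernel >= 5.8 and nft >= 0.9.7, "add" on an existing
# flowtable updates it in place instead of failing.
# Usage: flowtable_spec dev...   ->   { devices = { dev1, dev2 }; }
flowtable_spec() {
    devs=""
    for d in "$@"; do
        devs="${devs:+$devs, }$d"
    done
    printf '{ devices = { %s }; }' "$devs"
}

# Devices currently bound to a live flowtable (needs root and nft installed).
# Usage: current_flowtable_devices family table flowtable
current_flowtable_devices() {
    nft list flowtable "$1" "$2" "$3" 2>/dev/null | parse_flowtable_devices
}

# Reload the ruleset file, then re-bind the devices that were attached before
# "flush ruleset" tore the flowtable down. The file is syntax-checked first
# (nft -c) so a broken file is rejected before anything reaches the kernel.
# Usage: reload_ruleset file family table flowtable
reload_ruleset() {
    file=$1; family=$2; table=$3; ft=$4
    nft -c -f "$file" || return 1
    saved=$(current_flowtable_devices "$family" "$table" "$ft")
    nft -f "$file" || return 1
    # Only re-bind interfaces that still exist; a vanished one is dropped
    # from the flowtable by the kernel anyway (see Pablo's note above).
    keep=""
    for d in $saved; do
        [ -e "/sys/class/net/$d" ] && keep="$keep $d"
    done
    # $keep is intentionally unquoted so each device becomes one argument.
    # shellcheck disable=SC2086
    [ -n "$keep" ] && nft add flowtable "$family" "$table" "$ft" "$(flowtable_spec $keep)"
    return 0
}

# Constructed sample listing, in the format "nft list ruleset" prints in the
# thread above, used to exercise the parser without touching a live kernel.
SAMPLE_LISTING='table ip x {
        flowtable y {
                hook ingress priority filter
                devices = { eth0, eth1 }
        }
}'

# Only touch the live firewall when explicitly asked, e.g. from an
# interface-up hook or a deploy script (hypothetical script name):
#   ./flowtable-reload.sh reload /etc/nftables/firewall.nft inet x f
if [ "${1:-}" = "reload" ]; then
    shift
    reload_ruleset "$@"
fi
```

Invoked as shown in the comment, the script keeps the single firewall.nft file as the source of truth while preserving the devices that were bound at run time; devices listed in the file itself are restored by the reload and simply updated again by the final "nft add flowtable".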