* How to have a dynamic ingress device(s) list?
@ 2024-04-24 18:03 William N.
2024-04-24 18:49 ` Kerin Millar
0 siblings, 1 reply; 7+ messages in thread
From: William N. @ 2024-04-24 18:03 UTC (permalink / raw)
To: netfilter
Hi,
I am trying to do this:
# dynamic list, updated through a bash script:
define $nics = { "nic1", "nic5", ... }
# ...
chain foo {
type filter hook ingress devices = $nics priority -500
# ...
}
The problems I am facing:
1. It seems the perfect solution I was hoping for is not possible:
devices = "nic*"
2. If there is only one device (e.g. "nic7"), the syntax requires:
device "nic7" # not 'devices' and no '='
Trying something like devices = "nic7" results in a segmentation fault.
3. Adding/removing a separate chain for each nic dynamically seems to
me less efficient, i.e. I am trying to avoid it if possible.
What is the right way to do this?
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: How to have a dynamic ingress device(s) list?
2024-04-24 18:03 How to have a dynamic ingress device(s) list? William N.
@ 2024-04-24 18:49 ` Kerin Millar
2024-04-24 19:20 ` William N.
0 siblings, 1 reply; 7+ messages in thread
From: Kerin Millar @ 2024-04-24 18:49 UTC (permalink / raw)
To: netfilter
On Wed, 24 Apr 2024, at 7:03 PM, William N. wrote:
> Hi,
>
> I am trying to do this:
>
> # dynamic list, updated through a bash script:
> define $nics = { "nic1", "nic5", ... }
Rather, "define nics".
>
> # ...
> chain foo {
> type filter hook ingress devices = $nics priority -500
> # ...
> }
>
> The problems I am facing:
>
> 1. It seems the perfect solution I was hoping for is not possible:
>
> devices = "nic*"
You mentioned the use of bash, which is capable of serving as a generator.
nics=( /sys/class/net/nic* )
( IFS=,; printf 'define nics = { %s }\n' "${nics[*]##*/}" ) > /etc/nftables.d/include-me.nft
>
> 2. If there is only one device (e.g. "nic7"), the syntax requires:
>
> device "nic7" # not 'devices' and no '='
It does not.
# nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
# nft list ruleset
table netdev t {
chain c {
type filter hook ingress device "enp1s0" priority -500; policy accept;
}
}
Perhaps you need to upgrade nft.
>
> Trying something like devices = "nic7" results in a segmentation fault.
Can you provide a minimal ruleset that reproduces the segfault?
--
Kerin Millar
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: How to have a dynamic ingress device(s) list?
2024-04-24 18:49 ` Kerin Millar
@ 2024-04-24 19:20 ` William N.
2024-04-24 23:25 ` Kerin Millar
0 siblings, 1 reply; 7+ messages in thread
From: William N. @ 2024-04-24 19:20 UTC (permalink / raw)
To: netfilter
On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:
> Rather, "define nics".
Yes, sorry.
> You mentioned the use of bash, which is capable of serving as a generator.
Thanks, I know. The thing is that nics can be added/removed at any point in time, not just at startup, which makes it more complicated.
> It does not.
>
> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
This gives segfault here.
> Perhaps you need to upgrade nft.
Here:
# nft -V
nftables v1.0.6 (Lester Gooch #5)
cli: editline
json: yes
minigmp: no
libxtables: yes
On Debian 12 stable.
> Can you provide a minimal ruleset that reproduces the segfault?
#!/usr/sbin/nft -f
flush ruleset
define nics = { "eth0" }
table netdev filter
delete table netdev filter
table netdev filter {
chain ingress_internal {
type filter hook ingress devices = $nics priority -500
}
}
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: How to have a dynamic ingress device(s) list?
2024-04-24 19:20 ` William N.
@ 2024-04-24 23:25 ` Kerin Millar
2024-04-25 14:12 ` William N.
0 siblings, 1 reply; 7+ messages in thread
From: Kerin Millar @ 2024-04-24 23:25 UTC (permalink / raw)
To: netfilter
On Wed, 24 Apr 2024, at 8:20 PM, William N. wrote:
> On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:
>
>> Rather, "define nics".
>
> Yes, sorry.
>
>> You mentioned the use of bash, which is capable of serving as a generator.
>
> Thanks, I know. The thing is that nics can be added/removed at any
> point in time, not just at startup, which makes it more complicated.
It does. Given that this cannot yet be addressed by nftables alone, I have an idea.
1) write a tmpfiles.d snippet to ensure the presence of a dedicated FIFO
2) write a script that continually reads lines from said FIFO
3) write a .service unit for the script
4) write a udev rule to assume responsibility for writing to said FIFO
The udev rule would need only to respond to the "add" and "remove" events for ethernet devices. The command/script invoked by said rule would need only to write a newline to the FIFO. The use of a FIFO would obviate the need for the main script to be reentrant by ensuring that events are responded to in a serial fashion. The event loop would be trivial to implement.
# Opens the FIFO in read/write mode to keep it perpetually open.
while read -r; do
# An event arrived. Execute the generator and reload the ruleset.
/path/to/your/include/generator && systemctl restart nftables
done <> /path/to/fifo
Combine all that with a partial nftables.service override to ensure that the generator is also triggered by an ExecStartPre command and it should do the job.
>
>> It does not.
>>
>> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
>
> This gives segfault here.
>
>> Perhaps you need to upgrade nft.
>
> Here:
>
> # nft -V
> nftables v1.0.6 (Lester Gooch #5)
> cli: editline
> json: yes
> minigmp: no
> libxtables: yes
>
> On Debian 12 stable.
Alas, a vendor's notion of what is 'stable' counts for very little in practice; they merely pretend to backport important bug fixes. This is an ongoing issue for nftables, which has many bugs. It is at its best in a rolling distribution or if compiling by oneself.
>
>
>> Can you provide a minimal ruleset that reproduces the segfault?
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> define nics = { "eth0" }
> table netdev filter
> delete table netdev filter
>
> table netdev filter {
> chain ingress_internal {
> type filter hook ingress devices = $nics priority -500
> }
> }
I see. That has since been addressed, at least.
--
Kerin Millar
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-04-25 15:30 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-24 18:03 How to have a dynamic ingress device(s) list? William N.
2024-04-24 18:49 ` Kerin Millar
2024-04-24 19:20 ` William N.
2024-04-24 23:25 ` Kerin Millar
2024-04-25 14:12 ` William N.
2024-04-25 14:22 ` Kerin Millar
2024-04-25 15:30 ` William N.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).