Linux Netfilter discussions
* nftables: introspection capabilities?
@ 2011-05-24  8:21 gapsf
  2011-05-24  8:33 ` Jan Engelhardt
From: gapsf @ 2011-05-24  8:21 UTC (permalink / raw)
  To: netfilter

Hi!
There are a lot of frontends for iptables like shorewall, ufw, ferm and special firewall distros.
They are all trying to formalize, simplify and integrate the
configuration of the Linux firewall and traffic control subsystems.
They also use a certain set of metadata for their own use.

One of the disadvantages of iptables is the inability to effectively
find out the internal state of iptables.
There is only one way, parsing the "iptables -L" output, isn't it?

So there's no easy way to find out how many rules there are in some table now,
or whether there is a rule with the given src and dst port in such a table,
for example.

So for these purposes the frontend has to keep the internal state of iptables
in some way, instead of simply requesting this information from iptables.

There is no doubt that frontends will be written for nftables too, so the question is:
"Will nftables be able to find out various information
about its own current state: tables, chains, rules, etc?"

Thanks.



* Re: nftables: introspection capabilities?
  2011-05-24  8:21 nftables: introspection capabilities? gapsf
@ 2011-05-24  8:33 ` Jan Engelhardt
  2011-05-24  9:14   ` Re[2]: " gapsf
From: Jan Engelhardt @ 2011-05-24  8:33 UTC (permalink / raw)
  To: gapsf; +Cc: netfilter

On Tuesday 2011-05-24 10:21, gapsf@yandex.ru wrote:

>Hi!
>There are a lot of frontends for iptables like shorewall, ufw, ferm and special firewall distros.
>They all are trying to formalize, simplify, integrate the
>configuration of Linux firewall and traffic control subsystems.
>They also use a certain set of metadata for their own use.
>
>One of the iptables disadvantages - the inability to effectively
>find out the internal state of the iptables.
>There is only one way - parse the "iptables -L" output, isn't it?

iptables -S / iptables-save is preferred at all times.

>There is no doubt that for nftables frontends will be written too, so the question is:
>"Will nftables be able to find out various information
>about their own current state: tables, chains, rules, etc?"

You can already obtain this information by using libiptc, iterating over 
all rules and testing for a particular src/dst address (very much like 
poor man's `grep -s 1.2.3.4\b` on the text output).


* Re[2]: nftables: introspection capabilities?
  2011-05-24  8:33 ` Jan Engelhardt
@ 2011-05-24  9:14   ` gapsf
  2011-05-24  9:25     ` Jan Engelhardt
  2011-05-26 17:33     ` Pablo Neira Ayuso
From: gapsf @ 2011-05-24  9:14 UTC (permalink / raw)
  To: netfilter

>>There is no doubt that for nftables frontends will be written too, so the question is:
>>"Will nftables be able to find out various information
>>about their own current state: tables, chains, rules, etc?"

JE> You can already obtain this information by using libiptc, iterating over 
JE> all rules and testing for a particular src/dst address (very much like 
JE> poor man's `grep -s 1.2.3.4\b` on the text output).
According to Wikipedia, "libiptc ... shouldn't be used as a public API,
and is known to change, which breaks programs that use it",
and libiptc is a 3rd party project, not netfilter.org's, and outdated, isn't it?

As for nftables: I mean the native capabilities of its kernelspace code (aka virtual machine).



* Re[2]: nftables: introspection capabilities?
  2011-05-24  9:14   ` Re[2]: " gapsf
@ 2011-05-24  9:25     ` Jan Engelhardt
  2011-05-26 17:33     ` Pablo Neira Ayuso
From: Jan Engelhardt @ 2011-05-24  9:25 UTC (permalink / raw)
  To: gapsf; +Cc: netfilter

On Tuesday 2011-05-24 11:14, gapsf@yandex.ru wrote:

>>>There is no doubt that for nftables frontends will be written too, so the question is:
>>>"Will nftables be able to find out various information
>>>about their own current state: tables, chains, rules, etc?"
>
>JE> You can already obtain this information by using libiptc, iterating over 
>JE> all rules and testing for a particular src/dst address (very much like 
>JE> poor man's `grep -s 1.2.3.4\b` on the text output).
>
>According to Wikipedia, "libiptc ... shouldn't be used as a public API,
>and is known to change, which breaks programs that use it"

The API ain't beautiful, it is undocumented, and using a standard option 
parser on the text output is much more telling than dealing with the 
binary pieces.
Change is a natural occurrence; Wikipedia overexaggerates the 
problems.

>and libiptc is a 3rd party project, not netfilter.org's, and outdated, isn't it?

Certainly not.

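Jan's two suggestions in this thread are that a frontend should read `iptables -S` / `iptables-save` text rather than `iptables -L`, and that a standard option parser over that text answers the "how many rules in this table" and "is there a rule with this src/dst port" questions from the original post. The block below is an added example of exactly that, written for this thread and not code from netfilter.org or any of the frontends mentioned; it uses Python's argparse as the "standard option parser", feeds it a constructed iptables-save sample (not captured from a real host), and also accepts the marker-less `iptables -S` format. Handling of `!` negation is included because a naive field match would otherwise report a `! -s 192.168.1.0/24` rule as matching that source.

```python
"""Introspect iptables state from iptables-save / iptables -S text (added example)."""
import argparse
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of iptables-save output; not captured from any real host.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    raw: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    negated: Set[str] = field(default_factory=set)  # fields that were printed with a leading "!"


# iptables-save prints rules in the same option syntax iptables accepts, so a
# standard option parser can read them back. Options we do not declare (-m, -o,
# --ctstate, ...) are returned by parse_known_args as "extras" and ignored here.
_RULE = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
_RULE.add_argument("-A", dest="chain")
_RULE.add_argument("-s", "--source", dest="src")
_RULE.add_argument("-d", "--destination", dest="dst")
_RULE.add_argument("-p", "--protocol", dest="proto")
_RULE.add_argument("--sport", "--source-port", dest="sport")
_RULE.add_argument("--dport", "--destination-port", dest="dport")
_RULE.add_argument("-j", "--jump", dest="target")

# Option string -> Rule field, used to record which field a "!" negates.
_NEG_DEST = {
    "-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
    "-p": "proto", "--protocol": "proto", "--sport": "sport", "--source-port": "sport",
    "--dport": "dport", "--destination-port": "dport",
}


def parse_rule_line(line: str, table: str) -> Rule:
    """Parse one '-A CHAIN ...' line into a Rule, tracking '!' negation."""
    tokens = shlex.split(line)  # shlex keeps quoted values such as --comment "a b" intact
    negated: Set[str] = set()
    clean: List[str] = []
    for i, tok in enumerate(tokens):
        if tok == "!":
            if i + 1 < len(tokens) and tokens[i + 1] in _NEG_DEST:
                negated.add(_NEG_DEST[tokens[i + 1]])
            continue  # drop the "!" itself; argparse would not understand it
        clean.append(tok)
    ns, _extras = _RULE.parse_known_args(clean)
    return Rule(table=table, chain=ns.chain, raw=line, src=ns.src, dst=ns.dst,
                proto=ns.proto, sport=ns.sport, dport=ns.dport, target=ns.target,
                negated=negated)


def parse_rules(text: str, default_table: str = "filter") -> List[Rule]:
    """Parse iptables-save text (with *table / COMMIT markers) or `iptables -S`
    text (a single table, no markers) into Rule records."""
    rules: List[Rule] = []
    table = default_table
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append(parse_rule_line(line, table))
        # ':CHAIN POLICY [p:b]', '-P', '-N', 'COMMIT' and '#' lines carry no rules
    return rules


def count_rules(rules: List[Rule], table: str) -> int:
    """How many rules does this table currently hold?"""
    return sum(1 for r in rules if r.table == table)


def find_rules(rules: List[Rule], table: str, **criteria: str) -> List[Rule]:
    """Rules in `table` whose fields equal every given criterion, e.g. dport="22".
    A negated field ('! -s X') deliberately does not match src="X"."""
    return [r for r in rules if r.table == table and all(
        getattr(r, k) == v and k not in r.negated for k, v in criteria.items())]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_SAVE)
    print("filter rules:", count_rules(parsed, "filter"))
    for rule in find_rules(parsed, "filter", dport="22"):
        print("dport 22 rule:", rule.raw)
```

Reading the saved text needs the same privileges as running `iptables-save`, and it is a snapshot, so a frontend still has to refresh it before each decision; the gain over `iptables -L` is that `-S`/`iptables-save` emit the exact option syntax the rules were loaded with, which is what makes the option-parser approach reliable.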

* Re: nftables: introspection capabilities?
  2011-05-24  9:14   ` Re[2]: " gapsf
  2011-05-24  9:25     ` Jan Engelhardt
@ 2011-05-26 17:33     ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2011-05-26 17:33 UTC (permalink / raw)
  To: gapsf; +Cc: netfilter, Jan Engelhardt

On 24/05/11 11:14, gapsf@yandex.ru wrote:
>>> There is no doubt that for nftables frontends will be written too, so the question is:
>>> "Will nftables be able to find out various information
>>> about their own current state: tables, chains, rules, etc?"
> 
> JE> You can already obtain this information by using libiptc, iterating over 
> JE> all rules and testing for a particular src/dst address (very much like 
> JE> poor man's `grep -s 1.2.3.4\b` on the text output).
> According to Wikipedia, "libiptc ... shouldn't be used as a public API,
> and is known to change, which breaks programs that use it",
> and libiptc is a 3rd party project, not netfilter.org's, and outdated, isn't it?
> 
> As for nftables: I mean the native capabilities of its kernelspace code (aka virtual machine).

Just to clarify, that's not a virtual machine but a pseudo-state machine
in the BPF fashion, OK?
