
Today's Topics:

   1. [PATCH v0 0/3] nftable session fixes (Daniel Wagner)
   2. [PATCH v0 1/3] nftables: Drop connection tracking (Daniel Wagner)
   3. [PATCH v0 2/3] nftables: Improve warning messages (Daniel Wagner)
   4. [PATCH v0 3/3] nftables: Mark packets in the route table
      (Daniel Wagner)
   5. [PATCH v1] nftables: Drop connection tracking (Daniel Wagner)


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Sep 2016 10:22:52 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v0 0/3] nftable session fixes
Message-ID: <[email protected]>

From: Daniel Wagner <[email protected]>

Hi,

The first patch removes the connection tracking code from ConnMan. We
never really used it. It looks like we will soon have the means to
enforce network activity via cgroups (eBPF) thanks to Daniel Mack's
work [1], so I think it is better to have this kind of enforcement in an
external component.

The second patch adds a warning when nftables setup fails. It took me a
while to figure out what was going on when I forgot to load the right
module, so why not be user-friendly about it.

The last patch moves the marking rule to the route table. I initially
placed it in the filter chain, which was wrong. With this change the
packets are routed according to the session settings.

cheers,
daniel


[1] https://lwn.net/Articles/701162/

Daniel Wagner (3):
  nftables: Drop connection tracking
  nftables: Improve warning messages
  nftables: Mark packets in the route table

 src/firewall-nftables.c | 119 ++++++------------------------------------------
 1 file changed, 14 insertions(+), 105 deletions(-)

-- 
2.7.4


------------------------------

Message: 2
Date: Thu, 29 Sep 2016 10:22:53 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v0 1/3] nftables: Drop connection tracking
Message-ID: <[email protected]>

From: Daniel Wagner <[email protected]>

We don't use the connection tracking for per session statistics, so just
drop it.

When we started with the Session API the goal was to support routing and
statistics per application. So far we implement the routing via policy
routing tables but never finished on the statistics side. Also the D-Bus
API does not expose counters for TX/RX.

It is quite likely that we will see eBPF support for cgroups in Linux
soon. Creating simple counters via eBPF and doing some form of enforcement
in an extra component seems a better approach than stuffing all of this
into ConnMan. So for the time being, remove the unused bits.
---
 src/firewall-nftables.c | 94 -------------------------------------------------
 1 file changed, 94 deletions(-)

diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
index bc6d87514008..0c5e5d1826b1 100644
--- a/src/firewall-nftables.c
+++ b/src/firewall-nftables.c
@@ -745,93 +745,6 @@ int __connman_firewall_disable_snat(struct 
firewall_context *ctx)
        return rule_delete(&ctx->rule);
 }
 
-static int build_rule_ct(struct nftnl_rule **res)
-{
-       struct nftnl_rule *rule;
-       struct nftnl_expr *expr;
-
-       /*
-        * 
http://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation
-        * 
http://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
-        *
-        * # nft --debug netlink add rule connman filter-output \
-        *      ct mark set mark
-        *
-        *      ip connman filter-output
-        *        [ meta load mark => reg 1 ]
-        *        [ ct set mark with reg 1 ]
-        */
-
-       rule = nftnl_rule_alloc();
-       if (!rule)
-               return -ENOMEM;
-
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_FILTER_OUTPUT);
-
-       expr = nftnl_expr_alloc("meta");
-       if (!expr)
-               goto err;
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_META_KEY, NFT_META_MARK);
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_META_DREG, NFT_REG_1);
-       nftnl_rule_add_expr(rule, expr);
-
-       expr = nftnl_expr_alloc("ct");
-       if (!expr)
-               goto err;
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_CT_KEY, NFT_CT_MARK);
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_CT_SREG, NFT_REG_1);
-       nftnl_rule_add_expr(rule, expr);
-
-       *res = rule;
-       return 0;
-
-err:
-       nftnl_rule_free(rule);
-       return -ENOMEM;
-}
-
-static int ct_enable(void)
-{
-       struct nftnl_rule *rule;
-       struct mnl_socket *nl;
-       int err;
-
-       DBG("");
-
-       if (nft_info->mark_ref > 0)
-               return 0;
-
-        err = socket_open_and_bind(&nl);
-        if (err < 0)
-               return err;
-
-       err = build_rule_ct(&rule);
-       if (err < 0)
-               goto out;
-
-       nft_info->ct.chain = CONNMAN_CHAIN_FILTER_OUTPUT;
-       err = rule_cmd(nl, rule, NFT_MSG_NEWRULE, NFPROTO_IPV4,
-                       NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK,
-                       CALLBACK_RETURN_HANDLE, &nft_info->ct.handle);
-       nftnl_rule_free(rule);
-
-       if (!err)
-               nft_info->mark_ref++;
-out:
-       mnl_socket_close(nl);
-       return err;
-}
-
-static int ct_disable(void)
-{
-       nft_info->mark_ref--;
-       if (nft_info->mark_ref > 0)
-               return 0;
-
-       return rule_delete(&nft_info->ct);
-}
-
 static int build_rule_marking(uid_t uid, uint32_t mark, struct nftnl_rule 
**res)
 {
        struct nftnl_rule *rule;
@@ -911,10 +824,6 @@ int __connman_firewall_enable_marking(struct 
firewall_context *ctx,
                return -EINVAL;
        uid = pw->pw_uid;
 
-       err = ct_enable();
-       if (err)
-               return err;
-
         err = socket_open_and_bind(&nl);
         if (err < 0)
                return err;
@@ -930,8 +839,6 @@ int __connman_firewall_enable_marking(struct 
firewall_context *ctx,
 
        nftnl_rule_free(rule);
 out:
-       if (err)
-               ct_disable();
        mnl_socket_close(nl);
        return err;
 }
@@ -943,7 +850,6 @@ int __connman_firewall_disable_marking(struct 
firewall_context *ctx)
        DBG("");
 
        err = rule_delete(&ctx->rule);
-       ct_disable();
        return err;
 }
 
-- 
2.7.4


------------------------------

Message: 3
Date: Thu, 29 Sep 2016 10:22:54 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v0 2/3] nftables: Improve warning messages
Message-ID: <[email protected]>

From: Daniel Wagner <[email protected]>

Let's be a bit more user-friendly and report why we think the nftables
code is not working.

While at it, also use connman_warn for the cleanup path instead of
printf.
---
 src/firewall-nftables.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
index 0c5e5d1826b1..c63387c61041 100644
--- a/src/firewall-nftables.c
+++ b/src/firewall-nftables.c
@@ -1030,8 +1030,11 @@ int __connman_firewall_init(void)
         * loaded yet. ENOENT is return in case the table is missing.
         */
        err = cleanup_table_and_chains();
-       if (err < 0 && (err != EAFNOSUPPORT && err != -ENOENT))
+       if (err < 0 && (err != EAFNOSUPPORT && err != -ENOENT)) {
+               connman_warn("initializing nftable failed with '%s' %d. Check 
if kernel module nf_tables_ipv4 is missing\n",
+                       strerror(-err), err);
                return err;
+       }
 
        nft_info = g_new0(struct nftables_info, 1);
        err = create_table_and_chains(nft_info);
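Review bot: The condition on the new `if` line still compares a negative err against the positive constant EAFNOSUPPORT, so that term can never be true and the test silently reduces to `err < 0 && err != -ENOENT`; the comment just above says the module-not-loaded case is meant to be tolerated, which this code never does. Either fix the sign, `if (err < 0 && err != -EAFNOSUPPORT && err != -ENOENT) {`, or, if failing hard when nf_tables_ipv4 is absent is the behaviour you actually rely on (the new warning text suggests it is), drop the dead term so the intent is visible. Note that the new warning also fires for every other negative errno, so "check if nf_tables_ipv4 is missing" will be misleading for, e.g., EPERM; consider wording it as one possible cause. __connman_firewall_init starts before and continues after this hunk.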
@@ -1051,7 +1054,7 @@ void __connman_firewall_cleanup(void)
 
        err = cleanup_table_and_chains();
        if (err < 0)
-               printf("cleanup table and chains failed with '%s' %d\n",
+               connman_warn("cleanup table and chains failed with '%s' %d\n",
                        strerror(-err), err);
 
        g_free(nft_info);
-- 
2.7.4


------------------------------

Message: 4
Date: Thu, 29 Sep 2016 10:22:55 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v0 3/3] nftables: Mark packets in the route table
Message-ID: <[email protected]>

From: Daniel Wagner <[email protected]>

The networking stack does the rerouting in the route table. There is a
check which prevents calling ip_reroute_me_harder when it was not
modified in route output chain. By moving our marking rule to the route
output chain the rerouting path is taken and we send our packets via the
right interface (which is defined in the policy routing table).
---
 src/firewall-nftables.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
index c63387c61041..3dee39eb9218 100644
--- a/src/firewall-nftables.c
+++ b/src/firewall-nftables.c
@@ -65,7 +65,7 @@
 #define CONNMAN_TABLE "connman"
 #define CONNMAN_CHAIN_NAT_PRE "nat-prerouting"
 #define CONNMAN_CHAIN_NAT_POST "nat-postrouting"
-#define CONNMAN_CHAIN_FILTER_OUTPUT "filter-output"
+#define CONNMAN_CHAIN_ROUTE_OUTPUT "route-output"
 
 static bool debug_enabled = true;
 
@@ -755,10 +755,10 @@ static int build_rule_marking(uid_t uid, uint32_t mark, 
struct nftnl_rule **res)
         * 
http://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation
         * 
http://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
         *
-        * # nft --debug netlink add rule connman filter-output \
+        * # nft --debug netlink add rule connman route-output  \
         *      meta skuid wagi mark set 1234
         *
-        *      ip connman filter-output
+        *      ip connman route-output
         *        [ meta load skuid => reg 1 ]
         *        [ cmp eq reg 1 0x000003e8 ]
         *        [ immediate reg 1 0x000004d2 ]
@@ -770,7 +770,7 @@ static int build_rule_marking(uid_t uid, uint32_t mark, 
struct nftnl_rule **res)
                return -ENOMEM;
 
        nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_FILTER_OUTPUT);
+       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_ROUTE_OUTPUT);
 
        expr = nftnl_expr_alloc("meta");
        if (!expr)
@@ -832,7 +832,7 @@ int __connman_firewall_enable_marking(struct 
firewall_context *ctx,
        if (err < 0)
                goto out;
 
-       ctx->rule.chain = CONNMAN_CHAIN_FILTER_OUTPUT;
+       ctx->rule.chain = CONNMAN_CHAIN_ROUTE_OUTPUT;
        err = rule_cmd(nl, rule, NFT_MSG_NEWRULE, NFPROTO_IPV4,
                        NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK,
                        CALLBACK_RETURN_HANDLE, &ctx->rule.handle);
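Review bot: The marking rule is still installed only for NFPROTO_IPV4 (the rule_cmd call directly below the changed line, and the `ip connman route-output` chain in the comment), so once the rule sits in a route chain and rerouting actually takes effect, a session uid's IPv6 traffic is neither marked nor rerouted and falls outside the per-session policy route. That gap is pre-existing, but this is the patch where the enforcement starts to bite, so it deserves at least a comment at the rule_cmd call: `/* IPv4 only: IPv6 sent by this uid is not marked and keeps the default route */`. __connman_firewall_enable_marking begins and ends outside this hunk.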
@@ -965,11 +965,11 @@ static int create_table_and_chains(struct nftables_info 
*nft_info)
                goto out;
 
        /*
-        * # nft add chain connman filter-output                \
-        *      { type filter hook output priority 0 ; }
+        * # nft add chain connman route-output         \
+        *      { type route hook output priority 0 ; }
         */
-       chain = build_chain(CONNMAN_CHAIN_FILTER_OUTPUT, CONNMAN_TABLE,
-                               "filter", NF_INET_LOCAL_OUT, 0);
+       chain = build_chain(CONNMAN_CHAIN_ROUTE_OUTPUT, CONNMAN_TABLE,
+                               "route", NF_INET_LOCAL_OUT, 0);
        if (!chain) {
                err = -ENOMEM;
                goto out;
-- 
2.7.4


------------------------------

Message: 5
Date: Thu, 29 Sep 2016 11:25:17 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v1] nftables: Drop connection tracking
Message-ID: <[email protected]>

From: Daniel Wagner <[email protected]>

We don't use the connection tracking for per session statistics, so just
drop it.

When we started with the Session API the goal was to support routing and
statistics per application. So far we implement the routing via policy
routing tables but never finished on the statistics side. Also the D-Bus
API does not expose counters for TX/RX.

It is quite likely that we will see eBPF support for cgroups in Linux
soon. Creating simple counters via eBPF and doing some form of enforcement
in an extra component seems a better approach than stuffing all of this
into ConnMan. So for the time being, remove the unused bits.
---

changes from v0:
  - remove unused mark_ref from struct nftables_info

 src/firewall-nftables.c | 96 +------------------------------------------------
 1 file changed, 1 insertion(+), 95 deletions(-)

diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
index bc6d87514008..7ea480d55bfb 100644
--- a/src/firewall-nftables.c
+++ b/src/firewall-nftables.c
@@ -80,8 +80,8 @@ struct firewall_context {
 
 struct nftables_info {
        struct firewall_handle ct;
-       unsigned int mark_ref;
 };
+
 static struct nftables_info *nft_info;
 
 enum callback_return_type {
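Review bot: After this hunk `struct firewall_handle ct` is the only member left in struct nftables_info, and the only users I can see in this series (ct_enable/ct_disable, removed further down) are gone, so it looks dead as well. Dropping it would leave an empty struct, which is a GNU extension rather than C11, so either remove nft_info together with its g_new0/g_free pair in __connman_firewall_init/__connman_firewall_cleanup, or keep the member with a comment such as `/* unused since connection tracking was dropped; kept so the struct is not empty */`. The added blank line after `};` is fine but unrelated to the change.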
@@ -745,93 +745,6 @@ int __connman_firewall_disable_snat(struct 
firewall_context *ctx)
        return rule_delete(&ctx->rule);
 }
 
-static int build_rule_ct(struct nftnl_rule **res)
-{
-       struct nftnl_rule *rule;
-       struct nftnl_expr *expr;
-
-       /*
-        * 
http://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation
-        * 
http://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
-        *
-        * # nft --debug netlink add rule connman filter-output \
-        *      ct mark set mark
-        *
-        *      ip connman filter-output
-        *        [ meta load mark => reg 1 ]
-        *        [ ct set mark with reg 1 ]
-        */
-
-       rule = nftnl_rule_alloc();
-       if (!rule)
-               return -ENOMEM;
-
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_FILTER_OUTPUT);
-
-       expr = nftnl_expr_alloc("meta");
-       if (!expr)
-               goto err;
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_META_KEY, NFT_META_MARK);
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_META_DREG, NFT_REG_1);
-       nftnl_rule_add_expr(rule, expr);
-
-       expr = nftnl_expr_alloc("ct");
-       if (!expr)
-               goto err;
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_CT_KEY, NFT_CT_MARK);
-       nftnl_expr_set_u32(expr, NFTNL_EXPR_CT_SREG, NFT_REG_1);
-       nftnl_rule_add_expr(rule, expr);
-
-       *res = rule;
-       return 0;
-
-err:
-       nftnl_rule_free(rule);
-       return -ENOMEM;
-}
-
-static int ct_enable(void)
-{
-       struct nftnl_rule *rule;
-       struct mnl_socket *nl;
-       int err;
-
-       DBG("");
-
-       if (nft_info->mark_ref > 0)
-               return 0;
-
-        err = socket_open_and_bind(&nl);
-        if (err < 0)
-               return err;
-
-       err = build_rule_ct(&rule);
-       if (err < 0)
-               goto out;
-
-       nft_info->ct.chain = CONNMAN_CHAIN_FILTER_OUTPUT;
-       err = rule_cmd(nl, rule, NFT_MSG_NEWRULE, NFPROTO_IPV4,
-                       NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK,
-                       CALLBACK_RETURN_HANDLE, &nft_info->ct.handle);
-       nftnl_rule_free(rule);
-
-       if (!err)
-               nft_info->mark_ref++;
-out:
-       mnl_socket_close(nl);
-       return err;
-}
-
-static int ct_disable(void)
-{
-       nft_info->mark_ref--;
-       if (nft_info->mark_ref > 0)
-               return 0;
-
-       return rule_delete(&nft_info->ct);
-}
-
 static int build_rule_marking(uid_t uid, uint32_t mark, struct nftnl_rule 
**res)
 {
        struct nftnl_rule *rule;
@@ -911,10 +824,6 @@ int __connman_firewall_enable_marking(struct 
firewall_context *ctx,
                return -EINVAL;
        uid = pw->pw_uid;
 
-       err = ct_enable();
-       if (err)
-               return err;
-
         err = socket_open_and_bind(&nl);
         if (err < 0)
                return err;
@@ -930,8 +839,6 @@ int __connman_firewall_enable_marking(struct 
firewall_context *ctx,
 
        nftnl_rule_free(rule);
 out:
-       if (err)
-               ct_disable();
        mnl_socket_close(nl);
        return err;
 }
@@ -943,7 +850,6 @@ int __connman_firewall_disable_marking(struct 
firewall_context *ctx)
        DBG("");
 
        err = rule_delete(&ctx->rule);
-       ct_disable();
        return err;
 }
 
-- 
2.7.4


------------------------------
