Re: [PATCH nft 1/2] Introduce socket matching
On Thu, May 17, 2018 at 04:42:15PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > +socket_stmt: SOCKET EXISTS /* with the actual
> > implementation we cannot match abscence */
>
> I think we should go for a native expression.
>
> I'll leave it up to you what you'd like to do next.
> There are a few options:
> 1. First go for TPROXY in nft (i.e. finish userspace syntax first)
> 2. add socket expression for nf_tables.
> 3. add support for SYNPROXY (outside of your original proposal,
>    but this can be done via nft_compat without loss of functionality).

I think I'll go for option 2.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nft 1/2] Introduce socket matching
Máté Eckl wrote:
> +socket_stmt : SOCKET EXISTS /* with the actual
> implementation we cannot match abscence */

I think we should go for a native expression.

I'll leave it up to you what you'd like to do next.
There are a few options:

1. First go for TPROXY in nft (i.e. finish userspace syntax first)
2. add socket expression for nf_tables.
3. add support for SYNPROXY (outside of your original proposal,
   but this can be done via nft_compat without loss of functionality).

I think 1 or 2 would make most sense, let me know.

In case you go for #2, I would go for net/netfilter/nft_socket.c;
you'll need a way to serialize the socket_stmt data via new netlink
attributes.

You can look at 2fa841938c648fe4359691f41e8e1f37ff1a3aa2 for a commit
that added a new expression.
Re: [PATCH nft 1/2] Introduce socket matching
Máté Eckl wrote:
> Originally I also added the following lines but it made the print too slow for
> the test to pass.
>
> It printed the following warning:
> inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket
> exists': 'socket exists' mismatches 'socke'
> inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket
> flags transparent': 'socket flags transparent' mismatches 'socket'
>
> To be honest I don't know what this criterion means so if it is important
> please notify me.
>
> diff --git a/src/statement.c b/src/statement.c
> index ff6a98a..ec3b0c0 100644
> --- a/src/statement.c
> +++ b/src/statement.c
> @@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
>  	*existance_str = (s->exists) ? "exists" : "missing";
>
>  	nft_print(octx, "socket");
> +
> +	if(octx->stateless)
> +		return;

This test makes no sense, socket match has no state.

This is for 'nft -s' which e.g. prints 'counter' instead of
'counter x packets y bytes'.
Re: [PATCH nft 1/2] Introduce socket matching
Originally I also added the following lines but it made the print too slow for
the test to pass.

It printed the following warning:
inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket exists': 'socket exists' mismatches 'socke'
inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket flags transparent': 'socket flags transparent' mismatches 'socket'

To be honest I don't know what this criterion means so if it is important
please notify me.

diff --git a/src/statement.c b/src/statement.c
index ff6a98a..ec3b0c0 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 	*existance_str = (s->exists) ? "exists" : "missing";
 
 	nft_print(octx, "socket");
+
+	if(octx->stateless)
+		return;
+
 	if (s->flags) {
 		__u8 f = s->flags;
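Review bot: the early `return` on `octx->stateless` in socket_stmt_print skips the `if (s->flags)` block that follows it, so with `-s` a rule such as `socket flags transparent` is listed as a bare `socket` and no longer round-trips; the second warning quoted above ('socket flags transparent' mismatches 'socket') is exactly that. The stateless flag exists to suppress runtime state such as counter values, and the socket statement carries none, so the three added lines should be dropped rather than moved. Minor style: `if(octx->stateless)` lacks the space after `if` that the surrounding code uses (`if (s->flags)`).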