All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Netfilter Development Mailing list
	<netfilter-devel@vger.kernel.org>,
	Patrick McHardy <kaber@trash.net>, Eric Leblond <eric@regit.org>,
	Julien Vehent <julien@linuxwall.info>,
	Fabio Di Nitto <fdinitto@redhat.com>,
	Jiri Benc <jbenc@redhat.com>,
	Daniel Borkmann <dborkman@redhat.com>,
	Thomas Graf <tgraf@redhat.com>
Subject: Re: [Nftables RFC] High level library proposal
Date: Tue, 23 Apr 2013 13:15:16 +0300	[thread overview]
Message-ID: <51765F34.6020402@linux.intel.com> (raw)
In-Reply-To: <1366661111.26911.361.camel@localhost>

Hi Jesper,

> First of all, thanks Tomasz for proposing to write a high level API for
> nftables.

We all need this and I know I will not be alone implementing it.

> Use-case 1
> ----------
> At ComX Networks, I needed to build a "SubnetSkeleton" tree structure
> with iptables
> (https://github.com/netoptimizer/IPTables-SubnetSkeleton/blob/master/lib/IPTables/SubnetSkeleton.pm#L440)
>
> For this I needed some API calls, to query if some rules and chains
> already existed.  There was an API for testing if a chain existed, I
> used when building the tree.  And the assumed that the jump rule in/to
> the chain was correct, as no API existed for asking if a rule existed,
>
> To avoid inserting a rule twice, I solved this by the hack of simply
> first delete the rule, and the insert the rule.  I would really have
> liked a test if rule exist API instead.

I stumble into the same use case with iptables and indeed it got solved 
the same way.

But since we are dealing with much better kernel stack, we could solve 
this differently:
- either via proposing low level functions requesting the cache as you 
propose (and we probably should)
- and/or when using nft_execute_statement() it would check if it already 
exist - or not, if it's a delete statement -
by itself, hiding the details to the dev and raising a success relevantly.

> Use-case 2
> -----------
> Think this was Fabio's use-case during the netfilter workshop.
>
> An interface to dry run a packet through configured netfilter policy.
>
> This would allow user space to figure out if a specific daemon or
> use-case can function in the configured environment.
>
> The feature is primarily intended for debugging and troubleshooting
> purposes but can be extended later on, enabling daemons or daemon
> management tools to verify if the daemon is permitted to run in the
> configured specific environment.
>
> I guess, we also would need some kernel changes for supporting this?

Indeed, it needs to be thought and implemented there first.


Br,

Tomasz

  parent reply	other threads:[~2013-04-23 10:15 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-04-17 13:41 [Nftables RFC] High level library proposal Tomasz Bursztyka
2013-04-17 13:52 ` Victor Julien
2013-04-19  6:50   ` Tomasz Bursztyka
2013-04-19 10:05 ` Pablo Neira Ayuso
2013-04-19 11:26   ` Tomasz Bursztyka
2013-04-19 12:11     ` Pablo Neira Ayuso
2013-04-22 23:03       ` Eric Leblond
2013-04-22 23:50         ` Pablo Neira Ayuso
2013-04-23 10:15           ` Tomasz Bursztyka
2013-04-23 11:31             ` Pablo Neira Ayuso
2013-04-23 11:55               ` Tomasz Bursztyka
2013-04-23 10:15       ` Tomasz Bursztyka
2013-04-22 20:05   ` Jesper Dangaard Brouer
2013-04-22 22:26     ` Eric Leblond
2013-04-23  7:27     ` Fabio M. Di Nitto
2013-04-23 10:15     ` Tomasz Bursztyka [this message]
2013-04-23 18:49       ` Jesper Dangaard Brouer
2013-04-24  6:06         ` Tomasz Bursztyka
2013-04-24 11:23           ` Jesper Dangaard Brouer
2013-04-24 15:35             ` Stephen Hemminger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51765F34.6020402@linux.intel.com \
    --to=tomasz.bursztyka@linux.intel.com \
    --cc=brouer@redhat.com \
    --cc=dborkman@redhat.com \
    --cc=eric@regit.org \
    --cc=fdinitto@redhat.com \
    --cc=jbenc@redhat.com \
    --cc=julien@linuxwall.info \
    --cc=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=tgraf@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.