From: Florent Fourcot <florent.fourcot@wifirst.fr>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Romain Bellan <romain.bellan@wifirst.fr>,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v5 1/1] netfilter: ctnetlink: add kernel side filtering for dump
Date: Thu, 4 Jun 2020 18:08:15 +0200
Message-ID: <7b5d9844-45d4-02df-42a0-6b1220b479a0@wifirst.fr>
In-Reply-To: <20200529180425.GA30992@salvia>

Dear Pablo,


> 
> I think you already mentioned, but it should be possible to extend
> the conntrack utility to support for kernel side filtering seamlessly.
> 
> The idea is to keep the userspace filtering as a fallback, regardless
> the kernel supports for CTA_FILTER or not.
> 

We agree, and we are currently working on a transparent implementation 
for another netlink userspace library (pyroute2).

About our patches on libnetfilter_conntrack, the first step is probably a 
small refresh, since the kernel part changed a little bit. And we saw a first 
issue. Definitions of CTA_FILTER_* are now in nf_internals.h in the kernel, 
so synchronizing linux_nfnetlink_conntrack.h will not be enough to 
export the FILTER_FLAGS values. What do you think is the best way to 
synchronize flag values between userspace and the kernel?

After this refresh, we can extend the code of the submitted example for 
full support.


> I'm missing one feature in the CTA_FILTER, that is the netmask
> filtering for IP addresses. It would be also good to make this fit
> into libnetfilter_conntrack.
> 

Yes, but it needs some extensions in the kernel first. It's in our 
planning, but not done yet.


> 
> Probably rename NFCT_FILTER_DUMP_TUPLE to NFCT_FILTER_DUMP, which
> would provide the most generic version to request kernel side
> filtering.
> 

Ok, we will do that.

Thanks for the follow-up,

-- 
Florent.
