How to have a dynamic ingress device(s) list?

How to have a dynamic ingress device(s) list?

[William N.]

Hi,

I am trying to do this:

# dynamic list, updated through a bash script:
define $nics = { "nic1", "nic5", ... } 

# ...
chain foo {
	type filter hook ingress devices = $nics priority -500
	# ...
}

The problems I am facing:

1. It seems the perfect solution I was hoping for is not possible:

devices = "nic*"

2. If there is only one device (e.g. "nic7"), the syntax requires:

device "nic7" # not 'devices' and no '='

Trying something like devices = "nic7" results in a segmentation fault.

3. Adding/removing a separate chain for each nic dynamically seems to
me less efficient, i.e. I am trying to avoid it if possible.


What is the right way to do this?

Re: How to have a dynamic ingress device(s) list?

[Kerin Millar]

On Wed, 24 Apr 2024, at 7:03 PM, William N. wrote:
> Hi,
>
> I am trying to do this:
>
> # dynamic list, updated through a bash script:
> define $nics = { "nic1", "nic5", ... } 

Rather, "define nics".

>
> # ...
> chain foo {
> 	type filter hook ingress devices = $nics priority -500
> 	# ...
> }
>
> The problems I am facing:
>
> 1. It seems the perfect solution I was hoping for is not possible:
>
> devices = "nic*"

You mentioned the use of bash, which is capable of serving as a generator.

nics=( /sys/class/net/nic* )
( IFS=,; printf 'define nics = { %s }\n' "${nics[*]##*/}" ) > /etc/nftables.d/include-me.nft

>
> 2. If there is only one device (e.g. "nic7"), the syntax requires:
>
> device "nic7" # not 'devices' and no '='

It does not.

# nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
# nft list ruleset
table netdev t {
        chain c {
                type filter hook ingress device "enp1s0" priority -500; policy accept;
        }
}

Perhaps you need to upgrade nft.

>
> Trying something like devices = "nic7" results in a segmentation fault.

Can you provide a minimal ruleset that reproduces the segfault?

-- 
Kerin Millar

Re: How to have a dynamic ingress device(s) list?

[William N.]

On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:

> Rather, "define nics".

Yes, sorry.

> You mentioned the use of bash, which is capable of serving as a generator.

Thanks, I know. The thing is that nics can be added/removed at any point in time, not just at startup, which makes it more complicated.

> It does not.
> 
> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'

This gives segfault here.

> Perhaps you need to upgrade nft.

Here:

# nft -V
nftables v1.0.6 (Lester Gooch #5)
  cli:          editline
  json:         yes
  minigmp:      no
  libxtables:   yes

On Debian 12 stable.


> Can you provide a minimal ruleset that reproduces the segfault?

#!/usr/sbin/nft -f

flush ruleset

define nics = { "eth0" }
table netdev filter
delete table netdev filter

table netdev filter {
	chain ingress_internal {
		type filter hook ingress devices = $nics priority -500
	}
}

Re: How to have a dynamic ingress device(s) list?

[Kerin Millar]

On Wed, 24 Apr 2024, at 8:20 PM, William N. wrote:
> On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:
>
>> Rather, "define nics".
>
> Yes, sorry.
>
>> You mentioned the use of bash, which is capable of serving as a generator.
>
> Thanks, I know. The thing is that nics can be added/removed at any 
> point in time, not just at startup, which makes it more complicated.

It does. Given that this cannot yet be addressed by nftables alone, I have an idea.

1) write a tmpfiles.d snippet to ensure the presence of a dedicated FIFO
2) write a script that continually reads lines from said FIFO
3) write a .service unit for the script
4) write a udev rule to assume responsibility for writing to said FIFO

The udev rule would need only to respond to the "add" and "remove" events for ethernet devices. The command/script invoked by said rule would need only to write a newline to the FIFO. The use of a FIFO would obviate the need for the main script to be reentrant by ensuring that events are responded to in a serial fashion. The event loop would be trivial to implement.

# Opens the FIFO in read/write mode to keep it perpetually open.
while read -r; do
   # An event arrived. Execute the generator and reload the ruleset.
   /path/to/your/include/generator && systemctl restart nftables
done <> /path/to/fifo

Combine all that with a partial nftables.service override to ensure that the generator is also triggered by an ExecStartPre command and it should do the job.

>
>> It does not.
>> 
>> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
>
> This gives segfault here.
>
>> Perhaps you need to upgrade nft.
>
> Here:
>
> # nft -V
> nftables v1.0.6 (Lester Gooch #5)
>   cli:          editline
>   json:         yes
>   minigmp:      no
>   libxtables:   yes
>
> On Debian 12 stable.

Alas, a vendor's notion of what is 'stable' counts for very little in practice; they merely pretend to backport important bug fixes. This is an ongoing issue for nftables, which has many bugs. It is at its best in a rolling distribution or if compiling by oneself.

>
>
>> Can you provide a minimal ruleset that reproduces the segfault?
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> define nics = { "eth0" }
> table netdev filter
> delete table netdev filter
>
> table netdev filter {
> 	chain ingress_internal {
> 		type filter hook ingress devices = $nics priority -500
> 	}
> }

I see. That has since been addressed, at least.

-- 
Kerin Millar

Re: How to have a dynamic ingress device(s) list?

[William N.]

On Thu, 25 Apr 2024 00:25:31 +0100 Kerin Millar wrote:

> I see. That has since been addressed, at least.

In which version?

Re: How to have a dynamic ingress device(s) list?

[Kerin Millar]

On Thu, 25 Apr 2024, at 3:12 PM, William N. wrote:
> On Thu, 25 Apr 2024 00:25:31 +0100 Kerin Millar wrote:
>
>> I see. That has since been addressed, at least.
>
> In which version?

I do not know exactly. I'm running 1.0.9.

-- 
Kerin Millar

Re: How to have a dynamic ingress device(s) list?

[William N.]

On Thu, 25 Apr 2024 15:22:45 +0100 Kerin Millar wrote:

> I do not know exactly. I'm running 1.0.9.

I see. I guess I will have to consider my options until a version
having it fixed makes it to "stable".