Netdev Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH netfilter/iptables] Add new slavedev match extension
@ 2019-12-17 13:56 Martin Willi
  2019-12-17 13:56 ` [PATCH nf-next] netfilter: xt_slavedev: Add new L3master slave input device match Martin Willi
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Martin Willi @ 2019-12-17 13:56 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev

This patchset introduces a new Netfilter match extension to match input
interfaces that are associated to a layer 3 master device. The first 
patch adds the new match to the kernel, the other provides an extension 
to userspace iptables to make use of the new match.

The motivation for a new match is that in INPUT/FORWARD, a base match
for the input interface is done against the layer 3 master device if
the real input device is associated to such a device. This makes
filtering on input interfaces within VRFs difficult.

In output, the packet is passed to Netfilter with the real output
interface as well, so output interface matching in slavedev is not
required. Nonetheless are the arguments named explicitly for the input
interface, as it makes the meaning of these options more intuitive
and the match extensible.

An alternative approach for better filtering within VRFs could be to pass
the packet with the real interface to FORWARD/INPUT hooks, or even pass 
it twice similar to the output path. This is very likely to break 
existing rulesets, though, which should be no problem with a new match
extension.
--
2.20.1

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-17 13:56 [PATCH netfilter/iptables] Add new slavedev match extension Martin Willi
2019-12-17 13:56 ` [PATCH nf-next] netfilter: xt_slavedev: Add new L3master slave input device match Martin Willi
2019-12-17 13:56 ` [PATCH iptables] extensions: Add new xt_slavedev input interface match extension Martin Willi
2020-01-10 16:34 ` [PATCH netfilter/iptables] Add new slavedev " Martin Willi
2020-01-16 19:59   ` Pablo Neira Ayuso
2020-01-17 12:00     ` Martin Willi

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git