From: Phil Sutter <phil@nwl.cc>
To: Karuna Grewal <karunagrewal98@gmail.com>,
Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: Implementing Deletion of Set Elements in Rulesets
Date: Thu, 21 Mar 2019 12:08:02 +0100 [thread overview]
Message-ID: <20190321110802.GI4851@orbyte.nwl.cc> (raw)
In-Reply-To: <20190321084516.6qmr23meelir7uc3@breakpoint.cc> <CAHRz_yZQ8JYq90BCTKoN7SsivWpXMsGiFz2WkmxbX2S2aVj81Q@mail.gmail.com>
On Thu, Mar 21, 2019 at 09:45:16AM +0100, Florian Westphal wrote:
> This is about deletion of elements from the packet path in dynamic
> sets, see https://people.netfilter.org/pablo/nf-ideas-2019.txt, 1.4 .
Ah, thanks for the pointer! Obviously I confused dynamic with anonymous
in Karuna's mail.
On Thu, Mar 21, 2019 at 11:57:15AM +0530, Karuna Grewal wrote:
> I'm trying to implement "deletion of set elements in ruleset". For
> which I wanted to understand the way existing set operations are
> implemented.
> While grepping through the code I have noticed that the implementation
> has some parts in the kernel, libnftnl's dynset and the userspace's
> netlink_(de)linearize.
> I'm unable to get a clear view of how the control flow goes from the
> userspace's `evaluate` to the kernel's `nft_dynset.c` in case of the
> set operations.
> Can someone please share some pointers in this direction?
> Also how does the `set_stmt_alloc` in nftables's statement.c relate to
> the `set_evaluate` in evaluate.c ?
I don't quite see where you're stuck. So here's a bit of generic
code-flow explanation; maybe it helps:
- User calls 'nft' with some command
- Arguments are parsed in scanner.l/parser_bison.y, resulting in a
  struct cmd instance
- Last step of parsing is to call cmd_evaluate() (see
  parser_bison.y:799)
- Assuming the command was:
  'nft add rule ip test testchain update @testset { ip saddr timeout 1m }'
  code flows like this:
  - cmd_evaluate_add()
    - case CMD_OBJ_RULE
      - rule_evaluate()
        - stmt_evaluate()
          - case STMT_SET
            - stmt_evaluate_set()
          - ...
        - rule_postprocess()
          - payload_try_merge() (probably noop in this case)
- If evaluation succeeds (most of it is sanitization checking), command
  is appended to list in state->cmds
- After parsing has finished, code continues in
  nft_run_cmd_from_buffer() of libnftables.c
  - nft_netlink()
    - do_command()
      - do_command_add()
        - case CMD_OBJ_RULE
          - mnl_nft_rule_add() this converts the rule into a netlink
            message which is appended to batch buffer
    - mnl_batch_talk() this submits the batch to kernel
My guess is that you over-estimate the evaluation stage. The real work is
done by do_command(), as this turns parser output into netlink messages.
I'll skip the kernel side for now; hopefully user space is clearer now.
Feel free to follow-up with further questions.
Cheers, Phil
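For readers who want to reproduce the command Phil traces above, here is the ruleset it needs around it: the set must be declared with the dynamic flag before a rule may add to it from the packet path. This is an added example, not code from the thread or from the nftables project; the table, set and chain names follow Phil's command line, while the input hook, priority and accept policy are assumptions.

```nft
# Added example (not from the thread): context around Phil's command
#   nft add rule ip test testchain update @testset { ip saddr timeout 1m }
# Table, set and chain names follow that command; hook, priority and
# policy are assumptions chosen for the demo.
table ip test {
	set testset {
		type ipv4_addr
		# 'dynamic' allows rules to add or update elements from the
		# packet path; 'timeout' lets each element expire on its own.
		flags dynamic,timeout
		timeout 1m
	}

	chain testchain {
		type filter hook input priority 0; policy accept;

		# The packet-path set operation from Phil's example: insert the
		# source address, or refresh its timeout if it is already present.
		update @testset { ip saddr timeout 1m }

		# Any later rule can match on what the packet path filled in;
		# here it only counts, so the ruleset stays harmless to load.
		ip saddr @testset counter
	}
}
```

Load it with `nft -f <file>`, or use `nft -c -f <file>` to check it without committing it. Adding `--debug=netlink` prints the netlink messages that do_command() builds, which is a convenient way to follow the user-space flow described above, and `nft list set ip test testset` shows the elements together with their remaining timeouts once traffic has hit the chain.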
Thread overview: 6+ messages
2019-03-21 6:27 Implementing Deletion of Set Elements in Rulesets Karuna Grewal
2019-03-21 8:23 ` Phil Sutter
2019-03-21 8:45 ` Florian Westphal
2019-03-21 11:08 ` Phil Sutter [this message]
2019-03-24 4:33 ` Karuna Grewal
[not found] ` <CAHRz_yazsKDFYfsVemDLd4av3M+3k6MJnctvFYYMjDD7q2zSMA@mail.gmail.com>
2019-03-25 10:44 ` Phil Sutter