Hi,

This patchset extends the nftables netlink API to support anonymous non-base chains. Anonymous non-base chains have two properties:

1) The kernel dynamically allocates the (internal) chain name.

2) If the rule that refers to the anonymous chain is removed, then the anonymous chain and its contents are also released.

This new infrastructure allows for the following syntax from userspace:

  table inet x {
    chain y {
      type filter hook input priority 0;

      tcp dport 22 chain {
        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
        ip6 saddr ::1/128 accept;
      }
    }
  }

The bytecode actually looks like this:

  tcp dport 22 chain { ...
    [ meta load l4proto => reg 1 ]
    [ cmp eq reg 1 0x00000006 ]
    [ payload load 2b @ transport header + 2 => reg 1 ]
    [ cmp eq reg 1 0x00001600 ]
    [ immediate reg 0 jump __chain%llu ]

where the anonymous chain block:

    ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
    ip6 saddr ::1/128 accept;

is added to the __chain%llu chain. The %llu is replaced by a 64-bit identifier which is dynamically allocated by the kernel. This is actually an incremental 64-bit chain ID that is used to allocate the internal name.

A few notes:

* The existing approach assumes an implicit jump to chain action for implicit chains.

* Depending on the use-case, jumping to a chain through a dictionary (a.k.a. verdict map) provides a more efficient ruleset evaluation.

Pablo Neira Ayuso (5):
  netfilter: nf_tables: add NFTA_CHAIN_ID attribute
  netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
  netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute
  netfilter: nf_tables: expose enum nft_chain_flags through UAPI
  netfilter: nf_tables: add NFT_CHAIN_ANONYMOUS

 include/net/netfilter/nf_tables.h        |  23 +++--
 include/uapi/linux/netfilter/nf_tables.h |  11 +++
 net/netfilter/nf_tables_api.c            | 117 +++++++++++++++++++----
 net/netfilter/nft_immediate.c            |  54 +++++++++++
 4 files changed, 178 insertions(+), 27 deletions(-)

-- 
2.20.1
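As an added illustration (not part of the patchset or of the nftables project's own sources), the same "SSH only from trusted sources" policy written three ways: the anonymous chain from the cover letter, the explicit named chain plus jump that the bytecode above desugars to, and the verdict-map form the notes mention as the more efficient alternative. The chain names ssh_trusted, y_named and y_vmap are assumed for illustration; in practice you would keep only one of the three base chains.

```nft
# Added example, not from the patchset. Three base chains are shown side by
# side only for comparison; load a single one in a real ruleset.
table inet x {
	# 1) Anonymous non-base chain (the syntax this patchset enables).
	#    The kernel names it __chain<ID> internally. Deleting the
	#    "tcp dport 22" rule also releases the chain and its rules.
	chain y {
		type filter hook input priority 0;
		tcp dport 22 chain {
			ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
			ip6 saddr ::1/128 accept
		}
	}

	# 2) Equivalent explicit named chain plus jump: this is what the
	#    "immediate reg 0 jump" in the bytecode does, except that
	#    ssh_trusted (assumed name) outlives the rule that jumps to it
	#    and has to be flushed and deleted by hand.
	chain ssh_trusted {
		ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
		ip6 saddr ::1/128 accept
	}
	chain y_named {
		type filter hook input priority 0;
		tcp dport 22 jump ssh_trusted
	}

	# 3) Verdict map: a single lookup keyed on the source address selects
	#    the verdict, instead of evaluating the sub-chain's rules one by one.
	chain y_vmap {
		type filter hook input priority 0;
		tcp dport 22 ip saddr vmap { 127.0.0.0/8 : accept,
		                             172.23.0.0/16 : accept,
		                             192.168.13.0/24 : accept }
		tcp dport 22 ip6 saddr vmap { ::1/128 : accept }
	}
}
```

Loading the file with `nft -c -f <file>` checks the syntax without committing anything, which is a convenient way to compare what each form expands to in `nft --debug=netlink`.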