Changes since v1: - New patch 6 adding notifications for updated hooks. - New patch 7 adding the requested torture test. Currently, netdev-family chains and flowtables expect their interfaces to exist at creation time. In practice, this bites users of virtual interfaces if these happen to be created after the nftables service starts up and loads the stored ruleset. Vice-versa, if an interface disappears at run-time (via module unloading or 'ip link del'), it also disappears from the ruleset, along with the chain and its rules which binds to it. This is at least problematic for setups which store the running ruleset during system shutdown. This series attempts to solve these problems by effectively making netdev hooks name-based: If no matching interface is found at hook creation time, it will be inactive until a matching interface appears. If a bound interface is renamed, a matching inactive hook is searched for it. Ruleset dumps will stabilize in that regard. To still provide information about which existing interfaces a chain/flowtable currently binds to, new netlink attributes *_ACT_DEVS are introduced which are filled from the active hooks only. This series is also prep work for a simple wildcard interface binding similar to the wildcard interface matching in meta expression. It should suffice to turn struct nft_hook::ops into an array of all matching interfaces, but the respective code does not exist yet. Phil Sutter (7): netfilter: nf_tables: Store user-defined hook ifname netfilter: nf_tables: Relax hook interface binding netfilter: nf_tables: Report active interfaces to user space netfilter: nf_tables: Dynamic hook interface binding netfilter: nf_tables: Correctly handle NETDEV_RENAME events netfilter: nf_tables: Add notications for hook changes selftests: netfilter: Torture nftables netdev hooks include/net/netfilter/nf_tables.h | 8 +- include/uapi/linux/netfilter/nf_tables.h | 6 +- net/netfilter/nf_tables_api.c | 204 ++++++++++++------ net/netfilter/nft_chain_filter.c | 80 ++++--- .../testing/selftests/net/netfilter/Makefile | 1 + .../net/netfilter/nft_interface_stress.sh | 106 +++++++++ 6 files changed, 309 insertions(+), 96 deletions(-) create mode 100755 tools/testing/selftests/net/netfilter/nft_interface_stress.sh -- 2.43.0
