Re: Combine ipv4 and ipv6 in a set

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dňa 31. januára 2024 13:02:57 UTC používateľ Kerin Millar <kfm@xxxxxxxxxxxxx> napísal:

>Firstly, I mentioned both tables and the "inet" family. If you search for inet in the man page, you should land in the ADDRESS FAMILY section, which indicates that the purpose of an address family is to define the type of packets that can be processed. It goes on to say that "all nftables objects exist in address family specific namespaces, therefore all identifiers include an address family".

I check manpage now, 1.0.6 (as is in debian bookworm) and from its
ADDRESS FAMILY section is nor clean (at least for me) the order of
inet and ip/ip6 tables processing. It is even not clearly stated here,
that packet will be processed in both, the inet and the ip/ip6.

I know, that hook's priority comes into play, it is worth to mention,
if here are hooks with the same priority in both (as inet and ip/ip6)
the order is ... or order is not defined.

>>> table inet filter {
>>>         set block4 {
>>>                 type ipv4_addr
>>>         }
>>>         set block6 {
>>>                 type ipv6_addr
>>>         }
>>>         chain INPUT {
>>>                 type filter hook input priority filter; policy accept
>>>                 ip saddr @block4 drop
>>>                 ip6 saddr @block6 drop
>>>         }
>>> }

This can be OK with two sets, as it really doesn't matter if you have
one ot two rules/sets. But when you start to really use them and you
need eg. 10 sets, you have to define every twice, things become
more complicated...

When i start to play with these sets i was too constrained by iptables's
approach by that, that every iptables's table becomed separate
nftables table, thus one cannot share common sets between eg. raw
and filter tables. It took some time to realize, that i need to switch my
mind and that i can define "raw" and "filter" hooks in one table and thus
share the same set in both (eg. fill content in filter and drop in raw).

Second thing which took time to understand was, why in hell i need
as many sets. After some time i realized, that it is price for flexibility.
In iptables many extensions uses some storage (recent, limit,
hashlimit, connlimit) and these storages are managed by extension
itself, and user needs only to setup its name or even nothing (for
limit). In nftables world one can use sets to achieve the same result,
but have to create sets/storage by self, but can customize them in
simple way (without change kernel module options) and that is
great.

But if one use these features intensive, all sets and rules must
be twiced in inet table (exactly as in separated ip/ip6 tables), the
amount of sets increases significantly. Yes, these "sets" was twiced
in ip(6)tables too, but that was "hidden" in extension code, now the
inet table exposes that twicing. And as amount of sets increases,
listing them becomes more and more not user friendly, as one can
list either all table's sets or one concrete set, nothing in between.

BTW, i am curious, how big difference (in performance/time) is to
search IPv4 vs. IPv6 address in set? Is it worth to consider?

I start to more and more think, that using of inet family (as in current
state) is good only for simple/basic FWs, without any advanced
features, where are L3 addresses used only to static distingushing
of access or where rulesets are maintained by some external tool
(in separate tables).

>From my point of view, integration of sets created impressive
features in nftables, but in result they are too constrained (in L3
mean), by the same way as they was in iptables, or even worse,
as now ipset allow to use combined sets and add/update it from
the same name (thus rule too) in both, the iptables and ip6tables
(yes, as mentioned already, that is not possible from command
line -- yet?).

Another thing, which is not clean for me, is memory usage of sets.
I read on multiple places about huge memory usage with big sets,
but nowhere i found real comparison. Nor in memory usage, nor in
performance of nftables's sets vs. ipset sets. Now i don't know
if these memory problems was in early stage of sets development
(and are solved now), or they was caused by suboptimal usage of
tools, or it is by design. Recently i noticed in docs, that there is
memory/performance switch for sets, but what that means in
real usage? Again, no benchmark is documented, to one can
properly decide which one to use. Or, at least, commands/way
how to measure difference by self...

regards


-- 
Slavko
https://www.slavino.sk/





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux