Re: How to have a dynamic ingress device(s) list?

On Wed, 24 Apr 2024, at 8:20 PM, William N. wrote:
> On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:
>
>> Rather, "define nics".
>
> Yes, sorry.
>
>> You mentioned the use of bash, which is capable of serving as a generator.
>
> Thanks, I know. The thing is that nics can be added/removed at any 
> point in time, not just at startup, which makes it more complicated.

It does. Given that this cannot yet be addressed by nftables alone, I have an idea.

1) write a tmpfiles.d snippet to ensure the presence of a dedicated FIFO
2) write a script that continually reads lines from said FIFO
3) write a .service unit for the script
4) write a udev rule to assume responsibility for writing to said FIFO

The udev rule would need only to respond to the "add" and "remove" events for ethernet devices. The command/script invoked by said rule would need only to write a newline to the FIFO. The use of a FIFO would obviate the need for the main script to be reentrant by ensuring that events are responded to in a serial fashion. The event loop would be trivial to implement.

# Opens the FIFO in read/write mode to keep it perpetually open.
while read -r; do
   # An event arrived. Execute the generator and reload the ruleset.
   /path/to/your/include/generator && systemctl restart nftables
done <> /path/to/fifo

Combine all that with a partial nftables.service override to ensure that the generator is also triggered by an ExecStartPre command and it should do the job.

>
>> It does not.
>> 
>> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
>
> This gives segfault here.
>
>> Perhaps you need to upgrade nft.
>
> Here:
>
> # nft -V
> nftables v1.0.6 (Lester Gooch #5)
>   cli:          editline
>   json:         yes
>   minigmp:      no
>   libxtables:   yes
>
> On Debian 12 stable.

Alas, a vendor's notion of what is 'stable' counts for very little in practice; they merely pretend to backport important bug fixes. This is an ongoing issue for nftables, which has many bugs. It is at its best in a rolling distribution or if compiling by oneself.

>
>
>> Can you provide a minimal ruleset that reproduces the segfault?
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> define nics = { "eth0" }
> table netdev filter
> delete table netdev filter
>
> table netdev filter {
> 	chain ingress_internal {
> 		type filter hook ingress devices = $nics priority -500
> 	}
> }

I see. That has since been addressed, at least.

-- 
Kerin Millar
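The following is an added example, not code from Kerin's mail or from the nftables project. It fills in the generator and the FIFO reader from the four-step plan above as one script, and adds two checks a practitioner would want: the include is written atomically and the whole ruleset is checked with "nft -c" before it is applied. Every path (/run/nft-nics.fifo, /etc/nftables.d/nics.nft, /etc/nftables.conf), the helper names, the "nft-nics" script name, and the use of "systemctl reload" rather than "restart" are assumptions; the last one rests on the stock nftables.service, whose ExecReload runs "nft -f" while ExecStop runs "nft flush ruleset".

```shell
#!/bin/sh
# Added example, not code from the thread. Generator, FIFO event loop and the
# entry points called by the udev rule and the systemd units.
# Assumed, not from the original post: every path below, the helper names, and
# that the stock nftables.service is in use (ExecReload runs "nft -f",
# ExecStop runs "nft flush ruleset").

NICS_FIFO=${NICS_FIFO:-/run/nft-nics.fifo}               # assumed; created by tmpfiles.d
NICS_INCLUDE=${NICS_INCLUDE:-/etc/nftables.d/nics.nft}   # assumed; included by nftables.conf
NFT_CONF=${NFT_CONF:-/etc/nftables.conf}                 # assumed main ruleset path

# Print the names of Ethernet interfaces (/sys/class/net/<dev>/type == 1,
# i.e. ARPHRD_ETHER), one per line. "lo" has type 772 and fails the check.
list_ethernet_nics() {
    for dev in /sys/class/net/*; do
        [ -r "$dev/type" ] || continue
        [ "$(cat "$dev/type")" = 1 ] || continue
        printf '%s\n' "${dev##*/}"
    done | sort
}

# render_nics_define NAME... prints the include snippet in the form used in the
# thread. Names are quoted; a name that would break the quoting is rejected.
# With no names it prints nothing and fails: whether nft accepts an empty
# device set depends on the version (assumption), so the caller keeps the
# previous include instead of writing one.
render_nics_define() {
    [ "$#" -gt 0 ] || return 1
    set_body=
    for name; do
        case $name in
            *'"'* | *'\'*) return 1 ;;
        esac
        set_body="${set_body:+$set_body, }\"$name\""
    done
    printf 'define nics = { %s }\n' "$set_body"
}

# Write the include atomically (temp file + rename) so an "nft -f" running at
# the same moment never reads a half-written file. Interface names cannot
# contain whitespace, so word-splitting the scan output is safe.
write_include() {
    set -- $(list_ethernet_nics)
    if render_nics_define "$@" > "$NICS_INCLUDE.tmp"; then
        mv -f "$NICS_INCLUDE.tmp" "$NICS_INCLUDE"
    else
        rm -f "$NICS_INCLUDE.tmp"
        return 1
    fi
}

# Regenerate, then check the complete ruleset before applying it. Reload, not
# restart: a restart runs ExecStop (flush ruleset) first, so a start that then
# fails on a bad include would leave the host with no rules at all.
regenerate() {
    write_include && nft -c -f "$NFT_CONF" && systemctl reload nftables
}

# Serialise udev events through the FIFO. "<>" keeps a writer open on our side,
# so read never hits EOF when a udev helper closes its end. Lines arriving
# within a second of the first are drained (bash "read -t"), so a burst of
# events (add, rename, remove) costs one regeneration rather than several.
event_loop() {
    while read -r line; do
        while read -r -t 1 line; do :; done
        regenerate || printf 'nft-nics: regeneration failed, ruleset unchanged\n' >&2
    done <> "$NICS_FIFO"
}

case ${1:-} in
    write-include) write_include ;;   # for the nftables.service ExecStartPre drop-in
    loop)          event_loop ;;      # for the reader .service unit
    *)             render_nics_define enp1s0 enp2s0 ;;   # demo on constructed names
esac
```

The other pieces, with the same assumed paths: a tmpfiles.d line "p /run/nft-nics.fifo 0600 root root" creates the FIFO; the udev rule is ACTION=="add|remove", SUBSYSTEM=="net", RUN+="/usr/bin/timeout 5 /bin/sh -c 'echo > /run/nft-nics.fifo'" (no attribute match is needed, because the generator rescans and does the Ethernet filtering itself; the timeout stops the helper stalling udev's worker if nobody has the FIFO open); the reader unit runs "ExecStart=/usr/local/sbin/nft-nics loop"; the nftables.service drop-in adds "ExecStartPre=/usr/local/sbin/nft-nics write-include"; and nftables.conf carries include "/etc/nftables.d/nics.nft" above the chain that uses $nics.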
