|
|
| netfilter support in libnl |
 
United States |
2007-09-03 00:09:42 |
There have been comments in the past on this list about
using libnl
for the netfilter netlink support, and since I would like to
use a
common library api for all the netlink interfaces, I decided
to give
it a go. These patches are the result of that.
Any comments welcome, particularly about whether this is
still
something that is desired.
Some notes about the patches:
- only tested on an ARM platform
- only conntrack and log implemented (not queue)
- only dumping and monitoring implemented (no
modifications)
- monitoring ct/log events requires copying all the netlink
message
data into another object, which seems a bit inefficient
- I defined a cache to monitor log messages, so that it can
find the
parser automatically, but not sure that caching log events
makes sense
- I've added 'test' operations for some ct/log fields. None
of the
other objects in libnl have these, but I think they are
needed.
|
|
| libnl: add netfilter support |
United States |
2007-09-03 00:11:18 |
|
|
 |
| libnl: add netfilter conntrack support |
United States |
2007-09-03 00:11:54 |
|
|
| |
| libnl: add netfilter log support |
United States |
2007-09-03 00:12:32 |
|
|
| |
| Re: netfilter support in libnl |
 
Germany |
2007-09-03 04:30:59 |
Philip Craig wrote:
> There have been comments in the past on this list about
using libnl
> for the netfilter netlink support, and since I would
like to use a
> common library api for all the netlink interfaces, I
decided to give
> it a go. These patches are the result of that.
>
> Any comments welcome, particularly about whether this
is still
> something that is desired.
Very nice, I think its still desirable to avoid having to
use multiple pretty similar libraries in case you also need
to use other netlink subsystems.
And I think LGPL is a much better choice than GPL for stuff
like this.
If you want to merge this upstream, you should probably CC
Thomas.
|
|
| Re: libnl: add netfilter support |
Germany |
2007-09-03 04:50:05 |
Philip Craig wrote:
> +#define NFA_NEST(skb, type)
> +({ struct nfattr *__start = (struct nfattr
*)skb_tail_pointer(skb);
> + NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL);
> + __start; })
The latest libnetfilter_conntrack version doesn't send the
NFA_NEST
bit to the kernel anymore since we intend to get rid of it,
at
least on the receive side. Please change this to not send it
here
as well.
|
|
| Re: netfilter support in libnl |
 
Switzerland |
2007-09-03 04:59:15 |
* Patrick McHardy <kaber trash.net> 2007-09-03
11:30
> Philip Craig wrote:
> > There have been comments in the past on this list
about using libnl
> > for the netfilter netlink support, and since I
would like to use a
> > common library api for all the netlink interfaces,
I decided to give
> > it a go. These patches are the result of that.
> >
> > Any comments welcome, particularly about whether
this is still
> > something that is desired.
>
>
> Very nice, I think its still desirable to avoid having
to
> use multiple pretty similar libraries in case you also
need
> to use other netlink subsystems.
I agree, it would be great if we could get rid of the
almost
duplicate effort of nfnl attributes etc.
> And I think LGPL is a much better choice than GPL for
stuff
> like this.
This is my fault, I intedend to use LGPL as stated in the
COPYING
for some brain dead reason have been copying GPL headers
from file
to file. I'm fixing this up right now.
> If you want to merge this upstream, you should probably
CC
> Thomas.
|
|
| Re: libnl: add netfilter support |
Switzerland |
2007-09-03 05:01:48 |
* Patrick McHardy <kabertrash.net> 2007-09-03
11:50
> Philip Craig wrote:
> > +#define NFA_NEST(skb, type)
> > +({ struct nfattr *__start = (struct nfattr
*)skb_tail_pointer(skb);
> > + NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL);
> > + __start; })
>
>
> The latest libnetfilter_conntrack version doesn't send
the NFA_NEST
> bit to the kernel anymore since we intend to get rid of
it, at
> least on the receive side. Please change this to not
send it here
> as well.
Great, so basically the attribute interfaces could be merged
on the
sending side.
I think I can live with checking for the bit on the
receiving side,
the only problem it could cause is when the attribute type
is used
to encode information such as a port number. So if we are
willing
to take that risk the receiving path could be merged as
well.
|
|
| Re: netfilter support in libnl |
Germany |
2007-09-03 05:05:16 |
Thomas Graf wrote:
> * Patrick McHardy <kabertrash.net> 2007-09-03
11:30
>
>>And I think LGPL is a much better choice than GPL
for stuff
>>like this.
>
>
> This is my fault, I intedend to use LGPL as stated in
the COPYING
> for some brain dead reason have been copying GPL
headers from file
> to file. I'm fixing this up right now.
I was actually under the impression that it already uses
LGPL 
|
|
| Re: libnl: add netfilter support |
Germany |
2007-09-03 05:06:51 |
Thomas Graf wrote:
> * Patrick McHardy <kabertrash.net> 2007-09-03
11:50
>
>>Philip Craig wrote:
>>
>>>+#define NFA_NEST(skb, type)
>>>+({ struct nfattr *__start = (struct nfattr
*)skb_tail_pointer(skb);
>>>+ NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL);
>>>+ __start; })
>>
>>
>>The latest libnetfilter_conntrack version doesn't
send the NFA_NEST
>>bit to the kernel anymore since we intend to get rid
of it, at
>>least on the receive side. Please change this to not
send it here
>>as well.
>
>
> Great, so basically the attribute interfaces could be
merged on the
> sending side.
Yes, hopefully. We're using big endian for numeric values,
but that
shouldn't be a problem I think.
> I think I can live with checking for the bit on the
receiving side,
> the only problem it could cause is when the attribute
type is used
> to encode information such as a port number. So if we
are willing
> to take that risk the receiving path could be merged as
well.
That kind of information should be stored as attribute
value, no?
|
|