Message-ID: <20210728014347.GM3673@orbyte.nwl.cc>
Date: Wed, 28 Jul 2021 03:43:47 +0200
From: Phil Sutter <phil@....cc>
To: Alex Forster <aforster@...udflare.com>
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
kernel-team <kernel-team@...udflare.com>,
Network Development <netdev@...r.kernel.org>,
Kyle Bowman <kbowman@...udflare.com>,
linux-kernel@...r.kernel.org,
Jozsef Kadlecsik <kadlec@...filter.org>,
coreteam@...filter.org, netfilter-devel@...r.kernel.org,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [netfilter-core] [PATCH] netfilter: xt_NFLOG: allow 128 character log prefixes
Hi,
On Tue, Jul 27, 2021 at 05:45:09PM -0500, Alex Forster via netfilter-core wrote:
> > Yes, you can update iptables-nft to use nft_log instead of xt_LOG,
> > that requires no kernel upgrades and it will work with older kernels.
>
> I've always been under the impression that mixing xtables and nftables
> was impossible. Forgive me, but I just want to clarify one more time:
> you're saying we should be able to modify iptables-nft such that the
> following rule will use xt_bpf to match a packet and then nft_log to
> log it, rather than xt_log as it does today?
iptables-nft is free to use either xtables extensions or native nftables
expressions and it may mix them within the same rule. Internally, this
is all nftables but calling xtables extensions via a compat expression.
You might want to check iptables commit ccf154d7420c0 ("xtables: Don't
use native nftables comments") for reference; it does the opposite of
what you want to do.
> iptables-nft -A test-chain -d 11.22.33.44/32 -m bpf --bytecode
> "1,6 0 0 65536" -j NFLOG --nflog-prefix
> "0123456789012345678901234567890123456789012345678901234567890123456789"
Keep in mind though, you may end up with rulesets an older iptables(-nft)
will reject. I've seen people running into such compat issues when using
containers for things they shouldn't, but that's a different story.
> We had some unexplained performance loss when we were evaluating
> switching to iptables-nft, but if this sort of mixing is possible then
> it is certainly worth reevaluating.
There were some significant performance improvements in the recent past.
Repeating the check might yield better results in this aspect, too.
Cheers, Phil
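An added example (not Phil's code, nor part of iptables or nftables) that audits an `nft list ruleset` dump for the situation discussed above: which rules still call xtables extensions through the compat layer, whether logging is done by xt_NFLOG or the native log expression, and whether a native log prefix exceeds a caller-supplied limit. The sample ruleset is constructed from the quoted rule, and the `xt match "<name>"` / `xt target "<name>"` listing format is an assumption; the pre-patch xt_NFLOG prefix limit is not stated in the thread, so it is passed in as `max_prefix`.

```python
import re

# Constructed sample modelled on the rule quoted above, as `nft list ruleset`
# might print it once iptables-nft has translated it. ASSUMPTION: xtables compat
# expressions are listed as `xt match "<name>"` / `xt target "<name>"`. Rule 1
# keeps xt_NFLOG, rule 2 uses native log with the same 70-character prefix.
SAMPLE_RULESET = """\
table ip filter {
	chain test-chain {
		ip daddr 11.22.33.44 xt match "bpf" xt target "NFLOG"
		ip daddr 11.22.33.44 xt match "bpf" log prefix "%s" group 0
		ip daddr 10.0.0.1 counter log prefix "short" group 0
	}
}
""" % ("0123456789" * 7)

XT_COMPAT = re.compile(r'\bxt (?:match|target) "?(\w+)"?')
LOG_PREFIX = re.compile(r'\blog prefix "([^"]*)"')

def audit_rules(ruleset, max_prefix):
    """One dict per rule line: compat-layer xtables extensions, the logging
    backend (xt_NFLOG or native nft log) and native prefix length checks."""
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith(("table ", "chain ", "type ", "}")):
            continue  # table/chain framing, not a rule
        compat = XT_COMPAT.findall(line)
        if "NFLOG" in compat:
            backend = "xt_NFLOG"  # prefix is inside the opaque xt blob
        elif re.search(r"\blog\b", line):
            backend = "nft_log"  # native expression, prefix visible here
        else:
            backend = None
        m = LOG_PREFIX.search(line)
        prefix_len = len(m.group(1)) if m else 0
        findings.append({
            "rule": line,
            "compat": compat,
            "log_backend": backend,
            "prefix_len": prefix_len,
            "prefix_too_long": prefix_len > max_prefix,
        })
    return findings

def native_log_rules(findings):
    """Rules relying on nft_log: an iptables-nft without native log support
    cannot represent these, which is the compat issue Phil warns about."""
    return [f["rule"] for f in findings if f["log_backend"] == "nft_log"]
```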