| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240225174619.18990-1-donald.hunter@gmail.com>
Date: Sun, 25 Feb 2024 17:46:15 +0000
From: Donald Hunter <donald.hunter@...il.com>
To: netdev@...r.kernel.org,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Jacob Keller <jacob.e.keller@...el.com>,
Jiri Pirko <jiri@...nulli.us>,
Stanislav Fomichev <sdf@...gle.com>
Cc: donald.hunter@...hat.com,
Donald Hunter <donald.hunter@...il.com>
Subject: [RFC net-next 0/4] tools/net/ynl: Add batch operations for nftables
The nftables netlink families use batch operations for create update and
delete operations. This is a first cut at extending the netlink-raw
schema so that operations can wrapped with begin-batch and end-batch
messages.
The begin/end messages themselves are defined as ordinary ops, but there
are new attributes that describe the op name and parameters for the
begin/end messages.
The section of yaml spec that defines the begin/end ops looks like this;
the newtable op is marked 'is-batch: true' so the message needs to be
wrapped with 'batch-begin(res-id: 10)' and batch-end(res-id: 10) messages:
operations:
enum-model: directional
begin-batch: # Define how to begin a batch
operation: batch-begin
parameters:
res-id: 10
end-batch: # Define how to end a batch
operation: batch-end
parameters:
res-id: 10
list:
-
name: batch-begin
doc: Start a batch of operations
attribute-set: batch-attrs
fixed-header: nfgenmsg
do:
request:
value: 0x10
attributes:
- genid
reply:
value: 0x10
attributes:
- genid
-
name: batch-end
doc: Finish a batch of operations
attribute-set: batch-attrs
fixed-header: nfgenmsg
do:
request:
value: 0x11
attributes:
- genid
-
name: newtable
doc: Create a new table.
attribute-set: table-attrs
fixed-header: nfgenmsg
do:
request:
value: 0xa00
is-batch: True # This message must be in a batch
attributes:
- name
The code in ynl.py is sufficient to test the idea but I haven't extended
nlspec.py nor have I added any support for multiple messages to ynl.
This can be tested with e.g.:
./tools/net/ynl/cli.py --spec Documentation/netlink/specs/nftables.yaml \
--do newtable --json '{"name": "table", "nfgen-family": 1}'
If the approach is acceptable, then I would do the following:
- Extend nlspec.py to support the new schema properties.
- Extend cli.py to include a --batch option, then only allow
'is-batch' ops. Also fail 'is-batch' ops when --batch is not used.
- Extend ynl to support a heterogeneous list of ops to be sent
in a batch.
- Update documentation.
I'm thinking that usage would be '--do <op> | --dump <op> | --batch' and
when '--batch' is used, the '--json' parameter would be a list of op /
param pairs like this:
[ { "newtable": { "name": "x", "nfgen-family": 1 },
{ "newchain": { "table": "x", "name": "y", "nfgen-family": 1 } ]
Alternatively, usage could be '--batch <ops>' where <ops> is the json
above.
Thoughts?
Donald Hunter (4):
doc/netlink: Add batch op definitions to netlink-raw schema
tools/net/ynl: Extract message encoding into _encode_message()
tools/net/ynl: Add batch message encoding for nftables
doc/netlink/specs: Add draft nftables spec
Documentation/netlink/netlink-raw.yaml | 21 +
Documentation/netlink/specs/nftables.yaml | 1292 +++++++++++++++++++++
tools/net/ynl/lib/ynl.py | 33 +-
3 files changed, 1339 insertions(+), 7 deletions(-)
create mode 100644 Documentation/netlink/specs/nftables.yaml
--
2.42.0
Powered by blists - more mailing lists