Hi,
On Fri, 2016-02-26 at 09:19 +0100, Daniel Wagner wrote:
> Hi,
> Indeed I was thinking of replacing iptables rather than having nftables
> and iptables coexist. The iptables rule set is visible on
> the highest layer, e.g.
> rule #1
> src/nat.c-        cmd = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
> src/nat.c-                              nat->address,
> src/nat.c-                              nat->prefixlen,
> src/nat.c-                              nat->interface);
> rule #2
> src/session.c:        err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
> src/session.c-                                          "-j CONNMARK --restore-mark");
> src/session.c:        err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
> src/session.c-                                          "-j CONNMARK --save-mark");
> rule #3
> src/session.c-    case CONNMAN_SESSION_ID_TYPE_UID:
> src/session.c:        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
> src/session.c-                                          "-m owner --uid-owner %s -j MARK --set-mark %d",
> src/session.c-                                          session->policy_config->id,
> src/session.c-                                          session->mark);
> src/session.c-        break;
> src/session.c-    case CONNMAN_SESSION_ID_TYPE_GID:
> src/session.c:        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
> src/session.c-                                          "-m owner --gid-owner %s -j MARK --set-mark %d",
> src/session.c-                                          session->policy_config->id,
> src/session.c-                                          session->mark);
> src/session.c-        break;
> rule #4
> src/session.c:    id = __connman_firewall_add_rule(session->fw, "nat", "POSTROUTING",
> src/session.c-                                     "-o %s -j SNAT --to-source %s",
> src/session.c-                                     ifname, addr);
> In order to have iptables and nftables available (the implementation will be selected
> at compile time) we need to do either
> a) translate the iptables rules to nftables rules
> b) come up with a generic rule API
> c) introduce a bunch of specific rule functions which are implemented
> by the iptables and nftables subsystems.
> I think a) is pretty dirty and we should not do it. b) is way too
> complex for what we do. c) would be a good compromise and it helps
> the transition phase. When we finally rip out iptables
> this wrapper API could get removed as well.
> So what about something like this:
> rule #1
> __connman_firewall_enable_masquerade(struct firewall_context *ctx);
> __connman_firewall_disable_masquerade(struct firewall_context *ctx);
Yes, looks simple enough.
> rule #2
> __connman_firewall_enable_connection_tracking(struct firewall_context *ctx);
> __connman_firewall_disable_connection_tracking(struct firewall_context *ctx);
Where is this needed? Isn't it something automatically used when
enabling marking with rule #3 below?
> rule #3
> __connman_firewall_enable_marking(struct firewall_context *ctx,
>                                   enum connman_session_id_type,
>                                   char *id, uint32_t mark);
> __connman_firewall_disable_marking(struct firewall_context *ctx);
Should we say here which marking to remove or is the ctx per one marking
only? If it's one marking per ctx then subsequent (accidental) calls to
__connman_firewall_enable_marking() need to return -EALREADY or similar.
> rule #4
> __connman_firewall_enable_snat(struct firewall_context *ctx,
>                                char *ifname, char *addr);
> __connman_firewall_disable_snat(struct firewall_context *ctx);
Should this be called "add interface" with the code figuring out the
address (or am I getting confused which address this is)? What happens
if one combines this function with and only with rule #1 above?
> Obviously, the naming sucks.
Hmm, let's see. It could be worse, of course :-)
Thanks,
Patrik
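As an added example, not connman's code and not part of this thread, here is a sketch of how the rule #3 wrapper from option c) could be written so that it answers the question raised above: one marking per context, a second enable on the same context returning -EALREADY, and the backend chosen at compile time. All names (fw_enable_marking, fw_disable_marking, struct firewall_context, the FW_BACKEND_NFTABLES define) are assumptions, and the code only renders the rule text that a real implementation would hand to iptables or nft; the nft rendering is my guess at the equivalent syntax, not something taken from the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical compile-time backend switch, as option c) proposes: build with
 * -DFW_BACKEND_NFTABLES to render nft syntax, otherwise iptables syntax. */
#ifndef FW_BACKEND_NFTABLES
#define FW_BACKEND_IPTABLES 1
#endif

enum fw_id_type { FW_ID_TYPE_UID, FW_ID_TYPE_GID };

/* Assumed contract: a context carries at most one marking rule. */
struct firewall_context {
	int marking_enabled;
	uint32_t mark;
	char rule[128];  /* rule text handed to the backend, kept for inspection */
};

/* Render the backend-specific rule text into buf; 0 or negative errno. */
static int render_mark_rule(char *buf, size_t len, enum fw_id_type type,
			    const char *id, uint32_t mark)
{
	int n;
#ifdef FW_BACKEND_IPTABLES
	n = snprintf(buf, len, "-m owner --%s-owner %s -j MARK --set-mark %u",
		     type == FW_ID_TYPE_UID ? "uid" : "gid", id, (unsigned) mark);
#else
	n = snprintf(buf, len, "meta %s %s meta mark set %u",
		     type == FW_ID_TYPE_UID ? "skuid" : "skgid", id, (unsigned) mark);
#endif
	if (n < 0 || (size_t) n >= len)
		return -ENAMETOOLONG;  /* refuse a truncated rule */
	return 0;
}

int fw_enable_marking(struct firewall_context *ctx, enum fw_id_type type,
		      const char *id, uint32_t mark)
{
	int err;

	if (!ctx || !id || !*id)
		return -EINVAL;
	if (type != FW_ID_TYPE_UID && type != FW_ID_TYPE_GID)
		return -EINVAL;
	if (ctx->marking_enabled)
		return -EALREADY;  /* accidental second enable: do not stack rules */

	err = render_mark_rule(ctx->rule, sizeof(ctx->rule), type, id, mark);
	if (err)
		return err;
	/* a real implementation would install ctx->rule via iptables/nft here */
	ctx->marking_enabled = 1;
	ctx->mark = mark;
	return 0;
}

int fw_disable_marking(struct firewall_context *ctx)
{
	if (!ctx)
		return -EINVAL;
	if (!ctx->marking_enabled)
		return -ENOENT;  /* nothing installed on this context */
	ctx->marking_enabled = 0;
	ctx->mark = 0;
	ctx->rule[0] = '\0';
	return 0;
}

/* Exercise the contract: returns 0 when every step behaves as documented,
 * otherwise the number of the first failing step. */
int fw_marking_contract_check(void)
{
	struct firewall_context ctx;
	char tiny[8];

	memset(&ctx, 0, sizeof(ctx));
	if (fw_enable_marking(&ctx, FW_ID_TYPE_UID, "1000", 7) != 0)
		return 1;
#ifdef FW_BACKEND_IPTABLES
	if (strcmp(ctx.rule, "-m owner --uid-owner 1000 -j MARK --set-mark 7") != 0)
		return 2;
#endif
	if (fw_enable_marking(&ctx, FW_ID_TYPE_GID, "100", 8) != -EALREADY)
		return 3;
	if (ctx.mark != 7)  /* the rejected call must leave state untouched */
		return 4;
	if (fw_disable_marking(&ctx) != 0)
		return 5;
	if (fw_disable_marking(&ctx) != -ENOENT)
		return 6;
	if (fw_enable_marking(&ctx, FW_ID_TYPE_UID, "", 7) != -EINVAL)
		return 7;
	if (render_mark_rule(tiny, sizeof(tiny), FW_ID_TYPE_UID, "1000", 7) != -ENAMETOOLONG)
		return 8;
	return 0;
}

int main(void)
{
	struct firewall_context ctx;

	memset(&ctx, 0, sizeof(ctx));
	fw_enable_marking(&ctx, FW_ID_TYPE_UID, "1000", 7);
	printf("rule: %s\n", ctx.rule);
	printf("contract check: %d\n", fw_marking_contract_check());
	return 0;
}
```

The point of keeping the state on the context rather than in the backend is that the caller gets a deterministic answer (-EALREADY, -ENOENT) without having to parse iptables or nft output, which is also where a duplicated or leaked rule would otherwise go unnoticed.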