Hi Daniel,

2013/11/6 Daniel Wagner <w...@monom.org>

> Hi Glenn,
>
>
> On 11/04/2013 08:37 PM, Glenn Schmottlach wrote:
>
>> I have a proposal which I hope the Connman developers will consider.
>>
>
> Sure :)
>
>
>> As I understand it, Connman sessions are tracked, in part, by marking
>> packets associated with the session's UID, GID, or SELinux context
>> information. This is translated into iptables rules which "mark" the
>> connections as described in session-overview.txt.
>>
>> Per session iptables rules:
>>
>> iptables -t mangle -A OUTPUT -m owner [--uid-owner|--gid-owner] $OWNER \
>>   -j MARK --set-mark $MARK
>>
>> iptables -t filter -A INPUT -m mark --mark $MARK \
>> -m nfacct --nfacct-name session-input-$MARK
>> iptables -t filter -A OUTPUT -m mark --mark $MARK \
>> -m nfacct --nfacct-name session-output-$MARK
>>
>
> BTW, the nfacct is going away. We are going to use NFQUEUE in future.
> Though we still need the MARK unless we can convince the netdev
> guys that the lookup for a policy routing table could be something else
> e.g. cgroup id. For the time being I keep the assumption we need
> the marker.
>

1) I want to know how ConnMan implements per-app network data usage
accounting.
    Does ConnMan need to create a session per app?

2) nfacct is going away. Why?

3) I don't know why ConnMan should switch to nftables.
Tomasz Bursztyka wrote an article, "ConnMan usage of Netfilter: a close
overview"
(https://home.regit.org/2013/03/tomasz-bursztyka-connman-usage-of-netfilter-a-close-overview/).

Reference:
---------------------------------------------------------------------------------------------------------------------------------
Switching to nftables

Application connectivity is a more advanced part involving Netfilter as it
makes use of statistics and differentiated routing. For example, in a
car, service data must be sent to the manufacturer's operator and not over the
owner's network.

To do so a session system has been implemented. Applications can be modified
to open a session to ConnMan. This allows defining a per-session policy for
routing and accounting.

The ConnMan team wanted to use a C API to do rule modification but this was
difficult with iptables and xtables. This is not an official API so it is
subject to bugs and change.

The ConnMan team has then switched to nftables and is currently working on
stabilizing nftables to ensure the acceptance of the project and the
maintainability of their solution in the long term. This work is not yet
upstream but there is a good chance it will be accepted.
------------------------------------------------------------------------------------------------------------------------------------

Cheers,

Chengyi
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman

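The per-session rules quoted in the thread above, as an added example that is not ConnMan's own code: a small POSIX shell script that generates the iptables/nfacct rules for one session owner together with the fwmark-to-policy-routing-table rule that the mark is still needed for, and that parses a session's byte counters back out of `nfacct list` output. The function names (`session_rules`, `session_bytes`), the sample `nfacct list` lines, UID 1000, mark 1 and routing table 100 are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not ConnMan's own code: generate the per-session iptables
# rules quoted above for one session owner and read the session counters back.
# Assumptions (illustrative): numeric UID/GID owners, small integer marks,
# a per-session policy routing table number, and rules printed for review
# rather than applied (applying them needs root and the owner/nfacct modules).

# session_rules OWNER_FLAG OWNER MARK TABLE
#   OWNER_FLAG is --uid-owner or --gid-owner; OWNER and MARK must be numeric.
session_rules() {
    own_flag=$1
    owner=$2
    mark=$3
    table=$4
    case $own_flag in --uid-owner|--gid-owner) ;;
        *) echo "bad owner flag: $own_flag" >&2; return 1 ;; esac
    case $owner in ''|*[!0-9]*) echo "owner must be numeric: $owner" >&2; return 1 ;; esac
    case $mark  in ''|*[!0-9]*) echo "mark must be numeric: $mark" >&2; return 1 ;; esac
    # 1. mark locally generated packets that belong to the session owner
    printf 'iptables -t mangle -A OUTPUT -m owner %s %s -j MARK --set-mark %s\n' \
        "$own_flag" "$owner" "$mark"
    # 2. the nfacct objects must exist before the match rules reference them
    printf 'nfacct add session-input-%s\n' "$mark"
    printf 'nfacct add session-output-%s\n' "$mark"
    # 3. account marked traffic per session (match-only rules, no -j target)
    printf 'iptables -t filter -A INPUT -m mark --mark %s -m nfacct --nfacct-name session-input-%s\n' \
        "$mark" "$mark"
    printf 'iptables -t filter -A OUTPUT -m mark --mark %s -m nfacct --nfacct-name session-output-%s\n' \
        "$mark" "$mark"
    # 4. the mark is what selects the session's policy routing table
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$table"
}

# session_bytes NAME < nfacct-list-output
#   Print the byte counter for NAME from `nfacct list` output; fail if absent.
#   Lines look like: { pkts = 0000...10, bytes = 0000...1234 } = session-input-1;
session_bytes() {
    name=$1
    while IFS= read -r line; do
        case $line in *"= $name;"*) ;; *) continue ;; esac
        b=${line#*bytes = }        # drop everything up to the byte field
        b=${b%% *}                 # keep the zero-padded number only
        b=$(printf '%s' "$b" | sed 's/^0*//')
        printf '%s\n' "${b:-0}"
        return 0
    done
    return 1
}

# Constructed sample of `nfacct list` output (not captured from a real system).
SAMPLE_NFACCT='{ pkts = 00000000000000000010, bytes = 00000000000000001234 } = session-input-1;
{ pkts = 00000000000000000007, bytes = 00000000000000000980 } = session-output-1;
{ pkts = 00000000000000000000, bytes = 00000000000000000000 } = session-input-2;'

# Usage: rules for a session owned by UID 1000, mark 1, routing table 100,
# then the byte counters for that session from the sample output.
session_rules --uid-owner 1000 1 100
printf '%s\n' "$SAMPLE_NFACCT" | session_bytes session-input-1
printf '%s\n' "$SAMPLE_NFACCT" | session_bytes session-output-1
```

The script only prints the rules so they can be reviewed; pipe its output to `sh` as root to apply them. One caveat a practitioner should keep in mind: the owner match only marks locally generated packets in OUTPUT, so the INPUT counter above only sees inbound packets that already carry the session mark; if inbound traffic is to be accounted per session as well, the mark has to be carried over the connection (for example with the CONNMARK target's --save-mark/--restore-mark), which the quoted rules do not do on their own.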