[PATCH 0/2] Interface groups, round two
Hello,

Here is the new version of the ifgroup patches. The interface group value is u_int32_t in net_device, which should be enough. Previously it was an int.

Usage:

ip link set eth0 group 4

but currently it cannot be unset, only changed to another value. In /etc/iproute2/rt_ifgroup each value may have a symbolic name.

Netfilter part: xt_ifgroup module for both IPv4 and IPv6.

Iptables usage:

iptables -A INPUT -m ifgroup --in-ifgroup 4/0xf -j ACCEPT
iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5 -j ACCEPT

... in the FORWARD chain both the input and output interface group values should be matched (with optional masks).

The following patches are:

kernel: core part
kernel: netfilter module, ifgroup match
iproute2: showing and setting the ifgroup value
iptables: ifgroup match

--
Laszlo Attila Toth

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/2] Interface groups, round two
Laszlo Attila Toth wrote:
> Hello,
>
> Here is the new version of the ifgroup patches. The interface group value is u_int32_t in net_device, which should be enough. Previously it was an int.
>
> Usage:
>
> ip link set eth0 group 4
>
> but currently it cannot be unset, only changed to another value.

The only reason why it can't be set to zero again seems to be this part from the iproute patch:

+ if (rtnl_ifgroup_a2n(group, *argv) || group == 0)

Why don't you allow a value of zero?
Re: [PATCH 0/2] Interface groups, round two
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> Hello,
>>
>> Here is the new version of the ifgroup patches. The interface group value is u_int32_t in net_device, which should be enough. Previously it was an int.
>>
>> Usage:
>>
>> ip link set eth0 group 4
>>
>> but currently it cannot be unset, only changed to another value.
>
> The only reason why it can't be set to zero again seems to be this part from the iproute patch:
>
> + if (rtnl_ifgroup_a2n(group, *argv) || group == 0)
>
> Why don't you allow a value of zero?

It has a historical reason. The original version, which didn't use netlink (at kernel 2.6.17), used zero to indicate that the group was not set. You wrote previously that this part is useless for new kernels. I'll fix this (with the type of the group variable changed to unsigned int32 to be consistent with the kernel part).

--
Attila
Re: [PATCH 0/2] Interface groups, round two
Laszlo Attila Toth wrote:
> Patrick McHardy wrote:
>> The only reason why it can't be set to zero again seems to be this part from the iproute patch:
>>
>> + if (rtnl_ifgroup_a2n(group, *argv) || group == 0)
>>
>> Why don't you allow a value of zero?
>
> It has a historical reason. The original version, which didn't use netlink (at kernel 2.6.17), used zero to indicate that the group was not set. You wrote previously that this part is useless for new kernels. I'll fix this (with the type of the group variable changed to unsigned int32 to be consistent with the kernel part).

Support for ifgroups in the ioctl part is useless since that will never be used with a kernel supporting this feature. Setting it to zero is not useless.
[PATCH 0/2] Interface groups
Hello,

Different network interfaces can be grouped using the same group ID. With this patch fewer netfilter rules are necessary, but it may also be used by routing.

The interface group (ifgroup) member of the net_device can be modified via netlink (with iproute2) and it is used in the new 'ifgroup' netfilter match.

ip link set eth0 group 4
iptables -A INPUT -m ifgroup --if-group 4 -j ACCEPT

--
Laszlo Attila Toth
Re: [PATCH 0/2] Interface groups
Laszlo Attila Toth wrote:
> Hello,
>
> Different network interfaces can be grouped using the same group ID. With this patch fewer netfilter rules are necessary, but it may also be used by routing.

This allows an interface to belong to only one group. I expect there are situations where you want more, e.g. you might want a group of all pptp connections, and another group of pptp connections for a subset of users.

An alternative approach would be to extend ipset to have sets of ifindex, although this would tie it closer to iptables, and it would be slower. But it still gives the properties of reducing the number of iptables rules, and allowing group membership to be changed without reinstalling rules.

Maybe Jozsef has designed nfset to be able to handle this already?
Re: [PATCH 0/2] Interface groups
Philip Craig wrote:
> Laszlo Attila Toth wrote:
>> Hello,
>>
>> Different network interfaces can be grouped using the same group ID. With this patch fewer netfilter rules are necessary, but it may also be used by routing.
>
> This allows an interface to belong to only one group. I expect there are situations where you want more, e.g. you might want a group of all pptp connections, and another group of pptp connections for a subset of users.

With masked values it should work with only one group.

--
Attila
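An added example, not code from the patches in this thread, of how the value/mask form of the match (the `4/0xf` syntax in the round-two posting, and the "masked values" answer to the multiple-group question above) lets one 32-bit ifgroup value answer both "is this any pptp link?" and "is this a pptp link of user subset 1?". The `fake_dev` struct, the match rule `(ifgroup & mask) == (value & mask)` and the bit layout are assumptions, since the thread shows only the command-line syntax.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the ifgroup member the patches add to net_device. */
struct fake_dev {
    const char *name;
    uint32_t ifgroup;
};

/* Value/mask pair as written on the iptables command line, e.g. 4/0xf. */
struct ifgroup_spec {
    uint32_t value;
    uint32_t mask; /* 0xffffffff when no mask is given on the command line */
};

/* Assumed match semantics (the usual netfilter value/mask convention): the
 * interface's group, restricted to the mask bits, must equal the value. */
static int ifgroup_match(const struct fake_dev *dev, const struct ifgroup_spec *spec)
{
    return (dev->ifgroup & spec->mask) == (spec->value & spec->mask);
}

/* FORWARD-chain style check: both --in-ifgroup and --out-ifgroup must match. */
static int ifgroup_match_forward(const struct fake_dev *in, const struct ifgroup_spec *in_spec,
                                 const struct fake_dev *out, const struct ifgroup_spec *out_spec)
{
    return ifgroup_match(in, in_spec) && ifgroup_match(out, out_spec);
}

/* Constructed encoding: high nibble 0x10 marks "pptp link", low nibble is the
 * user subset. Each interface still carries exactly one group value. */
static const struct fake_dev ppp0 = { "ppp0", 0x11 }; /* pptp, subset 1 */
static const struct fake_dev ppp1 = { "ppp1", 0x12 }; /* pptp, subset 2 */
static const struct fake_dev eth0 = { "eth0", 0x04 }; /* not pptp, group 4 */

static const struct ifgroup_spec any_pptp     = { 0x10, 0xf0 };       /* --in-ifgroup 0x10/0xf0 */
static const struct ifgroup_spec pptp_subset1 = { 0x11, 0xffffffff }; /* --in-ifgroup 0x11 */
static const struct ifgroup_spec group4       = { 0x04, 0xffffffff }; /* --out-ifgroup 4 */

int main(void)
{
    printf("ppp0 is pptp: %d, ppp1 is pptp: %d, eth0 is pptp: %d\n",
           ifgroup_match(&ppp0, &any_pptp), ifgroup_match(&ppp1, &any_pptp),
           ifgroup_match(&eth0, &any_pptp));
    printf("ppp0 in subset 1: %d, ppp1 in subset 1: %d\n",
           ifgroup_match(&ppp0, &pptp_subset1), ifgroup_match(&ppp1, &pptp_subset1));
    printf("forward ppp0 -> eth0 (any pptp in, group 4 out): %d\n",
           ifgroup_match_forward(&ppp0, &any_pptp, &eth0, &group4));
    return 0;
}
```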