[nft] src: add tee statement

This allows you to clone packets to some destination, eg.

... tee gateway 172.20.0.2
... tee oifname tap0 gateway ip saddr map { 192.168.0.2 : 172.20.0.2, ... }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/statement.h       |    9 +++++++++
 src/evaluate.c            |   21 +++++++++++++++++++--
 src/netlink_delinearize.c |   39 +++++++++++++++++++++++++++++++++++++++
 src/netlink_linearize.c   |   21 +++++++++++++++++++++
 src/parser_bison.y        |   18 ++++++++++++++++++
 src/scanner.l             |    2 ++
 src/statement.c           |   29 +++++++++++++++++++++++++++++
 7 files changed, 137 insertions(+), 2 deletions(-)

On 19.06, Pablo Neira Ayuso wrote:
> This allows you to clone packets to some destination, eg.
> 
> ... tee gateway 172.20.0.2
> ... tee oifname tap0 gateway ip saddr map { 192.168.0.2 : 172.20.0.2, ... }

Is tee a name we want to use for userspace syntax? It's not particulary
descriptive for people who don't know what "tee" is, which I guess are
quite a few. Alternative suggestion of the top of my head would be "dup"
or "duplicate".

> +struct tee_stmt {
> +	struct expr		*gw;
> +	const char		*oifname;

I'd suggest to use an expr as well to allow use of symbolic variables.
BTW, have you considered using an ifindex? I mean, we do it for matches
as well, and in case of tee its rather unlikely to be used with a
dynamic network device.

> +	reg1 = netlink_parse_register(nle, NFT_EXPR_TEE_SREG_GW);
> +	if (reg1) {
> +		addr = netlink_get_register(ctx, loc, reg1);
> +		if (addr == NULL)
> +			return netlink_error(ctx, loc,
> +					     "TEE statement has no address "
> +					     "expression");
> +
> +		if (ctx->table->handle.family == NFPROTO_IPV4)
> +			expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
> +		else
> +			expr_set_type(addr, &ip6addr_type,
> +				      BYTEORDER_BIG_ENDIAN);
> +		stmt->tee.gw = addr;
> +	}
> +
> +	if (nft_rule_expr_is_set(nle, NFT_EXPR_TEE_OIFNAME)) {
> +		stmt->tee.oifname =
> +			strdup(nft_rule_expr_get_str(nle, NFT_EXPR_TEE_OIFNAME));

Please use consistent braces, IOW none for single statements.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Friday 19 June 2015 14:57:24 Patrick McHardy wrote:
>
> Is tee a name we want to use for userspace syntax? It's not particulary
> descriptive for people who don't know what "tee" is, which I guess are
> quite a few.

Naming the thing "tee" was a conscious decision when I invented the it as an 
option to the ROUTE target back in 2004  - because it is a huge foot gun, and 
obscurity seemed appropriate.

best regards
  Patrick
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Friday 2015-06-19 15:17, Patrick Schaaf wrote:
>On Friday 19 June 2015 14:57:24 Patrick McHardy wrote:
>>
>> Is tee a name we want to use for userspace syntax? It's not particulary
>> descriptive for people who don't know what "tee" is, which I guess are
>> quite a few.
>
>Naming the thing "tee" was a conscious decision when I invented the it as an 
>option to the ROUTE target back in 2004  - because it is a huge foot gun, and 
>obscurity seemed appropriate.

Well, "clone" is the term that should be used if one really wants to
avoid "tee". But tee is now used for the kernel module and for the
iptables module, so out of consistency, you want the same in nft.

Besides, tee is inspired from /usr/bin/tee and therefore ought to be
rather well-known already: it's what people are usually learning in
the same chapter as cat(1) when they make their first steps in Shell.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On 19.06, Patrick Schaaf wrote:
> On Friday 19 June 2015 14:57:24 Patrick McHardy wrote:
> >
> > Is tee a name we want to use for userspace syntax? It's not particulary
> > descriptive for people who don't know what "tee" is, which I guess are
> > quite a few.
> 
> Naming the thing "tee" was a conscious decision when I invented the it as an 
> option to the ROUTE target back in 2004  - because it is a huge foot gun, and 
> obscurity seemed appropriate.

Yeah, but we're trying to have a descriptive language. Its not that
"duplicate" doesn't also sound dangerous.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On 19.06, Jan Engelhardt wrote:
> 
> On Friday 2015-06-19 15:17, Patrick Schaaf wrote:
> >On Friday 19 June 2015 14:57:24 Patrick McHardy wrote:
> >>
> >> Is tee a name we want to use for userspace syntax? It's not particulary
> >> descriptive for people who don't know what "tee" is, which I guess are
> >> quite a few.
> >
> >Naming the thing "tee" was a conscious decision when I invented the it as an 
> >option to the ROUTE target back in 2004  - because it is a huge foot gun, and 
> >obscurity seemed appropriate.
> 
> Well, "clone" is the term that should be used if one really wants to
> avoid "tee". But tee is now used for the kernel module and for the
> iptables module, so out of consistency, you want the same in nft.

We are free to use whatever we want in the nft syntax. There's no need
to use the kernel internal names.

> Besides, tee is inspired from /usr/bin/tee and therefore ought to be
> rather well-known already: it's what people are usually learning in
> the same chapter as cat(1) when they make their first steps in Shell.

I'm aware of that, but I don't think it is necessarily well known among
firewall admins. That was my whole point.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Fri, Jun 19, 2015 at 02:57:24PM +0200, Patrick McHardy wrote:
> On 19.06, Pablo Neira Ayuso wrote:
> > This allows you to clone packets to some destination, eg.
> > 
> > ... tee gateway 172.20.0.2
> > ... tee oifname tap0 gateway ip saddr map { 192.168.0.2 : 172.20.0.2, ... }
> 
> Is tee a name we want to use for userspace syntax? It's not particulary
> descriptive for people who don't know what "tee" is, which I guess are
> quite a few. Alternative suggestion of the top of my head would be "dup"
> or "duplicate".

I can do so, yes. Do you want to me rename the kernel part to
nft_dup.c as well? The core name can be net/netfilter/nf_dup.c instead
of net/netfilter/nf_tee.c

> > +struct tee_stmt {
> > +	struct expr		*gw;
> > +	const char		*oifname;
> 
> I'd suggest to use an expr as well to allow use of symbolic variables.
> BTW, have you considered using an ifindex? I mean, we do it for matches
> as well, and in case of tee its rather unlikely to be used with a
> dynamic network device.

Note sure about this, we now have tapX in place in VM environments
that can go up and down.

However, when implementing tee (now dup) for the new netdev and bridge
family we'll indicate the physical device to duplicate packets, it
should be good to allow the use ifindef if we want maps in place
there.

I think we can change to ifindex, if someone needs with ifname, we can
add it later on, OK?

> > +	reg1 = netlink_parse_register(nle, NFT_EXPR_TEE_SREG_GW);
> > +	if (reg1) {
> > +		addr = netlink_get_register(ctx, loc, reg1);
> > +		if (addr == NULL)
> > +			return netlink_error(ctx, loc,
> > +					     "TEE statement has no address "
> > +					     "expression");
> > +
> > +		if (ctx->table->handle.family == NFPROTO_IPV4)
> > +			expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
> > +		else
> > +			expr_set_type(addr, &ip6addr_type,
> > +				      BYTEORDER_BIG_ENDIAN);
> > +		stmt->tee.gw = addr;
> > +	}
> > +
> > +	if (nft_rule_expr_is_set(nle, NFT_EXPR_TEE_OIFNAME)) {
> > +		stmt->tee.oifname =
> > +			strdup(nft_rule_expr_get_str(nle, NFT_EXPR_TEE_OIFNAME));
> 
> Please use consistent braces, IOW none for single statements.

I'll do it, but I think it's unclear wrt. kernel netdev coding style,
since the line split can be considered as two lines.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On 19.06, Pablo Neira Ayuso wrote:
> On Fri, Jun 19, 2015 at 02:57:24PM +0200, Patrick McHardy wrote:
> > On 19.06, Pablo Neira Ayuso wrote:
> > > This allows you to clone packets to some destination, eg.
> > > 
> > > ... tee gateway 172.20.0.2
> > > ... tee oifname tap0 gateway ip saddr map { 192.168.0.2 : 172.20.0.2, ... }
> > 
> > Is tee a name we want to use for userspace syntax? It's not particulary
> > descriptive for people who don't know what "tee" is, which I guess are
> > quite a few. Alternative suggestion of the top of my head would be "dup"
> > or "duplicate".
> 
> I can do so, yes. Do you want to me rename the kernel part to
> nft_dup.c as well? The core name can be net/netfilter/nf_dup.c instead
> of net/netfilter/nf_tee.c

Would be fine with me, however I don't have as strong an opinion about
that as for the userspace syntax.

> > > +struct tee_stmt {
> > > +	struct expr		*gw;
> > > +	const char		*oifname;
> > 
> > I'd suggest to use an expr as well to allow use of symbolic variables.
> > BTW, have you considered using an ifindex? I mean, we do it for matches
> > as well, and in case of tee its rather unlikely to be used with a
> > dynamic network device.
> 
> Note sure about this, we now have tapX in place in VM environments
> that can go up and down.

Good point.

> However, when implementing tee (now dup) for the new netdev and bridge
> family we'll indicate the physical device to duplicate packets, it
> should be good to allow the use ifindef if we want maps in place
> there.
> 
> I think we can change to ifindex, if someone needs with ifname, we can
> add it later on, OK?

Yeah, that sound good to me. Perhaps we even have something that can take
care of all the ifindices until then.

> > > +	reg1 = netlink_parse_register(nle, NFT_EXPR_TEE_SREG_GW);
> > > +	if (reg1) {
> > > +		addr = netlink_get_register(ctx, loc, reg1);
> > > +		if (addr == NULL)
> > > +			return netlink_error(ctx, loc,
> > > +					     "TEE statement has no address "
> > > +					     "expression");
> > > +
> > > +		if (ctx->table->handle.family == NFPROTO_IPV4)
> > > +			expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
> > > +		else
> > > +			expr_set_type(addr, &ip6addr_type,
> > > +				      BYTEORDER_BIG_ENDIAN);
> > > +		stmt->tee.gw = addr;
> > > +	}
> > > +
> > > +	if (nft_rule_expr_is_set(nle, NFT_EXPR_TEE_OIFNAME)) {
> > > +		stmt->tee.oifname =
> > > +			strdup(nft_rule_expr_get_str(nle, NFT_EXPR_TEE_OIFNAME));
> > 
> > Please use consistent braces, IOW none for single statements.
> 
> I'll do it, but I think it's unclear wrt. kernel netdev coding style,
> since the line split can be considered as two lines.

For the kernel the coding style states to now use them for single statements.
This is what we also have in most places in nft.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Fri, Jun 19, 2015 at 03:41:29PM +0200, Patrick McHardy wrote:
> On 19.06, Pablo Neira Ayuso wrote:
> > On Fri, Jun 19, 2015 at 02:57:24PM +0200, Patrick McHardy wrote:
> > > On 19.06, Pablo Neira Ayuso wrote:
> > > > This allows you to clone packets to some destination, eg.
> > > > 
> > > > ... tee gateway 172.20.0.2
> > > > ... tee oifname tap0 gateway ip saddr map { 192.168.0.2 : 172.20.0.2, ... }
> > > 
> > > Is tee a name we want to use for userspace syntax? It's not particulary
> > > descriptive for people who don't know what "tee" is, which I guess are
> > > quite a few. Alternative suggestion of the top of my head would be "dup"
> > > or "duplicate".
> > 
> > I can do so, yes. Do you want to me rename the kernel part to
> > nft_dup.c as well? The core name can be net/netfilter/nf_dup.c instead
> > of net/netfilter/nf_tee.c
> 
> Would be fine with me, however I don't have as strong an opinion about
> that as for the userspace syntax.

I'll rename nft_tee.c to nft_dup.c for consistency.

> > > > +struct tee_stmt {
> > > > +	struct expr		*gw;
> > > > +	const char		*oifname;
> > > 
> > > I'd suggest to use an expr as well to allow use of symbolic variables.
> > > BTW, have you considered using an ifindex? I mean, we do it for matches
> > > as well, and in case of tee its rather unlikely to be used with a
> > > dynamic network device.
> > 
> > Note sure about this, we now have tapX in place in VM environments
> > that can go up and down.
> 
> Good point.
> 
> > However, when implementing tee (now dup) for the new netdev and bridge
> > family we'll indicate the physical device to duplicate packets, it
> > should be good to allow the use ifindef if we want maps in place
> > there.
> > 
> > I think we can change to ifindex, if someone needs with ifname, we can
> > add it later on, OK?
> 
> Yeah, that sound good to me. Perhaps we even have something that can take
> care of all the ifindices until then.

Will do so then.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Friday 2015-06-19 15:37, Patrick McHardy wrote:
>
>[...] I don't think [tee] is necessarily well known among
>firewall admins.

I think different.


TEE has been in iptables for a long time (a little over five years),
the manpage for it has the important keywords "clone" and "redirect"
in it, and there are sufficiently many blog posts and StackExchange
on the matter (including duplication), and has become an established
name, like masquerade - another symbolic-mnemonic name - once did.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

On Jun 19, 2015 4:14 PM, "Jan Engelhardt" <jengelh@inai.de> wrote:
>
>
> On Friday 2015-06-19 15:37, Patrick McHardy wrote:
> >
> >[...] I don't think [tee] is necessarily well known among
> >firewall admins.
>
> I think different.
>
>
> TEE has been in iptables for a long time (a little over five years),
> the manpage for it has the important keywords "clone" and "redirect"
> in it, and there are sufficiently many blog posts and StackExchange
> on the matter (including duplication), and has become an established
> name, like masquerade - another symbolic-mnemonic name - once did.

I agree. Tee is a historic name, and should be good reasons to change.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html