RHEL-108861

nftables: Name-based flowtable hooks (with wildcard support)


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-10.2
    • nftables
    • rhel-net-firewall
    • NST-firewall-25W32-35, NST-firewall-25W36-39, NST-firewall-25W40-43, NST-firewall-25W48-51, NST-firewall-25W52-26W3
    • Feature
      Feature, enhancement: Name-based netdev hooks with wildcard support
      Reason: Previously, nftables in kernel would immediately bind to each specified interface when adding a flowtable or netdev-family chain. A non-existing interface would fail the transaction. Removing an interface (e.g. via driver unload or hardware unplug) would remove matching interface specs from flowtables and even delete whole netdev-family chains bound to it.
      Result: With this combined feature in kernel and nftables package, defined rulesets remain stable irrespective of interface presence. Hooks for non-existing interfaces are accepted, remain inactive and matching interfaces are bound at the time they appear in the system. The currently active hooks may be inspected via 'nft list hooks' command. This dynamic registration opened the possibility to accept simple interface (suffix) wildcards, used to bind a flowtable or netdev-family chain to any matching interface.

      Goal

      • See epic.

      Acceptance criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • See epic.

              Phil Sutter (psutter@redhat.com)
              Jiri Peska