How to get rule with attributes NFT_META_IIF #1120

tsv1991 · 2023-08-11T16:03:16Z

tsv1991
Aug 11, 2023

Hi everybody.
I have this rule:

    {
      "rule": {
        "family": "inet",
        "table": "forwarding",
        "chain": "POLICER",
        "handle": 4,
        "expr": [
          {
            "match": {
              "op": "==",
              "left": {
                "meta": {
                  "key": "oif"
                }
              },
              "right": "br100"
            }
          },
          {
            "limit": {
              "rate": 125,
              "burst": 18,
              "per": "second",
              "rate_unit": "mbytes",
              "burst_unit": "mbytes"
            }
          },
          {
            "counter": {
              "packets": 3382,
              "bytes": 417181
            }
          },

When I do rules = nft.get_rules(), I get:
{'nfgen_family': 1, 'version': 0, 'res_id': 236, 'attrs': [('NFTA_RULE_TABLE', 'prerouting'), ('NFTA_RULE_CHAIN', 'POLICER'), ('NFTA_RULE_HANDLE', 4), ('NFTA_RULE_EXPRESSIONS', [{'attrs': [('NFTA_EXPR_NAME', 'meta'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_META_KEY', 'NFT_META_IIF'), ('NFTA_META_DREG', 'NFT_REG_1')]})]}, {'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_CMP_SREG', 'NFT_REG_1'), ('NFTA_CMP_OP', 'NFT_CMP_EQ'), ('NFTA_CMP_DATA', {'attrs': [('NFTA_DATA_VALUE', b'\x03\x00\x00\x00')]})]})]}, {'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_COUNTER_BYTES', 3904398), ('NFTA_COUNTER_PACKETS', 48244)]})]}, {'attrs': [('NFTA_EXPR_NAME', 'immediate'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_IMMEDIATE_DREG', 'NFT_REG_VERDICT'), ('NFTA_IMMEDIATE_DATA', {'attrs': [('NFTA_DATA_VERDICT', {'attrs': [('NFTA_VERDICT_CODE', 'NF_ACCEPT')]})]})]})]}])], 'header': {'length': 236, 'type': 2566, 'flags': 2050, 'sequence_number': 255, 'pid': 3497, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}}

How can I get a meta oif? I want to get br100 is a result.

svinota · 2023-08-14T10:08:16Z

svinota
Aug 14, 2023
Maintainer

With nft.get_rules() you get a list of rules to iterate. When it gets to a particular rule, you can simply use x.get(spec), where spec is either a string to get a first level attribute, like x.get('nfgen_family'), or a tuple to get from 1 to K level attribute, for example:

meta_key = x.get(('NFTA_RULE_EXPRESSIONS', 'NFTA_EXPR_DATA', 'NFTA_META_KEY'))`

I hope this helps. If not, don't hesitate to ask.

0 replies

tsv1991 · 2023-08-15T18:42:34Z

tsv1991
Aug 15, 2023
Author

Thank you for your help, but I can't.
I have nftables config like this:

# ip netns exec dataplane nft list ruleset
table inet forwarding {
	chain POLICER {
		type filter hook forward priority filter; policy drop;
		oif "br3099999" counter packets 0 bytes 0 accept
		meta mark 0x00000064 counter packets 0 bytes 0 accept
	}
}
table inet prerouting {
	chain POLICER {
		type filter hook prerouting priority mangle; policy drop;
		iif "ens16" counter packets 336411 bytes 21892004 accept
		iif "ens17" counter packets 339405 bytes 21531386 accept
		iif "internet" counter packets 53274 bytes 2129581 accept
		ip daddr @INTERNAL_LIST-V4 ip saddr @INTERNAL_LIST-V4 counter packets 0 bytes 0 meta mark set 0x00000064 accept
		ip6 daddr @INTERNAL_LIST-V6 ip6 saddr @INTERNAL_LIST-V6 counter packets 0 bytes 0 meta mark set 0x00000064 accept
		iif "br3099999" counter packets 53274 bytes 2129581 accept
	}
}

I need find all rules handle with iif or oof br3099999. And next I want to delete this rules by received handle.

This record iif "br3099999" counter packets 53274 bytes 2129581 accept has handle number 9.

When I do get_rules(), I get:

{
	'nfgen_family': 1,
	'version': 0,
	'res_id': 136,
	'attrs': [('NFTA_RULE_TABLE', 'prerouting'), ('NFTA_RULE_CHAIN', 'POLICER'), ('NFTA_RULE_HANDLE', 9), ('NFTA_RULE_POSITION', 8), ('NFTA_RULE_EXPRESSIONS', [{
		'attrs': [('NFTA_EXPR_NAME', 'meta'), ('NFTA_EXPR_DATA', {
			'attrs': [('NFTA_META_KEY', 'NFT_META_IIF'), ('NFTA_META_DREG', 'NFT_REG_1')]
		})]
	}, {
		'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {
			'attrs': [('NFTA_CMP_SREG', 'NFT_REG_1'), ('NFTA_CMP_OP', 'NFT_CMP_EQ'), ('NFTA_CMP_DATA', {
				'attrs': [('NFTA_DATA_VALUE', b '\x05\x00\x00\x00')]
			})]
		})]
	}, {
		'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {
			'attrs': [('NFTA_COUNTER_BYTES', 2129581), ('NFTA_COUNTER_PACKETS', 53274)]
		})]
	}, {
		'attrs': [('NFTA_EXPR_NAME', 'immediate'), ('NFTA_EXPR_DATA', {
			'attrs': [('NFTA_IMMEDIATE_DREG', 'NFT_REG_VERDICT'), ('NFTA_IMMEDIATE_DATA', {
				'attrs': [('NFTA_DATA_VERDICT', {
					'attrs': [('NFTA_VERDICT_CODE', 'NF_ACCEPT')]
				})]
			})]
		})]
	}])],
	'header': {
		'length': 248,
		'type': 2566,
		'flags': 2050,
		'sequence_number': 255,
		'pid': 4515,
		'error': None,
		'target': 'localhost',
		'stats': Stats(qsize = 0, delta = 0, delay = 0)
	}
}

Next step I try do meta_key = rule.get(('NFTA_RULE_EXPRESSIONS', 'NFTA_EXPR_DATA', 'NFTA_META_KEY')) and get:

None
None
None
None
None
None
None
None

meta_key = rule.get(('NFTA_RULE_EXPRESSIONS', 'NFTA_EXPR_DATA')) - gives the same result
meta_key = rule.get(('NFTA_RULE_EXPRESSIONS')) - gives:

[{
	'attrs': [('NFTA_EXPR_NAME', 'meta'), ('NFTA_EXPR_DATA', {
		'attrs': [('NFTA_META_KEY', 'NFT_META_IIF'), ('NFTA_META_DREG', 'NFT_REG_1')]
	})]
}, {
	'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {
		'attrs': [('NFTA_CMP_SREG', 'NFT_REG_1'), ('NFTA_CMP_OP', 'NFT_CMP_EQ'), ('NFTA_CMP_DATA', {
			'attrs': [('NFTA_DATA_VALUE', b '\x05\x00\x00\x00')]
		})]
	})]
}, {
	'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {
		'attrs': [('NFTA_COUNTER_BYTES', 2129581), ('NFTA_COUNTER_PACKETS', 53274)]
	})]
}, {
	'attrs': [('NFTA_EXPR_NAME', 'immediate'), ('NFTA_EXPR_DATA', {
		'attrs': [('NFTA_IMMEDIATE_DREG', 'NFT_REG_VERDICT'), ('NFTA_IMMEDIATE_DATA', {
			'attrs': [('NFTA_DATA_VERDICT', {
				'attrs': [('NFTA_VERDICT_CODE', 'NF_ACCEPT')]
			})]
		})]
	})]
}]```

as a list.

I still can't figure out how to get the value of NFT_META_IIF and NFT_META_OIF.

0 replies

svinota · 2023-08-16T07:35:45Z

svinota
Aug 16, 2023
Maintainer

What library version do you use?

0 replies

tsv1991 · 2023-08-16T12:07:12Z

tsv1991
Aug 16, 2023
Author

@svinota
pyroute2 0.7.9

0 replies

svinota · 2023-08-16T12:29:34Z

svinota
Aug 16, 2023
Maintainer

Thanks a lot. Let me reproduce your config on a VM and I will return to you tomorrow.

0 replies

tsv1991 · 2023-08-16T12:35:05Z

tsv1991
Aug 16, 2023
Author

Thank you! If you need preconfigured VM for testing just let me know.

0 replies

svinota · 2023-08-18T16:25:45Z

svinota
Aug 18, 2023
Maintainer

Sorry for the wait.

The issue was that there are many expressions within one rule. Here is an example code:

import struct
from pyroute2.nftables.main import NFTables
from pyroute2 import NDB


def get_cmp_eq(rule, ndb):
    nft_reg = None  # register to look
    nft_key = None  # the key type
    nft_data = None  # the cmp data
    expr_name = None  # expression type -- meta, cmp, counter, immediate...

    # iterate all the expression in a rule
    for expression in rule.get('NFTA_RULE_EXPRESSIONS'):
        expr_name = expression.get('NFTA_EXPR_NAME')
        if expr_name == 'meta':
            nft_key = expression.get(('NFTA_EXPR_DATA', 'NFTA_META_KEY'))
            nft_reg = expression.get(('NFTA_EXPR_DATA', 'NFTA_META_DREG'))
        if expr_name == 'cmp':
            # load only NFT_CMP_EQ ( == ) operations data
            if (
                expression.get(('NFTA_EXPR_DATA', 'NFTA_CMP_SREG')) == nft_reg
                and expression.get(('NFTA_EXPR_DATA', 'NFTA_CMP_OP')) == 'NFT_CMP_EQ'
            ):
                nft_data = expression.get(
                    ('NFTA_EXPR_DATA', 'NFTA_CMP_DATA', 'NFTA_DATA_VALUE')
                )

    # nft returns interface index in NFT_META_IIF and NFT_META_OIF
    if nft_key in ('NFT_META_IIF', 'NFT_META_OIF'):
        # decode the index
        if_index = struct.unpack('I', nft_data)[0]
        # lookup the NDB
        nft_data = ndb.interfaces[if_index]['ifname']

    return (nft_key, nft_data)


with NDB() as ndb, NFTables() as nft:
    for rule in nft.get_rules():
        print(get_cmp_eq(rule, ndb))

And here is how it works:

$ sudo python e1120.py 
('NFT_META_OIF', 'br3099999')
('NFT_META_MARK', b'd\x00\x00\x00')
('NFT_META_IIF', 'eth0')
('NFT_META_IIF', 'eth1')
('NFT_META_IIF', 'br3099999')

on a slightly simplified ruleset:

table ip forwarding {
        chain POLICER {
                type filter hook forward priority filter; policy accept;
                oif "br3099999" counter packets 0 bytes 0 accept
                meta mark 0x00000064 counter packets 0 bytes 0 accept
        }
}
table ip prerouting {
        chain POLICER {
                type filter hook prerouting priority mangle; policy accept;
                iif "eth0" counter packets 359944 bytes 24323541 accept
                iif "eth1" counter packets 339405 bytes 21531386 accept
                iif "br3099999" counter packets 53274 bytes 2129581 accept
        }
}

0 replies

tsv1991 · 2023-08-21T14:14:14Z

tsv1991
Aug 21, 2023
Author

Hi! Sorry for long time answer. We should was do some tests. We see two problems:

The code doesn't work, we get empty returns (we're trying to figure it out). Payload for forwarding (prerouting is same) https://gist.github.com/tsv1991/129e124fbcd1c07ae4ba1c12a0ec3a33
The code is so slowly. We have 1000 interfaces and 2000 rules (2 rules per interface, one in the prerouting and one in the forwarding) and search lasts 21 secs. We use this module: https://git.netfilter.org/nftables/tree/py/src and it do search about 0.15-0.2 sec under the same conditions.

0 replies

svinota · 2023-08-21T15:26:11Z

svinota
Aug 21, 2023
Maintainer

Indeed it might be a good idea to provide a pre-configured VM, so we will be in synced environments. So if you can share a qemu/kvm image with me, I would use it for prototyping. Thus we will avoid inconsistent test results.

Regarding the performance — it is possible to use specific parsers for particular requests, that will match binary protocol data instead of decoding & comparing, and then the code will decode only particular fields.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to get rule with attributes NFT_META_IIF #1120

{{title}}

Replies: 9 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How to get rule with attributes NFT_META_IIF #1120

tsv1991 Aug 11, 2023

Replies: 9 comments

svinota Aug 14, 2023 Maintainer

tsv1991 Aug 15, 2023 Author

svinota Aug 16, 2023 Maintainer

tsv1991 Aug 16, 2023 Author

svinota Aug 16, 2023 Maintainer

tsv1991 Aug 16, 2023 Author

svinota Aug 18, 2023 Maintainer

tsv1991 Aug 21, 2023 Author

svinota Aug 21, 2023 Maintainer

tsv1991
Aug 11, 2023

svinota
Aug 14, 2023
Maintainer

tsv1991
Aug 15, 2023
Author

svinota
Aug 16, 2023
Maintainer

tsv1991
Aug 16, 2023
Author

svinota
Aug 16, 2023
Maintainer

tsv1991
Aug 16, 2023
Author

svinota
Aug 18, 2023
Maintainer

tsv1991
Aug 21, 2023
Author

svinota
Aug 21, 2023
Maintainer