From: Peter Gordon <peter@pg-consultants.com>
To: Bart De Schuymer <bdschuym@pandora.be>
Cc: Jan Engelhardt <jengelh@medozas.de>, netfilter-devel@vger.kernel.org
Subject: Re: Modifying ebtables to read the commands from a file
Date: Wed, 31 Mar 2010 10:23:54 +0300 [thread overview]
Message-ID: <1270020234.2792.11.camel@qed> (raw)
In-Reply-To: <4BAF7917.2030207@pandora.be>
Thanks for the reply.
The counters are not particularly interesting in my application, so that
isn't a problem.
ebtables-restore replaces the rules atomically. There are two meanings
in this context to "atomic".
a) The old ruleset is deleted, and after, the new ruleset is applied
atomically, at a single instant in time.
or
b) The old ruleset is deleted and replaced by the new ruleset as one
action - with no time gap between them.
Peter
On Sun, 2010-03-28 at 17:43 +0200, Bart De Schuymer wrote:
> Jan Engelhardt schreef:
> > On Sunday 2010-03-28 12:07, Peter Gordon wrote:
> >
> >
> >> I need to add a number of rules to the ebtables and I cannot afford the
> >> fork overhead for each line.
> >>
> >
> > The larger part of the overhead is due to the tables recomputed (dumped,
> > rule added, restored) every time you call it. That's why one should use
> > xx-restore.
> >
> >
> >> So what I want to do is to read each line
> >>
> > >from a file and have the program iterate over the file.
> >
> >> ebtables-save and ebtables-restore is not good enough for my
> >> application, because I can't add rules incrementally.
> >>
> >
> > Dump the rules with ebtables-save to a buffer, add your rules,
> > and use -restore. That's sort of incrementally, and the fastest
> > way to put a ruleset in atomic fashion into place.
> >
> That's indeed the easiest way to do it. The only problem is that the
> counters of already existing rules won't always be correct because
> packets will traverse the chains between the -save and -restore time.
> It's probably not so hard to alter ebtables-restore to keep the counters
> correct.
> A few years ago I experimented with an ebtables 'daemon' that would run
> in the background and commands could be sent to it through a pipe. This
> has the advantage that the distinction between added and already
> existing rules is maintained, enabling correct counters. The changed
> table is updated in userspace and only committed to the kernel when a
> specific command is given. See ebtablesd.c and ebtablesu.c for the code.
> Performance tests are available in examples/perf_test/perf_test. I'm not
> maintaining these files for free, though.
>
> cheers,
> Bart
>
next prev parent reply other threads:[~2010-03-31 7:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-28 10:07 Modifying ebtables to read the commands from a file Peter Gordon
2010-03-28 13:00 ` Jan Engelhardt
2010-03-28 15:43 ` Bart De Schuymer
2010-03-31 7:23 ` Peter Gordon [this message]
2010-03-31 11:45 ` Bart De Schuymer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1270020234.2792.11.camel@qed \
--to=peter@pg-consultants.com \
--cc=bdschuym@pandora.be \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.