From: "Gerd v. Egidy" <lists@egidy.de>
To: Harald Welte <laforge@netfilter.org>,
netfilter-devel@lists.netfilter.org
Subject: Re: condition and 2.6
Date: Sun, 29 Feb 2004 15:28:01 +0100 [thread overview]
Message-ID: <200402291528.01679.lists@egidy.de> (raw)
In-Reply-To: <20040229110711.GJ7790@sunbeam.de.gnumonks.org>
> This comment is meant as:
>
> "Since nobody provided us with a 2.6.x port yet, and I have very limited
> time for such porting, and I personnaly dislike the condition match
> anyway, I marked it as 2.4.x only - since the 2.4.x patch doesn't work
> for 2.6.x"
Thank you for the clarification.
> > What do you dislike? Is it the idea or the implementation? Do you know of
> > any bugs or possible problems in the code - especially with 2.6?
>
> The idea of having /proc files control how the ruleset behaves. This is
> an ugly kludge for our less-than-optimal ruleset change performance.
> Apart from that I cannot really see why this has to be solved in the
> kernel and not by some userspace daemon that updates the ruleset
> whenever a change is needed.
I don't mind that much about ruleset change speed. The different conditions
for my firewall are changed by different scripts and I can't make sure that
only one is running at a time. So I fear a race like this:
Program 1: iptc_init
Program 2: iptc_init
Program 1: modify rule A
Program 2: modify rule B
Program 1: iptc_commit
Program 2: iptc_commit
As far as I understand the libiptc code, the result will be that the changes
done by program 1 will be lost. Is that correct or have I misunderstood the
code?
The condition module offers a lot more atomicity and I can be sure that two
scripts don't interfere with each other.
Kind regards,
Gerd
next prev parent reply other threads:[~2004-02-29 14:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-02-29 1:10 condition and 2.6 Gerd v. Egidy
2004-02-29 11:07 ` Harald Welte
2004-02-29 14:05 ` Willy Tarreau
2004-02-29 14:28 ` Gerd v. Egidy [this message]
2004-02-29 20:56 ` Harald Welte
2004-02-29 22:14 ` Gerd v. Egidy
2004-03-01 6:30 ` Henrik Nordstrom
2004-03-01 7:40 ` Philip Craig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200402291528.01679.lists@egidy.de \
--to=lists@egidy.de \
--cc=gerd@egidy.de \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.