From: Patrick McHardy <kaber@trash.net>
To: Andreas Herz <andi@geekosphere.org>
Cc: netfilter@vger.kernel.org
Subject: Re: [ANNOUNCE]: Release of nftables 0.099
Date: Tue, 21 Jan 2014 12:49:07 +0000
Message-ID: <20140121124907.GA32383@macbook.localnet>
In-Reply-To: <20140121124340.GT5409@kvmbude>

On Tue, Jan 21, 2014 at 01:43:40PM +0100, Andreas Herz wrote:
> On 21/01/14 at 12:32, Patrick McHardy wrote:
> > > 
> > > > Timeouts shouldn't be that hard as well, but I would need to think about
> > > > this some more, I'd prefer not to add struct timer_lists everywhere.
> > > 
> > > That sounds like it rather won't come into nftables code. So what would
> > > be the suggestion?
> > 
> > I'm not saying this, I merely want to check how to do this with as little
> > waste as possible. Some possibilities are:
> 
> So it's better to just wait some time to see how it will go on :) That's
> fine, too.

Yeah. At least the dynamic updates are quite likely to happen soon.

> > - add a new set feature flag and only implement it for those types. Downside
> >   is code duplication.
> > 
> > - somehow trigger removal from outside the set. Downside is memory waste
> >   since we'd need to store the elements twice.
> > 
> > - use dynamic sized structures and add the timer at the end. Problem is that
> >   we're in some cases already using optional members at the end, so it would
> >   complicate the code a bit.
> 
> I see that all three possibilities are far from perfect :/

Well, all have some downsides, but I guess it's something people will want
to have, otherwise Jozsef wouldn't have added it, so we'll find a way.

> > > Or asking more specific, what would be the suggested way to add special
> > > features needed for some scenarios?
> > > For example, how would you port modules like portscan or others from
> > > xtables-addons to nftables.
> > > Integrate it or port it to be used as an addon.
> > 
> > The preferred way would be to identify the required primitives and build
> > it from a set of lower level expressions if possible. An alternative would
> > be to use the compat expression or just add a native portscan expression.
> 
> Is there more information available for the compat expression or how to
> add such a native expression (or at least planned, since it's quite
> early and I can understand that there are other major issues first)?

The compat expression simply uses x_tables modules. We don't support it
in nftables userspace, but you should find enough information in the
iptables-nftables compatibility layer.

For native expressions, just have a look at any of the existing ones.
