From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: [PATCH] netfilter: nf_tables: fix rule batch with anonymous set and module autoload
Date: Sun, 16 Feb 2014 10:44:09 +0000
Message-ID: <20140216104409.GB28646@macbook.localnet>
References: <1392377228-3748-1-git-send-email-pablo@netfilter.org> <20140214113755.GC19082@macbook.localnet> <20140214123411.GA4422@localhost> <20140215093822.GB3815@macbook.localnet> <20140216103335.GA4499@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso
Return-path:
Received: from stinky.trash.net ([213.144.137.162]:38752 "EHLO stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751040AbaBPKoM (ORCPT ); Sun, 16 Feb 2014 05:44:12 -0500
Content-Disposition: inline
In-Reply-To: <20140216103335.GA4499@localhost>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

On Sun, Feb 16, 2014 at 11:33:35AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 15, 2014 at 09:38:23AM +0000, Patrick McHardy wrote:
> > >
> > > The set definition and the elements need to be included in the lookup
> > > expression for anonymous sets, can you think of any better solution?
> >
> > I think we can use some identifiers generated by userspace to tie them
> > both together. Something like a unique numeric identifier (unique within
> > the transaction).
>
> That can be done, but I don't see why we allow the creation of
> anonymous sets out of the scope of a rule since:
>
> * They can only be used by one single rule.
> * You cannot update them by adding/deleting elements.
>
> The current API allows creating an anonymous set that can be left
> unused. I think we should only allow the creation of non-anonymous
> sets via NFT_MSG_NEWSET at some point.
The two main reasons are:

- it keeps the API simpler
- members might not fit into a single message and currently we can keep
  adding members as long as the set is not bound

I don't think we should change this. It actually also is possible to use
anonymous sets with more than one rule, just nft doesn't provide a way to
do it. The definition of an anonymous set is (anonymous isn't the best name)
a set that is automatically destroyed once the last rule unbinds. The fact
that we don't allow to use them in multiple rules is purely internal to nft.

On a general note, nft is just meant to be *one* frontend, there's no reason
why someone else couldn't write a different one more suitable for a specific
purpose. F.i. a simple embedded system might only use tuples of
(dst,proto,port) and use a hash for the lookup.
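The lifetime rules argued over in this thread (an anonymous set created by NFT_MSG_NEWSET that is referenced by a batch-unique id, fed elements over several messages while unbound, bound by one or more rules' lookup expressions, and destroyed when the last rule unbinds) are small enough to model in a few dozen lines. The C below is an added illustration written for this archive page; it is not nf_tables kernel code, not nft, and not anything posted in the thread. The message function names, the numeric set id, the error codes and the table sizes are assumptions made for the model.

```c
/* Toy model of anonymous-set lifetime in an nf_tables-style batch.
 * Added illustration only; names, ids and error codes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SETS  8
#define MAX_ELEMS 16
#define MAX_RULES 8

/* Hypothetical outcomes; the real kernel returns errno values. */
enum { OK = 0, ERR_NOENT = -1, ERR_BUSY = -2, ERR_EXIST = -3, ERR_NOSPC = -4 };

struct set {
    int active;
    int anonymous;        /* destroyed automatically when the last rule unbinds */
    uint32_t id;          /* userspace-chosen id, unique within the batch (assumption) */
    int bindings;         /* rules whose lookup expression currently binds this set */
    uint32_t elems[MAX_ELEMS];
    int nelems;
};

struct rule { int active; int set_slot; };   /* set referenced by the lookup expr */
struct table { struct set sets[MAX_SETS]; struct rule rules[MAX_RULES]; };

static int set_slot_by_id(const struct table *t, uint32_t id)
{
    for (int i = 0; i < MAX_SETS; i++)
        if (t->sets[i].active && t->sets[i].id == id)
            return i;
    return -1;
}

int set_exists(const struct table *t, uint32_t id) { return set_slot_by_id(t, id) >= 0; }

/* NFT_MSG_NEWSET: created unbound; later messages in the batch refer to it
 * by id, which is what lets elements arrive before any rule binds it. */
int msg_newset(struct table *t, uint32_t id, int anonymous)
{
    if (set_slot_by_id(t, id) >= 0)
        return ERR_EXIST;
    for (int i = 0; i < MAX_SETS; i++) {
        if (!t->sets[i].active) {
            memset(&t->sets[i], 0, sizeof(t->sets[i]));
            t->sets[i].active = 1;
            t->sets[i].anonymous = anonymous;
            t->sets[i].id = id;
            return OK;
        }
    }
    return ERR_NOSPC;
}

/* NFT_MSG_NEWSETELEM: members may be added to an anonymous set, across any
 * number of messages, only while it is still unbound. */
int msg_newsetelem(struct table *t, uint32_t id, uint32_t elem)
{
    int s = set_slot_by_id(t, id);
    if (s < 0)
        return ERR_NOENT;
    if (t->sets[s].anonymous && t->sets[s].bindings > 0)
        return ERR_BUSY;
    if (t->sets[s].nelems == MAX_ELEMS)
        return ERR_NOSPC;
    t->sets[s].elems[t->sets[s].nelems++] = elem;
    return OK;
}

/* NFT_MSG_NEWRULE whose lookup expression references set `id`: binds it.
 * Nothing here limits an anonymous set to one rule; that limit lives in nft.
 * Returns the rule slot, or a negative error. */
int msg_newrule(struct table *t, uint32_t id)
{
    int s = set_slot_by_id(t, id);
    if (s < 0)
        return ERR_NOENT;
    for (int i = 0; i < MAX_RULES; i++) {
        if (!t->rules[i].active) {
            t->rules[i].active = 1;
            t->rules[i].set_slot = s;
            t->sets[s].bindings++;
            return i;
        }
    }
    return ERR_NOSPC;
}

/* NFT_MSG_DELRULE: unbind; an anonymous set goes away with its last binding,
 * a named set stays. */
int msg_delrule(struct table *t, int rule_slot)
{
    if (rule_slot < 0 || rule_slot >= MAX_RULES || !t->rules[rule_slot].active)
        return ERR_NOENT;
    struct set *set = &t->sets[t->rules[rule_slot].set_slot];
    t->rules[rule_slot].active = 0;
    if (--set->bindings == 0 && set->anonymous)
        set->active = 0;
    return OK;
}

/* Drives the lifecycle from the thread with constructed ids and elements.
 * Returns 0 when every step behaves as modelled, else the failing step. */
int run_scenario(void)
{
    struct table t;
    memset(&t, 0, sizeof(t));
    if (msg_newset(&t, 1, 1) != OK) return 1;                    /* anonymous set id 1 */
    if (msg_newsetelem(&t, 1, 80) != OK || msg_newsetelem(&t, 1, 443) != OK) return 2;
    int r1 = msg_newrule(&t, 1), r2 = msg_newrule(&t, 1);         /* two bindings */
    if (r1 < 0 || r2 < 0) return 3;
    if (msg_newsetelem(&t, 1, 8080) != ERR_BUSY) return 4;        /* bound: no updates */
    if (msg_delrule(&t, r1) != OK || !set_exists(&t, 1)) return 5; /* still bound by r2 */
    if (msg_delrule(&t, r2) != OK || set_exists(&t, 1)) return 6;  /* last unbind destroys */
    if (msg_newset(&t, 2, 0) != OK || msg_newrule(&t, 2) != 0) return 7; /* named set */
    if (msg_delrule(&t, 0) != OK || !set_exists(&t, 2)) return 8;  /* named set survives */
    return 0;
}

int main(void) { printf("scenario result: %d\n", run_scenario()); return 0; }
```

The model keeps the two properties the thread disagrees about separate: binding count is what decides an anonymous set's lifetime, and the one-rule restriction is nowhere in it, matching the statement that the restriction is internal to nft rather than part of the kernel API.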