From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, arturo.borrero.glez@gmail.com
Subject: Re: [PATCH nf-next 3/3 v2] netfilter: nf_tables: export rule-set generation ID
Date: Fri, 12 Sep 2014 09:47:46 +0200
Message-ID: <20140912074746.GA4580@salvia>
In-Reply-To: <20140911173531.GI7600@acer.localdomain>

On Thu, Sep 11, 2014 at 06:35:35PM +0100, Patrick McHardy wrote:
> On Thu, Sep 11, 2014 at 07:22:10PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Sep 11, 2014 at 06:57:31PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Sep 11, 2014 at 05:45:58PM +0100, Patrick McHardy wrote:
> > > > >
> > > > > Right, I can put the genid notification in a different nfnetlink
> > > > > multicast group (NFNLGRP_NFTABLES_GENID) to avoid false positives if
> > > > > you like the idea, we have plenty of spare groups.
> > > >
> > > > I don't think that's a really good idea since the ordering between the
> > > > rule notifications and the commit notification wouldn't be reliable.
> > > > Same thing is probably true for state notifications, not entirely
> > > > sure yet if they could reasonably be sent to a different group.
> > >
> > > Indeed, we have to stick to one single group.
> >
> > Oh, you can subscribe to several groups from one single socket. So you
> > get them notifications in order. IIRC, the grouping just provides a
> > way to filter out what you don't want to listen.
> >
>
> Correct, but at that point we're back to square one because we don't
> know why the error originated :)

Right. I'm considering the (likely spamming) stateful notifications
that we'll have at some point. Those we can put them in
NFNLGRP_NFTABLES_STATES or something similar. So we leave
NFNLGRP_NFTABLES for rule-set updates only (including the genid
notification, of course).