From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH] extensions: libxt_statistic: Complete nft translator
Date: Wed, 15 Mar 2017 12:01:27 +0100
Message-ID: <20170315110127.GA20691@salvia>
In-Reply-To: <20170314141112.GA17939@orbyte.nwl.cc>

On Tue, Mar 14, 2017 at 03:11:12PM +0100, Phil Sutter wrote:
> On Mon, Mar 13, 2017 at 05:53:53PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Mar 13, 2017 at 05:01:53PM +0100, Phil Sutter wrote:
> > [...]
> > > The nftables numgen expression works differently:
> >
> > Phil, if you think we need a 1:1 mapping so iptables users moving to
> > nftables don't get confused, I'll be fine to take an update to
> > nft_numgen so we accommodate a new NFT_NG_PROBABILISTIC mode or so.
>
> Well, implementing the translator wasn't exactly trivial, but in general
> I don't think numgen is particularly hard to use. Of course an explicit
> probability mode might make things easier, but then I guess it wouldn't
> fit into the LHS/RHS scheme anymore.

Right, we would need a specific statement for this.

Question is how useful this can be as a statement. The use cases I found
for this are:

1) Load balancing, which is already covered by numgen via maps.
2) Simulate packet loss.

With a statement we could combine this probability thing with flow
tables, but still I wonder how useful it can be to match packets using
probability at a per-flow level, a.k.a. hashprobability.

Florian already sent a patch to add an alias for this [1], problem is
that this breaks symmetry between what we add to the kernel and what we
may get, and that is going to break the rule deletion by description.

Just a brain dump on this in case anyone wants to spend jiffies on
this.

[1] https://patchwork.ozlabs.org/patch/591534/

Thread overview (5+ messages):
2017-03-13 16:01 [iptables PATCH] extensions: libxt_statistic: Complete nft translator Phil Sutter
2017-03-13 16:53 ` Pablo Neira Ayuso
2017-03-14 14:11 ` Phil Sutter
2017-03-15 11:01 ` Pablo Neira Ayuso [this message]
2017-03-22 13:27 ` Pablo Neira Ayuso