From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <ffmancera@riseup.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2 nf-next] netfilter: nf_tables: Introduce stateful object update operation
Date: Wed, 21 Aug 2019 12:09:05 +0200
Message-ID: <20190821100905.GX2588@breakpoint.cc>
In-Reply-To: <20190821094420.866-1-ffmancera@riseup.net>
Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> This patch adds the infrastructure needed for the stateful object update
> support.
>
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> ---
> include/net/netfilter/nf_tables.h | 6 +++
> net/netfilter/nf_tables_api.c | 71 ++++++++++++++++++++++++++++---
> 2 files changed, 70 insertions(+), 7 deletions(-)
>
> diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
> index dc301e3d6739..dc4e32040ea9 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -1123,6 +1123,9 @@ struct nft_object_ops {
> int (*dump)(struct sk_buff *skb,
> struct nft_object *obj,
> bool reset);
> + int (*update)(const struct nft_ctx *ctx,
> + const struct nlattr *const tb[],
> + struct nft_object *obj);
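Review bot: the new update member added to struct nft_object_ops carries no statement of its contract. Say next to the declaration whether the callback is optional and whether it may modify obj when called from the request path; if object types may leave it unset, the caller needs a NULL check that returns an error before invoking obj->ops->update().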
maybe add a 'bool commit' argument here.
> + err = obj->ops->update(ctx, (const struct nlattr * const *)tb, obj);
Then, set it to 'false' here.
You would have to keep 'tb' allocated and place it on the 'trans'
object.
> + nft_trans_obj_update(trans) = true;
nft_trans_obj_update_tb(trans) = tb;
> - nft_clear(net, nft_trans_obj(trans));
> - nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
> - NFT_MSG_NEWOBJ);
> - nft_trans_destroy(trans);
> + if (nft_trans_obj_update(trans)) {
	nft_trans_obj(trans)->ops->update(&trans->ctx,
					  nft_trans_obj_update_tb(trans),
					  nft_trans_obj(trans),
					  true);
	kfree(nft_trans_obj_update_tb(trans));

Because otherwise we will update objects while we're not yet sure that
we can process/handle the entire batch.
I think we should, if possible, only update once we've made it to
the commit phase.
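
The validate-first, apply-at-commit ordering suggested in the reply above, as an added userspace sketch that is not part of the original message or of the kernel patch. quota_update(), run_batch(), the struct names and the rule that a limit of 0 is invalid are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct quota_obj { uint64_t limit; };

/* Hypothetical names; new_limit stands in for the 'tb' kept on the trans object. */
struct trans { struct quota_obj *obj; uint64_t new_limit; };

/* commit == false: validate only, obj stays untouched.
 * commit == true: apply; cannot fail because validation already passed. */
static int quota_update(struct quota_obj *obj, uint64_t new_limit, bool commit)
{
	if (!commit)
		return new_limit == 0 ? -EINVAL : 0; /* assumed rule: 0 is invalid */
	obj->limit = new_limit;
	return 0;
}

/* Validate every entry of the batch first; apply only if all of them passed. */
static int run_batch(struct trans *batch, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int err = quota_update(batch[i].obj, batch[i].new_limit, false);
		if (err < 0)
			return err; /* abort: no object has been modified */
	}
	for (size_t i = 0; i < n; i++)
		quota_update(batch[i].obj, batch[i].new_limit, true);
	return 0;
}

/* Constructed batch; pass second_limit = 0 to make the second update fail.
 * Returns the first object's limit after the batch was processed. */
static uint64_t first_limit_after_batch(uint64_t second_limit)
{
	struct quota_obj a = { 100 }, b = { 200 };
	struct trans batch[] = { { &a, 500 }, { &b, second_limit } };
	run_batch(batch, 2);
	return a.limit;
}

int main(void)
{
	printf("bad batch:  %llu\n", (unsigned long long)first_limit_after_batch(0));
	printf("good batch: %llu\n", (unsigned long long)first_limit_after_batch(900));
}
```

With the invalid second entry the first object keeps its old limit; calling the update with commit set during the first loop instead would leave it changed after the batch was rejected.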