Re: [iptables PATCH 00/18] nft: Sorted chain listing et al.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH 00/18] nft: Sorted chain listing et al.
Date: Thu, 23 Jul 2020 14:22:57 +0200	[thread overview]
Message-ID: <20200723122257.GA22824@salvia> (raw)
In-Reply-To: <20200711101831.29506-1-phil@nwl.cc>

On Sat, Jul 11, 2020 at 12:18:13PM +0200, Phil Sutter wrote:
> Work in this series centered around Harald's complaint about seemingly
> random custom chain ordering in iptables-nft-save output. nftables
> returns chains in the order they were created which differs from
> legacy iptables which sorts by name.
> 
> The intuitive approach of simply sorting chains in tables'
> nftnl_chain_lists is problematic since base chains, which shall be
> dumped first, are contained in there as well. Patch 15 solves this by
> introducing a per-table array of nftnl_chain pointers to hold only base
> chains (the hook values determine the array index). The old
> nftnl_chain_list now contains merely non-base chains and is sorted upon
> population by the new nftnl_chain_list_add_sorted() function.
> 
> Having dedicated slots for base chains allows for another neat trick,
> namely to create only immediately required base chains. Apart from the
> obvious case, where adding a rule to OUTPUT chain doesn't cause creation
> of INPUT or FORWARD chains, this means ruleset modifications can be
> avoided completely when listing, flushing or zeroing counters (unless
> chains exist).

Patches from 1 to 7, they look good to me. Would it be possible to
apply these patches independently from this batch or they are a strong
dependency?

I think it's better if we go slightly different direction?

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200723121553.7400-1-pablo@netfilter.org/

Instead of adding more functions into libnftnl for specific list
handling, which are not used by nft, use linux list native handling.

I think there is not need to cache the full nftnl_table object,
probably it should be even possible to just use it to collect the
attributes from the kernel to populate the nft_table object that I'm
proposing.

IIRC embedded people complained on the size of libnftnl, going this
direction I suggest, we can probably deprecated iterators for a number
of objects and get it slimmer in the midrun.

WDYT?

next prev parent reply	other threads:[~2020-07-23 12:23 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-11 10:18 [iptables PATCH 00/18] nft: Sorted chain listing et al Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 01/18] nft: Make table creation purely implicit Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 02/18] nft: Be lazy when flushing Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 03/18] nft: cache: Drop duplicate chain check Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 04/18] nft: Drop pointless nft_xt_builtin_init() call Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 05/18] nft: Turn nft_chain_save() into a foreach-callback Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 06/18] nft: Use nft_chain_find() in two more places Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 07/18] nft: Reorder enum nft_table_type Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 08/18] nft: cache: Fetch only interesting tables from kernel Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 09/18] nft: Use nftnl_chain_list_foreach in nft_rule_list{,_save} Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 10/18] nft: Use nftnl_chain_list_foreach in nft_rule_flush Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 11/18] nft: Use nftnl_chain_foreach in nft_rule_save Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 12/18] nft: Fold nftnl_rule_list_chain_save() into caller Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 13/18] nft: Implement nft_chain_foreach() Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 14/18] nft: cache: Introduce nft_cache_add_chain() Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 15/18] nft: Introduce a dedicated base chain array Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 16/18] nft: cache: Sort custom chains by name Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 17/18] tests: shell: Drop any dump sorting in place Phil Sutter
2020-07-11 10:18 ` [iptables PATCH 18/18] nft: Avoid pointless table/chain creation Phil Sutter
2020-07-23 12:22 ` Pablo Neira Ayuso [this message]
2020-07-25 11:55   ` [iptables PATCH 00/18] nft: Sorted chain listing et al Phil Sutter
2020-07-27 10:20     ` Pablo Neira Ayuso
2020-07-27 10:55       ` Phil Sutter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200723122257.GA22824@salvia \
    --to=pablo@netfilter.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=phil@nwl.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.