From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
	netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nft 2/3] netlink_linearize: fix timeout with map updates
Date: Mon, 12 Dec 2022 14:56:53 +0100
Message-ID: <20221212135653.GA3457@breakpoint.cc>
In-Reply-To: <Y5cuL4og4dOOEEhY@salvia>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Dec 12, 2022 at 11:04:35AM +0100, Florian Westphal wrote:
> > Map updates can use timeouts, just like with sets, but the
> > linearization step did not pass this info to the kernel.
> > 
> > meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst timeout 90s
> > 
> > Listing this won't show the "timeout 90s" because kernel never saw it to
> > begin with.
> > 
> > NB: The above line attaches the timeout to the data element,
> > but there are no separate timeouts for the key and the value.
> > 
> > An alternative is to reject "key : value timeout X" from the parser
> > or evaluation step.
> 
> You mean, timeout is accepted both from key : value sides of the
> mapping, right?

Yes, exactly, you can even do

ip saddr timeout 1m : 0x42 timeout 1s

> It makes more sense to restrict it to the key side, that would require
> a follow up patch.

Ok, works for me, should be easy to do.


Thread overview: 8+ messages
2022-12-12 10:04 [PATCH nft 0/3] fix map update with concatenation and timeouts Florian Westphal
2022-12-12 10:04 ` [PATCH nft 1/3] netlink_delinearize: fix decoding of concat data element Florian Westphal
2022-12-12 10:04 ` [PATCH nft 2/3] netlink_linearize: fix timeout with map updates Florian Westphal
2022-12-12 13:35   ` Pablo Neira Ayuso
2022-12-12 13:56     ` Florian Westphal [this message]
2022-12-12 10:04 ` [PATCH nft 3/3] tests: add a test case for map update from packet path with concat Florian Westphal
2022-12-12 13:38 ` [PATCH nft 0/3] fix map update with concatenation and timeouts Pablo Neira Ayuso
2022-12-12 16:42   ` Florian Westphal