* nft set statistics/info
@ 2024-11-14 11:34 Florian Westphal
  2024-11-14 13:14 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2024-11-14 11:34 UTC (permalink / raw)
  To: netfilter-devel

Hello,

nftables hides set details from userspace, in particular,
the backend that is used to store set elements.

For debugging it would be good to export the chosen
backend to userspace.

Another item I'd like to export is set->nelems counter.

Before I start working on this, what should that look like?

Option 1 is to just include two extra attributes in nf_tables_fill_set().

We could restrict it to nft --debug=netlink so the information isn't
shown by nftables but by libnftnl.

Option 2 is to add a new type of GET request that only dumps
such extra set info.  Frontend could then support something like

nft get setinfo inet mytable set3

which would dump the set backend name and the set->nelems counter.

Yet another option would be to include the info in normal
list ruleset/list sets etc, but print it just like a comment, e.g.

 nft list ruleset
table inet t {
        set s1 {
                type ipv4_addr			# nft_rbtree_lookup
                flags interval
                elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
                # nelems 4
        }
}


What's your take on this?


* Re: nft set statistics/info
  2024-11-14 11:34 nft set statistics/info Florian Westphal
@ 2024-11-14 13:14 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2024-11-14 13:14 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Hi Florian,

On Thu, Nov 14, 2024 at 12:34:41PM +0100, Florian Westphal wrote:
> Hello,
> 
> nftables hides set details from userspace, in particular,
> the backend that is used to store set elements.

Right.

> For debugging it would be good to export the chosen
> backend to userspace.
> 
> Another item I'd like to export is set->nelems counter.
> 
> Before I start working on this, what should that look like?
> 
> Option 1 is to just include two extra attributes in nf_tables_fill_set().
> 
> We could restrict it to nft --debug=netlink so the information isn't
> shown by nftables but by libnftnl.

Yes, --debug=netlink or similar approach should be fine to expose the
backend implementation.

> Option 2 is to add a new type of GET request that only dumps
> such extra set info.  Frontend could then support something like
> 
> nft get setinfo inet mytable set3
> 
> which would dump the set backend name and the set->nelems counter.
> 
> Yet another option would be to include the info in normal
> list ruleset/list sets etc, but print it just like a comment, e.g.
> 
>  nft list ruleset
> table inet t {
>         set s1 {
>                 type ipv4_addr			# nft_rbtree_lookup
>                 flags interval
>                 elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
>                 # nelems 4
>         }
> }
> 
> 
> What's your take on this?

Exposing nelems 4 for rbtree is confusing, better expose this
implementation detail only in debug.

I would like rbtree to use the new netlink attribute representation
which provides both sides of the range rather than providing
independent elements with the flag notation; that was an early design
mistake in that API that was fixed by pipapo.

Thanks.
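
Added example, not part of the thread and not nftables or kernel code: a simplified Python model of the two element representations contrasted in the reply above, showing why the two ranges of the sample set count as four elements in the flag notation. The function names and the sample list are constructed for illustration; `NFT_SET_ELEM_INTERVAL_END` is the kernel UAPI flag, and the end key being the last address plus one is an assumption of this model.

```python
import ipaddress

# Flag value from the kernel UAPI header linux/netfilter/nf_tables.h.
NFT_SET_ELEM_INTERVAL_END = 0x1

# Constructed sample: the two ranges from the set "s1" shown in the thread.
SAMPLE = ["10.0.0.0-11.0.0.0", "172.16.0.0/16"]


def parse_range(text):
    """Return (first, last) as integers for 'a-b' or CIDR notation."""
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    else:
        net = ipaddress.IPv4Network(text.strip())
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi


def flag_notation(ranges):
    """Model of the flag notation: every range becomes two independent
    elements, a start key and an end key carrying the interval-end flag.
    Assumption: the end key is last + 1; ranges reaching 255.255.255.255
    are not modelled."""
    elems = []
    for lo, hi in sorted(parse_range(r) for r in ranges):
        if hi == 0xFFFFFFFF:
            raise ValueError("range reaching the top address is not modelled")
        elems.append((lo, 0))
        elems.append((hi + 1, NFT_SET_ELEM_INTERVAL_END))
    return elems


def key_end_notation(ranges):
    """Model of the representation that provides both sides of the range:
    one element per range (bounds kept inclusive here, an assumption)."""
    return sorted(parse_range(r) for r in ranges)


if __name__ == "__main__":
    for key, flags in flag_notation(SAMPLE):
        end = " [end]" if flags & NFT_SET_ELEM_INTERVAL_END else ""
        print(f"element {ipaddress.IPv4Address(key)}{end}")
    print("flag notation element count:", len(flag_notation(SAMPLE)))
    print("key/key_end element count:  ", len(key_end_notation(SAMPLE)))
```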
