why every time that a rule is inserted/appended....

why every time that a rule is inserted/appended....

[diegows]

...the entire table is replaced?

I read the code, and i don't undertand why this design....

If this could be better, advise me and i try to patch that.

Re: why every time that a rule is inserted/appended....

[Andre Uratsuka Manoel]

On Mon, 26 May 2003, diegows wrote:

> ...the entire table is replaced?
> 
> I read the code, and i don't undertand why this design....
> 
> If this could be better, advise me and i try to patch that.

	Because that is the way libiptc works. After a rule is inserted,
the table is a complete and valid one. That would not be necessary,
actually.

	I want to have that changed, too... when I can find time for it.  
It has to happen in the next 4 weeks, though, since I need to do some
things that depend on iptables-restore complexity not being quadratic.

	What I thought of doing is, instead of rewriting all the table, to
rewrite only the chain on which the rule was inserted, and have that chain
outside of the table. When needed, the table is rebuilt, such as when
iptc_commit is called.
	
	Regards,
	Andre

Re: why every time that a rule is inserted/appended....

[Balazs Scheidler]

On Tue, May 27, 2003 at 02:49:43AM -0300, Andre Uratsuka Manoel wrote:
> On Mon, 26 May 2003, diegows wrote:
> 
> > ...the entire table is replaced?
> > 
> > I read the code, and i don't undertand why this design....
> > 
> > If this could be better, advise me and i try to patch that.
> 
> 	Because that is the way libiptc works. After a rule is inserted,
> the table is a complete and valid one. That would not be necessary,
> actually.
> 
> 	I want to have that changed, too... when I can find time for it.  
> It has to happen in the next 4 weeks, though, since I need to do some
> things that depend on iptables-restore complexity not being quadratic.
> 
> 	What I thought of doing is, instead of rewriting all the table, to
> rewrite only the chain on which the rule was inserted, and have that chain
> outside of the table. When needed, the table is rebuilt, such as when
> iptc_commit is called.

I think you should check out the iptables2 module in CVS and the
corresponding nfnetlink patch.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

Re: why every time that a rule is inserted/appended....

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1178 bytes --]

On Mon, May 26, 2003 at 06:34:51PM -0300, diegows wrote:
> ...the entire table is replaced?

the idea was to have an atomic snapshot from the kernel, which is
especially important for the counters.

ipchains doesn't read a chain atomically and thus packets are still
traversing between rules are being read from the kernel.  This leads to
inconsistencies in 

> If this could be better, advise me and i try to patch that.

Sure it can be done better, and there have been at least two approaches
to introduce a new kernel/userspace interface, both based on nfnetlink.

However, this is not a 'small patch' but a fundamental design change.

[maybe I'll finally find some time to do pkttables stuff again... but
now there is lots of other distracting stuff like that dual opteron box
;)]

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: why every time that a rule is inserted/appended....

[Diego Woitasen]

If you are talking about iptables2, I saw that and the change seems to 
me really interesting, but the project seems to be stopped.
I want to help the development of this new version, as soon as has time 
(soon I hope).

Where can i get the kernel interface? ...if exists...


> On Mon, May 26, 2003 at 06:34:51PM -0300, diegows wrote:
> 
>>...the entire table is replaced?
> 
> 
> the idea was to have an atomic snapshot from the kernel, which is
> especially important for the counters.
> 
> ipchains doesn't read a chain atomically and thus packets are still
> traversing between rules are being read from the kernel.  This leads to
> inconsistencies in 
> 
> 
>>If this could be better, advise me and i try to patch that.
> 
> 
> Sure it can be done better, and there have been at least two approaches
> to introduce a new kernel/userspace interface, both based on nfnetlink.
> 
> However, this is not a 'small patch' but a fundamental design change.
> 
> [maybe I'll finally find some time to do pkttables stuff again... but
> now there is lots of other distracting stuff like that dual opteron box
> ;)]
> 

Re: why every time that a rule is inserted/appended....

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 849 bytes --]

On Wed, May 28, 2003 at 06:26:09PM -0300, Diego Woitasen wrote:
> If you are talking about iptables2, I saw that and the change seems to 
> me really interesting, but the project seems to be stopped.
> I want to help the development of this new version, as soon as has time 
> (soon I hope).
> 
> Where can i get the kernel interface? ...if exists...

I'm planning to put a very experimental patch in CVS before my short
holiday (that is, until wednesday next week)

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]