why every time that a rule is inserted/appended....

From: diegows @ 2003-05-26 21:34 UTC
To: netfilter-devel

...the entire table is replaced?

I read the code, and I don't understand why this design....

If this could be better, advise me and I will try to patch that.
Re: why every time that a rule is inserted/appended....

From: Andre Uratsuka Manoel @ 2003-05-27 5:49 UTC
To: diegows; +Cc: netfilter-devel@lists.netfilter.org

On Mon, 26 May 2003, diegows wrote:
> ...the entire table is replaced?
>
> I read the code, and I don't understand why this design....
>
> If this could be better, advise me and I will try to patch that.

Because that is the way libiptc works. After a rule is inserted, the table is a complete and valid one. That would not be necessary, actually.

I want to have that changed, too... when I can find time for it. It has to happen in the next 4 weeks, though, since I need to do some things that depend on iptables-restore complexity not being quadratic.

What I thought of doing is, instead of rewriting all the table, to rewrite only the chain on which the rule was inserted, and have that chain outside of the table. When needed, the table is rebuilt, such as when iptc_commit is called.

Regards,
Andre
Re: why every time that a rule is inserted/appended....

From: Balazs Scheidler @ 2003-05-27 10:29 UTC
To: Andre Uratsuka Manoel; +Cc: diegows, netfilter-devel@lists.netfilter.org

On Tue, May 27, 2003 at 02:49:43AM -0300, Andre Uratsuka Manoel wrote:
> On Mon, 26 May 2003, diegows wrote:
>
> > ...the entire table is replaced?
> >
> > I read the code, and I don't understand why this design....
> >
> > If this could be better, advise me and I will try to patch that.
>
> Because that is the way libiptc works. After a rule is inserted,
> the table is a complete and valid one. That would not be necessary,
> actually.
>
> I want to have that changed, too... when I can find time for it.
> It has to happen in the next 4 weeks, though, since I need to do some
> things that depend on iptables-restore complexity not being quadratic.
>
> What I thought of doing is, instead of rewriting all the table, to
> rewrite only the chain on which the rule was inserted, and have that chain
> outside of the table. When needed, the table is rebuilt, such as when
> iptc_commit is called.

I think you should check out the iptables2 module in CVS and the corresponding nfnetlink patch.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Re: why every time that a rule is inserted/appended....

From: Harald Welte @ 2003-05-28 18:30 UTC
To: diegows; +Cc: netfilter-devel

On Mon, May 26, 2003 at 06:34:51PM -0300, diegows wrote:
> ...the entire table is replaced?

The idea was to have an atomic snapshot from the kernel, which is especially important for the counters.

ipchains doesn't read a chain atomically and thus packets are still traversing while rules are being read from the kernel. This leads to inconsistencies in

> If this could be better, advise me and I will try to patch that.

Sure it can be done better, and there have been at least two approaches to introduce a new kernel/userspace interface, both based on nfnetlink.

However, this is not a 'small patch' but a fundamental design change.

[maybe I'll finally find some time to do pkttables stuff again... but now there is lots of other distracting stuff like that dual opteron box ;)]

--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
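An added illustration of the counter-consistency point in Harald's message (example code written for this page, not from the thread, netfilter or libiptc): a model of a chain whose rules all match every packet, read either rule by rule while traffic keeps flowing or as one atomic snapshot of the whole chain.

```python
"""Why a whole-table snapshot matters for rule counters.

Constructed model, not netfilter code. Every rule in the chain matches
every packet (think of a run of LOG rules), so at any single instant all
packet counters in the chain are equal. A reader that fetches one rule
at a time while packets keep traversing (the ipchains behaviour described
in the thread) can observe a set of counters the chain never had.
"""


class Chain:
    def __init__(self, nrules):
        self.counters = [0] * nrules

    def traverse(self, npackets=1):
        """Each packet hits every rule, so all counters advance together."""
        for i in range(len(self.counters)):
            self.counters[i] += npackets


def read_per_rule(chain, packets_between_reads):
    """Non-atomic read: one counter per call, traffic arrives in between.

    Returns the counters as the reader saw them."""
    seen = []
    for i in range(len(chain.counters)):
        seen.append(chain.counters[i])
        chain.traverse(packets_between_reads)  # packets keep flowing
    return seen


def read_snapshot(chain, packets_after):
    """Atomic read: copy the whole chain at once; traffic only lands after."""
    seen = list(chain.counters)
    chain.traverse(packets_after)
    return seen


def is_consistent(counters):
    """For an all-match chain a view is consistent iff counters are equal."""
    return len(set(counters)) == 1


if __name__ == "__main__":
    chain = Chain(3)
    chain.traverse(10)
    print(read_per_rule(chain, 5))   # e.g. [10, 15, 20]: impossible snapshot
    chain = Chain(3)
    chain.traverse(10)
    print(read_snapshot(chain, 5))   # [10, 10, 10]: consistent
```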
Re: why every time that a rule is inserted/appended....

From: Diego Woitasen @ 2003-05-28 21:26 UTC
To: Harald Welte; +Cc: netfilter-devel

If you are talking about iptables2, I saw that and the change seems to me really interesting, but the project seems to be stopped. I want to help the development of this new version, as soon as I have time (soon I hope).

Where can I get the kernel interface? ...if it exists...

> On Mon, May 26, 2003 at 06:34:51PM -0300, diegows wrote:
>
> > ...the entire table is replaced?
>
> The idea was to have an atomic snapshot from the kernel, which is
> especially important for the counters.
>
> ipchains doesn't read a chain atomically and thus packets are still
> traversing while rules are being read from the kernel. This leads to
> inconsistencies in
>
> > If this could be better, advise me and I will try to patch that.
>
> Sure it can be done better, and there have been at least two approaches
> to introduce a new kernel/userspace interface, both based on nfnetlink.
>
> However, this is not a 'small patch' but a fundamental design change.
>
> [maybe I'll finally find some time to do pkttables stuff again... but
> now there is lots of other distracting stuff like that dual opteron box
> ;)]
Re: why every time that a rule is inserted/appended....

From: Harald Welte @ 2003-05-31 17:08 UTC
To: Diego Woitasen; +Cc: netfilter-devel

On Wed, May 28, 2003 at 06:26:09PM -0300, Diego Woitasen wrote:
> If you are talking about iptables2, I saw that and the change seems to
> me really interesting, but the project seems to be stopped.
> I want to help the development of this new version, as soon as I have time
> (soon I hope).
>
> Where can I get the kernel interface? ...if it exists...

I'm planning to put a very experimental patch in CVS before my short holiday (that is, until Wednesday next week)

--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/