Re: priv_data patch - Patrick McHardy

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Joakim Axelsson <gozem@gozem.se>
Cc: Massimiliano Hofer <max@nucleus.it>,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>
Subject: Re: priv_data patch
Date: Mon, 14 Aug 2006 18:50:28 +0200	[thread overview]
Message-ID: <44E0A9D4.6060704@trash.net> (raw)
In-Reply-To: <20060814164048.GB7194@kriss.csbnet.se>

Joakim Axelsson wrote:
> 2006-08-14 18:26:21+0200, Patrick McHardy <kaber@trash.net> ->
> 
>>>5. Possible a new 'alter' that will alter info in the rules/match/targets
>>>private kernel data.
>>
>>This is tricky to get right on the rule level, a rule consist of
>>multiple elements that would need to be changed atomically.
>>
> 
> Yes, sorry. I mean per match/target.


Is that really useful without beeing able to change more than
one component

>>That is basically impossible. We can keep a compatible command-line
>>interface, but the ABI can't be kept compatible. The interface itself
>>it quite simple, but we also need new ruleset evaluation functions,
>>new loop detection and probably a few other things.
> 
> 
> This work is huge, but really needed. I don't feel I am skilled enough to
> write it, only contribute with porting matches and other things. I did
> however write most of the code that ipset is based on now. So I have the
> "extreme amount of hook functions needed" in my back. 
> 
> The real question is. Do we really want to force each match/target to
> implement a fair amount of functions for it to work? We need to think big
> from the start here, not missing some feature that will be hard to add
> after. I rather see one too many needed function then one too few.

Its not so much. The interface comes down to "init", "destroy", "dump",
"do something". If we really want "change" it should be possible to
do it in one function with "init".

And as I already said, I would like to get rid of the large amount of
matches doing the same thing anyway. connbytes, connmark, conntrack,
helper, ... basically all do "take data from conntrack, compare".
realm, length, pkttype, .. do the same with skb metadata. A lot
of matches on real packet data are also quite similar. We could
easily get rid of 50%-75% of all matches and still have the same
functionality.

> Is this really something we want? It will most probably end up in a new
> ipfwadmin/ipchains/iptables -version. Its the easiest way todo it. Drop the
> backward compability completly and possibly only make a new iptables
> userspace command-line compability tool using the new API.

We can't do this, people expect to be able to user old versions of
the iptables tool. But we can introduce a new interface and new
tools without breaking the old ones.

next prev parent reply	other threads:[~2006-08-14 16:50 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-08-14 13:34 priv_data patch Patrick McHardy
2006-08-14 14:25 ` Joakim Axelsson
2006-08-14 14:31   ` Patrick McHardy
2006-08-14 15:20     ` Joakim Axelsson
2006-08-14 15:28       ` Patrick McHardy
2006-08-14 16:04         ` Joakim Axelsson
2006-08-14 16:13           ` Patrick McHardy
2006-08-14 16:55             ` Joakim Axelsson
2006-08-14 16:59               ` Patrick McHardy
2006-08-15  8:27               ` Amin Azez
2006-08-15  8:40                 ` Joakim Axelsson
2006-08-14 15:31       ` Patrick McHardy
2006-08-14 15:40         ` Joakim Axelsson
2006-08-14 15:46           ` Patrick McHardy
2006-08-14 15:56             ` Joakim Axelsson
2006-08-14 16:01               ` Patrick McHardy
2006-08-14 16:13                 ` Joakim Axelsson
2006-08-14 16:26                   ` Patrick McHardy
2006-08-14 16:40                     ` Joakim Axelsson
2006-08-14 16:50                       ` Patrick McHardy [this message]
2006-08-14 17:11                         ` Joakim Axelsson
2006-08-14 17:48                           ` Patrick McHardy
2006-08-14 17:59                             ` Joakim Axelsson
2006-08-14 15:53       ` Massimiliano Hofer
2006-08-14 14:40 ` Massimiliano Hofer
2006-08-14 14:48   ` Patrick McHardy
2006-08-14 14:58     ` Joakim Axelsson
2006-08-14 15:05       ` Patrick McHardy
2006-08-14 16:19     ` Massimiliano Hofer
2006-08-14 16:32       ` Joakim Axelsson
     [not found] ` <200608141557.35918.max@nucleus.it>
     [not found]   ` <44E08AC7.2050204@trash.net>
     [not found]     ` <200608141702.50753.max@nucleus.it>
2006-08-14 15:14       ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44E0A9D4.6060704@trash.net \
    --to=kaber@trash.net \
    --cc=gozem@gozem.se \
    --cc=max@nucleus.it \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.