From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: "David S. Miller" <davem@davemloft.net>,
pablo@netfilter.org, netdev@vger.kernel.org
Subject: Re: Netlink limitations
Date: Sun, 07 Nov 2010 18:17:43 +0100 [thread overview]
Message-ID: <4CD6DF37.6010800@trash.net> (raw)
In-Reply-To: <alpine.LNX.2.01.1011071743070.21289@obet.zrqbmnf.qr>
On 07.11.2010 17:44, Jan Engelhardt wrote:
> we mentioned it only briefly at the Netfilter workshop a few weeks ago,
> but as I am trying to figure out how to use Netlink in Xtables,
> Netlink's limitations really start ruining my day.
>
> The well-known issue is that NL messages the kernel is supposed to
> receive have a max size of 64K, due to nlmsghdr's use of uint16_t. This
> is very problematic because attributes can easily amass more than 64K.
> Think of a chain full of rules, represented by a top-level attribute
> that nests attributes. The problem is bidirectional, a table
> dump has the same problem.
Messages are not limited to 64k, individual attributes are. Holger
started working on a nlattr32, which uses 32 bit for the length
value.
> A further problem seems to be that the kernel does not seem to have
> support for receiving NLM_F_MULTI messages, so even assuming chains were
> just 40K, one cannot atomically replace an entire table with 2 chains of
> 40K each. Trying to slap transaction support on _top_ of netlink is not
> going to work with the current implementation, because there is no
> notification of when the socket is closed before a NLMSG_DONE has been
> sent.
There is, search for NETLINK_URELEASE in af_netlink.c. With 32 bit
attribute lengths this should not be needed anymore however.
> What I would also like is streaming support, i.e. that I can tag an
> attribute container (one that has nested attrs) with .len = -1 to define
> that the end of the container is given not by .len, but by a stop
> marker.
That's somewhat similar to the nlattr32 idea, but a length of 0 makes
more sense since that's currently not used. In that case the length
would be read from a second length field which has 32 bits.
next prev parent reply other threads:[~2010-11-07 17:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-07 16:44 Netlink limitations Jan Engelhardt
2010-11-07 17:17 ` Patrick McHardy [this message]
2010-11-08 15:16 ` Thomas Graf
2010-11-08 19:21 ` Jan Engelhardt
2010-11-08 23:36 ` Pablo Neira Ayuso
2010-11-09 9:27 ` Patrick McHardy
2010-11-09 14:49 ` Thomas Graf
2010-11-09 20:20 ` Jan Engelhardt
2010-11-09 21:40 ` Thomas Graf
2010-11-09 22:02 ` Jan Engelhardt
2010-11-09 23:35 ` Thomas Graf
2010-11-09 23:42 ` Jan Engelhardt
2010-11-09 23:54 ` Thomas Graf
2010-11-09 11:58 ` Jan Engelhardt
2010-11-09 12:10 ` Jan Engelhardt
2010-11-09 12:24 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CD6DF37.6010800@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=jengelh@medozas.de \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.