From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Jan Engelhardt <jengelh@inai.de>
Subject: Re: [RFC PATCH 0/1] xtables: allow to monitor table update event
Date: Fri, 26 Oct 2012 10:05:25 +0200
Message-ID: <508A4445.5020500@6wind.com>
In-Reply-To: <20121025171911.GA9571@1984>
On 25/10/2012 19:19, Pablo Neira Ayuso wrote:
> Hi Nicolas,
>
> On Thu, Oct 25, 2012 at 02:52:48PM +0200, Nicolas Dichtel wrote:
>> On 15/10/2012 15:10, Nicolas Dichtel wrote:
>>> On 02/10/2012 15:06, Nicolas Dichtel wrote:
>>>> The following patch is an example of a userspace tool (in fact, iptables)
>>>> that uses the new netlink API to monitor tables activity.
>>>>
>>>> I will also send a patch against libnfnetlink to update linux includes with
>>>> this new feature.
>>>>
>>>> Maybe another API can be used for this feature: adding a setsockopt() on an
>>>> iptc socket to enable monitoring. When a table is updated, a packet (built with
>>>> CMSG_* macro for example) can be sent over all sockets that monitor tables
>>>> activity (like km sockets in IPsec). I know that this socket was used only with
>>>> [g|s]etsockopt(), but this can avoid adding another netlink API.
>>>>
>>>> Comments are welcome.
>>> Any feedback about this patch or the other proposed API?
>>
>> Still no comment about this feature? Maybe another option to solve the problem?
>
> Adding a new nfnetlink subsystem to just report table updates seems
> a bit too much to me.
What about the second proposal? Sending messages through the iptc socket?
If you have some other ideas, we can change the design of the implementation,
it's not a problem.
>
> I'd aim to the nftables proposal that I just made. If this doesn't
> happen in a reasonable amount of time, get back to the mailing list
> and push us again to get this in.
There seem to be two competitors for the next generation: nftables vs xtables2.
Can we not start with a first implementation with the current xtables? Then, we
will work to have a continuity of this feature in the next generation.