From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: Patrick McHardy <kaber@trash.net>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Subject: Re: [nftables 3/9] netfilter: nf_tables: atomic rule updates and dumps
Date: Wed, 20 Feb 2013 12:32:30 +0200 [thread overview]
Message-ID: <5124A63E.3000006@linux.intel.com> (raw)
In-Reply-To: <20130219220257.GF3240@macbook.localnet>
Hi Patrick,
>
>> @@ -37,6 +37,8 @@ enum nf_tables_msg_types {
>> NFT_MSG_NEWSETELEM,
>> NFT_MSG_GETSETELEM,
>> NFT_MSG_DELSETELEM,
>> + NFT_MSG_COMMIT,
>> + NFT_MSG_ABORT,
> I see why you're doing this, but this is similar to the NEWCHAINNAME
> attribute, it doesn't really fit into the scheme how the netlink API
> is designed.
Why doesn't it fit? Do you mean you would prefer one command leads to
one result, so no transaction based manipulation?
I would rather see a NFT_MSG_START added actually.
>
>> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
>> index db6150b..7f08381 100644
>> --- a/net/netfilter/nf_tables_api.c
>> +++ b/net/netfilter/nf_tables_api.c
>> static int nf_tables_dump_rules(struct sk_buff *skb,
>> struct netlink_callback *cb)
>> {
>> @@ -1250,6 +1288,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
>> unsigned int idx = 0, s_idx = cb->args[0];
>> struct net *net = sock_net(skb->sk);
>> int family = nfmsg->nfgen_family;
>> + unsigned int genctr = net->nft.genctr, gencursor = net->nft.gencursor;
>>
>> list_for_each_entry(afi, &net->nft.af_info, list) {
>> if (family != NFPROTO_UNSPEC && family != afi->family)
>> @@ -1258,6 +1297,8 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
>> list_for_each_entry(table, &afi->tables, list) {
>> list_for_each_entry(chain, &table->chains, list) {
>> list_for_each_entry(rule, &chain->rules, list) {
>> + if (!nft_rule_is_active(net, rule))
>> + goto cont;
> Not sure whether we should really skip them during the dump. That hides
> information from userspace, we could just as well include an INACTIVE flag
> and have userspace decide whether to process them or not.
Personally I don't see much point dumping non-active (yet to be
committed) rules to anybody.
The current way of notifying the rule change when committed, as
described at the end of this patch message, is I think just right.
That would be better though within the proposal I made earlier to Pablo.
Unless you don't want transaction based manipulation. What would be the
idea then?
Tomasz
next prev parent reply other threads:[~2013-02-20 10:32 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-31 0:03 [nftables 1/9] netfilter: nf_tables: fix compilation if CONFIG_COMPAT is disabled pablo
2013-01-31 0:03 ` [nftables 2/9] netfilter: nf_tables: fix chain after rule deletion pablo
2013-01-31 0:03 ` [nftables 3/9] netfilter: nf_tables: atomic rule updates and dumps pablo
2013-02-18 17:17 ` Tomasz Bursztyka
2013-02-20 1:12 ` Pablo Neira Ayuso
2013-02-20 8:16 ` Tomasz Bursztyka
2013-02-20 23:10 ` Pablo Neira Ayuso
2013-02-19 22:02 ` Patrick McHardy
2013-02-20 0:44 ` Pablo Neira Ayuso
2013-02-20 10:32 ` Tomasz Bursztyka [this message]
2013-01-31 0:04 ` [nftables 4/9] netfilter: nf_tables: fix error path in newchain pablo
2013-01-31 0:04 ` [nftables 5/9] netfilter: nf_tables: add packet and byte counters per chain pablo
2013-01-31 0:04 ` [nftables 6/9] netfilter: nf_tables: add protocol and flags for xtables over nf_tables pablo
2013-01-31 0:04 ` [nftables 7/9] netfilter: nf_tables: add trace support pablo
2013-01-31 0:04 ` [nftables 8/9] netfilter: nf_tables: add missing code in route chain type pablo
2013-01-31 0:04 ` [nftables 9/9] netfilter: nf_tables: statify chain definition to fix sparse warning pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5124A63E.3000006@linux.intel.com \
--to=tomasz.bursztyka@linux.intel.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.