Re: [PATCH nf-next 7/8] netfilter: nf_tables: add never expires marker to elements

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 7/8] netfilter: nf_tables: add never expires marker to elements
Date: Tue, 13 Aug 2024 20:12:18 +0200	[thread overview]
Message-ID: <ZruiAlR9UGRJTW8o@orbyte.nwl.cc> (raw)
In-Reply-To: <20240807142357.90493-8-pablo@netfilter.org>

Hi Pablo,

On Wed, Aug 07, 2024 at 04:23:56PM +0200, Pablo Neira Ayuso wrote:
> This patch adds a timeout marker for those elements that never expire
> when the element are created, so timeout updates are possible.
> 
> Note that maximum supported timeout in milliseconds which is conveyed
> within a netlink attribute is 0x10c6f7a0b5ec which translates to
> 0xffffffffffe85300 jiffies64, higher milliseconds values result in an
> ERANGE error. Use U64_MAX as an internal marker to be stored in the set
> element timeout field for permanent elements.
> 
> If userspace provides no timeout for an element, then the default set
> timeout applies. However, if no default set timeout is specified and
> timeout flag is set on, then such new element gets the never expires
> marker.
> 
> Note that, in older kernels, it is already possible to define elements
> that never expire by declaring a set with the set timeout flag set on
> and no global set timeout, in this case, new element with no explicit
> timeout never expire do not allocate the timeout extension, hence, they
> never expire. This approach makes it complicated to accomodate element
> timeout update, because element extensions do not support reallocations.
> Therefore, allocate the timeout extension and use the new marker for
> this case, but do not expose it to userspace to retain backward
> compatibility in the set listing.

I fail to miss the point why this marker is needed at all:

Right now, new set elements receive EXT_TIMEOUT upon creation if either
NFTA_SET_ELEM_TIMEOUT is present (i.e., user specified per-element
timeout) or set->timeout is non-zero (i.e., set has a default timeout).

Why not change this logic and add EXT_TIMEOUT to all elements which will
timeout and initialize it either to the user-defined value or the set's
default? Then, only elements which don't timeout remain without
EXT_TIMEOUT. Which is not a problem, because their expiration value does
not need to be reset and thus they don't need space for one.

The only downside is that elements which stick to the set's default
timeout increase in size (for the copied set->timeout value), but this
patch series merges EXT_EXPIRATION and EXT_TIMEOUT anyway so their size
increases already. OTOH, non-expiring set elements won't need a spurious
EXT_TIMEOUT holding never expires marker.

Cheers, Phil

next prev parent reply	other threads:[~2024-08-13 18:12 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-07 14:23 [PATCH nf-next 0/8] nf_tables: support for updating set element timeout Pablo Neira Ayuso
2024-08-07 14:23 ` [PATCH nf-next 1/8] netfilter: nf_tables: elements with timeout less than HZ/10 never expire Pablo Neira Ayuso
2024-08-13 14:39   ` Phil Sutter
2024-08-07 14:23 ` [PATCH nf-next 2/8] netfilter: nf_tables: reject element expiration with no timeout Pablo Neira Ayuso
2024-08-13 14:41   ` Phil Sutter
2024-08-07 14:23 ` [PATCH nf-next 3/8] netfilter: nf_tables: remove annotation to access set timeout while holding lock Pablo Neira Ayuso
2024-08-07 14:23 ` [PATCH nf-next 4/8] netfilter: nft_dynset: annotate data-races around set timeout Pablo Neira Ayuso
2024-08-07 14:23 ` [PATCH nf-next 5/8] netfilter: nf_tables: annotate data-races around element expiration Pablo Neira Ayuso
2024-08-07 14:23 ` [PATCH nf-next 6/8] netfilter: nf_tables: consolidate timeout extension for elements Pablo Neira Ayuso
2024-08-07 14:23 ` [PATCH nf-next 7/8] netfilter: nf_tables: add never expires marker to elements Pablo Neira Ayuso
2024-08-08 17:01   ` kernel test robot
2024-08-13 18:12   ` Phil Sutter [this message]
2024-08-13 20:43     ` Pablo Neira Ayuso
2024-08-14  8:53       ` Phil Sutter
2024-08-14 20:44         ` Pablo Neira Ayuso
2024-08-15 11:20           ` Phil Sutter
2024-08-07 14:23 ` [PATCH nf-next 8/8] netfilter: nf_tables: set element timeout update support Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZruiAlR9UGRJTW8o@orbyte.nwl.cc \
    --to=phil@nwl.cc \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.