From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Eric Garver <e@erig.me>
Subject: Re: [nf-next PATCH v6 00/12] Dynamic hook interface binding part 2
Date: Wed, 21 May 2025 17:51:50 +0200 [thread overview]
Message-ID: <aC32llhNc-j5j49-@calendula> (raw)
In-Reply-To: <aC3yKSl3u4_zNc4b@orbyte.nwl.cc>
Hi Phil,
On Wed, May 21, 2025 at 05:32:57PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, May 21, 2025 at 12:28:01AM +0200, Pablo Neira Ayuso wrote:
[...]
> > 2) I wonder if nft_hook_find_ops() will need a hashtable sooner or
> > later. With the wildcard, the number of devices could be significantly
> > large in this list lookup.
>
> Maybe, yes. Is it useful to have a single flowtable for all virtual
> functions (e.g.) on a hypervisor? Or would one rather have distinct
> flowtables for each VM/container?
[...]
> Callers are:
>
> - nft_{flowtable,netdev}_event(): Interface is added or removed
> - nft_flow_offload_eval(): New flow being offloaded
> - nft_offload_netdev_event(): Interface is removed
>
> All these are "slow path" at least. I could try building a test case to
> see how performance scales, but since we hit the function just once for
> each new connection, I guess it's hard to get significant data out of
> it.
This can be added later, not a deal breaker.
This is event path which might slow down adding new entries via
rtnetlink maybe, but I would need to have a closer look.
[...]
> > == netfilter: nf_tables: Add "notications" <-- typo: "notifications"
> >
> > I suggest you add a new NFNLGRP_NFT_DEV group for these notifications,
> > so NFNLGRP_NFTABLES is only used for control plane updates via
> > nfnetlink API. In this case, these events are triggered by rtnetlink
> > when a new device is registered and it matches the existing an
> > existing device if I understood the rationale.
>
> Yes, MSG_NEWDEV and MSG_DELDEV are triggered if a new device matches a
> hook or if a hooked device is removed (or renamed, so the hook won't
> match anymore).
>
> Having a distinct NFNLGRP for them requires a new 'nft monitor' mode,
> right? So we can't have a single monitor process for ruleset changes and
> these device events. Should not be a problem, though.
Having a different group allows to filter out events you might not
care about, it is a simple netlink event filtering facility.
I think this feature is for debugging purpose only, correct? So a
separated group should be fine. IIUC, this event does not modify the
ruleset, it only tells us a hook for a matching device is being
registered.
Thanks.
next prev parent reply other threads:[~2025-05-21 15:52 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-15 15:44 [nf-next PATCH v6 00/12] Dynamic hook interface binding part 2 Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 01/12] netfilter: nf_tables: Introduce functions freeing nft_hook objects Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 02/12] netfilter: nf_tables: Introduce nft_hook_find_ops{,_rcu}() Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 03/12] netfilter: nf_tables: Introduce nft_register_flowtable_ops() Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 04/12] netfilter: nf_tables: Pass nf_hook_ops to nft_unregister_flowtable_hook() Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 05/12] netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 06/12] netfilter: nf_tables: Prepare for handling NETDEV_REGISTER events Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 07/12] netfilter: nf_tables: Respect " Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 08/12] netfilter: nf_tables: Wrap netdev notifiers Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 09/12] netfilter: nf_tables: Handle NETDEV_CHANGENAME events Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 10/12] netfilter: nf_tables: Support wildcard netdev hook specs Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 11/12] netfilter: nf_tables: Add notications for hook changes Phil Sutter
2025-04-15 15:44 ` [nf-next PATCH v6 12/12] selftests: netfilter: Torture nftables netdev hooks Phil Sutter
2025-05-20 10:58 ` [nf-next PATCH v6 00/12] Dynamic hook interface binding part 2 Phil Sutter
2025-05-20 11:03 ` Pablo Neira Ayuso
2025-05-20 11:08 ` Phil Sutter
2025-05-20 22:28 ` Pablo Neira Ayuso
2025-05-21 15:32 ` Phil Sutter
2025-05-21 15:49 ` Phil Sutter
2025-05-21 15:51 ` Pablo Neira Ayuso [this message]
2025-05-21 16:46 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aC32llhNc-j5j49-@calendula \
--to=pablo@netfilter.org \
--cc=e@erig.me \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.