From: David Miller <davem@davemloft.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 00/30] Netfilter/IPVS updates for net-next
Date: Mon, 12 Mar 2018 14:58:43 -0400 (EDT) [thread overview]
Message-ID: <20180312.145843.1054152977291695095.davem@davemloft.net> (raw)
In-Reply-To: <20180312175920.9022-1-pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 12 Mar 2018 18:58:50 +0100
> The following patchset contains Netfilter/IPVS updates for your net-next
> tree. This batch comes with more input sanitization for xtables to
> address bug reports from fuzzers, preparation works to the flowtable
> infrastructure and assorted updates. In no particular order, they are:

Sorry, I've seen enough. I'm not pulling this.

What is the story with this flow table stuff? I tried to ask you
about this before, but the response I was given was extremely vague
and did not answer my question at all.

This is a lot of code, and a lot of infrastructure, yet I see
no device using the infrastructure to offload conntrack.

Nor can I see how this can possibly be even useful for such an
application. What conntrack offload needs are things completely
outside of what the flow table stuff provides. Mainly, they
require that the SKB is completely abstracted away from all of
the conntrack code paths, and that the conntrack infrastructure
operates on an abstract packet metadata concept.

If you are targeting one specific piece of hardware with TCAMs
that you are familiar with, I'd like you to stop right there.
Because if that is all that this infrastructure can actually
be used for, it is definitely designed wrong.

This, as has been the case in the past, is what is wrong with the
netfilter approach to supporting offloading. We see all of this
infrastructure before an actual working use case is provided for a
specific piece of hardware for a specific driver in the tree.

Nobody can evaluate whether the approach is good or not without
a clear driver change implementing support for it.

No other area of networking puts the cart before the horse like this.

I do not agree at all with the flow table infrastructure and I
therefore do not want to pull any more flow table changes into my tree
until there is an actual user of this stuff in that pull request which
actually works in a way which is useful for people. It is completely
dead and useless code currently.

If you disagree you have to not just say it, but show it with a driver
that successfully and cleanly uses this code to offload conntrack.

Meanwhile, remove the flow table commits from this pull request out of
your tree and ask me to pull in the rest.

Thanks.
2018-03-12 17:58 [PATCH 00/30] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 07/30] netfilter: x_tables: check standard verdicts in core Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 08/30] netfilter: x_tables: check error target size too Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 09/30] netfilter: x_tables: move hook entry checks into core Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 11/30] netfilter: x_tables: cap allocations at 512 mbyte Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 13/30] netfilter: x_tables: add counters allocation wrapper Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 15/30] netfilter: compat: reject huge allocation requests Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 18/30] netfilter: make xt_rateest hash table per net Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 19/30] netfilter: xt_limit: Spelling s/maxmum/maximum/ Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_* Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 26/30] ipvs: use true and false for boolean values Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 28/30] netfilter: Refactor nf_conncount Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 29/30] netfilter: conncount: Support count only use case Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} Pablo Neira Ayuso
2018-03-12 18:58 ` David Miller [this message]
2018-03-12 19:30 ` [PATCH 00/30] Netfilter/IPVS updates for net-next Felix Fietkau
2018-03-12 20:01 ` David Miller
2018-03-12 20:22 ` Felix Fietkau
2018-03-13 13:41 ` Florian Westphal
2018-03-13 15:34 ` David Miller
2018-03-13 15:39 ` Florian Westphal
2018-03-14 18:38 ` Pablo Neira Ayuso
2018-03-16 16:23 ` David Miller
2018-03-16 16:39 ` Guy Shattah
2018-03-16 16:41 ` David Miller