From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>, Eric Leblond <eric@regit.org>,
Julien Vehent <julien@linuxwall.info>,
Fabio Di Nitto <fdinitto@redhat.com>,
Jiri Benc <jbenc@redhat.com>,
Daniel Borkmann <dborkman@redhat.com>,
Thomas Graf <tgraf@redhat.com>,
Thomas Woerner <twoerner@redhat.com>
Subject: Re: [Nftables RFC] High level library proposal
Date: Wed, 24 Apr 2013 13:23:27 +0200 [thread overview]
Message-ID: <1366802607.26911.489.camel@localhost> (raw)
In-Reply-To: <51777660.7090802@linux.intel.com>
On Wed, 2013-04-24 at 09:06 +0300, Tomasz Bursztyka wrote:
> Hi Jesper,
>
> >> >- either via proposing low level functions requesting the cache as you
> >> >propose (and we probably should)
> > I'm a little worried about your idea of implementing a cache.
> > It reminds me of the current libliptc (IPtables Cache) library, which
> > caused a lot of annoying issues in the past.
> > I know, you said we can use the notification system to keep the cache
> > up-to-date, but just have a bad feeling about introducing a cache
> > layer...
>
> It should be indeed much easier and reliable to maintain a cache with
> nftables api.
> But you are right: not all usage might require this. That's why I
> thought about NFT_FLAG_FOLLOW_* flags
> One could limit the "caching" towards only application
> rules/chain/tables (if any), and other one would keep track of everything.
>
> >> >- and/or when using nft_execute_statement() it would check if it already
> >> >exist - or not, if it's a delete statement -
> >> >by itself, hiding the details to the dev and raising a success relevantly.
> > So, your are saying that a nft_execute_statement() that creates a rule
> > sound return a "false" indication if the rule already exists?
> > I would really prefer a real "test/query" operation, but I guess we
> > should extend the kernel API to support this, so we don't need a cache
> > infrastructure for this.
>
> I don't know if such existence test should be part of kernel API rather
> than in user land since when manipulating
> you need anyway a dump of the rule set.
>
> But about nft_execute_statement(), it's not really a false indication:
> you want to inject a rule which already exist, so it's fine.
> Or we could handle it so it return an error like -EALREADY if it's
> preferable.
Hmm, yes, I see the problem. It is actually allowed/valid to create
many of the exact same rule...
We definitely need a "test/query/exists" operation. And it should be
fairly simple to implement, as its very similar to a "delete" rule
operation, which simply don't actually delete the rule, but just returns
if it was "possible" to delete such a rule.
(but again a kernel side changes)
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2013-04-24 11:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-17 13:41 [Nftables RFC] High level library proposal Tomasz Bursztyka
2013-04-17 13:52 ` Victor Julien
2013-04-19 6:50 ` Tomasz Bursztyka
2013-04-19 10:05 ` Pablo Neira Ayuso
2013-04-19 11:26 ` Tomasz Bursztyka
2013-04-19 12:11 ` Pablo Neira Ayuso
2013-04-22 23:03 ` Eric Leblond
2013-04-22 23:50 ` Pablo Neira Ayuso
2013-04-23 10:15 ` Tomasz Bursztyka
2013-04-23 11:31 ` Pablo Neira Ayuso
2013-04-23 11:55 ` Tomasz Bursztyka
2013-04-23 10:15 ` Tomasz Bursztyka
2013-04-22 20:05 ` Jesper Dangaard Brouer
2013-04-22 22:26 ` Eric Leblond
2013-04-23 7:27 ` Fabio M. Di Nitto
2013-04-23 10:15 ` Tomasz Bursztyka
2013-04-23 18:49 ` Jesper Dangaard Brouer
2013-04-24 6:06 ` Tomasz Bursztyka
2013-04-24 11:23 ` Jesper Dangaard Brouer [this message]
2013-04-24 15:35 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1366802607.26911.489.camel@localhost \
--to=brouer@redhat.com \
--cc=dborkman@redhat.com \
--cc=eric@regit.org \
--cc=fdinitto@redhat.com \
--cc=jbenc@redhat.com \
--cc=julien@linuxwall.info \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=tgraf@redhat.com \
--cc=tomasz.bursztyka@linux.intel.com \
--cc=twoerner@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).