netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC PATCH] netfilter: add connlabel conntrack extension
Date: Fri, 19 Oct 2012 10:19:59 +0200
Message-ID: <20121019081959.GA11880@1984>
In-Reply-To: <20121018203809.GA18674@breakpoint.cc>

Hi Florian,

On Thu, Oct 18, 2012 at 10:38:09PM +0200, Florian Westphal wrote:
[...]
> The problem I have with this is that 32 unique bits is a bit (pun intended)
> low.  If it's used as an enumeration it's plentiful, but I specifically want
> to be able to attach 'lots of' different labels to a conntrack entry.

Ah I see. You want overlapping labels, I like that idea :-)

What if we provide overlapping and non-overlapping label types,
something like:

struct nf_conn_label {
        uint64_t overlapping:56,
                 enumerated:8;
};

That provides 56 overlapping labels and 256 non-overlapping labels.
There will be two configuration files to be used depending on what you
want. I'm not sure what amount of labels would be fine.

Probably, this alternative semantics could be useful:

struct nf_conn_label {
        uint64_t mask:56,
                 type:8;
};

For each type (we would have 2^8), we have 56 overlapping labels.

Thus, we make sure this extension only requires 64 bits (plus the
extension structure, of course).

My only concern with dynamically allocated purely bit-based labels is
that users may bloat the size of each conntrack entry.

Let me know.

Regards.
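As an added example (not code from the RFC patch or from this mail), the second layout above, 56 overlapping label bits scoped by an 8-bit type, with the set/clear/test/match helpers a match extension would need on top of it. The helper names nf_conn_label_set, nf_conn_label_clear, nf_conn_label_test, nf_conn_label_match_all and nf_conn_label_size are assumed for illustration, as is the rule that one entry carries labels of a single type only:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the second proposal in the mail: 56 overlapping label
 * bits plus an 8-bit label type, packed into a single 64-bit word. */
#define NF_CONN_LABEL_BITS  56u
#define NF_CONN_LABEL_TYPES 256u

struct nf_conn_label {
	uint64_t mask:56,
	         type:8;
};

/*
 * Hypothetical helpers (assumed names, not from the patch).  An entry
 * carries exactly one type; up to 56 labels of that type may be set at
 * once, so labels of different types cannot be mixed on one entry.
 */
static bool nf_conn_label_set(struct nf_conn_label *l, unsigned int type,
			      unsigned int bit)
{
	if (bit >= NF_CONN_LABEL_BITS || type >= NF_CONN_LABEL_TYPES)
		return false;
	/* A non-empty entry of another type must not be silently retyped. */
	if (l->mask != 0 && l->type != type)
		return false;
	l->type = type;
	l->mask |= (uint64_t)1 << bit;
	return true;
}

static bool nf_conn_label_clear(struct nf_conn_label *l, unsigned int type,
				unsigned int bit)
{
	if (bit >= NF_CONN_LABEL_BITS || l->type != type)
		return false;
	l->mask &= ~((uint64_t)1 << bit);
	return true;
}

static bool nf_conn_label_test(const struct nf_conn_label *l,
			       unsigned int type, unsigned int bit)
{
	if (bit >= NF_CONN_LABEL_BITS || l->type != type)
		return false;
	return (l->mask & ((uint64_t)1 << bit)) != 0;
}

/* What a match extension would do: does the entry carry every bit in
 * `want` (of the given type)?  Bits above 55 in `want` can never match. */
static bool nf_conn_label_match_all(const struct nf_conn_label *l,
				    unsigned int type, uint64_t want)
{
	if (want >> NF_CONN_LABEL_BITS)
		return false;
	return l->type == type && (l->mask & want) == want;
}

/* Cost per conntrack entry for this extension's payload (8 bytes). */
static size_t nf_conn_label_size(void)
{
	return sizeof(struct nf_conn_label);
}

int main(void)
{
	struct nf_conn_label l = { 0 };

	nf_conn_label_set(&l, 3, 0);
	nf_conn_label_set(&l, 3, 55);
	printf("payload size: %zu bytes\n", nf_conn_label_size());
	printf("type %u mask 0x%014llx\n", (unsigned int)l.type,
	       (unsigned long long)l.mask);
	printf("set bit 1 with type 4: %s\n",
	       nf_conn_label_set(&l, 4, 1) ? "ok" : "refused");
	return 0;
}
```

The refusal in nf_conn_label_set is the point of the type field: it keeps the 56 mask bits meaningful only within one type, so two rulesets using different label tables cannot read each other's bits by accident. Out-of-range bits in `want` make nf_conn_label_match_all fail rather than silently match, which is the behaviour a match extension should have when a rule references a label the 56-bit mask cannot hold.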


Thread overview: 8+ messages
2012-10-18 16:22 [RFC PATCH] netfilter: add connlabel conntrack extension Florian Westphal
2012-10-18 16:51 ` Pablo Neira Ayuso
2012-10-18 20:38   ` Florian Westphal
2012-10-19  8:19     ` Pablo Neira Ayuso [this message]
2012-10-19  8:50       ` Florian Westphal
2012-10-19 13:15         ` Pablo Neira Ayuso
2012-10-19 13:52           ` Florian Westphal
2012-10-20 13:15           ` Ed W
