From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>,
	Netfilter user mailing list <netfilter@vger.kernel.org>
Subject: Re: Formal submission of Xtables2
Date: Mon, 17 Dec 2012 10:53:30 +0100
Message-ID: <20121217095330.GA17148@1984>
In-Reply-To: <alpine.LNX.2.01.1212170214350.29351@nerf07.vanv.qr>

On Mon, Dec 17, 2012 at 02:39:07AM +0100, Jan Engelhardt wrote:
> On Monday 2012-12-17 01:08, Pablo Neira Ayuso wrote:
> 
> >On Thu, Dec 13, 2012 at 07:19:28PM +0100, Jan Engelhardt wrote:
> >[...]
> >> Each of us are (understandably) biased, as each has contributed
> >> to "their" implementation. But, you also have the decisive power as
> >> the Linux kernel Netfilter subsystem maintainer, and I fear that you
> >> might use this to reject xt2 to force nft.
> >
> >I have to ask you to stick to technical arguments.
> 
> Ok, let me try again then. We should merge xtables2, because
> (some selected arguments follow):
> 
>  - It brings an NL-type (<- long-sought) interface
> 
>  - It uses a single table because there simply is no need
>    to have multiple ones. This has benefits for replacement atomicity 
>    guarantees, and gives some memory previously spent for modules
>    back to the user, for example.

You can implement this with nftables. Actually, nftables allows you to
have as many tables as you want. No matter what configuration you
select, it's extremely flexible.

>  - This table is NFPROTO_UNSPEC which means that the duplication of
>    rules between ip(4)tables and ip6tables users had to make is
>    gone, meaning less maintenance/complexity/etc. for the administrator, 
>    and of course, fewer rules lead to less memory usage.

One single table means no table at all to me. We have also planned to
add agnostic tables to avoid the IPv4/IPv6 cases.

>  - and because it retains some characteristics, for example
>    atomic replaces and netns.
> 
> >You wrote on Thu, 13 Dec 2012 13:05:09 +0100:
> >>I don't think that feature-set provides compelling reasons to push [xt2]
> 
>    Not everybody cares about these things; that would be unrealistic.
>    However, some users, and me included, _do have_ an interest in having
>    what is presented, because they do e.g. run containers. Otherwise,
>    we would not be having netns in iptables today, right?

Again, those are completely possible with nftables.

> Now, don't dismiss these arguments.

So far, I haven't seen any *strong reason* to drop nftables code and
write something from scratch as flexible as it is. My impression is
that you don't know how nftables is designed and how it works, so you'll
have to tell me why I'm wrong.

As said, please provide convincing arguments, no more rants.


Thread overview: 22+ messages
2012-12-13  6:00 Formal submission of Xtables2 Jan Engelhardt
2012-12-13 11:00 ` Pablo Neira Ayuso
2012-12-13 11:36   ` Jan Engelhardt
2012-12-13 12:05     ` Pablo Neira Ayuso
2012-12-13 13:08       ` Jan Engelhardt
2012-12-13 14:28         ` Pablo Neira Ayuso
2012-12-13 14:53           ` Jan Engelhardt
2012-12-13 15:16             ` Pablo Neira Ayuso
2012-12-13 16:41               ` Jan Engelhardt
2012-12-13 17:25                 ` Pablo Neira Ayuso
2012-12-13 18:19                   ` Jan Engelhardt
2012-12-17  0:08                     ` Pablo Neira Ayuso
2012-12-17  1:39                       ` Jan Engelhardt
2012-12-17  9:53                         ` Pablo Neira Ayuso [this message]
2012-12-17 10:12                           ` Maciej Żenczykowski
2012-12-17 13:01                           ` Jan Engelhardt
2012-12-17 14:30                             ` Pablo Neira Ayuso
2012-12-17 20:51                               ` Jan Engelhardt
2012-12-17 23:49                                 ` Jozsef Kadlecsik
2012-12-18  1:11                                   ` Jan Engelhardt
2012-12-18  1:27                                   ` David Miller
     [not found]   ` <20121214094141.GO2606@workstation>
2012-12-16 23:57     ` Pablo Neira Ayuso
