From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: nftables add vs replace
Date: Tue, 21 Jan 2014 12:25:32 +0000
Message-ID: <20140121122532.GA30955@macbook.localnet>
References: <20140121110645.GC25197@macbook.localnet>
 <20140121112700.GA21772@localhost>
 <52DE5E10.5000403@linux.intel.com>
 <20140121114955.GA27718@macbook.localnet>
 <52DE6331.4030902@linux.intel.com>
 <20140121121147.GB30577@macbook.localnet>
 <52DE655B.9020105@linux.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Arturo Borrero Gonzalez, Pablo Neira Ayuso, Netfilter Development Mailing list
To: Tomasz Bursztyka
Return-path:
Received: from stinky.trash.net ([213.144.137.162]:38885 "EHLO stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754539AbaAUMZg (ORCPT ); Tue, 21 Jan 2014 07:25:36 -0500
Content-Disposition: inline
In-Reply-To: <52DE655B.9020105@linux.intel.com>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

On Tue, Jan 21, 2014 at 02:17:31PM +0200, Tomasz Bursztyka wrote:
>
> >>Actually, after your patch and Arturo's, it could be possible to
> >>improve the ruleset management so
> >>it would use create/add/replace accordingly.
> >>
> >>Though it means it would need to dump first the targeted
> >>tables/chains to do so,
> >>thus I am not sure how relevant is my blabbering from performance
> >>point of view.
> >How would that work? Dumping rules, flushing the old ones and reinstalling
> >them is prone to race conditions.
>
> There would be no flushing involved.
> Comparing the dump vs the input ruleset you would know what to
> remove/replace/add.
>
> But maybe there is no benefit from that anyway.

I still don't see how this helps. Incremental updates already work, the
two problems I see are:

- create something only iff it doesn't exist: easy, not use NLM_F_EXCL
- replace entire tables or chains: harder since the transactions need to
  handle tables, chains and sets which they currently don't. For basechains
  this goes down all the way to nf_register_hooks() since we need to
  atomically replace the hooks.
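
An added example, not part of the original message and not nf_tables code: a user-space model of the conventional netlink flag semantics behind the first point, showing that a create request without NLM_F_EXCL succeeds when the object already exists. The flag values are those of <linux/netlink.h>; the store, new_object(), generation_of() and the generation counter are hypothetical, and the model does not cover transactions or hook replacement.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Flag values from <linux/netlink.h>. */
#define NLM_F_REPLACE 0x100 /* override an existing object */
#define NLM_F_EXCL    0x200 /* fail if the object already exists */
#define NLM_F_CREATE  0x400 /* create the object if it does not exist */

/* Hypothetical in-memory store standing in for the kernel's object list. */
struct obj { char name[16]; int generation; };
static struct obj store[8];

static struct obj *lookup(const char *name)
{
    for (int i = 0; i < 8; i++)
        if (store[i].generation && strcmp(store[i].name, name) == 0)
            return &store[i];
    return NULL;
}

/* Generation counter of an object, 0 if it does not exist. */
int generation_of(const char *name)
{
    struct obj *o = lookup(name);
    return o ? o->generation : 0;
}

/* Apply a "new object" request; returns 0 or a negative errno. */
int new_object(const char *name, int flags)
{
    struct obj *o = lookup(name);

    if (o && (flags & NLM_F_EXCL))
        return -EEXIST;           /* strict create refuses duplicates */
    if (o) {
        if (flags & NLM_F_REPLACE)
            o->generation++;      /* stand-in for swapping in a new object */
        return 0;                 /* without NLM_F_EXCL an existing object is fine */
    }
    if (!(flags & NLM_F_CREATE))
        return -ENOENT;           /* nothing to replace, creation not requested */
    for (int i = 0; i < 8; i++)
        if (!store[i].generation) {
            snprintf(store[i].name, sizeof(store[i].name), "%s", name);
            store[i].generation = 1;
            return 0;
        }
    return -ENFILE;               /* model-only limit: store is full */
}

int main(void) { return new_object("filter", NLM_F_CREATE) ? 1 : 0; }
```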