netfilter-devel.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, arturo.borrero.glez@gmail.com
Subject: Re: [PATCH nf-next 3/3 v2] netfilter: nf_tables: export rule-set generation ID
Date: Thu, 11 Sep 2014 17:45:58 +0100	[thread overview]
Message-ID: <20140911164558.GF7600@acer.localdomain> (raw)
In-Reply-To: <20140911161040.GA5824@salvia>

On Thu, Sep 11, 2014 at 06:10:40PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Sep 11, 2014 at 04:32:44PM +0100, Patrick McHardy wrote:
> > On Thu, Sep 11, 2014 at 05:20:19PM +0200, Pablo Neira Ayuso wrote:
> > > This patch exposes the ruleset generation ID in three ways:
> > > 
> > > 1) The new command NFT_MSG_GETGEN that exposes the 32-bit ruleset
> > >    generation ID. This ID is incremented in every commit and it
> > >    should be large enough to avoid wraparound problems.
> > > 
> > > 2) The least significant 16 bits of the generation ID are exposed through
> > >    the nfgenmsg->res_id header field. This allows us to quickly catch
> > >    if the ruleset has changed between two consecutive list dumps from
> > >    different object lists (in this specific case I think the risk of
> > >    wraparound is unlikely).
> > > 
> > > 3) Userspace subscribers may receive notifications of new rule-set
> > >    generation after every commit. This also provides an alternative
> > >    way to monitor the generation ID. If the events are lost, the
> > >    userspace process hits an overrun error, so it knows that it is
> > >    working with a stale ruleset anyway.
> > 
> > Correct, there's just one thing to consider here, which is what happens
> > once we add active ruleset state notifications, like counters, limit
> > etc. At that point it's not clear anymore whether changes have happened.
> > OTOH it would be just a false positive, so at least things would keep
> > working.
> 
> Right, I can put the genid notification in a different nfnetlink
> multicast group (NFNLGRP_NFTABLES_GENID) to avoid false positives if
> you like the idea, we have plenty of spare groups.

I don't think that's a really good idea since the ordering between the
rule notifications and the commit notification wouldn't be reliable.
Same thing is probably true for state notifications, not entirely
sure yet if they could reasonably be sent to a different group.
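As an added worked example (this is not code from the thread, from the patch or from the nf_tables project), the following C program shows how a userspace listener would consume the two channels the patch description above exposes: the low 16 bits of the generation ID carried in nfgenmsg->res_id of every dump reply, and the full 32-bit ID carried by the generation notification, plus the ENOBUFS overrun case from point 3. Messages are constructed locally rather than read from a netlink socket, so it runs without CAP_NET_ADMIN. The names NFT_MSG_NEWGEN and NFTA_GEN_ID and the big-endian u32 encoding of the attribute are assumptions taken from the later merged UAPI header linux/netfilter/nf_tables.h, not from this thread; the 16-bit comparison deliberately shows the wraparound blind spot Pablo mentions (generations 0x00011234 and 0x00001234 look identical in res_id).

```c
/* Added example, not from the thread or the patch: how a userspace listener
 * reads the nf_tables ruleset generation ID from locally built messages.
 * NFT_MSG_NEWGEN and NFTA_GEN_ID are assumed from the merged UAPI header. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
#define NFT_GEN_HDR_LEN NLMSG_SPACE(sizeof(struct nfgenmsg))

/* Constructed sample: message with the low 16 bits of genid in
 * nfgenmsg->res_id (big-endian) like a dump reply; with_attr also appends the
 * full genid as NFTA_GEN_ID, as an NFT_MSG_NEWGEN event does.  0 if cap too small. */
size_t build_nft_msg(uint8_t *buf, size_t cap, uint16_t msg_type,
                     uint32_t genid, int with_attr)
{
    size_t len = NFT_GEN_HDR_LEN + (with_attr ? NLA_HDRLEN + NLA_ALIGN(4) : 0);
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = len;
    nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | msg_type;
    struct nfgenmsg *nfg = NLMSG_DATA(nlh);
    nfg->version = NFNETLINK_V0;            /* family stays NFPROTO_UNSPEC */
    nfg->res_id = htons((uint16_t)genid);
    if (with_attr) {
        struct nlattr *nla = (struct nlattr *)(buf + NFT_GEN_HDR_LEN);
        uint32_t be = htonl(genid);
        nla->nla_len = NLA_HDRLEN + sizeof be;
        nla->nla_type = NFTA_GEN_ID;
        memcpy((uint8_t *)nla + NLA_HDRLEN, &be, sizeof be);
    }
    return len;
}

/* Low 16 bits of the generation ID from res_id, after checking the buffer
 * holds a complete nf_tables header.  0 on success, -1 otherwise. */
int nft_res_id_genid(const uint8_t *buf, size_t len, uint16_t *genid)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (len < NFT_GEN_HDR_LEN || nlh->nlmsg_len < NFT_GEN_HDR_LEN ||
        nlh->nlmsg_len > len ||
        NFNL_SUBSYS_ID(nlh->nlmsg_type) != NFNL_SUBSYS_NFTABLES)
        return -1;
    *genid = ntohs(((const struct nfgenmsg *)(buf + NLMSG_HDRLEN))->res_id);
    return 0;
}

/* Full 32-bit ID from an NFT_MSG_NEWGEN event: walk its attributes with
 * bounds checks and pick NFTA_GEN_ID.  0 on success, -1 if absent/malformed. */
int nft_newgen_genid(const uint8_t *buf, size_t len, uint32_t *genid)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    uint16_t low;
    if (nft_res_id_genid(buf, len, &low) < 0 ||
        NFNL_MSG_TYPE(nlh->nlmsg_type) != NFT_MSG_NEWGEN)
        return -1;
    for (size_t off = NFT_GEN_HDR_LEN; off + NLA_HDRLEN <= nlh->nlmsg_len;) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > nlh->nlmsg_len)
            return -1;                      /* malformed attribute, do not trust */
        if ((nla->nla_type & NLA_TYPE_MASK) == NFTA_GEN_ID &&
            nla->nla_len == NLA_HDRLEN + sizeof *genid) {
            uint32_t be;
            memcpy(&be, buf + off + NLA_HDRLEN, sizeof be);
            *genid = ntohl(be);
            return 0;
        }
        off += NLA_ALIGN(nla->nla_len);
    }
    return -1;
}

/* Did the ruleset change since it was cached at cached_gen?  A dump reply shows
 * only 16 bits, so 65536 commits in between look like no change (wraparound). */
int nft_dump_changed(uint32_t cached_gen, const uint8_t *buf, size_t len)
{
    uint16_t g;
    if (nft_res_id_genid(buf, len, &g) < 0)
        return -1;
    return g != (uint16_t)cached_gen;
}

/* ENOBUFS from recvmsg() on the event socket: events dropped, cache is stale. */
int nft_recv_error_stale(int err) { return err == ENOBUFS; }

int main(void)
{
    uint8_t dump[64];
    size_t n = build_nft_msg(dump, sizeof dump, NFT_MSG_NEWTABLE, 0x00011234u, 0);
    printf("changed vs cache at 0x00001234? %d (16-bit blind spot)\n",
           nft_dump_changed(0x00001234u, dump, n));
    return 0;
}
```

The attribute walker stops at the first malformed length rather than skipping it, which is the safe choice for a listener that feeds a firewall cache; the dump-side check is only as strong as 16 bits, so a process that cares about correctness should also subscribe to the generation notification and re-dump on ENOBUFS.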


Thread overview: 12+ messages
2014-09-11 15:20 [PATCH nf-next 1/3] netfilter: nf_tables: add NFTA_MASQ_UNSPEC to nft_masq_attributes Pablo Neira Ayuso
2014-09-11 15:20 ` [PATCH nf-next 2/3] netfilter: nfnetlink: use original skbuff when committing/aborting Pablo Neira Ayuso
2014-09-11 15:20 ` [PATCH nf-next 3/3 v2] netfilter: nf_tables: export rule-set generation ID Pablo Neira Ayuso
2014-09-11 15:32   ` Patrick McHardy
2014-09-11 16:10     ` Pablo Neira Ayuso
2014-09-11 16:45       ` Patrick McHardy [this message]
2014-09-11 16:57         ` Pablo Neira Ayuso
2014-09-11 17:22           ` Pablo Neira Ayuso
2014-09-11 17:35             ` Patrick McHardy
2014-09-12  7:47               ` Pablo Neira Ayuso
2014-09-11 15:46   ` Arturo Borrero Gonzalez
2014-09-11 16:25     ` Pablo Neira Ayuso
