From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: xtables: add cluster match
Date: Wed, 25 Feb 2009 00:13:47 +0100 [thread overview]
Message-ID: <49A47F2B.6040704@netfilter.org> (raw)
In-Reply-To: <49A3FEE2.3000601@trash.net>
Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>> Pablo Neira Ayuso wrote:
>>>> +enum xt_cluster_flags {
>>>> + XT_CLUSTER_F_INV = (1 << 0)
>>>> +};
>>>> +
>>>> +struct xt_cluster_match_info {
>>>> + u_int32_t total_nodes;
>>>> + u_int32_t node_mask;
>>>> + u_int32_t hash_seed;
>>>> + u_int32_t flags;
>>>> +};
>>>
>>> This doesn't seem like such a hot idea. I haven't seen the new
>>> userspace patch, but assuming you're interested in the flags and
>>> not ignoring them in userspace, the user has to specify the hash
>>> seed for rule deletions.
>>
>> The user has to specify the hash seed to delete the rule if it's
>> non-zero, otherwise it must be specified. The hash seed is optional. I
>> don't quite see the problem.
>
> Its a parameter without a meaning, the user is needlessly bothered
> with this.
>From the user view, yes. No matter what value you set as long as it is
the same in all the cluster nodes.
>>> You also have to chose the same seed for all nodes in a cluster.
>>> This seems needlessly complicated, I'd suggest to simply use zero.
>>
>> One may want to forge traffic to flood a single node? The hash seed
>> avoids this.
>
> No, it only makes it easier to shut off since I have to use the same
> source address to be sure I hit the same node. This seems like a valid
> argument though.
>
> The fact that you have to specify it for deletion still seems unnecesary
> though. You would never have two rules differing only in the seed value
> since that would mean the node is part of two clusters. So we might as
> well move it to the end and ignore it in userspace. What do you think?
But the value has to be the same in all the cluster nodes, so how can it
be set to ensure that it is the same value?
> In case you agree, I also think "secret" would be a more fitting name.
I can rename the field to "secret" in the structure or change the
iptables cluster match option to be "--cluster-secret" instead of
"--cluster-hash-seed" if you like.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2009-02-24 23:13 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-23 10:13 [PATCH] netfilter: xtables: add cluster match Pablo Neira Ayuso
2009-02-24 13:46 ` Patrick McHardy
2009-02-24 14:05 ` Pablo Neira Ayuso
2009-02-24 14:06 ` Patrick McHardy
2009-02-24 23:13 ` Pablo Neira Ayuso [this message]
2009-02-25 5:52 ` Patrick McHardy
2009-02-25 9:42 ` Pablo Neira Ayuso
2009-02-25 10:20 ` Patrick McHardy
2009-03-16 16:11 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2009-02-20 20:50 Pablo Neira Ayuso
2009-02-20 20:56 ` Pablo Neira Ayuso
2009-02-19 23:14 Pablo Neira Ayuso
2009-02-20 9:24 ` Patrick McHardy
2009-02-20 13:15 ` Pablo Neira Ayuso
2009-02-20 13:48 ` Patrick McHardy
2009-02-20 16:52 ` Pablo Neira Ayuso
2009-02-16 9:32 Pablo Neira Ayuso
2009-02-16 9:23 Pablo Neira Ayuso
2009-02-16 9:31 ` Pablo Neira Ayuso
2009-02-16 12:13 ` Jan Engelhardt
2009-02-16 12:17 ` Patrick McHardy
2009-02-14 19:29 Pablo Neira Ayuso
2009-02-14 20:28 ` Jan Engelhardt
2009-02-14 20:42 ` Pablo Neira Ayuso
2009-02-14 22:31 ` Jan Engelhardt
2009-02-14 22:32 ` Jan Engelhardt
2009-02-16 10:56 ` Patrick McHardy
2009-02-16 14:01 ` Pablo Neira Ayuso
2009-02-16 14:03 ` Patrick McHardy
2009-02-16 14:30 ` Pablo Neira Ayuso
2009-02-16 15:01 ` Patrick McHardy
2009-02-16 15:14 ` Pablo Neira Ayuso
2009-02-16 15:10 ` Patrick McHardy
2009-02-16 15:27 ` Pablo Neira Ayuso
2009-02-17 10:46 ` Pablo Neira Ayuso
2009-02-17 10:50 ` Patrick McHardy
2009-02-17 13:50 ` Pablo Neira Ayuso
2009-02-17 19:45 ` Vincent Bernat
2009-02-18 10:14 ` Patrick McHardy
2009-02-18 10:13 ` Patrick McHardy
2009-02-18 11:06 ` Pablo Neira Ayuso
2009-02-18 11:14 ` Patrick McHardy
2009-02-18 17:20 ` Vincent Bernat
2009-02-18 17:25 ` Patrick McHardy
2009-02-18 18:38 ` Pablo Neira Ayuso
2009-02-16 17:17 ` Jan Engelhardt
2009-02-16 17:13 ` Jan Engelhardt
2009-02-16 17:16 ` Patrick McHardy
2009-02-16 17:22 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49A47F2B.6040704@netfilter.org \
--to=pablo@netfilter.org \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).