From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: Patrick McHardy <kaber@trash.net>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Subject: Re: [nftables 3/9] netfilter: nf_tables: atomic rule updates and dumps
Date: Wed, 20 Feb 2013 12:32:30 +0200 [thread overview]
Message-ID: <5124A63E.3000006@linux.intel.com> (raw)
In-Reply-To: <20130219220257.GF3240@macbook.localnet>
Hi Patrick,
>
>> @@ -37,6 +37,8 @@ enum nf_tables_msg_types {
>> NFT_MSG_NEWSETELEM,
>> NFT_MSG_GETSETELEM,
>> NFT_MSG_DELSETELEM,
>> + NFT_MSG_COMMIT,
>> + NFT_MSG_ABORT,
> I see why you're doing this, but this is similar to the NEWCHAINNAME
> attribute, it doesn't really fit into the scheme how the netlink API
> is designed.
Why doesn't it fit? Do you mean you would prefer one command leads to
one result, so no transaction based manipulation?
I would rather see a NFT_MSG_START added actually.
>
>> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
>> index db6150b..7f08381 100644
>> --- a/net/netfilter/nf_tables_api.c
>> +++ b/net/netfilter/nf_tables_api.c
>> static int nf_tables_dump_rules(struct sk_buff *skb,
>> struct netlink_callback *cb)
>> {
>> @@ -1250,6 +1288,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
>> unsigned int idx = 0, s_idx = cb->args[0];
>> struct net *net = sock_net(skb->sk);
>> int family = nfmsg->nfgen_family;
>> + unsigned int genctr = net->nft.genctr, gencursor = net->nft.gencursor;
>>
>> list_for_each_entry(afi, &net->nft.af_info, list) {
>> if (family != NFPROTO_UNSPEC && family != afi->family)
>> @@ -1258,6 +1297,8 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
>> list_for_each_entry(table, &afi->tables, list) {
>> list_for_each_entry(chain, &table->chains, list) {
>> list_for_each_entry(rule, &chain->rules, list) {
>> + if (!nft_rule_is_active(net, rule))
>> + goto cont;
> Not sure whether we should really skip them during the dump. That hides
> information from userspace, we could just as well include an INACTIVE flag
> and have userspace decide whether to process them or not.
Personally I don't see much point dumping non-active (yet to be
committed) rules to anybody.
The current way of notifying the rule change when committed, as
described at the end of this patch message, is I think just right.
That would be better though within the proposal I made earlier to Pablo.
Unless you don't want transaction based manipulation. What would be the
idea then?
Tomasz
next prev parent reply other threads:[~2013-02-20 10:32 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-31 0:03 [nftables 1/9] netfilter: nf_tables: fix compilation if CONFIG_COMPAT is disabled pablo
2013-01-31 0:03 ` [nftables 2/9] netfilter: nf_tables: fix chain after rule deletion pablo
2013-01-31 0:03 ` [nftables 3/9] netfilter: nf_tables: atomic rule updates and dumps pablo
2013-02-18 17:17 ` Tomasz Bursztyka
2013-02-20 1:12 ` Pablo Neira Ayuso
2013-02-20 8:16 ` Tomasz Bursztyka
2013-02-20 23:10 ` Pablo Neira Ayuso
2013-02-19 22:02 ` Patrick McHardy
2013-02-20 0:44 ` Pablo Neira Ayuso
2013-02-20 10:32 ` Tomasz Bursztyka [this message]
2013-01-31 0:04 ` [nftables 4/9] netfilter: nf_tables: fix error path in newchain pablo
2013-01-31 0:04 ` [nftables 5/9] netfilter: nf_tables: add packet and byte counters per chain pablo
2013-01-31 0:04 ` [nftables 6/9] netfilter: nf_tables: add protocol and flags for xtables over nf_tables pablo
2013-01-31 0:04 ` [nftables 7/9] netfilter: nf_tables: add trace support pablo
2013-01-31 0:04 ` [nftables 8/9] netfilter: nf_tables: add missing code in route chain type pablo
2013-01-31 0:04 ` [nftables 9/9] netfilter: nf_tables: statify chain definition to fix sparse warning pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5124A63E.3000006@linux.intel.com \
--to=tomasz.bursztyka@linux.intel.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).