From: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables-nftables RFC v3 PATCH 04/16] nft: Integrate nft translator engine in current core
Date: Mon, 12 Aug 2013 10:15:22 +0300 [thread overview]
Message-ID: <52088B8A.8080007@linux.intel.com> (raw)
In-Reply-To: <20130809212454.GA7102@localhost>
Hi Pablo,
> If I understood this correctly, your approach uses the array of
> instructions above as keys to look up for the corresponding parser. In
> that case, I'm afraid that this engine won't cover the complexity of
> the payload instructions since we'll end up having*a lot* of matching
> combinations that will overlap in your tree. You cannot resolve that
> ambiguity problem of what parser needs to be invoked without looking
> at other information that is contained in the instruction, eg. payload
> base and offset.
It already handles overlapping patterns. I decided to go the simplest way:
- you can register as many parser you want for a pattern, of course.
- engine will try as many parser it has for a pattern as long as those
return -1, the one who returns 0 wins (engine tries then to continue on
next expressions, finding other patterns)
- engine follows longest pattern first: so if no parser as won on the
current pattern, engine will start to go backward. (it will try to match
shorter pattern)
Have a look at nft_trans_add_instruction(),
retrieve_nft_trans_instructions() and execute_relevant_instruction() for
insights.
Sure it's definitely not the most optimized but I believe it should be
sufficient for our concerns.
And anyway, the API is good enough so the engine itself can be
transparently improved if necessary.
Tomasz
next prev parent reply other threads:[~2013-08-12 7:15 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-09 13:31 [iptables-nftables RFC v3 PATCH 00/16] Xtables extensions: full support (pure nft or compat layer) Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 01/16] xtables: Add support for injecting xtables target into nft rule Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 02/16] xtables: add support for injecting xtables matches " Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 03/16] nft: Add nft expressions translation engine as a library Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 04/16] nft: Integrate nft translator engine in current core Tomasz Bursztyka
2013-08-09 21:24 ` Pablo Neira Ayuso
2013-08-12 7:15 ` Tomasz Bursztyka [this message]
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 05/16] nft: Manage xtables target parsing through translation tree Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 06/16] nft: Manage xtables matches through nft " Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 07/16] nft: Add support for xtables extensions callback to change cs Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 08/16] xtables: Add support for registering nft translation function for target Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 09/16] xtables: Add support for registering nft translation function for match Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 10/16] nft: Register all relevant xtables extensions into translation tree Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 11/16] nft: Refactor firewall printing so it reuses already parsed cs struct Tomasz Bursztyka
2013-08-09 21:51 ` Pablo Neira Ayuso
2013-08-12 7:54 ` Tomasz Bursztyka
2013-08-12 9:30 ` Pablo Neira Ayuso
2013-08-12 10:54 ` Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 12/16] nft: Refactor rule deletion so it compares both cs structure Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 13/16] xtables: nft: Complete refactoring on how rules are saved Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 14/16] xtables: Support pure nft expressions for DNAT extension Tomasz Bursztyka
2013-08-09 21:56 ` Pablo Neira Ayuso
2013-08-12 7:42 ` Tomasz Bursztyka
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 15/16] nft: Add a function to reset the counters of an existing rule Tomasz Bursztyka
2013-08-09 22:00 ` Pablo Neira Ayuso
2013-08-09 13:31 ` [iptables-nftables RFC v3 PATCH 16/16] xtables: Support -Z options for a given rule number Tomasz Bursztyka
2013-08-09 22:02 ` Pablo Neira Ayuso
2013-08-12 7:45 ` Tomasz Bursztyka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52088B8A.8080007@linux.intel.com \
--to=tomasz.bursztyka@linux.intel.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).