From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org
Subject: Re: [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR
Date: Thu, 16 Feb 2023 12:29:30 +0100
Message-ID: <Y+4Tmv3H24XTiEhK@salvia>
In-Reply-To: <Y+4LoOjaT1RU6I1r@orbyte.nwl.cc>

On Thu, Feb 16, 2023 at 11:55:28AM +0100, Phil Sutter wrote:
> On Tue, Feb 07, 2023 at 11:56:53AM +0100, Phil Sutter wrote:
> [...]
> > Yes, please! I'll finish user space this week. :)
>
> Famous last words. :(
>
> I realized anonymous sets are indeed a problem, and I'm not sure how it
> could be solved. I missed the fact that with lookup expressions one has
> to run the init() callback to convert their per-batch set ID into the
> kernel-defined set name. So the simple "copy and return nla" approach is
> not sufficient.
>
> Initializing all of the dump-only expressions though causes other
> unwanted side-effects, like e.g. duplicated chain use-counters.
>
> One could ban lookup from being used in dump-only expressions. Right
> now, only ebtables' among match requires it.
>
> To still allow for ebtables-nft to use the compat interface, among match
> could be rewritten to use the legacy extension in-kernel. This doesn't
> solve the original problem though, because old ebtables-nft versions
> can't parse a match expression containing among extension.
>
> Another option that might work is to parse the dump-only expressions in
> nf_tables_newrule(), dump them into an skb, drop them again and extract
> the skb's buffer for later.
>
> Do you have a better idea perhaps? I'm a bit clueless how to proceed
> further right now. :(
I'll drop the patch from nf-next and we'll take more time to think about
how to solve this.
This problem is interesting, but it is difficult!
Does this work for you?