From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [nf-next PATCH 0/2] Support resetting rules' state
Date: Wed, 9 Nov 2022 11:16:14 +0100 [thread overview]
Message-ID: <Y2t97iyVIMEzIF0q@salvia> (raw)
In-Reply-To: <Y2qIlYGKGxysxkFN@orbyte.nwl.cc>

On Tue, Nov 08, 2022 at 05:49:25PM +0100, Phil Sutter wrote:
> Hi Pablo,
>
> On Tue, Oct 25, 2022 at 01:52:33PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Oct 14, 2022 at 11:45:57PM +0200, Phil Sutter wrote:
> > > In order to "zero" a rule (in the 'iptables -Z' sense), users had to
> > > dump (parts of) the ruleset in stateless form and restore it again after
> > > removing the dumped parts.
> > >
> > > Introduce a simpler method to reset any stateful elements of a rule or
> > > all rules of a chain/table/family. Affects both counter and quota
> > > expressions.
> >
> > Patchset LGTM.
> >
> > For the record, we agreed on the workshop to extend this to:
> >
> > - add support for this command to table, chain and set objects too.
> > - validate that nft syntax is consistent from userspace with other
> > existing commands (for example, list).
>
> Looking into this, I wonder if it might cause confusion with regards to
> stateful objects:
>
> My original patch implements:
>
> - reset rule [<fam>] <table> <chain> handle <num>
> - reset rules [<fam>]
> - reset rules table [<fam>] <table>
> - reset rules chain [<fam>] <table> <chain>
>
> This is relatively consistent with list command, which (e.g.) has:
>
> - list set [<fam>] <table> <set>
> - list sets [<fam>]
> - list sets table [<fam>] <table>

This also looks consistent with stateful objects:

- reset counter [<fam>] <counter>
- reset counters table [<fam>] table <table>
- reset counters [<fam>]

> IIRC, your request at NFWS was to introduce something like:
>
> - reset table (for 'reset rules table')

This would require making two calls, one to NFT_MSG_GETOBJ_RESET and
another to NFT_MSG_GETRULE_RESET.

> - reset chain (for 'reset rules chain')

This could be implemented with the new NFT_MSG_GETRULE_RESET, which
already allows filtering by chain.

So these two would only require userspace code; this can be done
later.

> But the first one may seem like resetting *all* state of a table,
> including named quotas, counters, etc. while in fact it only resets
> state in rules.

Yes, the first should reset everything that is stateful and that is
contained in the table.

As said, this can be implemented later on from userspace.

This is addressing all my questions then, I'm going to put this into
nf-next.

Thanks for explaining.
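
The distinction discussed in this message, between state that lives inside a rule (anonymous counter/quota expressions, reset via NFT_MSG_GETRULE_RESET) and state that lives in a named object (reset via NFT_MSG_GETOBJ_RESET), can be made concrete by walking a JSON ruleset dump. The following is an added example, not code from the thread or from the nftables project: it takes a ruleset in the shape `nft -j list ruleset` prints, finds the rules that carry in-rule state, and builds the commands needed to zero everything stateful in one table. The `reset rule` / `reset rules table` syntax is the one proposed in the thread (not yet present in the nft release the thread predates); the `reset counters table` / `reset quotas table` commands are nft's existing commands for named objects. The ruleset, table and object names are constructed sample data, and the string-valued `{"counter": "name"}` form for a named-object reference is an assumption about libnftables-json encoding.

```python
import json

# Statement types whose state may sit inside a rule (anonymous form) or in a
# named object that the rule merely references.
STATEFUL_STMTS = ("counter", "quota")

# Constructed sample ruleset in the shape `nft -j list ruleset` prints.
# Not captured from a real host.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.5", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    # Named objects: their state is reset with `reset counters` / `reset quotas`.
    {"counter": {"family": "inet", "table": "filter", "name": "ssh_hits",
                 "handle": 2, "packets": 12, "bytes": 960}},
    {"quota": {"family": "inet", "table": "filter", "name": "daily", "handle": 3,
               "bytes": 1073741824, "used": 4096, "inv": False}},
    # Rule with an anonymous counter: the state lives in the rule itself.
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
              "expr": [{"match": {"op": "==",
                                  "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                  "right": 22}},
                       {"counter": {"packets": 12, "bytes": 960}},
                       {"accept": None}]}},
    # Rule with an anonymous quota: also in-rule state.
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5,
              "expr": [{"quota": {"val": 1, "val_unit": "gbytes",
                                  "used": 4096, "used_unit": "bytes"}},
                       {"accept": None}]}},
    # Rule referencing the named counter (assumed string form): no state in
    # the rule; resetting it is the named object's business.
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 6,
              "expr": [{"counter": "ssh_hits"}, {"drop": None}]}},
    # Stateless rule: nothing to reset.
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 7,
              "expr": [{"accept": None}]}},
]})


def _is_rule_state(stmt, value):
    """True if this statement keeps its state inside the rule.

    A bare string is a reference to a named object (assumed encoding); null or
    a dict is an anonymous counter/quota whose packets/bytes live in the rule.
    """
    return stmt in STATEFUL_STMTS and not isinstance(value, str)


def stateful_rules(ruleset_json):
    """Return (family, table, chain, handle, [stmt kinds]) for rules with in-rule state."""
    found = []
    for item in json.loads(ruleset_json)["nftables"]:
        rule = item.get("rule")
        if rule is None:
            continue
        kinds = [k for expr in rule.get("expr", []) for k, v in expr.items()
                 if _is_rule_state(k, v)]
        if kinds:
            found.append((rule["family"], rule["table"], rule["chain"],
                          rule["handle"], kinds))
    return found


def named_objects(ruleset_json):
    """Return {(family, table): {kind: [names]}} for named counters and quotas."""
    found = {}
    for item in json.loads(ruleset_json)["nftables"]:
        for kind in STATEFUL_STMTS:
            obj = item.get(kind)
            if obj is None:
                continue
            per_table = found.setdefault((obj["family"], obj["table"]), {})
            per_table.setdefault(kind, []).append(obj["name"])
    return found


def reset_rule_commands(ruleset_json):
    """One `reset rule ... handle N` (proposed syntax) per rule carrying in-rule state."""
    return [f"reset rule {fam} {tbl} {chain} handle {handle}"
            for fam, tbl, chain, handle, _ in stateful_rules(ruleset_json)]


def reset_table_commands(ruleset_json, family, table):
    """Everything stateful in one table.

    Named objects and rule state need separate commands because, kernel-side,
    they are separate requests (NFT_MSG_GETOBJ_RESET vs NFT_MSG_GETRULE_RESET);
    a plain `reset table` that zeroes both would have to issue both.
    """
    cmds = []
    objs = named_objects(ruleset_json).get((family, table), {})
    if "counter" in objs:
        cmds.append(f"reset counters table {family} {table}")
    if "quota" in objs:
        cmds.append(f"reset quotas table {family} {table}")
    if any(f == family and t == table for f, t, *_ in stateful_rules(ruleset_json)):
        cmds.append(f"reset rules table {family} {table}")
    return cmds


if __name__ == "__main__":
    for cmd in reset_table_commands(SAMPLE_RULESET, "inet", "filter"):
        print(cmd)
```

The per-rule variant (`reset_rule_commands`) is what replaces the old dump-stateless-and-restore dance for zeroing a single rule; the per-table variant shows why "reset table" is ambiguous unless it is defined, as agreed above, to cover named objects as well as rule expressions. On a real host the emitted lines would be fed to `nft -f -` with a kernel and nft that implement the proposed commands.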

Thread overview:
2022-10-14 21:45 [nf-next PATCH 0/2] Support resetting rules' state Phil Sutter
2022-10-14 21:45 ` [nf-next PATCH 1/2] netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters Phil Sutter
2022-10-14 21:45 ` [nf-next PATCH 2/2] netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET Phil Sutter
2022-10-25 11:52 ` [nf-next PATCH 0/2] Support resetting rules' state Pablo Neira Ayuso
2022-11-08 16:49 ` Phil Sutter
2022-11-09 10:16 ` Pablo Neira Ayuso [this message]
2022-11-09 12:11 ` Phil Sutter