netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
	netdev@vger.kernel.org
Subject: Re: [PATCH net 2/5] netfilter: nf_tables: add position handle in event notification
Date: Thu, 30 Sep 2021 09:28:39 +0200
Message-ID: <YVVnJ+Rv36/aF3+u@salvia>
In-Reply-To: <20210929191953.00378ec4@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

Hi Jakub,

On Wed, Sep 29, 2021 at 07:19:53PM -0700, Jakub Kicinski wrote:
> On Thu, 30 Sep 2021 01:04:57 +0200 Pablo Neira Ayuso wrote:
> > Add position handle to allow to identify the rule location from netlink
> > events. Otherwise, userspace cannot incrementally update a userspace
> > cache through monitoring events.
> > 
> > Skip handle dump if the rule has been either inserted (at the beginning
> > of the ruleset) or appended (at the end of the ruleset), the
> > NLM_F_APPEND netlink flag is sufficient in these two cases.
> > 
> > Handle NLM_F_REPLACE as NLM_F_APPEND since the rule replacement
> > expansion appends it after the specified rule handle.
> > 
> > Fixes: 96518518cc41 ("netfilter: add nftables")
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Let me defer to Dave on this one. Krzysztof K recently provided us with
> this quote:
> 
> "One thing that does bother [Linus] is developers who send him fixes in the
> -rc2 or -rc3 time frame for things that never worked in the first place.
> If something never worked, then the fact that it doesn't work now is not
> a regression, so the fixes should just wait for the next merge window.
> Those fixes are, after all, essentially development work."
> 
> 	https://lwn.net/Articles/705245/
> 
> Maybe the thinking has evolved since, but this patch strikes me as odd.
> We forgot to put an attribute in netlink 8 years ago, and suddenly it's
> urgent to fill it in?  Something does not connect for me, certainly the
> commit message should have explained things better...

Reasonable, but in this particular case I cannot fix userspace monitor
mode without this patch.

A user reported that 'nft insert rule...' shows as 'nft add rule...'
in 'nft monitor'.

Then if 'nft add rule x y position 10...' is used to add a rule at a
given position, it does not show the 'position 10', so the user is
just getting an 'add rule x y', which means append it at the end.

Same thing happens with 'create table x', it shows as 'add table x'.

No one noticed the missing flags in the event notification path so far.

I can place this into net-next, yes, but this is only going to delay
things before I can ask for including this in -stable; meanwhile users
will keep getting misleading event notifications for these cases.

Thanks.
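The cache divergence described in the mail above, modelled as an added Python example (this is not code from the netfilter project or from anyone in this thread). A consumer replays rule events into a per-chain cache twice: once with the position handle the patch adds to the notification, and once with it stripped, which is what a monitor saw while the kernel only sent the flags. The event structure, the handle numbering and the 'position' field are assumptions made for the model; only the NLM_F_APPEND and NLM_F_REPLACE values are netlink's own.

```python
"""Model of a userspace cache fed by nf_tables rule events (added example).

Netlink flag values are the real ones from linux/netlink.h; the event
layout, handles and 'position' field are simplifications assumed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

NLM_F_REPLACE = 0x100   # real value; the patch reports replace as append
NLM_F_APPEND = 0x800    # real value; absent means "insert at the head"


@dataclass
class RuleEvent:
    handle: int                      # handle of the newly added rule
    flags: int                       # NLM_F_* flags carried by the event
    position: Optional[int] = None   # handle of the neighbour rule, if sent


@dataclass
class ChainCache:
    rules: List[int] = field(default_factory=list)

    def apply(self, ev: RuleEvent) -> None:
        # Without a position handle the flag is the only information:
        # NLM_F_APPEND means "end of chain", anything else "head of chain".
        if ev.position is None:
            if ev.flags & NLM_F_APPEND:
                self.rules.append(ev.handle)
            else:
                self.rules.insert(0, ev.handle)
            return
        if ev.position not in self.rules:
            # The cache already diverged from the kernel; refuse to guess.
            raise LookupError(f"unknown position handle {ev.position}")
        idx = self.rules.index(ev.position)
        if ev.flags & NLM_F_APPEND:
            # 'add rule ... position N' (and the replace expansion, which
            # the patch reports with NLM_F_APPEND): land after N.
            self.rules.insert(idx + 1, ev.handle)
        else:
            # 'insert rule ... position N': land before N.
            self.rules.insert(idx, ev.handle)


def replay(events: List[RuleEvent], drop_position: bool = False) -> List[int]:
    """Return the rule order a consumer reconstructs from the events.

    drop_position=True models notifications that carry flags but no
    position handle, as before the patch discussed in this thread.
    """
    cache = ChainCache()
    for ev in events:
        if drop_position:
            ev = RuleEvent(ev.handle, ev.flags, None)
        cache.apply(ev)
    return list(cache.rules)


# Constructed sequence of operations on one chain (handles are assumed):
#   add rule (h1), add rule (h2), insert rule (h3),
#   add rule position h1 (h4), insert rule position h2 (h5)
SCENARIO = [
    RuleEvent(1, NLM_F_APPEND),
    RuleEvent(2, NLM_F_APPEND),
    RuleEvent(3, 0),
    RuleEvent(4, NLM_F_APPEND, position=1),
    RuleEvent(5, 0, position=2),
]

if __name__ == "__main__":
    print("kernel order  :", replay(SCENARIO))
    print("monitor view  :", replay(SCENARIO, drop_position=True))
```

Running the block prints the kernel's order, 3 1 4 5 2, against the monitor's reconstruction, 5 3 1 2 4. Since the first matching rule decides the verdict, any auditing or policy-sync tool driven by such events reasons about a ruleset the kernel is not actually enforcing; the position handle in the notification is what lets the two orders agree.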


Thread overview: 10+ messages
2021-09-29 23:04 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
2021-09-29 23:04 ` [PATCH net 1/5] netfilter: conntrack: fix boot failure with nf_conntrack.enable_hooks=1 Pablo Neira Ayuso
2021-09-29 23:04 ` [PATCH net 2/5] netfilter: nf_tables: add position handle in event notification Pablo Neira Ayuso
2021-09-30  2:19   ` Jakub Kicinski
2021-09-30  7:28     ` Pablo Neira Ayuso [this message]
2021-09-30 12:35     ` David Miller
2021-09-30 13:49       ` Pablo Neira Ayuso
2021-09-29 23:04 ` [PATCH net 3/5] netfilter: nf_tables: reverse order in rule replacement expansion Pablo Neira Ayuso
2021-09-29 23:04 ` [PATCH net 4/5] netfilter: nft_dynset: relax superfluous check on set updates Pablo Neira Ayuso
2021-09-29 23:05 ` [PATCH net 5/5] netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification Pablo Neira Ayuso
