netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
	netdev@vger.kernel.org, kuba@kernel.org, lukas@wunner.de,
	kadlec@netfilter.org, fw@strlen.de, ast@kernel.org,
	edumazet@google.com, tgraf@suug.ch, nevola@gmail.com,
	john.fastabend@gmail.com, willemb@google.com
Subject: Re: [PATCH nf-next v5 0/6] Netfilter egress hook
Date: Thu, 30 Sep 2021 11:21:42 +0200
Message-ID: <YVWBpsC4kvMuMQsc@salvia>
In-Reply-To: <3973254b-9afb-72d5-7bf1-59edfcf39a58@iogearbox.net>

On Thu, Sep 30, 2021 at 09:33:23AM +0200, Daniel Borkmann wrote:
> On 9/30/21 9:19 AM, Pablo Neira Ayuso wrote:
[...]
> > Why do you need a sysctl knob when my proposal is already
> > addressing your needs?
> 
> Well, it's not addressing anything ... you even mention it yourself "arguably,
> distributors might decide to compile nf_tables_netdev built-in".

I said distributors traditionally select the option that we signal to
them, which is to enable this as a module. We can document this in
Kconfig. I think distributors should select whatever is better for
their needs.

Anyway, I'll tell you why module blacklisting is bad: It is a hammer,
it is a band-aid to a problem. Blacklisting is just making things
worse because it makes some people believe that something is
unfixable. Yes, it took me a while to figure out.

We already entered the let's bloat the skbuff for many years already,
this is stuffing one more bit into the skbuff just because maybe users
might break an existing setup when they load new rules to the new
netfilter egress hook.

Probably the sysctl for this new egress hook is the way to go as you
suggest.

Thanks.
