From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Thomas Haller <thaller@redhat.com>
Cc: NetFilter <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nft 0/4] add operation cache for timestamp
Date: Tue, 29 Aug 2023 17:38:11 +0200
Message-ID: <ZO4Q4xZGvg+E+j3P@calendula>
In-Reply-To: <20230825132942.2733840-1-thaller@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 807 bytes --]
On Fri, Aug 25, 2023 at 03:24:16PM +0200, Thomas Haller wrote:
> Add a cache for "time(NULL)" and tm_gmtoff from localtime_r(time(NULL), &tm).
> The point is to ensure that one parse/output operation fetches the current time
> and GMT offset at most once.
>
> Follow up to ([1])
>
> Subject: Re: [nft PATCH 2/2] meta: use reentrant localtime_r()/gmtime_r() functions
> Date: Tue, 22 Aug 2023 17:15:14 +0200
>
> [1] https://marc.info/?l=netfilter-devel&m=169271724629901&w=4
To extend what I said yesterday. It would be great if you could
validate that we have sufficient tests for time support.
Probably you can use this ruleset that I am attaching as reference and
think of a ruleset to cover this? I am attaching an example ruleset
which is basically a "timetable" using nftables sets/maps.
[-- Attachment #2: schedules.nft --]
[-- Type: text/plain, Size: 768 bytes --]
table netdev filter {
	map ether_to_chain {
		typeof ether saddr : verdict
		elements = { 96:68:97:a7:e8:a7 comment "Device match" : jump fw_p0_dev0 }
	}

	map schedule_time {
		typeof meta time : verdict
		flags interval
		counter
		elements = { "2022-10-09 18:46:50" - "2022-10-09 19:16:50" comment "!Schedule OFFLINE override" : drop }
	}

	map schedule_day {
		typeof meta day . meta hour : verdict
		flags interval
		counter
		elements = { "Tuesday" . "06:00" - "07:00" : drop }
	}

	chain fw_p0_dev0 {
		meta time vmap @schedule_time
		meta day . meta hour vmap @schedule_day
	}

	chain my_devices_rules {
		ether saddr vmap @ether_to_chain
	}

	chain ingress {
		type filter hook ingress device eth0 priority filter; policy accept;
		jump my_devices_rules
	}
}
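
The caching idea from the quoted cover letter, as an added example (not code from the nft patches or from either author): a hypothetical `op_time_cache` reads the clock at most once per operation and derives the GMT offset from that same reading, so both bounds of a local-time interval such as "06:00" - "07:00" are shifted by one and the same offset. All struct and function names, the injectable clock and the sample timestamp are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes tm_gmtoff on glibc */
#endif
#include <stdbool.h>
#include <time.h>

/* Hypothetical per-operation cache; names are illustrative, not nft's. */
struct op_time_cache {
	bool has_now, has_gmtoff;
	time_t now;
	long gmtoff;
	time_t (*clock)(time_t *); /* injectable clock; NULL means time() */
	unsigned clock_calls;      /* number of real clock reads */
};

/* Constructed clock that advances one second per read, to expose re-reads. */
static time_t fake_now = 1693323491; /* constructed sample timestamp */
static time_t ticking_clock(time_t *unused) { (void)unused; return fake_now++; }

/* Timestamp of this operation: the clock is read at most once. */
static time_t op_cache_now(struct op_time_cache *c)
{
	if (!c->has_now) {
		c->now = (c->clock ? c->clock : time)(NULL);
		c->clock_calls++;
		c->has_now = true;
	}
	return c->now;
}

/* GMT offset in seconds, derived once from the cached timestamp. */
static long op_cache_gmtoff(struct op_time_cache *c)
{
	if (!c->has_gmtoff) {
		time_t now = op_cache_now(c);
		struct tm tm;
		c->gmtoff = localtime_r(&now, &tm) ? tm.tm_gmtoff : 0;
		c->has_gmtoff = true;
	}
	return c->gmtoff;
}

/* Local second-of-day to UTC second-of-day, wrapped into [0, 86400). */
static long local_sod_to_utc(struct op_time_cache *c, long sod)
{
	long utc = (sod - op_cache_gmtoff(c)) % 86400;
	return utc < 0 ? utc + 86400 : utc;
}
```

A fresh zero-initialised `struct op_time_cache` per parse or output operation gives each operation its own single clock reading.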