netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: nf_tables: do not refresh timeout when resetting element
Date: Wed, 4 Oct 2023 10:23:48 +0200
Message-ID: <ZR0hFIIqdTixdPi4@calendula>
In-Reply-To: <20231004080702.GD15013@breakpoint.cc>

On Wed, Oct 04, 2023 at 10:07:02AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > We will soon need NFT_MSG_GETRULE_RESET_NO_TIMEOUT to undo this combo
> > command semantics, from userspace this will require some sort of 'nft
> > reset table x notimeout' syntax.
> 
> NFT_MSG_GETRULE_RESET_NO_TIMEOUT sounds super ugly :/
> 
> Do you think we can add a flags attr that describes which parts
> to reset?

Sure. This will require one attribute for each object type, also
reject it where it does not make sense.

> No flags attr would reset everything.

Refreshing timers is a bad default behaviour.

And how does this mix with the set element timeout model from
transaction? Now timers become a "moving target" again with this
refresh? Oh, this will drag commit_mutex to netlink dump path to avoid
that.

> Do you consider reset of timers to be something that must
> be handled via transaction infra or do you think it can
> (re)use the dump-and-reset approach?

The question is why the user wants to reset the timers in this path.

For counters, this is to collect stats while leaving remaining things
as is. Refreshing timers makes no sense to me.

For quota, this is to fetch the consumed quota and restart it, it
might make sense to refresh the timer, but transaction sounds like a
better path for this use case?

For limit, they do not expose internal stateful information, so this
is just a reset. Timer refresh makes no sense to me here.

If this is for a dynamic set, the user is refreshing/extending the
timeout, but usually it is the packet path that refreshes these timeouts
via update.

This reset feature is just there to collect stateful properties and
leave things as is.
