From: Patrick McHardy <kaber@trash.net>
To: Andreas Herz <andi@geekosphere.org>
Cc: netfilter@vger.kernel.org
Subject: Re: [ANNOUNCE]: Release of nftables 0.099
Date: Tue, 21 Jan 2014 12:49:07 +0000
Message-ID: <20140121124907.GA32383@macbook.localnet>
In-Reply-To: <20140121124340.GT5409@kvmbude>
On Tue, Jan 21, 2014 at 01:43:40PM +0100, Andreas Herz wrote:
> On 21/01/14 at 12:32, Patrick McHardy wrote:
> > >
> > > > Timeouts shouldn't be that hard as well, but I would need to think about
> > > > this some more, I'd prefer not to add struct timer_lists everywhere.
> > >
> > > That sounds like it rather won't come into nftables code. So what would
> > > be the suggestion?
> >
> > I'm not saying this, I merely want to check how to do this with as little
> > waste as possible. Some possibilities are:
>
> So it's better to just wait some time to see how it will go on :) That's
> fine, too.
Yeah. At least the dynamic updates are quite likely to happen soon.
> > - add a new set feature flag and only implement it for those types. Downside
> > is code duplication.
> >
> > - somehow trigger removal from outside the set. Downside is memory waste
> > since we'd need to store the elements twice.
> >
> > - use dynamic sized structures and add the timer at the end. Problem is that
> > we're in some cases already using optional members at the end, so it would
> > complicate the code a bit.
>
> I see that all three possibilities are far from perfect :/
Well, all have some downsides, but I guess it's something people will want
to have, otherwise Jozsef wouldn't have added it, so we'll find a way.
> > > Or asking more specific, what would be the suggested way to add special
> > > features needed for some scenarios?
> > > For example, how would you port modules like portscan or others from
> > > xtables-addons to nftables.
> > > Integrate it or port it to be used as an addon.
> >
> > The preferred way would be to identify the required primitives and build
> > it from a set of lower level expressions if possible. An alternative would
> > be to use the compat expression or just add a native portscan expression.
>
> Is there more information available for the compat expression or how to
> add such a native expression (or at least planned, since it's quite
> early and I can understand that there are other major issues first)?
The compat expression simply uses x_tables modules. We don't support it
in nftables userspace, but you should find enough information in the
iptables-nftables compatibility layer.
For native expressions, just have a look at any of the existing ones.
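As an added illustration (not part of the thread, and not code from the nftables project or either author) of what "build it from a set of lower level expressions" looks like once sets with timeouts and dynamic updates exist: the ruleset below uses the syntax nftables gained in later releases, well after 0.099, to flag a source that opens new TCP connections faster than a threshold and to drop it for a while. Table, set and chain names and the thresholds are hypothetical. It approximates a portscan module with a per-source rate heuristic; a native portscan expression would count distinct destination ports instead, which these primitives do not express.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Uses nftables syntax that
# postdates 0.099 (flags dynamic, flags timeout, add @set from a rule).
# All names and numbers are hypothetical.

flush ruleset

table inet filter {
    # Sources that tripped the threshold. Elements carry their own expiry,
    # so the kernel's set timeout does the garbage collection; no external
    # timer or out-of-band removal is needed.
    set scanners {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }

    # Per-source rate state. Idle entries expire after a minute so the set
    # does not fill with one-off clients; size bounds memory use.
    set syn_rate {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy accept;

        iif lo accept
        ct state established,related accept

        # Already flagged sources are dropped until their element expires.
        ip saddr @scanners drop

        # A pure SYN that starts a new connection updates the per-source rate
        # element; the "limit rate over" element only lets the rule continue
        # once the source exceeds 20 new SYNs/s (burst 40), at which point the
        # source is added to the blocklist with the set's default 10m timeout.
        tcp flags & (syn|ack) == syn ct state new \
            add @syn_rate { ip saddr limit rate over 20/second burst 40 packets } \
            add @scanners { ip saddr } \
            log prefix "portscan-suspect: " drop
    }
}
```

Check the file with `nft -c -f portscan.nft` before loading it with `nft -f portscan.nft`; `nft list set inet filter scanners` then shows flagged sources together with their remaining expiry, which is the timeout behaviour the thread is discussing.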
Thread overview: 13+ messages
2014-01-20 13:11 [ANNOUNCE]: Release of nftables 0.099 Patrick McHardy
2014-01-20 23:38 ` Release of nftables-plus 0.099 Jan Engelhardt
2014-01-20 23:41 ` [netfilter-core] " Patrick McHardy
2014-01-21 0:00 ` Jan Engelhardt
2014-01-21 0:26 ` Patrick McHardy
2014-01-21 11:59 ` [ANNOUNCE]: Release of nftables 0.099 Andreas Herz
2014-01-21 12:14 ` Patrick McHardy
2014-01-21 12:24 ` Andreas Herz
2014-01-21 12:32 ` Patrick McHardy
2014-01-21 12:43 ` Andreas Herz
2014-01-21 12:49 ` Patrick McHardy [this message]
2014-01-21 13:12 ` Jozsef Kadlecsik
2014-01-21 13:27 ` Patrick McHardy