On Wed, Aug 31, 2022 at 8:31 AM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
> > > Same with a 'nft list ruleset > /etc/nft.txt', reboot,
> > > 'nft -f /etc/nft.txt' fails because user forgot to load/pin the program
> > > first.
> >
> > Right, so under what conditions is the identifier expected to survive,
> > exactly? It's okay if it fails after a reboot, but it should keep
> > working while the system is up?
>
> Right, that's the question. I think it boils down to 'least surprise',
> which to me would mean useable labels are:
>
> 1. pinned name
> 2. elf filename
> 3. filter name
>
> 3) has the advantage that afaiu I can extend nft to use the dumped
> id + program tag to query the name from the kernel, whereas 1+2 would
> need to store the label.
>
> 1 and 2 have the upside that it's easy to handle a 'file not found'
> error.

I'm strongly against calling into bpf from the inner guts of nft.
Nack to all options discussed in this thread.
None of them make any sense.