Re: Xtables2 Netlink spec

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 2010-11-26 09:25, Pablo Neira Ayuso wrote:
>
>> In fact, why don't we just use genetlink for new code instead?
>
>Genetlink is similar. The main difference is that the ID family number
>and multicast groups for each subsystem is not fixed, it's registered in
>runtime. This means that you have to make the "family name resolution",
>ie. to send a message to resolve the ID family number and multicast
>groups before doing any operation.

That does not sound like a showstopper, though.

>>> BTW, I didn't look at your protocol in deep yet but I'd suggest the 
>>> following basis to rework it: one netlink message, one rule operation.
>> 
>> I can agree with that suggestion, so I will be doing that.
>
>Great, this approach requires more memory because you spend one netlink
>header for every rule, but the cost is worth since it provides flexibility.

As far as I can see, it won't cost me more memory; char buf[MNL_BUFFER_SIZE]
remains, and the kernel part does not have to keep more state than before
anyway, so it's a zero-sum game.

>> On the other extreme, Perl5 has shown that, when there is no full
>> specification, the code fills in. As it stands, af_netlink.c does
>> support attribute ordering :-)
>
>I agree, it would be great to have some more specifications. However, 1)
>someone would have to like doing that, and 2) Linux kernel evolves so
>quick that documenting aspects remains a daunting task. Anyway, I don't
>throw the towel on documentation, actually I'd like to do that.
>
>You are quite prolific in writing documentation, let me know if you are
>interested if I write some drafts, in case that you want to
>contribute/review. Or let me know if you decide to write something, I'd
>be pleased to contribute of course.

I have in the pipeline an Netlink e-book, though it's more of a large
howto (like "Writing Netfilter Modules") than an academicly dry RFC.

>>[...] memory needs to be allocated and stored, right before
>>netlink_dump_start is called. [But] because nlk->cb->cb_args is
>>inaccessible from outside[...], the lookup and allocation is
>>currently done inside the dump function[...]
>
>What is that initial data handling in dumps for?

Making an atomic snapshot/copy of the table. A userspace client
could take almost indefinitely on retrieving a table, so it is
possible that something else changes tables meanwhile.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux