On 26/11/10 16:27, Jan Engelhardt wrote:
>
> On Friday 2010-11-26 09:25, Pablo Neira Ayuso wrote:
>
>>>> BTW, I didn't look at your protocol in depth yet but I'd suggest the
>>>> following basis to rework it: one netlink message, one rule operation.
>>>
>>> I can agree with that suggestion, so I will be doing that.
>>
>> Great, this approach requires more memory because you spend one netlink
>> header for every rule, but the cost is worth it since it provides flexibility.
>
> Hm, I remembered a problem with that. With "allow same attribute type
> multiple times", it is possible to send a single TABLE_REPLACE
> request message (even if it is 150 MB in size) that the kernel part
> can then work on. Without it, and instead using per-rule ops, it
> would mean that I would have to keep a per-fd state (which seems not
> possible) and make use of the NETLINK_URELEASE notification handler
> to kill said state when the client goes away unexpectedly.

You can lock the table during the dump to prevent someone from modifying
the rule-set (we can return EAGAIN to the one trying to add some rule,
so it can retry).