Hi Jesper, thanks for summarizing it and keep me in the loop. On 4/22/2013 10:05 PM, Jesper Dangaard Brouer wrote: Use-case 4 ---------- I discussed this with Pablo after the conference (well I rather cornered him and forced him to listen to me ;)). Common per socket ACL re-using in kernel nftable. Problem: virtually all userland daemons implement some kind of access list (source ip, interface, etc.). This is a lot of duplicated code across many implementations that might be not as efficient as they could be and not as flexible. Discussion lead to have some kind of per socket nftable that could (for example): 1) drop packets directly (saves a few memcpy down to userland and userland processing). 2) mark the packet as "this one matched rule X or Y" and send the data down to userland in the ancillary data, to allow userland to warn/take other actions. and from a troubleshooting/debugging perspective, by having all those rules in the place (nftable/kernel), would allow a user to: nftable --fulldump (whatever option) and see effectively all the rules that apply to the host and the applications in one go, without having to interact with multiple parts of the system (first nftable, then per application config files, etc). An approach of this kind also integrates very well with use-case 2 and 3 because effectively, a dry run would be able to navigate all the active rules at once. Thanks again for taking time to listen to my rumbling guys! Fabio -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
