On Sun, Feb 16, 2014 at 11:33:35AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 15, 2014 at 09:38:23AM +0000, Patrick McHardy wrote:
> >
> > > The set definition and the elements need to be included in the lookup
> > > expression for anonymous sets, can you think of any better solution?
> >
> > I think we can use some identifiers generated by userspace to tie them
> > both together. Something like a unique numeric identifier (unique within
> > the transaction).
>
> That can be done, but I don't see why we allow the creation of
> anonymous sets out of the scope of a rule since:
>
> * They can only be used by one single rule.
> * You cannot update them by adding/deleting elements.
>
> The current API allows creating an anonymous set that can be left
> unused. I think we should only allow the creation of non-anonymous
> sets via NFT_MSG_NEWSET at some point.

The two main reasons are:

- it keeps the API simpler
- members might not fit into a single message and currently we can keep
  adding members as long as the set is not bound

I don't think we should change this. It actually also is possible to use
anonymous sets with more than one rule, just nft doesn't provide a way to
do it. The definition of an anonymous set is (anonymous isn't the best
name) a set that is automatically destroyed once the last rule unbinds.
The fact that we don't allow to use them in multiple rules is purely
internal to nft.

On a general note, nft is just meant to be *one* frontend, there's no
reason why someone else couldn't write a different one more suitable for
a specific purpose. F.i. a simple embedded system might only use tuples
of (dst,proto,port) and use a hash for the lookup.