On Wed, Feb 26, 2014 at 12:05:06PM +0000, Patrick McHardy wrote:
> On Wed, Feb 26, 2014 at 02:53:12AM +0100, Pablo Neira Ayuso wrote:
> > This allows us to store user comment strings, but it could also be
> > used to store any kind of information that the user application needs
> > to link to the rule.
> >
> > struct nft_rule {
> > struct list_head list;
> > - u64 handle:46,
> > - genmask:2,
> > - dlen:16;
> > + u64 handle;
> > + u32 dlen;
> > + u32 genmask:2,
> > + ulen:30;
> This increases the size of the rule by 8 bytes.

Yup, spent some minutes in front of this but I didn't find a better way.

> I'd suggest to scrape that off elsewhere. First of all, we probably
> don't need 16 bytes for the rule length, 12 == 4k should be enough.

Considered that, but my main concern was the xtables compatibility layer. I guess 4K is fine in terms of matches/target there. Assuming 120 bytes per match, we get 34, which sounds quite a lot. Good, I think we can scratch those 4 bits.

> The other 4 bits could be taken from the handle I suppose, 2^42
> should still be enough. Assuming 1000 new rules per second it would
> still last for 139 years :)

Ah good too. Someone else will have to fix this by that time, I already reserved a deckchair with popcorn on Mars for year 2153.

Will send a v2. Thanks.
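
Review bot: In the struct nft_rule hunk, `ulen:30` lets a single rule carry close to 1 GiB of user data, far more than a comment string needs, and adding it is what pushes the former 64-bit bitfield (46 + 2 + 16) past one u64. Keeping everything packed in one u64 with the widths discussed in the thread (handle:42, genmask:2, dlen:12) leaves 8 bits for ulen, which avoids the 8-byte growth and caps user data at 255 bytes. Whichever width is chosen, the hunk shows no upper bound for the new field, so the length supplied from userspace should be checked against the field's maximum before it is stored, and an oversized blob rejected rather than silently truncated by the bitfield assignment.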