On Tue, Nov 24, 2015 at 11:31:05AM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c > > > index dabf5ed..69bdd9a 100644 > > > --- a/net/netfilter/nf_tables_core.c > > > +++ b/net/netfilter/nf_tables_core.c > > > @@ -55,6 +55,7 @@ static void __nft_trace_packet(const struct nft_pktinfo *pkt, > > > rulenum); > > > } > > > > > > +static bool prefer_native_trace __read_mostly; > > > struct static_key nft_trace_enabled __read_mostly; > > > EXPORT_SYMBOL_GPL(nft_trace_enabled);
> > > > > > @@ -69,7 +70,13 @@ static inline void nft_trace_packet(const struct nft_pktinfo *pkt, > > > if (!pkt->skb->nf_trace) > > > return; > > > nf_tables_trace_notify(pkt, chain, rule, verdict, type); > > > - __nft_trace_packet(pkt, chain, rulenum, type); > > > + if (prefer_native_trace) > > > + return; > > > + > > > + if (nfnetlink_has_listeners(pkt->net, NFNLGRP_NFTABLES)) > > > + prefer_native_trace = true; > > > + else > > > + __nft_trace_packet(pkt, chain, rulenum, type);
> >
> > For this very specific case I prefer a sysctl that we can remove
> > moving forward, then remove this code and default to the new tracing
> > infrastructure once we have indications that adoption of this new
> > tracing infrastructure has been massively adopted instead of the
> > existing one.
>
> So you're saying
>
> sysctl nft_old_trace = 1;
>
> and then do
>
> nf_tables_trace_notify(..)
> if (nft_old_trace)
> 	__nft_trace_packet();
>
> ?

What I'm trying to avoid is the initial race that we'll have. I mean,
with this approach the user will likely enable the tracing from the
rule, then will launch nft trace. In that case, he will be getting
traces from the old way for a little while until you get one process
subscribed to this.
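Review bot: `prefer_native_trace`, added at file scope in the `@@ -55,6 +55,7` hunk, is one global flag, while the check that sets it in nft_trace_packet() is made against `pkt->net`. A listener on NFNLGRP_NFTABLES in one network namespace would therefore switch off the legacy `__nft_trace_packet()` output for every namespace. Consider keeping this state per netns, and add a comment above the declaration saying what sets the flag and that nothing in this patch clears it.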
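Review bot: the `prefer_native_trace = true;` assignment in the `@@ -69,7 +70,13` hunk is a one-way latch. Once any listener has been seen, the early `return` skips `__nft_trace_packet()` for good, even after that listener has gone away, and none of the visible lines resets the flag. Until the first listener subscribes, traced packets still take the legacy path, so output is split across both mechanisms during that window. Either test `nfnetlink_has_listeners()` for each traced packet without latching the result, or make the one-way switch explicit in a comment and in the commit message so users know the legacy log output will not come back.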