On 24.11, Pablo Neira Ayuso wrote:
> On Tue, Nov 24, 2015 at 11:31:05AM +0100, Florian Westphal wrote:
> > > > + if (nfnetlink_has_listeners(pkt->net, NFNLGRP_NFTABLES))
> > > > + prefer_native_trace = true;
> > > > + else
> > > > + __nft_trace_packet(pkt, chain, rulenum, type);
> > >
> > > For this very specific case I prefer a sysctl that we can remove
> > > moving forward, then remove this code and default to the new tracing
> > > infrastructure once we have indications that adoption of this new
> > > tracing infrastructure has been massively adopted instead of the
> > > existing one.
> >
> > So you're saying
> >
> > sysctl nft_old_trace = 1;
> >
> > and then do
> >
> > nf_tables_trace_notify(..)
> > if (nft_old_trace)
> >     __nft_trace_packet();
> >
> > ?
>
> What I'm trying to avoid is the initial race that we'll have.
>
> I mean, with this approach the user will likely enable the tracing
> from the rule, then will launch nft trace. In that case, he will be
> getting traces from the old way for a little while until you get one
> process subscribed to this.

One more thing to consider is interaction with other netfilter subsystems.

F.i. I think it would be very useful to have per connection tracing,
so we'd store a flag in the nfct and transfer it to every packet.

This would make them show up in the nft ruleset, but what about
tracing in specific points of conntrack/NAT itself?

Can we send them to the same group and make them integrate with
ruleset tracing?
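Review bot: the `nfnetlink_has_listeners(pkt->net, NFNLGRP_NFTABLES)` check in the quoted hunk keys on any subscriber to the general nftables notification group, not specifically on a trace consumer, so an unrelated listener (for instance a process watching ruleset change events) would silently suppress the legacy `__nft_trace_packet()` output for every traced packet while a `nft trace` started later still misses the first packets, which is the race described in the reply. Whichever way the transition is done, the switch should be an explicit, administrator-visible setting (the proposed sysctl) or a listener check on a dedicated trace group rather than on `NFNLGRP_NFTABLES`, and the hunk would benefit from a comment stating that the old path is skipped only when a listener is present.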