Re: [PATCH nft 2/5] tests: shell: cannot use handle for non-existing rule in kernel


 



Hi Pablo,

On Mon, Jun 17, 2019 at 06:06:57PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 06:00:30PM +0200, Phil Sutter wrote:
[...]
> > My initial implementation of intra-transaction rule references made
> > this handle guessing impossible, but your single point cache
> > fetching still allowed for it (hence why I dropped my patch with a
> > similar change).
> 
> Hm. I think we should not guess the handle that the kernel assigns.
> 
> In a batch, handles do not exist. We could expose the
> intra-transaction index if needed to the user. But I don't see a
> use-case for this.
> 
> I think we should leave the handle as a reference to already existing
> rules in the kernel.

Yes, it's an ugly hack that should never have worked in the first place,
I fully agree. Yet that it stops working indicates user space starts
doing more than it has to - IMHO relying upon the kernel verifier is
desirable. At least it allows for much better handling of large
rulesets.

Cheers, Phil
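As an added illustration of the "handle guessing" the two are discussing (constructed here, not part of the thread or of the nft test-suite patch), here is a single batch that adds a rule and then tries to position a second rule relative to the first one's kernel-assigned handle. The table and chain names and the guessed handle value are hypothetical.

```nft
# Constructed example, not from the patch series. "handle 3" is a guess at
# the handle the kernel *would* assign to the counter rule once the batch is
# committed. Nothing in the batch guarantees that value: handles are
# allocated by the kernel at commit time, and inside a transaction they do
# not exist yet, which is why nft rejects the reference.
add table inet demo
add chain inet demo input { type filter hook input priority 0; }
add rule inet demo input counter
add rule inet demo input handle 3 accept   # rejected: no such rule in the kernel yet
```

The form that does work is the one Pablo describes: commit the first batch, read the real handle back with `nft -a list chain inet demo input`, and only then reference it (`nft add rule inet demo input handle <n> accept`) in a separate transaction, so the handle always names a rule that already exists in the kernel.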


