Hi Pablo,

On Tue, Sep 17, 2019 at 07:00:38AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 16, 2019 at 06:49:53PM +0200, Phil Sutter wrote:
> > This improves cache population quite a bit and therefore helps when
> > dealing with large rulesets. A simple hard to improve use-case is
> > listing the last rule in a large chain.
>
> You might consider extending the netlink interface too for this
> particular case, GETRULE plus position attribute could be used for
> this I think. You won't be able to use this new operation from
> userspace anytime soon though, given there is no way so far to expose
> interface capabilities so far rather than probing.
>
> If there are more particular corner cases like this, I would also
> encourage to extend the netlink interface.
>
> Just a side note, not a comment specifically on this patch :-).

Thanks for suggesting, I didn't consider extending the kernel to support
the index stuff yet. In general, I refrained from kernel changes simply
because of the compat problem. Implementing failure tolerance can quickly
turn into a mess, too.

Cheers, Phil