Re: [PATCH nft] src: add cookie support for rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 04, 2020 at 01:38:05PM -0400, Eric Garver wrote:
> On Tue, Aug 04, 2020 at 04:24:12PM +0200, Pablo Neira Ayuso wrote:
> > This patch allows users to specify a unsigned 64-bit cookie for rules.
> > The userspace application assigns the cookie number for tracking the rule.
> > The cookie needs to be non-zero. This cookie value is only relevant to
> > userspace since this resides in the user data area.
> > 
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> > Phil, you suggested a cookie to track rules, here it is. A few notes:
> > 
> > - This patch is missing json support.
> > - No need for kernel update since the cookie is stored in the user data area.
> 
> It's also missing the ability to delete a rule using the cookie. I guess
> this means userspace will have to fetch the ruleset and map a cookie to
> rule handle in order to perform the delete.

This cookie idea provides an alternative to skip the input and output
json string comparison, you have to combine it with --echo.

You will still need to use the handle to uniquely identify the rule by
processing the echo message (compare the cookie you set in the rule
that is sent to the kernel, instead of comparing strings).

The input and output json string comparison might be a problem in the
midterm. New netlink attributes and old kernels might result in
different input and output json string.

This is not aiming to provide a mechanism to delete rules by other
than the rule handle.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux