Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > At least for the systemd use case, there would be a need to allow
> > add/removal of set elements from another user.
>
> Then, probably a flag for this? Such flag would work like this?
>
> - Allow for set element updates (from any process, no ownership).
> - nft flush ruleset skips flushing the set.
> - nft flush set x y flushes the content of this set.

Right, I'd suggest some permission set that tells what is (dis)allowed.

> Would this work for the scenario you describe below?

I think so. We can add this later.

> > > + nft_active_genmask(table, genmask)) {
> > > + if (nlpid && table->nlpid && table->nlpid != nlpid)
> > > + return ERR_PTR(-EPERM);
> > > +
> >
> > i.e., (table->flags & OWNED) && table->nlpid != nlpid)?
> >
> > On netlink sk destruction the owner flag could be cleared or table
> > could be auto-zapped.
>
> Default behaviour right now is: table is released if owner is gone.

I think that's fine.
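Review bot: in the quoted hunk, the condition `if (nlpid && table->nlpid && table->nlpid != nlpid)` uses a non-zero table->nlpid as the only indication that the table is owned, and any caller that passes nlpid == 0 skips the check entirely, so ownership is enforced only on paths that supply a portid. An explicit owner flag, as the reply proposes with `(table->flags & OWNED) && table->nlpid != nlpid`, decouples the owned state from the portid value and turns the nlpid == 0 bypass into a deliberate, documented choice rather than a side effect; in either form, a comment above the check should say which callers are expected to pass 0. Since the fragment sits in a lookup that returns ERR_PTR(-EPERM), every caller of that lookup inherits the refusal, so it is worth confirming that each of them, including any that only read the table, is meant to fail with EPERM.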
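To make the difference between the two checks discussed above concrete, here is a small userspace model of the table-ownership test; it is an added example, not code from this thread or from the nftables kernel sources. The names `struct table`, `NFT_TABLE_F_OWNED`, `lookup_as_posted()` and `lookup_with_flag()` are assumptions chosen for illustration, not the kernel's identifiers, and the sample table values are constructed.

```c
/* Added example, not from the thread or the nftables source: a userspace
 * model of the table-ownership check under discussion. struct table,
 * NFT_TABLE_F_OWNED and the two lookup functions are assumed names for
 * illustration only; they are not the kernel's identifiers. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NFT_TABLE_F_OWNED 0x1   /* assumed flag name: table has an owner */

struct table {
    const char *name;
    uint32_t flags;    /* ownership is recorded here in the flag variant */
    uint32_t nlpid;    /* netlink portid of the owner, 0 if none recorded */
};

/* Check as written in the quoted hunk: ownership is inferred from a
 * non-zero table->nlpid, and a caller passing nlpid == 0 skips the check.
 * Returns 0 on success, -EPERM when the caller is not the owner. */
static int lookup_as_posted(const struct table *t, uint32_t nlpid)
{
    if (nlpid && t->nlpid && t->nlpid != nlpid)
        return -EPERM;
    return 0;
}

/* Check with an explicit owner flag, as the reply suggests: once the table
 * is marked owned, every portid other than the owner's, including 0, is
 * refused. Returns 0 on success, -EPERM otherwise. */
static int lookup_with_flag(const struct table *t, uint32_t nlpid)
{
    if ((t->flags & NFT_TABLE_F_OWNED) && t->nlpid != nlpid)
        return -EPERM;
    return 0;
}

/* Constructed sample: a table owned by portid 1234. */
static struct table sample_table(void)
{
    struct table t = { "filter", NFT_TABLE_F_OWNED, 1234 };
    return t;
}

/* Runs the same three callers (owner, other process, caller with no portid)
 * through both checks and reports whether the no-portid caller got in.
 * Returns 1 if the as-posted check admits nlpid == 0 while the flag-based
 * check refuses it, 0 otherwise. */
static int nlpid_zero_bypasses_posted_check(void)
{
    struct table t = sample_table();
    return lookup_as_posted(&t, 0) == 0 && lookup_with_flag(&t, 0) == -EPERM;
}

int main(void)
{
    struct table t = sample_table();
    uint32_t callers[] = { 1234, 5678, 0 };

    for (size_t i = 0; i < sizeof(callers) / sizeof(callers[0]); i++) {
        printf("nlpid %u: as posted -> %d, with flag -> %d\n",
               callers[i],
               lookup_as_posted(&t, callers[i]),
               lookup_with_flag(&t, callers[i]));
    }
    return nlpid_zero_bypasses_posted_check() ? 0 : 1;
}
```

The owner (1234) passes both checks and a second process (5678) is refused by both; the only divergence is the caller with no portid, which the as-posted condition admits and the flag-based condition refuses, which is the case a reviewer has to decide on deliberately.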