Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > I personally would notify once per transaction. This is easy and quick.
>
> This was the goal. iptables was atomic. nftables appears to no longer
> be so. If I have this wrong, please show how that works.
nftables transactions are atomic, either the entire batch takes effect or not
at all.
The audit_log_nfcfg() calls got added to the the nft monitor infra which
is designed to allow userspace to follow the entire content of the
transaction log.
So, if its just a 'something was changed' event that is needed all of
them can be removed. ATM the audit_log_nfcfg() looks like this:
/* step 3. Start new generation, rules_gen_X now in use. */
net->nft.gencursor = nft_gencursor_next(net);
list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
switch (trans->msg_type) {
case NFT_MSG_NEWTABLE:
audit_log_nfcfg();
...
case NFT_MSG_...
audit_log_nfcfg();
..
}
which gives an audit_log for every single change in the batch.
So, if just a summary is needed a single audit_log_nfcfg()
after 'step 3' and outside of the list_for_each_entry_safe() is all
that is needed.
If a summary is wanted as well one could fe. count the number of
transaction types in the batch, e.g. table adds, chain adds, rule
adds etc. and then log a summary count instead.
