Re: [PATCH nf-next v4 0/5] netfilter: nf_tables: reduce set element transaction size

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >nftables audit log format unfortunately leaks an implementation detail, the
> >transaction log size, to userspace:
> >
> >    table=t1 family=2 entries=4 op=nft_register_set
> >                      ~~~~~~~~~
> >
> >This 'entries' key is the number of transactions that will be applied.
> 
> To my understanding, entries= is the number of entries that are either
> added or updated in this transaction.
> 
> Before this patch, there was a 1:1 mapping between transaction and
> elements, now this is not the case anymore.
> 
> If entries= exposes only the number of transactions, then this becomes
> useless to userspace?

Hmm, I would need to know what this is supposed to be.
It's not going to be the same in either case:
iptables-legacy -A ... vs iptables-nft -A won't result in the same
entries due to the whole-table-replace paradigm, and the introduction
of the "update" mechanism also changes the entries count.

I think it's fine now, but please feel free to rewrite the commit
message if you think it's needed.
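Added example, not part of the thread or of the nf_tables code: a small parser for NETFILTER_CFG audit records in the shape quoted above, which groups the `entries=` values per audit serial and operation. The sample lines are constructed for illustration, including the pid/comm fields; the family numbers map to the NFPROTO_* constants. It is meant to show what userspace actually gets from `entries=`, which, as the discussion above points out, counts transaction log entries rather than set elements.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from a real system). The first two
# share serial 101, i.e. they belong to the same netlink batch.
SAMPLE_AUDIT_LINES = [
    'type=NETFILTER_CFG msg=audit(1700000000.100:101): table=t1 family=2 '
    'entries=4 op=nft_register_set pid=1234 comm="nft"',
    'type=NETFILTER_CFG msg=audit(1700000000.100:101): table=t1 family=2 '
    'entries=1 op=nft_register_setelem pid=1234 comm="nft"',
    'type=NETFILTER_CFG msg=audit(1700000000.200:102): table=filter family=10 '
    'entries=2 op=nft_register_rule pid=1235 comm="nft"',
    # Unrelated record type, must be ignored by the parser.
    'type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=46 success=yes',
]

# NFPROTO_* values from the kernel's netfilter.h.
NFPROTO_NAMES = {0: "unspec", 1: "inet", 2: "ipv4", 3: "arp", 5: "netdev",
                 7: "bridge", 10: "ipv6"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')


def parse_nfcfg(line):
    """Return a dict for a NETFILTER_CFG record, or None for any other type."""
    if not line.startswith("type=NETFILTER_CFG "):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    serial = SERIAL_RE.search(line)
    family = int(fields["family"])
    return {
        "serial": int(serial.group(1)) if serial else None,
        "table": fields["table"],
        "family": family,
        "family_name": NFPROTO_NAMES.get(family, f"unknown({family})"),
        # 'entries' is the number of transaction log entries for this op in
        # the batch; per the thread above it is not a 1:1 element count.
        "entries": int(fields["entries"]),
        "op": fields["op"],
        "comm": fields.get("comm"),
    }


def summarize(lines):
    """Sum entries per (serial, table, family_name, op) across a log."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_nfcfg(line)
        if rec is None:
            continue
        key = (rec["serial"], rec["table"], rec["family_name"], rec["op"])
        totals[key] += rec["entries"]
    return dict(totals)


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_AUDIT_LINES).items()):
        serial, table, fam, op = key
        print(f"serial={serial} table={table} family={fam} op={op} entries={count}")
```

Run it as a script to see one line per (serial, table, family, op); the `entries` column is the figure the patch series changes the meaning of for set elements.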
