On Tue, Nov 12, 2024 at 09:44:36PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > nftables audit log format unfortunately leaks an implementation detail, the
> > > transaction log size, to userspace:
> > >
> > >   table=t1 family=2 entries=4 op=nft_register_set
> > >                     ~~~~~~~~~
> > >
> > > This 'entries' key is the number of transactions that will be applied.
> >
> > To my understanding, entries= is the number of entries that are either
> > added or updated in this transaction.
> >
> > Before this patch, there was a 1:1 mapping between transaction and
> > elements, now this is not the case anymore.
> >
> > If entries= exposes only the number of transactions, then this becomes
> > useless to userspace?
>
> Hmm, I would need to know what this is supposed to be.
> It's not going to be the same in either case,
> iptables-legacy -A ... vs iptables-nft -A won't result in same
> entries due to the whole-table-replace paradigm and introduction
> of "update" mechanism also changes entries count.

Right, there is a change between -legacy and -nft regarding audit.

> I think it's fine now, but please feel free to rewrite the commit
> message if you think it's needed.

Thanks, I will make an edit.