On Tue, 21 Jan 2014, Patrick McHardy wrote:
> On Tue, Jan 21, 2014 at 01:43:40PM +0100, Andreas Herz wrote:
> > On 21/01/14 at 12:32, Patrick McHardy wrote:
> > > >
> > > > > Timeouts shouldn't be that hard as well, but I would need to think about
> > > > > this some more, I'd prefer not to add struct timer_lists everywhere.
> > > >
> > > > That sounds like it rather won't come into nftables code. So what would
> > > > be the suggestion?
> > >
> > > I'm not saying this, I merely want to check how to do this with as little
> > > waste as possible. Some possibilities are:
> > So it's better to just wait some time to see how it will go on :) That's
> > fine, too.
>
> Yeah. At least the dynamic updates are quite likely to happen soon.
> > > - add a new set feature flag and only implement it for those types. Downside
> > > is code duplication.
> > >
> > > - somehow trigger removal from outside the set. Downside is memory waste
> > > since we'd need to store the elements twice.
> > >
> > > - use dynamic sized structures and add the timer at the end. Problem is that
> > > we're in some cases already using optional members at the end, so it would
> > > complicate the code a bit.
> >
> > I see that all three possibilities are far from perfect :/
>
> Well, all have some downsides, but I guess it's something people will want
> to have, otherwise Jozsef wouldn't have added it, so we'll find a way.

Sets with timeout give an easy way to stop/slow down scanners/attackers
without the need (usually) of any maintenance when honeypots or detectors add
the entries.

ipset doesn't use struct timer_lists either, but implements timeout as a data
extension (similar to conntrack). The elements are fixed sized, so it's simpler
than the third case above for nftables.
Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
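A toy userspace model of the ipset-style design described in the message above, added here as an example and not code from ipset, nftables or the thread's authors: each fixed-size element carries its timeout as a trailing expiry field instead of a per-element struct timer_list, lookups treat an expired entry as absent, and one sweep over the whole set does what a single periodic GC timer would do. The struct and function names, the array-backed set and the caller-supplied clock value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Fixed-size element; the timeout is a trailing expiry field, not a struct timer_list. */
struct elem {
    bool     in_use;
    uint32_t addr;      /* IPv4 address, host byte order (constructed sample key) */
    uint64_t expires;   /* absolute expiry in the caller's clock units; 0 = no timeout */
};

static bool expired(const struct elem *e, uint64_t now)
{
    return e->expires != 0 && now >= e->expires;
}

/* Add or refresh addr with ttl at time now; an expired slot counts as free. -1 = full. */
int tset_add(struct elem *set, size_t n, uint64_t now, uint32_t addr, uint64_t ttl)
{
    struct elem *slot = NULL;
    for (size_t i = 0; i < n; i++) {
        struct elem *e = &set[i];
        bool live = e->in_use && !expired(e, now);
        if (live && e->addr == addr) { slot = e; break; }   /* refresh live entry */
        if (!slot && !live) slot = e;                        /* first reusable slot */
    }
    if (!slot)
        return -1;
    *slot = (struct elem){ .in_use = true, .addr = addr, .expires = ttl ? now + ttl : 0 };
    return 0;
}

/* Match test: an expired entry is reported as absent (lazy expiry on lookup). */
bool tset_test(const struct elem *set, size_t n, uint64_t now, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (set[i].in_use && set[i].addr == addr)
            return !expired(&set[i], now);
    return false;
}

/* Sweep that a single periodic GC timer would run over the set: frees expired slots. */
size_t tset_gc(struct elem *set, size_t n, uint64_t now)
{
    size_t freed = 0;
    for (size_t i = 0; i < n; i++)
        if (set[i].in_use && expired(&set[i], now))
            set[i].in_use = false, freed++;
    return freed;
}
```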