On Tue, Jan 21, 2014 at 02:12:23PM +0100, Jozsef Kadlecsik wrote:
> On Tue, 21 Jan 2014, Patrick McHardy wrote:
>
> > > > - use dynamic sized structures and add the timer at the end. Problem is that
> > > > we're in some cases already using optional members at the end, so it would
> > > > complicate the code a bit.
> > >
> > > I see that all three possibilities are far from perfect :/
> >
> > Well, all have some downsides, but I guess it's something people will want
> > to have, otherwise Jozsef wouldn't have added it, so we'll find a way.
>
> Sets with timeout give an easy way to stop/slow down scanners/attackers
> without the need (usually) of any maintenance when honeypots, detectors
> add the entries.
>
> ipset doesn't use struct timer_lists either, but implements
> timeout as a data extension (similar to conntrack). The elements are fixed
> sized, so it's simpler than the third case above for nftables.

Thanks, I'll have a closer look at this once I get to this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
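For readers who want to see the use case Jozsef describes (a detector adding entries that expire on their own), here is an added example of a timeout set in present-day nft syntax. It is not from the thread, the patch series under discussion, or the netfilter project; the table, set and chain names and the honeypot port 2222 are assumptions for illustration.

```nft
table inet filter {
    # Dynamic set: elements can be added from the packet path and each element
    # carries its own timeout, so expired entries disappear without any
    # userspace maintenance job.
    set scanners {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Drop traffic from sources currently in the set; the drop stops
        # automatically once the element's timeout expires.
        ip saddr @scanners drop

        # Assumed honeypot port: a connection attempt to it inserts the source
        # address with a 1h timeout (refreshed on each hit) and drops the packet.
        tcp dport 2222 add @scanners { ip saddr timeout 1h } drop
    }
}
```

Load it with `nft -f <file>` and inspect the remaining lifetime of each element with `nft list set inet filter scanners`, which prints the `expires` value per element; the kernel-side representation of that per-element timeout is what the thread above is deciding how to store.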