On Sat, Mar 18, 2017 at 12:59:18AM +0000, Robert White wrote:
> So this doesn't rate a bug, but it did confuse me.
>
> Flow tables are always named, but they don't conform to the way sets, maps,
> and dictionaries work in terms of "add" and "delete" and all that.
>
> They are also "flow tables" instead of one word like "flows" or "throttle"
> or something.
>
> It seems weird to just have these break the syntactic expectations.
>
> I think, long-term, that picking a one word designator like "rate" or
> "gauge" and making them syntactically similar to sets with a type and flags
> at the table level, and using @name syntax or having them be unnamed in
> place, would make much more sense.
>
> It's especially confusing since "list map tablename mapname" and "list flow
> table tablename flowname" are so similar in function but have a different
> word count and are not orthogonal to add and delete and clear etc.
>
> So if they were just like sets this would be so much less confusing.
>
> table ip example {
> gauge dhcp_throttle {
> type ipv4_addr . inet_service
> flags whatever, whateverelse
> }
This would provide a way to restore flow table between reboots, so we
could even per populate them with elements.
> chain dhcp_traffic {
> gauge { ip saddr limit over 200/day } drop
> gauge @dhcp_throttle { ip saddr . udp dport limit 3/second } accept
This would resolve the inconsistency, yes.
I would still stick to 'flow table' instead of 'gauge'. I was never
comfortable with the fact that we overload 'table' with more semantics
(given we already have tables in nf_tables).
Let me think, it would be good to add an entry to netfilter's
bugzilla, so we don't lose track of this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
