From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: netfilter-devel@vger.kernel.org,
"Florian Westphal" <fw@strlen.de>,
"Kadlecsik József" <kadlec@blackhole.kfki.hu>,
"Eric Garver" <eric@garver.life>, "Phil Sutter" <phil@nwl.cc>
Subject: Re: [PATCH nf-next v2 1/8] netfilter: nf_tables: Support for subkeys, set with multiple ranged fields
Date: Mon, 25 Nov 2019 15:30:58 +0100 [thread overview]
Message-ID: <20191125143058.zpbtm34cuhvl32rt@salvia> (raw)
In-Reply-To: <20191125142616.46951155@elisabeth>
On Mon, Nov 25, 2019 at 02:26:16PM +0100, Stefano Brivio wrote:
> On Mon, 25 Nov 2019 10:58:17 +0100
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> > On Mon, Nov 25, 2019 at 10:30:35AM +0100, Stefano Brivio wrote:
> > [...]
> > > Another idea could be that we get rid of this flag altogether: if we
> > > move "subkeys" to set->desc, the ->estimate() functions of rbtree and
> > > pipapo can check for those and refuse or allow set selection
> > > accordingly. I have no idea yet if this introduces further complexity
> > > for nft, because there we would need to decide how to create start/end
> > > elements depending on the existing set description instead of using a
> > > single flag. I can give it a try if it makes sense.
> >
> > nft_set_desc can probably store a boolean 'concat' that is set on if
> > the NFTA_SET_DESC_SUBKEY attribute is specified. Then, this flag is
> > not needed and you can just rely on ->estimate() as you describe.
>
> I could even just check desc->num_subkeys from your patch then, without
> adding another field to nft_set_desc. Too ugly?
OK.
> > The hashtable will just ignore this description, it does not need the
> > description even if userspace pass it on since the interval flag is
> > set on.
> >
> > You just have to update the rbtree to check for desc->concat, if this
> > is true, then rbtree->estimate() returns false.
>
> Yes, I think it all makes sense, thanks for detailing the idea. I'll get
> to this in a few hours.
>
> > BTW, then probably you can rename this attribute to
> > NFT_SET_DESC_CONCAT?
>
> It would include sizes, though. What about NFT_SET_DESC_SUBSIZE or
> NFT_SET_DESC_FIELD_SIZE?
You mean this:
NFT_SET_DESC_SUBSIZE
NFT_SET_DESC_FIELD_SIZE
NFT_SET_DESC_FIELD_SIZE
instead of this:
NFT_SET_DESC_CONCAT
NFT_LIST_ELEM
NFT_SET_DESC_SUBKEY_LEN
NFT_LIST_ELEM
NFT_SET_DESC_SUBKEY_LEN
If I described this correctly, your approach is more simple indeed.
However, I don't really have specific requirements for the future
right now. The one below is leaving room to add more subkey fields (to
describe each subkey if that is ever required). My experience is that
leaving room to extend netlink in the future is usually a good idea,
that's all.
Instead of NFT_LIST_ELEM, something like NFT_SET_DESC_SUBKEY should be
fine too, ie.
NFT_SET_DESC_CONCAT
NFT_SET_DESC_SUBKEY
NFT_SET_DESC_SUBKEY_LEN
NFT_SET_DESC_SUBKEY
NFT_SET_DESC_SUBKEY_LEN
This netlink stuff is tricky in that it's set on stone one exposed.
Thanks.
next prev parent reply other threads:[~2019-11-25 14:31 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-22 13:39 [PATCH nf-next v2 0/8] nftables: Set implementation for arbitrary concatenation of ranges Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 1/8] netfilter: nf_tables: Support for subkeys, set with multiple ranged fields Stefano Brivio
2019-11-23 20:01 ` Pablo Neira Ayuso
2019-11-25 9:30 ` Stefano Brivio
2019-11-25 9:58 ` Pablo Neira Ayuso
2019-11-25 13:26 ` Stefano Brivio
2019-11-25 14:30 ` Pablo Neira Ayuso [this message]
2019-11-25 14:54 ` Stefano Brivio
2019-11-25 20:38 ` Pablo Neira Ayuso
2019-11-22 13:40 ` [PATCH nf-next v2 2/8] bitmap: Introduce bitmap_cut(): cut bits and shift remaining Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 3/8] nf_tables: Add set type for arbitrary concatenation of ranges Stefano Brivio
2019-11-27 9:29 ` Pablo Neira Ayuso
2019-11-27 11:02 ` Stefano Brivio
2019-11-27 18:29 ` Pablo Neira Ayuso
2019-11-22 13:40 ` [PATCH nf-next v2 4/8] selftests: netfilter: Introduce tests for sets with range concatenation Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 5/8] nft_set_pipapo: Provide unrolled lookup loops for common field sizes Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 6/8] nft_set_pipapo: Prepare for vectorised implementation: alignment Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 7/8] nft_set_pipapo: Prepare for vectorised implementation: helpers Stefano Brivio
2019-11-22 13:40 ` [PATCH nf-next v2 8/8] nft_set_pipapo: Introduce AVX2-based lookup implementation Stefano Brivio
2019-11-26 6:36 ` kbuild test robot
2019-11-26 6:36 ` kbuild test robot
2019-11-23 20:05 ` [PATCH nf-next v2 0/8] nftables: Set implementation for arbitrary concatenation of ranges Pablo Neira Ayuso
2019-11-25 9:31 ` Stefano Brivio
2019-11-25 10:02 ` Pablo Neira Ayuso
2019-11-25 13:36 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191125143058.zpbtm34cuhvl32rt@salvia \
--to=pablo@netfilter.org \
--cc=eric@garver.life \
--cc=fw@strlen.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.