From: Pablo Neira Ayuso
To: Daniel Borkmann
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, lukas@wunner.de, kadlec@netfilter.org, fw@strlen.de, ast@kernel.org, edumazet@google.com, tgraf@suug.ch, nevola@gmail.com, john.fastabend@gmail.com, willemb@google.com
Subject: Re: [PATCH nf-next v5 0/6] Netfilter egress hook
Date: Thu, 30 Sep 2021 11:21:42 +0200
References: <20210928095538.114207-1-pablo@netfilter.org> <3973254b-9afb-72d5-7bf1-59edfcf39a58@iogearbox.net>
In-Reply-To: <3973254b-9afb-72d5-7bf1-59edfcf39a58@iogearbox.net>
List-ID: netdev@vger.kernel.org

On Thu, Sep 30, 2021 at 09:33:23AM +0200, Daniel Borkmann wrote:
> On 9/30/21 9:19 AM, Pablo Neira Ayuso wrote:
[...]
> > Why do you need a sysctl knob when my proposal is already
> > addressing your needs?
>
> Well, it's not addressing anything ... you even mention it yourself "arguably,
> distributors might decide to compile nf_tables_netdev built-in".

I said distributors traditionally select the option that we signal to them, which is to enable this as a module. We can document this in Kconfig. I think distributors should select whatever is better for their needs.

Anyway, I'll tell you why module blacklisting is bad: it is a hammer, it is a band-aid to a problem. Blacklisting is just making things worse because it makes some people believe that something is unfixable.

Yes, it took me a while to figure out. We already entered the "let's bloat the skbuff" era many years ago; this is stuffing one more bit into the skbuff just because users might break an existing setup when they load new rules into the new netfilter egress hook.

Probably the sysctl for this new egress hook is the way to go, as you suggest.

Thanks.