From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Florian Westphal <fw@strlen.de>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Network Development <netdev@vger.kernel.org>
Cc: "Toke Høiland-Jørgensen" <toke@kernel.org>,
netfilter-devel <netfilter-devel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>
Subject: Re: [PATCH nf-next] netfilter: nf_tables: add ebpf expression
Date: Wed, 31 Aug 2022 08:39:33 -0700
Message-ID: <CAADnVQJp5RJ0kZundd5ag-b3SDYir8cF4R_nVbN8Zj9Rcn0rww@mail.gmail.com>
In-Reply-To: <20220831152624.GA15107@breakpoint.cc>

On Wed, Aug 31, 2022 at 8:31 AM Florian Westphal <fw@strlen.de> wrote:
>
> Toke Høiland-Jørgensen <toke@kernel.org> wrote:
> > > Same with a 'nft list ruleset > /etc/nft.txt', reboot,
> > > 'nft -f /etc/nft.txt' fails because user forgot to load/pin the program
> > > first.
> >
> > Right, so under what conditions is the identifier expected to survive,
> > exactly? It's okay if it fails after a reboot, but it should keep
> > working while the system is up?
>
> Right, that's the question. I think it boils down to 'least surprise',
> which to me would mean useable labels are:
>
> 1. pinned name
> 2. elf filename
> 3. filter name
>
> 3) has the advantage that afaiu I can extend nft to use the dumped
> id + program tag to query the name from the kernel, whereas 1+2 would
> need to store the label.
>
> 1 and 2 have the upside that it's easy to handle a 'file not found'
> error.

I'm strongly against calling into bpf from the inner guts of nft.
Nack to all options discussed in this thread.
None of them make any sense.