Message ID | 20241107174415.4690-1-fw@strlen.de |
---|---|
Series | netfilter: nf_tables: reduce set element transaction size |
Hi Florian,

This series looks good to me.

Regarding 3/5, I don't see any fix or anything silly in this.

> nftables audit log format unfortunately leaks an implementation detail, the
> transaction log size, to userspace:
>
>   table=t1 family=2 entries=4 op=nft_register_set
>                     ~~~~~~~~~
>
> This 'entries' key is the number of transactions that will be applied.

To my understanding, entries= is the number of entries that are either
added or updated in this transaction.

Before this patch, there was a 1:1 mapping between transaction and
elements, now this is not the case anymore.

If entries= exposes only the number of transactions, then this becomes
useless to userspace?

In iptables, it shows the number of entries in the table after the update.
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > nftables audit log format unfortunately leaks an implementation detail, the
> > transaction log size, to userspace:
> >
> >   table=t1 family=2 entries=4 op=nft_register_set
> >                     ~~~~~~~~~
> >
> > This 'entries' key is the number of transactions that will be applied.
>
> To my understanding, entries= is the number of entries that are either
> added or updated in this transaction.
>
> Before this patch, there was a 1:1 mapping between transaction and
> elements, now this is not the case anymore.
>
> If entries= exposes only the number of transactions, then this becomes
> useless to userspace?

Hmm, I would need to know what this is supposed to be.
It's not going to be the same in either case,
iptables-legacy -A ... vs iptables-nft -A won't result in same
entries due to the whole-table-replace paradigm and introduction
of "update" mechanism also changes entries count.

I think it's fine now, but please feel free to rewrite the commit
message if you think it's needed.
On Tue, Nov 12, 2024 at 09:44:36PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > nftables audit log format unfortunately leaks an implementation detail, the
> > > transaction log size, to userspace:
> > >
> > >   table=t1 family=2 entries=4 op=nft_register_set
> > >                     ~~~~~~~~~
> > >
> > > This 'entries' key is the number of transactions that will be applied.
> >
> > To my understanding, entries= is the number of entries that are either
> > added or updated in this transaction.
> >
> > Before this patch, there was a 1:1 mapping between transaction and
> > elements, now this is not the case anymore.
> >
> > If entries= exposes only the number of transactions, then this becomes
> > useless to userspace?
>
> Hmm, I would need to know what this is supposed to be.
> It's not going to be the same in either case,
> iptables-legacy -A ... vs iptables-nft -A won't result in same
> entries due to the whole-table-replace paradigm and introduction
> of "update" mechanism also changes entries count.

Right, there is a change between -legacy and -nft regarding audit.

> I think it's fine now, but please feel free to rewrite the commit
> message if you think it's needed.

Thanks, I will make an edit.