Re: [ANNOUNCE]: Release of nftables 0.099

On Tue, 21 Jan 2014, Patrick McHardy wrote:

> On Tue, Jan 21, 2014 at 01:43:40PM +0100, Andreas Herz wrote:
> > On 21/01/14 at 12:32, Patrick McHardy wrote:
> > > > 
> > > > > Timeouts shouldn't be that hard as well, but I would need to think about
> > > > > this some more, I'd prefer not to add struct timer_lists everywhere.
> > > > 
> > > > That sounds like it rather won't come into nftables code. So what would
> > > > be the suggestion?
> > > 
> > > I'm not saying this, I merely want to check how to do this with as little
> > > waste as possible. Some possibilities are:
> > 
> > So it's better to just wait some time to see how it will go on :) That's
> > fine, too.
> 
> Yeah. At least the dynamic updates are quite likely to happen soon.
> 
> > > - add a new set feature flag and only implement it for those types. Downside
> > >   is code duplication.
> > > 
> > > - somehow trigger removal from outside the set. Downside is memory waste
> > >   since we'd need to store the elements twice.
> > > 
> > > - use dynamic sized structures and add the timer at the end. Problem is that
> > >   we're in some cases already using optional members at the end, so it would
> > >   complicate the code a bit.
> > 
> > I see that all three possibilities are far from perfect :/
> 
> Well, all have some downsides, but I guess it's something people will want
> to have, otherwise Jozsef wouldn't have added it, so we'll find a way.

Sets with timeout give an easy way to stop/slow down scanners/attackers
without the need (usually) of any maintenance when honeypots or detectors
add the entries.

ipset doesn't use struct timer_lists either, but implements
timeout as a data extension (similar to conntrack). The elements are fixed
sized, so it's simpler than the third case above for nftables.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary