Construction of nl_msg message with multiple headers #313
Comments
Hm. I am not familiar with this topic. And from your question, I can tell that you already know more than me. A new API is certainly possible, if somebody provides a patch :) As for help with your question: maybe somebody else can answer on this issue. Or maybe you'd like to send an email to the mailing list? (Though, in both cases I cannot guarantee that somebody will chime in.) Good luck though!!
Thank you for the quick reply. I'm also new to this topic. To give a bit more insight, the usage pattern is to apply filtering changes by nfnetlink batching. I believe this mechanism is specific to the Netfilter subsystem only. Having an option to combine headers in general (i.e. not only for NF batching) may also be useful for non-functional, e.g. performance, reasons. This seems in line with a past mailing thread. The kernel likely limits the maximum frame size (didn't check it yet), although default allocation message size (i.e. IMHO, the cleanest solution may be to modify semantics of
Such a change would break backward compatibility, although it seems a bit awkward to rely on header overwrite (but I may be wrong here and someone else considers it a feature, not a bug). What do you think? In either case, I agree with you that any such enhancement deserves a wider audience for discussion.
In general, changing behavior (and more importantly: breaking users) would be a problem. I do think that it's unlikely that there are users who depend on this behavior, so we could change behavior. On the other hand, maybe we should just add another variant of the function, with the desired behavior. While that adds new API (and increases the complexity for the user to understand what to do), it seems the safe thing.
Hi @thom311,

I'm looking for the ability to send a single message consisting of many NL headers in order to be able to configure kernel filtering changes in one transaction (to not disrupt the traffic). After checking the libnl documentation and sources, it seems like APIs such as `nfnlmsg_put()` are suited for the scenario of a single header within a message, i.e. succeeding calls to put overwrite the existing header rather than adding after the tail.

Can you recommend what would be the solution here? The closest W/A I found is to limit the allocation size (i.e. via `nlmsg_alloc_size`) of a single message and encapsulate each header within a message, then collect all of the segments in a struct `iovec`, and execute the send by `nl_send_iovec`.

For example, to construct a message with two NL headers:

It seems to work, but the main drawback is that it involves multiple allocations.

Another W/A could be to have a single instance of `nl_msg` and manipulate `nm_nlh` (along with size) to "fool" succeeding calls to `nfnlmsg_put()`, so it creates a header after the previous segment (including padding). But this is risky (the original pointer would have to be restored for deallocation) and is not possible with the current API due to struct hiding.

Nevertheless, the cleanest solution might be for the API to append a segment. Do you consider it's something that could be added?
Thanks,
Grzegorz
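
The "append after the tail" layout discussed in this issue, as an added sketch that is not libnl code and was not posted by either participant. `struct hdr`, `struct batch`, `batch_put()` and `batch_count()` are hypothetical names; the header layout and 4-byte alignment mirror `struct nlmsghdr` and `NLMSG_ALIGN` from `<linux/netlink.h>`, and no nfnetlink-specific fields are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as struct nlmsghdr in <linux/netlink.h>; redefined (assumption)
 * so the example builds without kernel or libnl headers. */
struct hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
#define ALIGN4(n) (((size_t)(n) + 3) & ~(size_t)3)  /* like NLMSG_ALIGN */

/* Hypothetical batch: one allocation holding several messages back to back. */
struct batch { unsigned char buf[256]; size_t used; /* multiple of 4 */ };

/* Append header + payload after the current tail rather than overwriting the
 * first header. Returns 0, or -1 if the padded message would not fit. */
int batch_put(struct batch *b, uint16_t type, uint16_t flags, uint32_t seq,
              const void *payload, size_t plen)
{
    if (plen > sizeof(b->buf) - sizeof(struct hdr))
        return -1;                      /* reject before any size arithmetic */
    size_t len = sizeof(struct hdr) + plen, padded = ALIGN4(len);
    if (padded > sizeof(b->buf) - b->used)
        return -1;
    struct hdr h = { (uint32_t)len, type, flags, seq, 0 };
    unsigned char *p = b->buf + b->used;
    memset(p, 0, padded);               /* padding bytes must not carry stale data */
    memcpy(p, &h, sizeof(h));
    if (plen)
        memcpy(p + sizeof(h), payload, plen);
    b->used += padded;
    return 0;
}

/* Walk the buffer as a receiver would (NLMSG_OK / NLMSG_NEXT logic).
 * Returns the number of messages, or -1 on a length that does not fit. */
int batch_count(const struct batch *b)
{
    size_t off = 0;
    int n = 0;
    while (off < b->used) {
        struct hdr h;
        if (b->used - off < sizeof(h))
            return -1;
        memcpy(&h, b->buf + off, sizeof(h));
        if (h.len < sizeof(h) || h.len > b->used - off)
            return -1;
        off += ALIGN4(h.len);
        n++;
    }
    return n;
}
```

The whole batch then goes out as one contiguous region of `used` bytes, so a single allocation replaces the per-header messages of the iovec workaround.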