NFNL_NFA_NEST
Patrick McHardy
kaber at trash.net
Wed Mar 21 11:13:41 CET 2007
Jozsef Kadlecsik wrote:
> On Wed, 21 Mar 2007, Patrick McHardy wrote:
>
>> One of the worst mistakes in nfnetlink in my opinion was the
>> introduction of the NFNL_NFA_NEST bit. It prevents us from
>> using a large part of the generic netlink stuff, since that
>> just interprets it as a really huge attribute type. Since
>> it's not used even for anything, this is really annoying.
>
>
> Pablo helped me to work on porting ipset from sockopt to nfnetlink
> (which is still not finished yet :-() and I nagged Pablo a lot to use
> nesting, primarily to hide sub-module details at netlink message level
> from the ipset core. For example when adding/deleting/testing a set, the
> netlink message looks like this:
>
> <set name>
> <set type>
> <nested: set type specific data>
>
> so that the core is not burdened by module-dependent details.
>
> The other place where I wanted to use nesting is to send a bunch of the
> same type data in one netlink message instead of sending every one of
> them in separate messages: I shudder to send ~370 netlink messages
> instead of a single one in order to pass that number of IP addresses.

I don't want to remove the ability to nest attributes, just the
NFNL_NFA_NEST bit on nested attributes (ORed in nfa_type):

    #define NFA_NEST(skb, type) \
    ({  struct nfattr *__start = (struct nfattr *) (skb)->tail; \
        NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
        __start; })

Or did I misunderstand you and you actually use this for something?
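
The effect described above, as an added example that is not part of the original post and is not kernel code: a simplified user-space model of a table-driven attribute parser, run once without and once with the flag masked out of the type. The attribute numbers, the sample message and the helper names are hypothetical; 0x8000 is assumed as the value of NFNL_NFA_NEST.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFNL_NFA_NEST 0x8000              /* flag ORed into the 16-bit type */
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)  /* attributes are 4-byte aligned */
struct attr { uint16_t len, type; };      /* header layout shared by nfattr/nlattr */
/* Hypothetical attribute numbers for the ipset message sketched in the thread. */
enum { SET_NAME = 1, SET_TYPE, SET_DATA, SET_MAX = SET_DATA };

/* Append header + payload, return the offset of the next attribute. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct attr a = { (uint16_t)(sizeof(a) + dlen), type };
    memcpy(buf + off, &a, sizeof(a));
    memcpy(buf + off + sizeof(a), data, dlen);
    return off + ATTR_ALIGN(a.len);
}

/* Table-driven parse: index by type, skip types above the maximum. A mask of
 * 0xffff models a parser unaware of the flag, 0x7fff one that strips it.
 * Returns a bitmap of the attribute types it recognised. */
static unsigned parse_attrs(const uint8_t *buf, size_t len, uint16_t mask)
{
    unsigned seen = 0;
    size_t off = 0;
    while (off + sizeof(struct attr) <= len) {
        struct attr a;
        memcpy(&a, buf + off, sizeof(a));
        if (a.len < sizeof(a) || a.len > len - off)
            break;                        /* malformed or truncated attribute */
        if ((a.type & mask) >= 1 && (a.type & mask) <= SET_MAX)
            seen |= 1u << (a.type & mask);
        off += ATTR_ALIGN(a.len);
    }
    return seen;
}

int main(void)
{
    uint8_t buf[64];   /* constructed sample: set name, set type, flagged nest */
    size_t len = put_attr(buf, 0, SET_NAME, "test", 5);
    len = put_attr(buf, len, SET_TYPE, "iphash", 7);
    len = put_attr(buf, len, NFNL_NFA_NEST | SET_DATA, "\xc0\x00\x02\x01", 4);
    printf("unmasked: 0x%x  masked: 0x%x\n",
           parse_attrs(buf, len, 0xffff), parse_attrs(buf, len, 0x7fff));
    return 0;
}
```

The unmasked pass reports only the name and type attributes: the nest arrives as type 0x8003, falls above the maximum and is skipped without an error, so the type-specific data never reaches the consumer.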