Date:      Mon, 2 Dec 2013 17:28:57 +0100
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: [patch] Source entries removing is awfully slow.
Message-ID:  <201312021728.58010.vegeta@tuxpowered.net>
In-Reply-To: <20131202153638.GL48919@glebius.int.ru>
References:  <201303081419.17743.vegeta@tuxpowered.net> <201312012005.54919.vegeta@tuxpowered.net> <20131202153638.GL48919@glebius.int.ru>

On Monday, 2 December 2013 at 16:36:38, Gleb Smirnoff wrote:
>   Kajetan,
>
> On Sun, Dec 01, 2013 at 08:05:54PM +0100, Kajetan Staszkiewicz wrote:
> K> > Ok. Let's summarize what we need to:
> K> >
> K> > 1) Switch kill|reset, that affects both -K and -k.
> K> > 2) Add option to -K that would kill states.
> K> > 3) Add option to -K and -k to specify that argument is a table.
> K> > 4) Try not to add new global option keys.
> K> >
> K> > What we got:
> K> >
> K> > 1) -k supports specifying that argument is label or id. This is done via
> K> > multiple -k specifiers:
> K> >
> K> >    pfctl -k id -k 4823e84500000003
> K> >
> K> > 2) -K and -k can be specified twice, meaning -k source -K destination.
> K> >
> K> > So, 1) and 2) make order of multiple arguments important.
> K> >
> K> > The main problem is that we need to keep working current syntax, which I
> K> > find ugly. The biggest problem is that order of arguments matters. This is
> K> > really a bad habit.
> K> >
> K> > What about if we come with something order-agnostic as alternative to
> K> > current syntax? And put all enhanced state/srcnode killing/resetting into
> K> > this new syntax, w/o touching current syntax. The current syntax will be
> K> > marked as obsoleted in manual page. We might even want to implement all
> K> > these new features in a new utility. Not sure there is a reason to do so,
> K> > but it is possible.
> K>
> K> I believe it is possible to extend the current syntax without breaking
> K> compatibility. Have a look:
> K> - A list of -K string1 -K string2... is provided.
> K> - Magic keywords are: label, id, table, rdrhost, kill ("states",
> K>   "rststates").
> K> - If there is a magic keyword at any position, the next position is a value for
> K>   the keyword.
> K> - If there is a string, which is not a magic keyword, at any position, it is
> K>   src host or dst host, depending on position (first is src, next is dst).
> K> - Of course not all keywords apply both to -K and -k (e.g. state's rdrhost is
> K>   src_node's dst).
> K>
> K> This is:
> K> - Compatible with the current syntax.
> K> - Extends the syntax to my needs.
> K> - By coincidence extends the syntax for matching by multiple keywords + src/dst
> K>   at once. Kernel should already handle that, pfctl.c needs to be changed.
> K>
> K> It can be extended with more magic keywords: srchost, dsthost. This would make
> K> order of tuples (-K keyword -K value) fully obsolete.
> K>
> K> How do you find the idea?
>
> Well, that would work. I just dislike the current syntax order dependent:
>
> '-K foo -K bar' isn't equal to '-K bar -K foo'
>
> But compatibility issue can overweight saneness.

Do we have an agreement then? Shall I start developing this?

> Hmm, maybe it is worth making our discussion public? The freebsd-pf@
> or freebsd-net@ would be okay.

I think it's a bit late, but I somehow forgot about this in the first email.
Added pf@ now.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
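
The tuple rule proposed in the quoted text above (a magic keyword consumes the next -K value, any other string is the source host and then the destination host), sketched as an added example that is not part of the original message and is not pfctl code. The struct, function names and sample arguments are hypothetical; only the keyword names come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result of parsing repeated -K values under the proposal. */
struct kill_spec {
    const char *src, *dst;                            /* positional hosts */
    const char *label, *id, *table, *rdrhost, *kill;  /* keyword values */
};

/* Return the field a magic keyword fills, or NULL for a plain string. */
static const char **slot_for(struct kill_spec *s, const char *kw)
{
    static const char *const names[] = { "label", "id", "table", "rdrhost", "kill" };
    const char **slots[] = { &s->label, &s->id, &s->table, &s->rdrhost, &s->kill };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (strcmp(kw, names[i]) == 0)
            return slots[i];
    return NULL;
}

/* vals[] holds the argument of each -K in command-line order. Returns -1 on a
 * keyword without a value, a repeated keyword, or a third positional host. */
int parse_kill_args(const char **vals, int n, struct kill_spec *out)
{
    *out = (struct kill_spec){0};
    for (int i = 0; i < n; i++) {
        const char **slot = slot_for(out, vals[i]);
        if (slot != NULL) {
            if (i + 1 >= n || *slot != NULL)
                return -1;
            *slot = vals[++i];          /* next position is the value */
        } else if (out->src == NULL) {
            out->src = vals[i];         /* first plain string: source */
        } else if (out->dst == NULL) {
            out->dst = vals[i];         /* second plain string: destination */
        } else {
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed input: -K 192.0.2.1 -K table -K badhosts -K kill -K states */
    const char *k[] = { "192.0.2.1", "table", "badhosts", "kill", "states" };
    struct kill_spec s;
    if (parse_kill_args(k, 5, &s) == 0)
        printf("src=%s table=%s kill=%s\n", s.src, s.table, s.kill);
    return 0;
}
```

Under this rule a host literally named like a keyword cannot be given positionally, and plain strings stay order dependent, which is the '-K foo -K bar' concern raised in the reply.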


