Hi Jozsef,

On Tue, Jul 29, 2025 at 09:22:46AM +0200, Jozsef Kadlecsik wrote:
> Hi,
>
> On Mon, 28 Jul 2025, Florian Westphal wrote:
>
> > Another option might be to replace a flush with delset+newset
> > internally, but this will get tricky because the set/map is still being
> > referenced by other rules; we'd have to fix up the ruleset internally to
> > use the new/empty set while still being able to roll back.
>
> If "data" of struct nft_set were a pointer to an allocated memory area,
> then there'd be no need to fix up the references in the rules: it would be
> enough to create/delete the data part. (All non-static, set-data-related
> attributes could be moved to "data" as well, like nelems, ndeact.) But
> it'd mean a serious redesign.

Refcounting on objects is needed to detect deletion of chains that are still in use; rules refer to chains either via a direct jump/goto or via a verdict map. When handling the transaction batch, it is necessary to know what can be deleted and what cannot.