Hi Pablo,
On Tue, 29 Jul 2025, Pablo Neira Ayuso wrote:
> On Tue, Jul 29, 2025 at 09:22:46AM +0200, Jozsef Kadlecsik wrote:
> > Hi,
> > On Mon, 28 Jul 2025, Florian Westphal wrote:
> > > Another option might be to replace a flush with delset+newset
> > > internally, but this will get tricky because the set/map still being
> > > referenced by other rules, we'd have to fixup the ruleset internally to
> > > use the new/empty set while still being able to roll back.
> > If "data" of struct nft_set would be a pointer to an allocated memory area,
> > then there'd be no need to fixup the references in the rules: it would be
> > enough to create-delete the data part. (All non-static, set data related
> > attributes could be moved to the "data" as well, like nelems, ndeact.) But
> > it'd mean a serious redesign.
> refcounting on object is needed to detect deletion of chains that are
> still in use, rules refer to chains either via direct jump/goto or via
> verdict map. When handling the transaction batch it is needed to know what
> can be deleted or not.
The private set data part of struct nft_set contains anything which is
directly referenced from rules, maps? What I wanted to suggest is to keep
the set structure part which is referenced/pointed to from rules, etc.
intact but separate the private set data part so that it could be handled
independently.
[It seems I'm missing something.]
Best regards,
Jozsef
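As an added illustration of the split Jozsef sketches above (this is a toy model written for this thread, not nftables code; all names such as `struct set`, `set_data`, `set_flush`, `set_abort` are hypothetical): the part that rules point to stays in place, while the private element storage sits behind a pointer that a flush swaps out and a transaction abort swaps back, so no rule needs fixing up.

```c
/* Toy model of "struct nft_set with a detachable private data part".
 * Hypothetical names; not kernel code. Rules hold a pointer to struct set
 * (the stable identity), never to struct set_data (the swappable storage). */
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 64

struct set_data {            /* private, swappable part: elements + counters */
    unsigned int nelems;
    int elems[MAX_ELEMS];
};

struct set {                 /* stable part referenced from rules */
    unsigned int refcnt;     /* how many rules point at this set */
    struct set_data *data;   /* live storage */
    struct set_data *old;    /* previous storage, kept until commit/abort */
};

struct rule { struct set *set; };   /* a rule referencing the set */

int set_init(struct set *s)
{
    memset(s, 0, sizeof(*s));
    s->data = calloc(1, sizeof(*s->data));
    return s->data ? 0 : -1;
}
void rule_bind(struct rule *r, struct set *s) { r->set = s; s->refcnt++; }
int set_add(struct set *s, int v)
{
    if (s->data->nelems >= MAX_ELEMS) return -1;
    s->data->elems[s->data->nelems++] = v;
    return 0;
}
/* Flush = attach a fresh empty data part; park the old one for rollback.
 * struct set itself is untouched, so every rule pointer stays valid. */
int set_flush(struct set *s)
{
    struct set_data *fresh = calloc(1, sizeof(*fresh));
    if (!fresh) return -1;
    s->old = s->data;
    s->data = fresh;
    return 0;
}
/* Commit releases the parked storage; abort puts it back. */
void set_commit(struct set *s) { free(s->old); s->old = NULL; }
void set_abort(struct set *s)
{
    if (!s->old) return;
    free(s->data);
    s->data = s->old;
    s->old = NULL;
}
unsigned int rule_set_count(const struct rule *r) { return r->set->data->nelems; }
```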