From owner-freebsd-pf@FreeBSD.ORG Mon Dec 2 17:24:51 2013
From: Kajetan Staszkiewicz
To: Gleb Smirnoff
Cc: "freebsd-pf@freebsd.org"
Subject: Re: [patch] Source entries removing is awfully slow.
Date: Mon, 2 Dec 2013 17:28:57 +0100
Message-Id: <201312021728.58010.vegeta@tuxpowered.net>
In-Reply-To: <20131202153638.GL48919@glebius.int.ru>
References: <201303081419.17743.vegeta@tuxpowered.net> <201312012005.54919.vegeta@tuxpowered.net> <20131202153638.GL48919@glebius.int.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Monday, 2 December 2013 at 16:36:38, Gleb Smirnoff wrote:
> Kajetan,
>
> On Sun, Dec 01, 2013 at 08:05:54PM +0100, Kajetan Staszkiewicz wrote:
> K> > Ok. Let's summarize what we need to:
> K> >
> K> > 1) Switch kill|reset, that affects both -K and -k.
> K> > 2) Add option to -K that would kill states.
> K> > 3) Add option to -K and -k to specify that argument is a table.
> K> > 4) Try not to add new global option keys.
> K> >
> K> > What we got:
> K> >
> K> > 1) -k supports specifying that argument is label or id. This is done via
> K> > multiple -k specifiers:
> K> >
> K> > pfctl -k id -k 4823e84500000003
> K> >
> K> > 2) -K and -k can be specified twice, meaning -k source -K destination.
> K> >
> K> > So, 1) and 2) make order of multiple arguments important.
> K> >
> K> > The main problem is that we need to keep working current syntax, which I
> K> > find ugly. The biggest problem is that order of arguments matters. This is
> K> > really a bad habit.
> K> >
> K> > What about if we come with something order-agnostic as alternative to
> K> > current syntax? And put all enhanced state/srcnode killing/resetting into
> K> > this new syntax, w/o touching current syntax. The current syntax will be
> K> > marked as obsoleted in manual page. We might even want to implement all
> K> > these new features in a new utility. Not sure there is a reason to do so,
> K> > but is possible.
> K>
> K> I believe it is possible to extend the current syntax without breaking
> K> compatibility. Have a look:
> K> - A list of -K string1 -K string2... is provided.
> K> - Magic keywords are: label, id, table, rdrhost, kill ("states",
> K> "rststates").
> K> - If there is a magic keyword at any position, the next position is a
> K> value for the keyword.
> K> - If there is a string, which is not a magic keyword, at any position,
> K> it is src host or dst host, depending on position (first is src, next
> K> is dst).
> K> - Of course not all keywords apply both to -K and -k (e.g. state's rdrhost
> K> is src_node's dst).
> K>
> K> This is:
> K> - Compatible with the current syntax.
> K> - Extends the syntax to my needs.
> K> - By coincidence extends the syntax for matching by multiple keywords +
> K> src/dst at once. Kernel should already handle that, pfctl.c needs to
> K> be changed.
> K>
> K> It can be extended with more magic keywords: srchost, dsthost. This
> K> would make order of tuples (-K keyword -K value) fully obsolete.
> K>
> K> How do you find the idea?
>
> Well, that would work. I just dislike the current syntax being order dependent:
>
> '-K foo -K bar' isn't equal to '-K bar -K foo'
>
> But compatibility issue can overweight saneness.

Do we have an agreement then? Shall I start developing this?

> Hmm, maybe it is worth making our discussion public? The freebsd-pf@
> or freebsd-net@ would be okay.

I think it's a bit late, but I somehow forgot about this in the first email.
Added pf@ now.

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
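The keyword-or-positional -K argument scheme Kajetan sketches in the quoted message, written out as an added illustration; this is not pfctl's code and not from the thread. It assumes the -K values have already been collected from the command line into an array in their original order, that a plain string fills src first and then dst (so "-K a -K b" keeps meaning source a, destination b), and that srchost/dsthost are the extra keywords he mentions; the duplicate-field and "kill" mode checks are assumptions of this example.

```c
#include <string.h>

/* Fields filled from the ordered list of -K (or -k) values. */
struct kill_spec {
	const char *src, *dst;                  /* positional: first src, then dst */
	const char *label, *id, *table, *rdrhost;
	const char *kill;                       /* "states" or "rststates" */
};

/* Magic keyword -> field it fills; NULL if arg is a plain host string. */
static const char **
keyword_slot(struct kill_spec *ks, const char *arg)
{
	if (strcmp(arg, "label") == 0)   return (&ks->label);
	if (strcmp(arg, "id") == 0)      return (&ks->id);
	if (strcmp(arg, "table") == 0)   return (&ks->table);
	if (strcmp(arg, "rdrhost") == 0) return (&ks->rdrhost);
	if (strcmp(arg, "kill") == 0)    return (&ks->kill);
	if (strcmp(arg, "srchost") == 0) return (&ks->src);   /* assumed extension */
	if (strcmp(arg, "dsthost") == 0) return (&ks->dst);   /* assumed extension */
	return (NULL);
}

/*
 * Parse argv[0..argc) as the successive -K values. Returns 0 on success,
 * -1 on a keyword without a value, a field set twice, a third plain host
 * string, or an unknown "kill" mode (error rules are this example's own).
 */
int
parse_kill_args(int argc, const char **argv, struct kill_spec *ks)
{
	memset(ks, 0, sizeof(*ks));
	for (int i = 0; i < argc; i++) {
		const char **slot = keyword_slot(ks, argv[i]);

		if (slot == NULL)	/* plain string: src if unset, else dst */
			slot = ks->src == NULL ? &ks->src :
			    ks->dst == NULL ? &ks->dst : NULL;
		else if (++i >= argc)	/* keyword must be followed by a value */
			return (-1);
		if (slot == NULL || *slot != NULL)
			return (-1);
		*slot = argv[i];
	}
	if (ks->kill != NULL && strcmp(ks->kill, "states") != 0 &&
	    strcmp(ks->kill, "rststates") != 0)
		return (-1);
	return (0);
}
```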