LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

Re: [PATCH 00/26] IPVS: Add first IPv6 support to IPVS.

To: "Patrick McHardy" <kaber@xxxxxxxxx>
Subject: Re: [PATCH 00/26] IPVS: Add first IPv6 support to IPVS.
Cc: "Simon Horman" <horms@xxxxxxxxxxxx>, "Vince Busam" <vbusam@xxxxxxxxxx>, "Ben Greear" <greearb@xxxxxxxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx
From: "Julius Volz" <juliusv@xxxxxxxxxx>
Date: Mon, 16 Jun 2008 02:14:00 +0200
On Fri, Jun 13, 2008 at 5:14 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> Julius Volz wrote:
>> As for compatibility and extensibility, how is that best achieved with
>> netlink? I've seen some examples copy whole C structs into netlink
>> datagrams, but that is obviously what we don't want anymore. So the
>> way to go seems to be to transfer each struct field as a separate
>> netlink attribute, right?
>
> Yes. You can also group those which belong together logically
> in nested attributes.

Thanks. I've now looked closer at Netlink and read the Genetlink implementation.

For the new IPVS interface, is there a preference for the granularity
of the top-level Genetlink operations?

I see three naive possibilities (one Genetlink op per line), if we
start out with a straight mapping from the old API to the new one:

a)
SET - covers all of previous IP_VS_SO_SET_*
GET - covers all of previous IP_VS_SO_GET_*

b) more split up
ADD - services and destinations
EDIT - services and destinations
DEL - services and destinations
SETTIMEOUT
STARTDAEMON
STOPDAEMON
ZERO
(+ granular GET commands...)

c) totally split up
ADD_SVC
ADD_DEST
EDIT_SVC
EDIT_DEST
DEL_SVC
DEL_DEST
SETTIMEOUT
STARTDAEMON
STOPDAEMON
ZERO
(+ granular GET commands...)

I find http://www.linuxfoundation.org/en/Net:Generic_Netlink_HOWTO saying:
===========================
Operation Granularity

While it may be tempting to register a single operation for a Generic
Netlink family and multiplex multiple sub-commands on the single
operation, this is strongly discouraged for security reasons.
Combining multiple behaviors into one operation makes it difficult to
restrict the operations using the existing Linux kernel security
mechanisms.
===========================

Option c) looks reasonable to me and also seems easy to handle in
general. Is this the way to go? Or do we want the interface to look
completely different this time?

Julius

-- 
Google Switzerland GmbH
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread] Current Thread [Next in Thread>