From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nftables: secmark support
Date: Mon, 18 Nov 2019 19:30:13 +0100
Message-ID: <20191118183013.zaaupujid7pnmp33@salvia>
In-Reply-To: <20191118181849.k4tb5rnmcuzigbaw@salvia>

On Mon, Nov 18, 2019 at 07:18:49PM +0100, Pablo Neira Ayuso wrote:
> Hi Christian,
> 
> On Mon, Nov 18, 2019 at 05:44:07PM +0100, Christian Göttsche wrote:
> > On Mon, 28 Oct 2019 at 15:27, Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> > > > This is what your patch [6] does, right? If you don't mind rebasing
> > > > it, I can have a look at whether I can propose something other than this new
> > > > keyword.
> > >
> > > Attached at the end (based on 707ad229d48f2ba7920541527b755b155ddedcda)
> > 
> > friendly ping; any progress?
> > 
> > rebased against 4a382ec54a8c09df1a625ddc7d32fc06257c596d at
> > https://paste.debian.net/1116802/
> 
> Thanks for following up on this. A few comments on your patch:
> 
> 1) I would replace secmark_raw by secmark instead. I think we should
>    hide this asymmetry from the user. I would suggest you also extend
>    the evaluation phase, i.e. expr_evaluate_meta() and expr_evaluate_ct(),
>    to bail out in case the user tries to match on the raw packet / ct
>    secmark ID. IIRC, the only use case for this raw ID is to save and
>    to restore the secmark from/to the packet to/from the conntrack
>    object.
> 
> And a few minor issues:
> 
> 2) Please remove meta_key_unqualified chunk.
> 
>         meta_key_unqualified    SET stmt_expr

I mean, this update (moving the location of this rule) is not
necessary, right? Thanks.

> 3) Remove the reset command chunk too:
> 
> --- a/src/rule.c
> +++ b/src/rule.c
> @@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx
> *ctx, struct cmd *cmd)
>         case CMD_OBJ_QUOTA:
>                 type = NFT_OBJECT_QUOTA;
>                 break;
> +       case CMD_OBJ_SECMARKS:
> +               dump = true;
> +               /* fall through */
> +       case CMD_OBJ_SECMARK:
> +               type = NFT_OBJECT_SECMARK;
> +               break;
>         default:
>                 BUG("invalid command object type %u\n", cmd->obj);
>         }
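Review bot: these two new arms in do_command_reset() should be dropped entirely, as item 3 asks, rather than adjusted: `reset` is for objects that accumulate state between listings (the CMD_OBJ_QUOTA arm visible in the context), and a secmark object carries no such state, so `CMD_OBJ_SECMARKS` / `CMD_OBJ_SECMARK` mapping to NFT_OBJECT_SECMARK gives `nft reset` an object type with nothing to reset. Remove both `case` labels together with the `dump = true;` fall-through, and let the existing `default:` BUG() keep rejecting the object type.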
> 
> Thanks.

Thread overview: 8+ messages
2019-10-22 15:57 nftables: secmark support Christian Göttsche
2019-10-22 17:34 ` Pablo Neira Ayuso
2019-10-28 14:27   ` Christian Göttsche
2019-11-18 16:44     ` Christian Göttsche
2019-11-18 18:18       ` Pablo Neira Ayuso
2019-11-18 18:30         ` Pablo Neira Ayuso [this message]
2019-11-19 19:02           ` Christian Göttsche
2019-11-19 19:40             ` Pablo Neira Ayuso
