On Wed, Apr 03, 2013 at 02:38:38PM +0200, Arturo Borrero Gonzalez wrote:
> 2013/4/2 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> > On Tue, Apr 02, 2013 at 07:18:39PM +0200, Arturo Borrero Gonzalez wrote:
> >> If cmp and bitwise are going to always have DATA_VALUE, and imm
> >> depending on what was set, I think we could do:
> >>
> >> int nft_data_reg_snprintf(char *buf, union data_reg *data, int type, ...)
> >>     switch(type)
> >>         return nft_data_reg_snprintf_'type'(buf, data, ...)
> >
> > where 'type' can be: value, verdict or chain.
> >
> >> And the same applies when parsing XML.
> >
> > Exactly.
>
> I propose to use this format:
>
> for DATA_VALUE:
>
> <expr type=cmp>
>   [...]
>   <cmpdata>
>     <data_reg type=value>
>       <len>N</len>
>       <data0>reg->val[i]</data0>
>       [...]
>       <dataN>reg->val[n]</dataN>
>     </data_reg>
>   </cmpdata>
> </expr>
>
> This way we also export/import the len of reg->val (actually reg->len)
>
> For DATA_VERDICT or DATA_CHAIN:
> <data_reg type=verdict>
>   <verdict>int</verdict>
>   <chain>string</chain>
> </data_reg>
>
> assuming verdict and chain are always used together, despite of node
> '<verdict>' or '<chain>' being not set (but present with no value)
>
> For DATA_VERDICT or DATA_CHAIN:
> <data_reg type=verdict>
>   <verdict>int</verdict>
>   <chain>string</chain>
> </data_reg>

The verdict and the chain are mutually exclusive. So it has to be:

* For DATA_VERDICT:

<data_reg type=verdict>
  <verdict>string</verdict>
</data_reg>

where string can be accept, drop, return. Better use the string than
the value, it's human readable and people can edit it without knowing
the mapping between values and verdicts.

* For DATA_CHAIN:

<data_reg type=verdict>
  <chain>string</chain>
</data_reg>

where string is the chain name. This chain is the chain to jump in
case of matching (like in iptables: -j some_chain).

Regards.
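The per-type dispatch and the final format from the reply above (verdict as a string, chain on its own node, `<len>` ahead of the value words), as an added example that is not part of the thread and not the library's code. All `ex_` names, the enum values, the hex rendering of the value words and the rejection of markup characters in chain names are assumptions; the unquoted `type=` attribute follows the notation used in the messages.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and constructed enum values; not the library's definitions. */
enum ex_type { EX_DATA_VALUE, EX_DATA_VERDICT, EX_DATA_CHAIN };
enum ex_verdict { EX_DROP, EX_ACCEPT, EX_RETURN };
struct ex_data_reg { unsigned int val[4]; size_t len; enum ex_verdict verdict; const char *chain; };
/* Append at *off; once the buffer is full nothing is written but *off keeps growing. */
static int ex_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    size_t room = *off < size ? size - *off : 0;
    va_start(ap, fmt);
    int n = vsnprintf(room ? buf + *off : NULL, room, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    *off += (size_t)n;
    return 0;
}
static const char *ex_verdict_str(enum ex_verdict v)
{
    static const char *const names[] = { [EX_DROP] = "drop", [EX_ACCEPT] = "accept", [EX_RETURN] = "return" };
    return (unsigned)v < sizeof(names) / sizeof(names[0]) ? names[v] : NULL;
}
/* snprintf-style: returns the length needed, or -1 on input that cannot be encoded. */
int ex_data_reg_snprintf(char *buf, size_t size, const struct ex_data_reg *r, enum ex_type type)
{
    size_t off = 0; int rc = 0;
    switch (type) {
    case EX_DATA_VALUE:   /* <len> first, then one <dataN> node per word */
        if (r->len > 4) return -1;
        rc |= ex_append(buf, size, &off, "<data_reg type=value><len>%zu</len>", r->len);
        for (size_t i = 0; i < r->len; i++)
            rc |= ex_append(buf, size, &off, "<data%zu>0x%08x</data%zu>", i, r->val[i], i);
        break;
    case EX_DATA_VERDICT: /* readable verdict string, no <chain> node */
        if (!ex_verdict_str(r->verdict)) return -1;
        rc |= ex_append(buf, size, &off, "<data_reg type=verdict><verdict>%s</verdict>", ex_verdict_str(r->verdict));
        break;
    case EX_DATA_CHAIN:   /* chain only; names containing markup characters are rejected */
        if (!r->chain || strpbrk(r->chain, "<>&\"'")) return -1;
        rc |= ex_append(buf, size, &off, "<data_reg type=verdict><chain>%s</chain>", r->chain);
        break;
    default: return -1;
    }
    rc |= ex_append(buf, size, &off, "</data_reg>");
    return rc ? -1 : (int)off;
}
```

A return value greater than or equal to the buffer size means the output was truncated, as with snprintf.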