Hello,

On Friday, 19 July 2013 at 14:28 +0200, Pablo Neira Ayuso wrote:
> Hi Eric,
>
> On Sat, Jul 06, 2013 at 05:33:57PM +0200, Eric Leblond wrote:
> > This patch adds support for "insert before" and "add after"
> > rule operation.
> > The rule handle syntax has a new optional after/before field
> > which takes a handle as argument.
> > Here are two examples:
> > nft add rule filter output after 5 ip daddr 1.2.3.1 drop
> > nft insert rule filter output before 5 ip daddr 1.2.3.1 drop
>
> While testing this new feature, I noticed that the parser was
> accepting this:
>
> nft add rule filter output after 5 ip daddr 1.2.3.1 drop
> nft insert rule filter output after 5 ip daddr 1.2.3.1 drop
>
> Note that 'add' and 'insert' become semantically equivalent, which
> seems inconsistent to me.

Yes, forgot to mention that.

> While fixing it using the 'before' and 'after', I noticed that 'add'
> and 'insert' already tell us where to put the new rule, so 'after' and
> 'before' were repeating again what we want to do. I have reworked this
> patch to change this initial syntax:
>
> nft add rule filter output position 5 ip daddr 1.2.3.1 drop
> nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
>
> We can support the after and before, but that would imply some extra
> evaluation after the parsing that would make the patch bigger. So I
> preferred to go for the simpler solution.

I agree with the following modification. I did not find better than this
so, it is ok for me :)

Patch tested. It works well.

BR,
--
Eric