Re: [PATCH libnftables] Add support for ct set

Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> · Tue, 7 Jan 2014 18:13:16 +0100

On 7 January 2014 16:15, Kristian Evensen <kristian.evensen@xxxxxxxxx> wrote:
> From: Kristian Evensen <kristian.evensen@xxxxxxxxx>
>

Hi Kristian,

some minor comments below.

> This patch adds userspace support for setting properties of tracked connections.
> Currently, the connection mark is supported. This can be used to implemented the
> same functionality as iptables -j CONNMARK --save-mark.
>
> Signed-off-by: Kristian Evensen <kristian.evensen@xxxxxxxxx>
> diff --git a/src/expr/ct.c b/src/expr/ct.c
> index 46e3cef..a509216 100644
> --- a/src/expr/ct.c
> +++ b/src/expr/ct.c
> @@ -24,7 +24,10 @@
>
>  struct nft_expr_ct {
>         enum nft_ct_keys        key;
> -       uint32_t                dreg;   /* enum nft_registers */
> +       union{

note the missing space after union definition.

> @@ -235,11 +257,17 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree
>         uint8_t dir;
>
>         reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST);
> -       if (reg < 0)
> -               return -1;
> +       if (reg >= 0) {
> +               ct->dreg = reg;
> +               e->flags |= (1 << NFT_EXPR_CT_DREG);
> +       } else {
> +               reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST);
> +               if (reg < 0)
> +                       return -1;
>
> -       ct->dreg = reg;
> -       e->flags |= (1 << NFT_EXPR_CT_DREG);
> +               ct->sreg = reg;
> +               e->flags |= (1 << NFT_EXPR_CT_SREG);
> +       }

Looking at this, I think we should fail if neither dreg nor sreg are
present. I guess we need at least one of two and if not, the
expression is invalid. Also in JSON parsing.

A similar improvement is required in src/expr/meta.c

regards

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html