On Fri, Jan 10, 2014 at 06:06:25PM +0000, Patrick McHardy wrote: > On Fri, Jan 10, 2014 at 03:32:52PM +0100, Pablo Neira Ayuso wrote: > > On Fri, Jan 10, 2014 at 01:58:01PM +0000, Patrick McHardy wrote: > > > On Fri, Jan 10, 2014 at 02:54:35PM +0100, Pablo Neira Ayuso wrote: > > > > On Fri, Jan 10, 2014 at 01:43:43PM +0000, Patrick McHardy wrote: > > > > > On Fri, Jan 10, 2014 at 02:33:06PM +0100, Kristian Evensen wrote: > > > > > > Hi, > > > > > > > > > > > > On Fri, Jan 10, 2014 at 2:27 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote: > > > > > > > No, I'm refering to the (ab)use of the expression. Anything not returning > > > > > > > data is not an expression but a statement. > > > > > > > > > > > > Ok, then I follow :) I followed the naming in meta, but I agree. What > > > > > > would be a good naming convetion? I thought of something like > > > > > > nft_expr_stmt_*. It is a bit clumsy, but it is at least clear that the > > > > > > struct can be used to represent both an expression and a statement. > > > > > > > > > > nft_ct_stmt? This is what we use in nftables f.i. in case of meta. > > > > > > > > Perhaps nft_ct_instr? So we can identify this as the nftables > > > > instruction-set. > > > > > > Well, expressions also belong to the instruction set. A statement is > > > is one (more specific) case of an instruction, as are expressions. > > > Why introduce new terminology that isn't used anywhere else so far > > > if statement is the exact description of what this is and is already > > > used by nftables. > > > > So are you proposing to add a new object for statements in > > libnftables? That will require a new infrastructure which would be > > very similar to what we have in the current expressions. > > Well, the infrastructure should be pretty small. In fact you could > probably map everything to expressions internally (although I don't > think adding new infrastructure would be much effort), I would just > rather not create an API that confuses fundamental types. libnftables is the very low level library, as it is very close to the kernel details, I would stick to the expression simplification that we have in the kernel. > > To that extend, that would also require a new infrastructure in the > > kernel so we also have statements there. I think one of the good > > things of the nf_tables kernel side is that we didn't make any > > distinction between matches/targets (or call it > > expressions/statements). > > In the kernel that was deliberate and is only internal to the kernel > (well, and libraries and so on). I considered it, but I think in the > kernel its more important to keep the code base and APIs as small > as possible. Anyone working with libnftables should be familiar with the kernel code, the current approach maps 1 to 1 what we have in the kernel. I still think the statement/expression concept should remain in the scope of nft. We'll have a high level library at some point, I guess that will be based on the (generalized) nft code, so we can provide a nft_compile() function similar to what libpcap provides to translate nft syntax to rules. My proposal is to leave the expressions / statements concepts to the scope of nft and the upcoming high level library. As said, libnftables is low level stuff, it is just mirroring what we have in the kernel. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
