On Fri, Jan 10, 2014 at 08:10:25PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 10, 2014 at 06:06:25PM +0000, Patrick McHardy wrote:
> > On Fri, Jan 10, 2014 at 03:32:52PM +0100, Pablo Neira Ayuso wrote:
> > >
> > > So are you proposing to add a new object for statements in
> > > libnftables? That will require a new infrastructure which would be
> > > very similar to what we have in the current expressions.
> >
> > Well, the infrastructure should be pretty small. In fact you could
> > probably map everything to expressions internally (although I don't
> > think adding new infrastructure would be much effort), I would just
> > rather not create an API that confuses fundamental types.
>
> libnftables is the very low level library, as it is very close to the
> kernel details, I would stick to the expression simplification that we
> have in the kernel.

Ok sure. Just wanted to bring it up.

> > > To that extent, that would also require a new infrastructure in the
> > > kernel so we also have statements there. I think one of the good
> > > things of the nf_tables kernel side is that we didn't make any
> > > distinction between matches/targets (or call it
> > > expressions/statements).
> >
> > In the kernel that was deliberate and is only internal to the kernel
> > (well, and libraries and so on). I considered it, but I think in the
> > kernel it's more important to keep the code base and APIs as small
> > as possible.
>
> Anyone working with libnftables should be familiar with the kernel
> code, the current approach maps 1 to 1 what we have in the kernel.
>
> I still think the statement/expression concept should remain in the
> scope of nft. We'll have a high level library at some point, I guess
> that will be based on the (generalized) nft code, so we can provide
> a nft_compile() function similar to what libpcap provides to translate
> nft syntax to rules.
>
> My proposal is to leave the expressions / statements concepts to the
> scope of nft and the upcoming high level library. As said, libnftables
> is low level stuff, it is just mirroring what we have in the kernel.

Ok that's fine with me for a low level library. Wondering whether the
high layer library should actually be called libnftables though.