On 16 January 2014 19:05, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> The kernel will complain if we pass invalid combinations, I don't want
> to have this early validation code in the library.
>

The problem is that as far as I've tested, the kernel unconditionally
returns 'dir' [0].

If we print in XML/JSON the data obtained from the kernel, <dir> is
also printed, while it may be totally undesirable (for example, for a
later parsing of that XML/JSON meant to be resent to the kernel).

I think we need this check, in libnftables or nft. I don't see the
point of allowing such a disruptive combination of attributes.

We already have similar checks in other objects to disallow invalid
combinations, see [1] [2].

What do you think?

>
> Not related to this patch, but better I prefer if you use:
> nft_rule_expr_set_u8(...) instead of these two lines above.
>

I agree. But I think it would be better if all ops are of the same
kind. So I will patch all non-shortcuts ops like this all around
libnftables, unless you say otherwise, before this patch.

regards

[0] http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/tree/net/netfilter/nft_ct.c#n306
[1] http://git.netfilter.org/libnftables/tree/src/chain.c#n48
[2] http://git.netfilter.org/libnftables/tree/src/expr/bitwise.c#n269
--
Arturo Borrero González