On 16 January 2014 22:22, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Jan 16, 2014 at 09:46:17PM +0100, Arturo Borrero Gonzalez wrote:
>> On 16 January 2014 19:05, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> >
>> > The kernel will complain if we pass invalid combinations; I don't want
>> > to have this early validation code in the library.
>> >
>>
>> The problem is that, as far as I've tested, the kernel unconditionally
>> returns 'dir' [0].
>
> Then I think we have to fix the kernel; it should not dump an
> attribute that we don't need. I can see that nft is currently not
> using the direction at all, so such a change should not break anything.
>
>> If we print in XML/JSON the data obtained from the kernel, <dir> is
>> also printed, while it may be totally undesirable (for example, for a
>> later parsing of that XML/JSON meant to be resent to the kernel).
>> I think we need this check, in libnftables or nft.
>>
>> I don't see the point of allowing such a disruptive combination of attributes.
>
> I agree those combinations don't make sense, but let's just let the kernel
> bail out when we pass invalid combinations. Otherwise, the library
> makes internal decisions that we simply cannot change, as we'll have
> 3rd party userspace applications relying on it. And we may want to
> extend the kernel behaviour in some way that may clash with old
> libraries. Really, we have to avoid this; it's just trouble in the
> long run.

OK, good to know. I'll delete this patch from my local repo.

I'm working on a kernel patch on top of your nftables kernel [0].

regards.

[0] http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/

--
Arturo Borrero González