On Tue, Feb 18, 2014 at 10:58:29AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Feb 18, 2014 at 09:52:10AM +0000, Patrick McHardy wrote:
> >
> > Sure, just wanted to be clear about which types of errors may cause
> > a fatal error.
>
> Talking about errors when building the higher level expression tree
> from the netlink message, I think nft should output some low-level
> expression if it fails to interpret it in a human readable way / nft
> syntax way. Not sure how exactly to do that.

It will never really fail unless the rule has real errors like using data
that hasn't been loaded before. It will always result in *some* expression,
so how would we determine that?

> We already discussed that third party applications may decide to skip
> nft and use the netlink interface to build sophisticated filters, in
> that case, I think those tools should not break the output of nft if
> it fails to understand what it gets from the kernel.

I'm actually not sure nft really could fail if the expression returned
from the kernel makes any sense at all. Worst case should be that it
translates it to literate expressions used by the kernel (IOW,
payload @raw-expression & val ^ val2 >= ... instead of some simplified form).