Hi Tomasz,
Thanks for looking into this, comments below.
On Tue, Mar 25, 2014 at 06:39:47PM +0200, Tomasz Bursztyka wrote:
> NFT_META_IBRIFNAME to get packet input bridge interface name
> NFT_META_OBRIFNAME to get packet output bridge interface name
>
> Suggested-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@xxxxxxxxxxxxxxx>
> ---
>
> Hi Pablo,
>
> Does that design sounds proper?
> I added the nft type right away in nft_meta.c
> to reuse as much as possible, only the evaluation is a bit specific.
>
> I haven't tested yet, I will do the support of this meta key for nft tool
> accordingly.
>
> Tomasz
>
> include/uapi/linux/netfilter/nf_tables.h | 4 ++
> net/netfilter/nft_meta.c | 79 +++++++++++++++++++++++++++++++-
> 2 files changed, 81 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 83c985a..e3c98f9 100644
[...]
> @@ -304,8 +356,13 @@ nft_meta_select_ops(const struct nft_ctx *ctx,
> if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
> return ERR_PTR(-EINVAL);
>
> - if (tb[NFTA_META_DREG])
> + if (tb[NFTA_META_DREG]) {
> +#ifdef CONFIG_NF_TABLES_BRIDGE
> + if (ctx->aif->family == NFPROTO_BRIDGE)
> + return &nft_meta_bridge_get_ops;
> +#endif
I really think we have to use Patrick's new infrastructure that allows
us to add new expression flavours per family. It should just need a
couple of exported symbols in nft_meta.c that you can use from the new
net/bridge/netfilter/nft_meta.c file. We should avoid these ifdef
games.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
