Here are the patches for directional key support that I have.

They pass our regression test suite; another advantage is that nft will no longer parse 'ct saddr 1.2.3.4', it notices that a direction is missing.

The disadvantage is that we also have (not-yet added) keys 'packets' and 'bytes'. These are trivial to add, since they need a direction, just like ct (s|d)addr.

But in byte/packet case it would be good to also allow matching on total bytes combined (original+reply).

And that either needs 'ambiguous' keys, i.e. allow

    ct packets original > 42 (tells kernel: I want packet count in original direction)
    ct packets > 42 (tells kernel: I want original+reply direction).

or a '+' expression so that we can

    ct packets original + ct packets reply

and so sum via intermediate expression.

So don't apply this yet, I'll have another stab at attempting to not change the parser at all but instead attempt to resolve this during evaluation, as Pablo suggested, i.e.

    ct direction original -> ct direction = original

BUT

    ct direction = original ct saddr -> merge into a single ct expression, asking for saddr in original direction.

Patrick, if you have any advice wrt the nft grammar I'd be glad to hear it.