Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
> Hi Florian,
>
> thanks for working on this, here my comments.
>
> On 14 September 2016 at 19:45, Florian Westphal <fw@xxxxxxxxx> wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> On Mon, Sep 12, 2016 at 09:00:25PM +0200, Florian Westphal wrote:
> >> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> > > fib lookup ip daddr . oif
> >> > >
> >> > > As you are basically looking for the route based on IPv4 address and
> >> > > the output interface, so this boils down to:
> >> > >
> >> > > fib lookup $expr $flags
> >> >
> >> > How would the kernel disentangle the register data?
> >>
> >> What I'm proposing is to represent this as a concatenation, since this
> >> represents the tuple that you use to look up for route.
> >>
> >> > (i.e., how do i know where in the sreg e.g. the daddr is
> >> > that i need to stuff in the flowi struct?)
> >>
> >> You can iterate over the concatenation compound from the
> >> netlink_linearize path, it is just a list of expressions. Then, you
> >> can set the NFTA_FIB_* netlink attribute using them.
> >
> > I found this to be ugly and cumbersome, I'd propose following
> > syntax instead:
> >
> > FIB fib_type fib_family '{' fib_addr fib_key_flags '}'
> >
> > The {} are needed because I'd like to use 'mark' and 'oif' in flags but
> > these can also be expressions, i.e. I need something that tells
> > the parser when end of FIB flags are reached (so instead of { }
> > it could also use single ';' or something else ...)
> >
> > This gives following examples:
> >
> > fib oif { saddr } # ip route get $saddr, place ifindex into register)
> > fib oif { saddr mark,saddr,oif } # same, but populate flowi .saddr,mark,oif
> > members as well
> >
> > fib oif { daddr mark,saddr,oif } # same, except that flowi.daddr is set
> > # to iph->daddr)
> >
>
>
> Using {} in the syntax for something which is not a set or a map seems
> a bit confusing to me.

We also use it for the flow statement, but I agree it's not nice.

Other solution I see is to not use mark and oif and come up with
new/different keyword, but that's not good either.

Yet another option:

FIB fib_type fib_family fib_key_flags fib_addr

Which is not ambiguous anymore as either saddr or daddr will terminate
the statement.

We'd have to remove the saddr option but I don't think it's a problem
(the iptables rpfilter modules set flowi.saddr if packet daddr is unicast address).

Would give following syntax:

fib oif mark saddr
fib oif saddr
fib oif mark,oif daddr
fib addrtype oif daddr

Or remove unqualified meta keywords, that should work as well.
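
An added sketch, not code from this thread or from nftables: a toy Python parser for the last form proposed in the mail above, showing how `saddr`/`daddr` closes the flag list so that `mark` and `oif` appearing before it can only be key flags. The function name, the result layout and the error messages are assumptions made for illustration, and `fib_family` is left out as in the mail's own examples.

```python
# Toy parser (illustration only) for the proposed form
#   FIB fib_type fib_key_flags fib_addr
# with fib_family omitted, as in the examples given in the mail.
FIB_TYPES = {"oif", "addrtype"}   # result types that appear in the mail's examples
KEY_FLAGS = {"mark", "oif"}       # key flags left once the saddr flag is removed
ADDR_KEYS = {"saddr", "daddr"}    # either keyword terminates the statement


def parse_fib(tokens):
    """Parse a token list; return (statement, rest).

    'rest' holds the tokens after the terminating address keyword, so the
    caller can keep parsing them as ordinary expressions.
    """
    if len(tokens) < 2 or tokens[0] != "fib":
        raise ValueError("expected: fib <type> [flags] <saddr|daddr>")
    if tokens[1] not in FIB_TYPES:
        raise ValueError("unknown fib type: %r" % tokens[1])
    flags = []
    for pos in range(2, len(tokens)):
        tok = tokens[pos]
        if tok in ADDR_KEYS:
            # Terminator reached: everything before it was a key flag.
            stmt = {"type": tokens[1], "flags": flags, "addr": tok}
            return stmt, tokens[pos + 1:]
        for flag in tok.split(","):
            if flag not in KEY_FLAGS:
                raise ValueError("not a fib key flag: %r" % flag)
            if flag in flags:
                raise ValueError("duplicate fib key flag: %r" % flag)
            flags.append(flag)
    raise ValueError("fib statement not terminated by saddr or daddr")


# The four statements listed in the mail.
SAMPLES = [
    "fib oif mark saddr",
    "fib oif saddr",
    "fib oif mark,oif daddr",
    "fib addrtype oif daddr",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_fib(line.split())[0])
```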