Hi Anders,
2016-10-20 21:52 GMT+08:00 Anders K. Pedersen | Cohaesio <akp@xxxxxxxxxxxx>:
>
> OK, so would it be okay to replace it with
>
> printk_once(KERN_WARNING KBUILD_MODNAME " Address families do not match\n");
>
> ?
>
To this question, I think it's better to do NFT_BREAK sliently, the warning
message seems useless. Actually this can be avoided in userspace,
i.e. in nft.
For example, if you add the following rule in the inet family:
# nft add rule inet filter output ip daddr 1.1.1.1
An implict rule will be added, and this can also be applied to rt expr,
we should first compare nfproto is AF_INET or not:
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
But after I think it carefully, I think the NFTA_RT_FAMILY attr
seems useless, we can combine these four files nft_rt.c,
nft_rt_ipv4.c, nft_rt_ipv6.c and nft_rt_inet.c into a single one
file nft_rt.c.
For eval, we can use pkt->pf to decide which rt or rt6 nexthop
to be loaded, so ip/ip6/inet family has the same logical now,
for example:
static void nft_rt_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
const struct nft_rt *priv = nft_expr_priv(expr);
const struct dst_entry *dst = skb_dst(skb);
if (!dst)
goto err;
switch (key) {
case NEXTHOP:
switch(pkt->pf) {
case IPV4:
case IPV6:
}
case RTCLASSID:
....
}
....
}
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
