On Fri, Oct 27, 2017 at 02:52:02PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > > index 43ac0909195f..91f7b9e1c472 100644 > > > --- a/tests/py/inet/icmpX.t > > > +++ b/tests/py/inet/icmpX.t > > > @@ -3,8 +3,8 @@ > > > *inet;test-inet;input > > > > > > ip protocol icmp icmp type echo-request;ok;icmp type echo-request > > > -icmp type echo-request;ok > > > +icmp type echo-request;ok;meta nfproto ipv4 icmp type echo-request > > > > I read a couple of times your description above and I must be > > overlooking anything. > > > > To me, "icmp type echo-request" in bridge/inet/netdev should result in > > two implicit dependencies, so this ends up looking like this: > > > > 1) check for IPv4, then... > > 2) check for ICMP in iph->protocol, then... > > 3) check for ICMP type. > > > > This would be the default reasonable behaviour. > > > > Then, we have to deal with specific corner cases, where we should > > cancel dependencies. > > > > Am I missing anything? > > Sorry, I overlooked this on my first reply. > > Your assesment is correct, that is indeed the default reasonable > behaviour, but, when removing, we have limited information on > the rule at the moment. > > So this is really: > > 1) check for IPv4, then... > 2) check for some l4 protocol > > ... from a dependency removal perspective. > and 2) doesn't provide enough information to decide if the dependency > is needed or not. We probably need to make an initial pass of the entire rule, populate context, then kill these dependencies once we have a global view on what is being expressed there. Make sense to you? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
