On Thu, Jul 05, 2018 at 05:14:20PM +0200, Máté Eckl wrote:
> On Thu, Jun 21, 2018 at 01:42:14PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Jun 21, 2018 at 01:01:31PM +0200, Phil Sutter wrote:
> > [...]
> > > On Thu, Jun 21, 2018 at 11:26:37AM +0200, Máté Eckl wrote:
> > > > By the way, there's a question I haven't met yet. Prio spec is used by not only
> > > > hook_spec but also flowtable_block. Are these standard priorities applicable for
> > > > flowtable priorities? Or should I make it specific to chains?
> >
> > Only the filter priority you can apply to the flowtable_block.
>
> Is there a man page you could recommend to read more about flowtables? Maybe one
> of an older tool? I haven't found much about this.

man nft.

There is also: Documentation/networking/nf_flowtable.txt

> > Note that standard priorities may depend on family, so you may need to
> > do the chain_std_prio_lookup() from the evaluation phase, instead of
> > doing it from the parser.
> >
> > Telling this only filter applies to arp, bridge and netdev families
> > IIRC.
> >
> > Have a look and let us know.
>
> This is what I found:
> iptables
> 	filter
> 	nat (dstnat, srcnat)
> 	mangle
> 	raw
> 	security
> arptables
> 	filter
> ebtables
> 	filter
> 	nat (dstnat, srcnat)
> 	broute (no corresponding priority value)
>
> I have an implementation to handle this, but I'd still like to do the
> name->number translation outside the eval functions.

Why are you willing to make your life so complicated? :-)

> Is there any way to get the family of the context in the parser? I'd like to do
> something like this:
> standard_prio		:	STRING
> 			{
> 				int tmp = chain_std_prio_lookup(something->family, $1);
> 				[...]
> 			}
> 			;
>
> I tried chain family but it is not initialised at this point.

Problem with bison is that context may not even be there by when this
standard_prio rule runs.
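The split discussed in the thread, as an added example that is not part of the original message and not nftables code: the grammar action only records the priority name, and the name->number lookup runs at evaluation, once the family is known. All identifiers are hypothetical; the numbers follow the kernel's NF_IP_PRI_* and NF_BR_PRI_FILTER_BRIDGED constants, and limiting arp, bridge and netdev to filter is the assumption stated in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sketch, not nftables source: every name here is invented. */
enum family { FAM_IP, FAM_ARP, FAM_BRIDGE, FAM_NETDEV };

/* What a grammar action can safely store: the literal name only. */
struct prio_spec {
    const char *name;   /* e.g. "filter", kept until evaluation */
    int         num;    /* numeric priority, set by eval_prio() on success */
};
struct std_prio { enum family fam; const char *name; int num; };

/* Values follow the kernel NF_IP_PRI_* / NF_BR_PRI_FILTER_BRIDGED constants.
 * Assumption from the thread: arp, bridge and netdev accept "filter" only. */
static const struct std_prio std_prios[] = {
    { FAM_IP, "raw", -300 },    { FAM_IP, "mangle", -150 },
    { FAM_IP, "dstnat", -100 }, { FAM_IP, "filter", 0 },
    { FAM_IP, "security", 50 }, { FAM_IP, "srcnat", 100 },
    { FAM_ARP, "filter", 0 },   { FAM_BRIDGE, "filter", -200 },
    { FAM_NETDEV, "filter", 0 },
};

/* Parser stage: no family is available yet, so nothing is looked up. */
static struct prio_spec parse_prio(const char *token)
{
    struct prio_spec p = { token, 0 };
    return p;
}

/* Evaluation stage: the family is known. Returns 0 on success, -1 when
 * the name is not a standard priority for that family (num is untouched). */
static int eval_prio(enum family fam, struct prio_spec *p)
{
    for (size_t i = 0; i < sizeof(std_prios) / sizeof(std_prios[0]); i++) {
        if (std_prios[i].fam == fam && !strcmp(std_prios[i].name, p->name)) {
            p->num = std_prios[i].num;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    struct prio_spec p = parse_prio("mangle");
    int arp = eval_prio(FAM_ARP, &p), ip = eval_prio(FAM_IP, &p);
    printf("arp=%d ip=%d num=%d\n", arp, ip, p.num);
    return 0;
}
```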