Re: [PATCH v3 nft] Set/print standard chain priorities with textual names

On Thu, Jul 05, 2018 at 05:22:23PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 05, 2018 at 05:14:20PM +0200, Máté Eckl wrote:
> > On Thu, Jun 21, 2018 at 01:42:14PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Jun 21, 2018 at 01:01:31PM +0200, Phil Sutter wrote:
> > > [...]
> > > > On Thu, Jun 21, 2018 at 11:26:37AM +0200, Máté Eckl wrote:
> > > > > By the way, there's a question I haven't met yet. Prio spec is used by not only
> > > > > hook_spec but also flowtable_block. Are these standard priorities applicable for
> > > > > flowtable priorities? Or should I make it specific to chains?
> > > 
> > > Only the filter priority you can apply to the flowtable_block.
> > 
> > Is there a man page you could recommend to read more about flowtables? Maybe one
> > of an older tool? I haven't found much about this.
> 
> man nft.
> 
> There is also: Documentation/networking/nf_flowtable.txt

But these don't say anything about filter or anything.. I'd like to see if it
makes any sense here. It seems not to make any for now. How about leaving
flowtables alone with this change and only apply this for chains?

> > > Note that standard priorities may depend on family, so you may need to
> > > do the chain_std_prio_lookup() from the evaluation phase, instead of
> > > doing it from the parser.
> > > 
> > > Telling this only filter applies to arp, bridge and netdev families
> > > IIRC.
> > > 
> > > Have a look and let us know.
> > 
> > This is what I found:
> > 	iptables
> > 		filter
> > 		nat (dstnat, srcnat)
> > 		mangle
> > 		raw
> > 		security
> > 	arptables
> > 		filter
> > 	ebtables
> > 		filter
> > 		nat (dstnat, srcnat)
> > 		broute (no corresponding priority value)
> > 
> > I have an implementation to handle this, but I'd still like to do the
> > name->number translation outside the eval functions.
> 
> Why are you willing to make your life so complicated? :-)

I will need to refactor the chain structure and initialisation, so it actually
seemed to be less complicated so far.  But I guess I have no other options.

> > Is there any way to get the family of the context in the parser? I'd like to do
> > something like this:
> > 	standard_prio	:	STRING
> > 		{
> > 			int tmp = chain_std_prio_lookup(something->family, $1);
> > 			[...]
> > 		}
> > 		;
> > 
> > I tried chain family but it is not initialised at this point.
> 
> Problem with bison is that context may not even be there by when this
> standard_prio rule runs.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
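The design point argued in the thread above is that a textual priority name
cannot be resolved in the bison rule, because the family is not known until
the chain has been attached to its table, so the resolution has to happen in
the evaluation phase and has to be family-dependent (ip/ip6/inet have the
full iptables set, bridge has filter and the two NAT priorities, arp and
netdev have only filter). The following is an added illustration of that
structure and is not nft's own code: the enum, struct names and function
names are invented for the example, and the numeric values are the kernel's
NF_IP_PRI_* and NF_BR_PRI_* uapi constants as I know them, not values taken
from this page.

```c
/*
 * Added example, not nft source: per-family lookup of standard chain
 * priority names, done in an evaluation pass after the family is known.
 * Names and struct layout are invented for illustration; the numbers
 * are the kernel's NF_IP_PRI_* / NF_BR_PRI_* constants (assumed here).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum nf_family { FAM_IP, FAM_IP6, FAM_INET, FAM_ARP, FAM_BRIDGE, FAM_NETDEV };

struct std_prio {
	const char *name;
	int prio;
};

/* ip, ip6 and inet: the iptables hook priorities, raw .. srcnat */
static const struct std_prio ip_prios[] = {
	{ "raw",      -300 },
	{ "mangle",   -150 },
	{ "dstnat",   -100 },
	{ "filter",      0 },
	{ "security",   50 },
	{ "srcnat",    100 },
	{ NULL, 0 },
};

/* bridge: ebtables filter plus the two NAT priorities */
static const struct std_prio bridge_prios[] = {
	{ "dstnat", -300 },
	{ "filter", -200 },
	{ "srcnat",  300 },
	{ NULL, 0 },
};

/* arp and netdev: only "filter" has a standard value */
static const struct std_prio filter_only_prios[] = {
	{ "filter", 0 },
	{ NULL, 0 },
};

static const struct std_prio *prio_table(enum nf_family family)
{
	switch (family) {
	case FAM_IP:
	case FAM_IP6:
	case FAM_INET:
		return ip_prios;
	case FAM_BRIDGE:
		return bridge_prios;
	case FAM_ARP:
	case FAM_NETDEV:
		break;
	}
	return filter_only_prios;
}

/* True, with *prio set, if NAME is a standard priority for FAMILY. */
bool chain_std_prio_lookup(enum nf_family family, const char *name, int *prio)
{
	const struct std_prio *t;

	for (t = prio_table(family); t->name != NULL; t++) {
		if (strcmp(t->name, name) == 0) {
			*prio = t->prio;
			return true;
		}
	}
	return false;
}

/* What the parser can hand over: the name is kept, nothing is resolved yet. */
struct chain {
	enum nf_family family;	/* filled in from the enclosing table */
	const char *prio_name;	/* NULL when a numeric priority was given */
	int prio;
};

/* Evaluation phase: the family is known here, so the name can be resolved. */
int chain_evaluate(struct chain *c)
{
	if (c->prio_name == NULL)
		return 0;
	if (!chain_std_prio_lookup(c->family, c->prio_name, &c->prio)) {
		fprintf(stderr, "'%s' is not a standard priority for this family\n",
			c->prio_name);
		return -1;
	}
	return 0;
}

/* flowtable_block accepts only the filter priority, whatever the family. */
int flowtable_evaluate(enum nf_family family, const char *prio_name, int *prio)
{
	if (strcmp(prio_name, "filter") != 0)
		return -1;
	return chain_std_prio_lookup(family, prio_name, prio) ? 0 : -1;
}

int main(void)
{
	struct chain c = { .family = FAM_BRIDGE, .prio_name = "dstnat" };

	if (chain_evaluate(&c) == 0)
		printf("bridge dstnat -> %d\n", c.prio);
	c.family = FAM_ARP;
	c.prio_name = "mangle";
	chain_evaluate(&c);	/* rejected: arp has only "filter" */
	return 0;
}
```

Keeping the name in the chain object until chain_evaluate() runs is what
removes the need for the parser to know the family; the same lookup can then
also be reused for the flowtable case, restricted to "filter" as stated above.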