Re: [PATCH nft] doc: fib: explain example in more detail

On Mon, Jul 22, 2019 at 02:17:47PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > use for "no data available" situations. This whole attempt feels a bit
> > futile. Maybe we should introduce something to signal "no value" so that
> > cmp expression will never match for '==' and always for '!='? Not sure
> > how to realize this via registers. Also undecided about '<' and '>' ops.
> 
> What's the point?

IIRC, Pablo's demand for not aborting in nft_meta in case of
insufficient data was to insert a value into dreg which will never
match. I think the idea was to avoid accidental matching in situations
where a match doesn't make sense.

For ifindex or ifname I can't come up with a good example, but let's
assume we set dreg to 0 for 'meta l4proto' if pkt->tprot is not
initialized (i.e., pkt->tprot_set is false for whatever reason). A rule
'meta l4proto == 0' would start to match even if l4proto of the packet
is not 0.

Remember, the original problem was that with iptables-legacy, I can do
'! -i foobar' in POSTROUTING chain and it will always match. With
iptables-nft, the same rule will never match.

Maybe we should just go with fixing for iifname/oifname only and leave
the rest as-is?

Cheers, Phil
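A small model of the evaluation semantics argued over in this thread, added here as an illustration and not code from nftables or from the thread: a meta load that either aborts the rule, zero-fills the register (the behaviour Phil argues against), or stores a hypothetical NO_VALUE sentinel, followed by a cmp, applied to two constructed packets. The packet dicts, policy names and the sentinel are assumptions of this model.

```python
"""Toy model of nft 'meta' + 'cmp' evaluation when data is unavailable."""

# Hypothetical sentinel for "no value" (e.g. tprot not set, no input interface).
NO_VALUE = object()


def meta_load(pkt: dict, key: str, policy: str):
    """Load a meta key into a register under one of three policies.

    'abort'   - missing data breaks rule evaluation (rule never matches).
    'zero'    - missing data is stored as 0 (accidental matches possible).
    'novalue' - missing data is stored as the NO_VALUE sentinel.
    Returns ('break', None) or ('ok', value).
    """
    if key in pkt:
        return "ok", pkt[key]
    if policy == "abort":
        return "break", None
    if policy == "zero":
        return "ok", 0
    return "ok", NO_VALUE


def cmp(reg, op: str, rhs) -> bool:
    """cmp expression: with NO_VALUE, '==' never matches and '!=' always does."""
    if reg is NO_VALUE:
        return op == "!="
    return reg == rhs if op == "==" else reg != rhs


def rule_matches(pkt: dict, key: str, op: str, rhs, policy: str) -> bool:
    """Evaluate 'meta <key> <op> <rhs>' against a packet under a policy."""
    status, reg = meta_load(pkt, key, policy)
    if status == "break":
        return False
    return cmp(reg, op, rhs)


# Constructed sample packets (assumptions, not real packet metadata).
POSTROUTING_PKT = {"oifname": "eth0"}     # locally generated: no input interface
UNKNOWN_PROTO_PKT = {"iifname": "eth0"}   # l4proto not set


def demo() -> dict:
    """Return the outcomes discussed in the mail for each policy."""
    return {
        "abort: iifname != foobar in POSTROUTING":
            rule_matches(POSTROUTING_PKT, "iifname", "!=", "foobar", "abort"),
        "zero: l4proto == 0 with unset l4proto":
            rule_matches(UNKNOWN_PROTO_PKT, "l4proto", "==", 0, "zero"),
        "novalue: iifname != foobar in POSTROUTING":
            rule_matches(POSTROUTING_PKT, "iifname", "!=", "foobar", "novalue"),
        "novalue: l4proto == 0 with unset l4proto":
            rule_matches(UNKNOWN_PROTO_PKT, "l4proto", "==", 0, "novalue"),
    }
```

The 'abort' row reproduces the iptables-nft behaviour Phil describes (the negated match never fires), the 'zero' row shows the false positive he warns about, and the 'novalue' rows show the semantics he floats.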


