Phil Sutter <phil@xxxxxx> wrote:
> On Mon, Jul 22, 2019 at 02:17:47PM +0200, Florian Westphal wrote:
> > Phil Sutter <phil@xxxxxx> wrote:
> > > use for "no data available" situations. This whole attempt feels a bit
> > > futile. Maybe we should introduce something to signal "no value" so that
> > > cmp expression will never match for '==' and always for '!='? Not sure
> > > how to realize this via registers. Also undecided about '<' and '>' ops.
> >
> > What's the point?
>
> IIRC, Pablo's demand for not aborting in nft_meta in case of
> insufficient data was to insert a value into dreg which will never
> match. I think the idea was to avoid accidental matching in situations
> where a match doesn't make sense.

I think the only constraint is that it must not overlap with a
legitimate ifindex. But 0 cannot occur, so 'meta iif 0' will only match
in case no input interface existed -- I think that's fine and might even
be desired.

> For ifindex or ifname I can't come up with a good example, but let's
> assume we set dreg to 0 for 'meta l4proto' if pkt->tprot is not
> initialized (i.e., pkt->tprot_set is false for whatever reason). A rule
> 'meta l4proto == 0' would start to match even if l4proto of the packet
> is not 0.

That's my point, we can't use a value that can occur normally.

> Remember, the original problem was that with iptables-legacy, I can do
> '! -i foobar' in POSTROUTING chain and it will always match. With
> iptables-nft, the same rule will never match.

I know.

> Maybe we should just go with fixing for iifname/oifname only and leave
> the rest as-is?

I would propose to go with '0' dreg for ifindex, "" for name and leave
rest as-is.
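As an added illustration (not code from this thread or from the kernel's nft_meta.c), here is a simplified C model of the two behaviours being compared: aborting the rule when no input interface exists versus writing a sentinel (0 for ifindex, "" for ifname) into dreg before cmp runs. The struct, the function names and the use_sentinel flag are assumptions made for the model; the constructed no_input context stands for a packet in POSTROUTING that never had an input device.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the nft_meta/cmp behaviour under discussion; not the
 * kernel's code. Names, the struct and the use_sentinel flag are assumptions. */
#define IFNAMSIZ 16

enum cmp_op { CMP_EQ, CMP_NEQ };

/* Constructed context: in == NULL / in_ifindex == 0 models a packet in
 * POSTROUTING that never had an input device. */
struct pkt { const char *in; int in_ifindex; };
static const struct pkt no_input  = { NULL, 0 };
static const struct pkt from_eth0 = { "eth0", 2 };

/* 'meta iifname <op> name': does the cmp match for this packet? */
static bool iifname_match(const struct pkt *p, enum cmp_op op,
                          const char *name, bool use_sentinel)
{
    char dreg[IFNAMSIZ] = "";   /* "" is the proposed "no interface" value */
    if (p->in)
        strncpy(dreg, p->in, IFNAMSIZ - 1);
    else if (!use_sentinel)
        return false;           /* old behaviour: NFT_BREAK, rule never matches */
    /* otherwise dreg stays "", a name no real interface can have */
    bool eq = strncmp(dreg, name, IFNAMSIZ) == 0;
    return op == CMP_EQ ? eq : !eq;
}

/* 'meta iif <op> ifindex': same idea, 0 is the sentinel as no real ifindex is 0. */
static bool iif_match(const struct pkt *p, enum cmp_op op,
                      int ifindex, bool use_sentinel)
{
    int dreg = 0;
    if (p->in_ifindex)
        dreg = p->in_ifindex;
    else if (!use_sentinel)
        return false;
    bool eq = dreg == ifindex;
    return op == CMP_EQ ? eq : !eq;
}
int main(void)
{
    printf("abort:    %d\n", iifname_match(&no_input, CMP_NEQ, "foobar", false)); /* 0 */
    printf("sentinel: %d\n", iifname_match(&no_input, CMP_NEQ, "foobar", true));  /* 1 */
    printf("eth0 !=:  %d\n", iifname_match(&from_eth0, CMP_NEQ, "foobar", true)); /* 1 */
    printf("iif == 0: %d\n", iif_match(&no_input, CMP_EQ, 0, true));               /* 1 */
    return 0;
}
```

The first two lines of output are the '! -i foobar' in POSTROUTING case: with the abort behaviour the rule never matches, with the sentinel it matches as it does in iptables-legacy.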