On 8/14/2019 4:19 PM, Pablo Neira Ayuso wrote:
> On Wed, Aug 14, 2019 at 10:00:37AM +0200, Pablo Neira Ayuso wrote:
> [...]
>>>>> @@ -86,6 +110,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
>>>>> len = sizeof(u8);
>>>>> break;
>>>>> case NFT_TUNNEL_ID:
>>>>> + case NFT_TUNNEL_SRC_IP:
>>>>> + case NFT_TUNNEL_DST_IP:
>>>> Missing policy updates, ie. nft_tunnel_key_policy.
>>> I don't understand why it need update nft_tunnel_key_policy
>>> which is used for tunnel_obj action. This NFT_TUNNEL_SRC/DST_IP is used
>>> for tunnel_expr
>> It seems there is no policy object for _get_eval(), add it.
> There is. It is actually nft_tunnel_policy.

nft_tunnel_policy contains an NFTA_TUNNEL_KEY.
NFTA_TUNNEL_KEY supports NFT_TUNNEL_ID, NFT_TUNNEL_SRC/DST_IP.

I think the NFTA_TUNNEL_KEY means a match key which can be tun_id, tun_src, tun_dst.
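
Review bot: In the quoted nft_tunnel_get_init() hunk, the new NFT_TUNNEL_SRC_IP and NFT_TUNNEL_DST_IP labels fall through into the NFT_TUNNEL_ID case, so they take whatever register length that case sets, and that assignment lies outside the hunk context. Please confirm that length matches the size of the address the eval path will copy into the destination register. Since the key names carry no address family, either name or comment them to say which family they cover, or give the two keys their own case with an explicit len instead of sharing the tunnel id one. That keeps the register size check tied to the address type if the tunnel id handling changes later.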