Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > I can't remove the if () because that would make it possible to lookup > > for meter-type sets. > > Why is this a problem? I was worried about this exposing expr pointers in the nft registers but that won't happen (lookup expr doesn't care, only dynset will check for attached expression coming from set). I will send a patch to zap this check. However, that still is a problem because that means "dynamic" can't be used in kernels < 5.4 . > I think we can just check instead from nft_lookup if there is an > extension in this then, instead of checking for the NFT_SET_EVAL flag > to fix this. Hence, you can make lookups on dynamic sets, but not on > dynamic sets with extensions. What do you mean?
