On Wed, Oct 30, 2019 at 06:26:49PM +0100, Phil Sutter wrote:
[...]
> Patches 1 to 5 implement required changes and are rather boring by
> themselves: When converting an nftnl rule to iptables command state,
> cache access is required (to lookup set references).

nft_handle is passed now all over the place; this allows anyone to access all of its content.

This layering design was done on purpose, to avoid giving access to all information to the callers, instead force the developer to give a reason to show why it needs something else from wherever he is.

I'm not entirely convinced exposing the handle everywhere just because you need to access the set cache is the way to go.