Re: [iptables PATCH v3 00/12] Implement among match support

On Thu, Oct 31, 2019 at 03:13:14PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Oct 30, 2019 at 06:26:49PM +0100, Phil Sutter wrote:
> [...]
> > Patches 1 to 5 implement required changes and are rather boring by
> > themselves: When converting an nftnl rule to iptables command state,
> > cache access is required (to lookup set references).
> 
> nft_handle is passed now all over the place, this allows anyone to
> access all of its content. This layering design was done on purpose,
> to avoid giving access to all information to the callers, instead
> force the developer to give a reason to show why it needs something
> else from wherever he is. I'm not entirely convinced exposing the
> handle everywhere just because you need to access the set cache is the
> way to go.

In other words: You only need the cache, right? Why don't you just
expose the cache to these functions, which is what you need?


