Hi Christian,

On Mon, Nov 18, 2019 at 05:44:07PM +0100, Christian Göttsche wrote:
> On Mon, 28 Oct 2019 at 15:27, Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> > > This is what your patch [6] does, right? If you don't mind rebasing
> > > it I can have a look if I can propose you something else than this new
> > > keyword.
> >
> > Attached at the end (based on 707ad229d48f2ba7920541527b755b155ddedcda)
>
> friendly ping; any progress?
>
> rebased against 4a382ec54a8c09df1a625ddc7d32fc06257c596d at
> https://paste.debian.net/1116802/

Thanks for following up on this. A few comments on your patch:

1) I would replace secmark_raw by secmark instead. I think we should hide
this asymmetry from the user.

I would suggest you also extend the evaluation phase, i.e.
expr_evaluate_meta() and expr_evaluate_ct(), to bail out in case the user
tries to match on the raw packet / ct secmark ID. IIRC, the only use case
for this raw ID is to save and to restore the secmark from/to the packet
to/from the conntrack object.

And a few minor issues:

2) Please remove the meta_key_unqualified chunk:

	meta_key_unqualified	SET	stmt_expr

3) Remove the reset command chunk too:

--- a/src/rule.c
+++ b/src/rule.c
@@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_QUOTA:
 		type = NFT_OBJECT_QUOTA;
 		break;
+	case CMD_OBJ_SECMARKS:
+		dump = true;
+		/* fall through */
+	case CMD_OBJ_SECMARK:
+		type = NFT_OBJECT_SECMARK;
+		break;
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
 	}

Thanks.
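Review bot: the do_command_reset() hunk adds CMD_OBJ_SECMARKS / CMD_OBJ_SECMARK handling that is unrelated to the secmark matching change the rest of this thread is about, so it should be dropped from this patch as requested above; if reset support for secmark objects is wanted, send it as a separate patch that states what resetting a secmark object is supposed to do, since unlike the neighbouring quota case there is no stateful value visible here that a reset would clear.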
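To make the save/restore use case from comment 1 concrete, here is an added example ruleset that is not part of this thread or of Christian's patch. It uses only the existing nftables `secmark` object and the `meta secmark` / `ct secmark` set statements: the packet secmark is stored into the conntrack entry on the first packet of a flow and copied back onto later packets. The table and chain names, the object name `sshtag` and the SELinux context string are assumed for the illustration. These two set statements are the only places where the raw secmark ID is transferred between packet and conntrack object, which is why the evaluation phase can refuse any attempt to match on that raw ID directly.

```nft
table inet filter {
	# secmark object: the SELinux context applied to matching packets
	# (context string assumed for this example)
	secmark sshtag {
		"system_u:object_r:ssh_server_packet_t:s0"
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# label inbound SSH packets with the secmark object
		tcp dport 22 meta secmark set "sshtag"

		# save: copy the packet secmark into the conntrack entry
		# when the flow is first seen
		ct state new ct secmark set meta secmark

		# restore: copy the saved secmark from the conntrack entry
		# onto every later packet of the same flow
		ct state established,related meta secmark set ct secmark
	}
}
```

Load it with `nft -f` on a kernel built with CONFIG_NETWORK_SECMARK and NF_CONNTRACK_SECMARK; the SELinux policy must define the referenced packet context for the label to have any effect.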