On Mon, Nov 18, 2019 at 07:18:49PM +0100, Pablo Neira Ayuso wrote:
> Hi Christian,
> 
> On Mon, Nov 18, 2019 at 05:44:07PM +0100, Christian Göttsche wrote:
> > On Mon., 28 Oct. 2019 at 15:27, Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > > > This is what your patch [6] does, right? If you don't mind rebasing
> > > > it, I can have a look at whether I can propose something other than
> > > > this new keyword.
> > > 
> > > Attached at the end (based on 707ad229d48f2ba7920541527b755b155ddedcda)
> > 
> > friendly ping; any progress?
> > 
> > rebased against 4a382ec54a8c09df1a625ddc7d32fc06257c596d at
> > https://paste.debian.net/1116802/
> 
> Thanks for following up on this. A few comments on your patch:
> 
> 1) I would replace secmark_raw by secmark instead. I think we should
>    hide this asymmetry from the user. I would suggest you also extend
>    the evaluation phase, i.e. expr_evaluate_meta() and expr_evaluate_ct(),
>    to bail out in case the user tries to match on the raw packet / ct
>    secmark ID. IIRC, the only use case for this raw ID is to save and
>    to restore the secmark from/to the packet to/from the conntrack
>    object.
> 
> And a few minor issues:
> 
> 2) Please remove the meta_key_unqualified chunk.
> 
>         meta_key_unqualified SET stmt_expr

I mean, this update (moving the location of this rule) is not
necessary, right?

Thanks.

> 3) Remove the reset command chunk too:
> 
> --- a/src/rule.c
> +++ b/src/rule.c
> @@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx
> *ctx, struct cmd *cmd)
>         case CMD_OBJ_QUOTA:
>                 type = NFT_OBJECT_QUOTA;
>                 break;
> +       case CMD_OBJ_SECMARKS:
> +               dump = true;
> +               /* fall through */
> +       case CMD_OBJ_SECMARK:
> +               type = NFT_OBJECT_SECMARK;
> +               break;
>         default:
>                 BUG("invalid command object type %u\n", cmd->obj);
>         }
> 
> Thanks.
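Review bot: the CMD_OBJ_SECMARKS / CMD_OBJ_SECMARK cases added to do_command_reset() should be dropped, as point 3 above asks. The reset command exists for stateful objects such as the neighbouring CMD_OBJ_QUOTA case, whose usage counters get zeroed; a secmark object only stores a fixed security context string, so there is no state for a reset to clear, and mapping NFT_OBJECT_SECMARK into this switch would add "reset secmark" / "reset secmarks" commands with nothing to reset. Copying the "dump = true; /* fall through */" shape of the other plural cases is consistent style, but it does not make the command meaningful for this object type.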
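The save/restore use of the raw secmark ID that point 1 above refers to, written as an nft ruleset. This is an added illustration, not the patch under review and not code from the thread: it uses only the secmark object and the "meta secmark" / "ct secmark" statements that nft already supports, and deliberately does not show the new matching keyword the patch proposes. The table, chain and object names and the SELinux context string are illustrative placeholders.

```nft
# Added example (not the patch under review). Names and the context string
# are placeholders; a real deployment needs a kernel with CONFIG_NETWORK_SECMARK
# and an LSM (e.g. SELinux) configured to consume packet security marks.
table inet filter {
	# A secmark object: a named, fixed security context. This is the
	# symbolic handle users should deal with; the numeric secmark ID
	# that the kernel attaches to the skb / conntrack entry is the
	# "raw" value the evaluation phase should refuse as a match target.
	secmark sshtag {
		"system_u:object_r:ssh_server_packet_t:s0"
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# Label new inbound SSH packets with the object ...
		tcp dport 22 meta secmark set "sshtag"

		# ... save the packet's raw secmark into the conntrack entry
		# on the first packet of the flow ...
		ct state new ct secmark set meta secmark

		# ... and restore it from conntrack onto every later packet,
		# so the whole flow carries the same label without re-matching.
		ct state established,related meta secmark set ct secmark
	}

	chain output {
		type filter hook output priority 0; policy accept;

		# Replies belong to the same conntrack entry and get the
		# saved secmark restored as well.
		ct state established,related meta secmark set ct secmark
	}
}
```

Load with "nft -f <file>". Note that in this ruleset the raw secmark values only ever move between "meta secmark" and "ct secmark" on the set side of a statement; nothing compares the raw ID against a user-supplied number, which is exactly the asymmetry the evaluation-phase check suggested above would enforce.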