On Tue, Nov 19, 2019 at 08:02:10PM +0100, Christian Göttsche wrote:
> > > 1) I would replace secmark_raw by secmark instead. I think we should
> > > hide this asymmetry to the user. I would suggest you also extend
> > > the evaluation phase, ie. expr_evaluate_meta() and expr_evaluate_ct()
> > > to bail out in case the user tries to match on the raw packet / ct
> > > secmark ID. IIRC, the only use case for this raw ID is to save and
> > > to restore the secmark from/to the packet to/from the conntrack
> > > object.
> > >
> > > And a few minor issues:
> > >
> > > 2) Please remove meta_key_unqualified chunk.
> > >
> > > meta_key_unqualified SET stmt_expr
> >
> > I mean, this update (moving the location of this rule) is not
> > necessary, right? Thanks.
>
> Without these, I am stuck with
>
> $ ./src/nft -c -f files/examples/secmark.nft
> files/examples/secmark.nft:64:49-58: Error: Counter expression must be constant
> ct state established,related meta secmark set ct secmark
>                                               ^^^^^^^^^^

meta_stmt : META meta_key SET stmt_expr
{
	switch ($2) {
	case NFT_META_SECMARK:
		$$ = objref_stmt_alloc(&@$);
		$$->objref.type = NFT_OBJECT_SECMARK;
		$$->objref.expr = $4;

Check for what type of expression you have on $4 from the parser code.
If this is EXPR_META or EXPR_CT, then this is restoring a value. If that
is the case, then you have to use meta_stmt_alloc(), not
objref_stmt_alloc(), since this is not a reference to object.