On Tue, Aug 04, 2020 at 04:24:12PM +0200, Pablo Neira Ayuso wrote:
> This patch allows users to specify an unsigned 64-bit cookie for rules.
> The userspace application assigns the cookie number for tracking the rule.
> The cookie needs to be non-zero. This cookie value is only relevant to
> userspace since this resides in the user data area.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> Phil, you suggested a cookie to track rules, here it is. A few notes:
>
> - This patch is missing json support.
> - No need for kernel update since the cookie is stored in the user data area.

It's also missing the ability to delete a rule using the cookie. I guess
this means userspace will have to fetch the ruleset and map a cookie to
rule handle in order to perform the delete.

# nft add rule inet foobar input tcp dport 666 accept cookie 1234
# nft list ruleset
table inet foobar {
	chain input {
		tcp dport 666 accept cookie 1234
	}
}
# nft delete rule inet foobar input cookie 1234
Error: syntax error, unexpected cookie, expecting handle
delete rule inet foobar input cookie 1234
                              ^^^^^^