On 18.10.2016 22:55, Florian Westphal wrote:
> Same as above, except that it would check sp->xvec[X], for a fixed (user
> defined) value of X, rather than searching all of sp->xvec[].
>
> Or, putting it differently, in 1) user provides data (ip address,
> spi, ...) and sp->xvec is the haystack we will search in.
>
> I expect most users and use cases are covered by this, rather than 2).
>
> For 2), user gives a policy index and tells us if they want saddr,
> daddr, spi or reqid and we will then copy it to a register.
>
> (Where another nft expression, e.g. cmp, can evaluate it)
>
> So 2) is only needed when exact matching of the entire policies
> is requested (--strict) mode.
>
> If you think we can go without strict, then only 1) is needed.
>
> The drawback is that 1) is very un-nftables like, but alas, I don't
> think we can avoid it.

Well, I think being able to search all policies would be a nifty thing to have. But sure, doing the first thing would be much better and more suitable as a replacement for -m policy in nftables.

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658