On 07/01/2019 12:45, Florian Westphal wrote:
> Pablo/others, I would propose following change, which I think is
> backwards compatible:
>
> +++ b/net/netfilter/nft_lookup.c
> @@ -37,15 +37,19 @@ void nft_lookup_eval(const struct nft_expr *expr,
>
> found = set->ops->lookup(nft_net(pkt), set, ®s->data[priv->sreg],
> &ext) ^ priv->invert;
> - if (!found) {
> - regs->verdict.code = NFT_BREAK;
> - return;
> - }
>
> - if (set->flags & NFT_SET_MAP)
> + if (set->flags & NFT_SET_MAP) {
> + if (!found) {
> + if (priv->dreg != NFT_REG_VERDICT)
> + regs->verdict.code = NFT_BREAK;
> + return;
> + }
> +
> nft_data_copy(®s->data[priv->dreg],
> nft_set_ext_data(ext), set->dlen);
> -
> + } else if (!found) {
> + regs->verdict.code = NFT_BREAK;
> + }
> }
>
> This makes following rule work:
> tcp dport vmap { 80:accept, 443:accept } counter drop
>
> (if 80/443, we leave via nft_data_copy, so evaluation of ruleset
> terminates with verdict, if no result, we do not set NFT_BREAK
> anymore, so we continue to evaluate remaining expressions (counter, drop).
>
> With jumps to user defined chains this scheme should work as well,
> as we would continue after the rule if we had a match.
>
> If the set doesn't contain verdicts (but e.g. nfmarks), then priv->dreg
> can't be NFT_REG_VERDICT.
>
> If you agree, I will make a formal submission.

What's the status of this one?
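Review bot: in the new `if (set->flags & NFT_SET_MAP)` branch, a miss with `priv->dreg == NFT_REG_VERDICT` hits `return;` without writing `regs->verdict.code`, so the rule only continues because the caller left the verdict at NFT_CONTINUE; a one-line comment at that `return;` should state that dependency, and the commit message should spell out the user-visible change that a miss in a verdict map now falls through to the remaining expressions of the rule instead of ending it with NFT_BREAK, which is also what the backwards-compatibility claim rests on (before this change, expressions after a verdict map could not run on either a hit or a miss). The `regs->verdict.code = NFT_BREAK;` assignment now appears twice (inside the map branch and in the `else if (!found)` arm); consider folding the non-verdict miss handling into one path so the two cases cannot drift apart.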