Re: [PATCH netfilter: nft] add connmark module

Hello again,

On Mon, Jan 6, 2014 at 1:49 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> I think one single NFT_META_CONNMARK with the get/set variants should
> be enough to implement the save, restore and set operations that
> xt_connmark provides.
>
> * restore:
>         reg1 = get(NFT_META_CONNMARK)
>         set(NFT_META_MARK, reg1)
>
> * save:
>         reg1 = get(NFT_META_MARK)
>         set(NFT_META_CONNMARK, reg1)
>
> * set:
>         reg1 = immediate(value)
>         set(NFT_META_CONNMARK, reg1)

I have spent some time trying to figure out how to implement this
(with only one NFT_META_CONNMARK), but I can't quite figure it out.
Implementing get and set of ctmark is straightforward and already
working, but restore and save are causing me some problems. They are
both set statements, but the current grammar requires a set statement
to contain an expression. We can use the already existing bitwise
operators instead of the mask provided as an argument to xt_CONNMARK,
so neither save nor restore needs an argument.

I was wondering if you could share your thoughts when you wrote the
pseudo-code? Would an OK solution be to, for example, add two more
meta_keys and hard-code something like the following statements:
        META CONNMARK_SAVE
        {
                meta_stmt_alloc(&@$, $2, 0);
        }
        META CONNMARK_RESTORE
        {
                meta_stmt_alloc(&@$, $2, 0);
        }?

-Kristian
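
A toy C model of the get/set register sequences from the quoted pseudo-code, with a bitwise step standing in for the mask argument; it is an added illustration, not code from this thread, the kernel or nft. The `seq_*`, `xt_*` and `KEY_*` names and the sample marks are assumptions, and the `xt_*` helpers reproduce the mask arithmetic of the xt_connmark target for comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (not kernel or nft code): packet mark, conntrack mark, one register. */
enum key { KEY_MARK, KEY_CONNMARK };  /* stand-ins for NFT_META_MARK / NFT_META_CONNMARK */
struct state { uint32_t nfmark, ctmark, reg1; };

static void get(struct state *s, enum key k)
{ s->reg1 = (k == KEY_MARK) ? s->nfmark : s->ctmark; }

static void set(struct state *s, enum key k)
{ if (k == KEY_MARK) s->nfmark = s->reg1; else s->ctmark = s->reg1; }

/* Mask-then-xor step on the register: reg = (reg & mask) ^ xorv. */
static void bitwise(struct state *s, uint32_t mask, uint32_t xorv)
{ s->reg1 = (s->reg1 & mask) ^ xorv; }

/* Register sequences from the quoted pseudo-code, plus a mask step on the copied value. */
struct state seq_restore(struct state s, uint32_t mask)
{ get(&s, KEY_CONNMARK); bitwise(&s, mask, 0); set(&s, KEY_MARK); return s; }

struct state seq_save(struct state s, uint32_t mask)
{ get(&s, KEY_MARK); bitwise(&s, mask, 0); set(&s, KEY_CONNMARK); return s; }

struct state seq_set(struct state s, uint32_t value)
{ s.reg1 = value; set(&s, KEY_CONNMARK); return s; }

/* xt_connmark target arithmetic, for comparison. */
uint32_t xt_restore(uint32_t nf, uint32_t ct, uint32_t ctmask, uint32_t nfmask)
{ return (nf & ~nfmask) ^ (ct & ctmask); }

uint32_t xt_save(uint32_t nf, uint32_t ct, uint32_t ctmask, uint32_t nfmask)
{ return (ct & ~ctmask) ^ (nf & nfmask); }

int main(void)
{
    struct state s = { 0x00000012, 0xabcd0034, 0 };  /* constructed sample marks */
    uint32_t m = 0x000000ff;
    printf("restore: nfmark=0x%08x (xt: 0x%08x)\n",
           seq_restore(s, m).nfmark, xt_restore(s.nfmark, s.ctmark, m, 0xffffffff));
    printf("save:    ctmark=0x%08x (xt: 0x%08x)\n",
           seq_save(s, m).ctmark, xt_save(s.nfmark, s.ctmark, 0xffffffff, m));
    printf("set:     ctmark=0x%08x\n", seq_set(s, 0x42).ctmark);
    return 0;
}
```

The model matches xt_connmark when the destination-side mask is all-ones; with a narrower destination mask xt_connmark keeps the unmasked destination bits, which these single-register sequences do not do.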