Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upWIP: rule: add String() method #108
Conversation
| NFT_STOLEN = 2 | ||
| NFT_QUEUE = 3 | ||
| NFT_REPEAT = 4 | ||
| NFT_STOP = 5 |
This comment has been minimized.
This comment has been minimized.
stapelberg
Aug 8, 2020
Collaborator
Why did we not have these declared before? Where are they canonically defined in the upstream sources? Can you add a link please?
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
Why did we not have these declared before? Where are they canonically defined in the upstream sources? Can you add a link please?
There is no definition. They are defined with the following:
const (
VerdictReturn VerdictKind = iota - 5
VerdictGoto
VerdictJump
VerdictBreak
VerdictContinue
VerdictDrop
VerdictAccept
VerdictStolen
VerdictQueue
VerdictRepeat
VerdictStop
)
I am looking in https://github.com/torvalds/linux/blob/47ec5303d73ea344e84f46660fff693c57641386/include/uapi/linux/netfilter/nf_tables.h#L64-L70 ... yet to discover.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
@stapelberg , in retrospect, after finding https://git.netfilter.org/libnftnl/tree/src/utils.c#n182, I say was mimicking this function
const char *nftnl_verdict2str(uint32_t verdict)
{
switch (verdict) {
case NF_ACCEPT:
return "accept";
case NF_DROP:
return "drop";
case NF_STOLEN:
return "stolen";
case NF_QUEUE:
return "queue";
case NF_REPEAT:
return "repeat";
case NF_STOP:
return "stop";
case NFT_RETURN:
return "return";
case NFT_JUMP:
return "jump";
case NFT_GOTO:
return "goto";
case NFT_CONTINUE:
return "continue";
case NFT_BREAK:
return "break";
default:
return "unknown";
}
}
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
@stapelberg , also the NF_STOLEN comes from https://git.netfilter.org/libnftnl/tree/include/linux/netfilter.h#n9
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5
#define NF_MAX_VERDICT NF_STOP| var v string | ||
| switch e.Kind { | ||
| case unix.NFT_RETURN: | ||
| v = "return" // -0x5 |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
What did you want to express with these comments?
@stapelberg , just a note as to what the id is for the return.
| t.Fatalf("bad verdict string at %d: %s (received) vs. %s (expected)", i, rr.String(), wantStrings[i]) | ||
| } | ||
|
|
||
| t.Logf("%s", rr) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
remove debugging left-over?
@stapelberg ,
| @@ -0,0 +1,3 @@ | |||
| go test ./... | |||
This comment has been minimized.
This comment has been minimized.
stapelberg
Aug 8, 2020
Collaborator
Can you remove this file from the commit?
Making testing a little easier is a good idea in general, but I’d like to avoid establishing precedent of shell scripts :)
Maybe a “make test” target in a Makefile in a separate PR would be the best way forward?
This comment has been minimized.
This comment has been minimized.
greenpau
Aug 9, 2020
Author
Contributor
Can you remove this file from the commit?
@stapelberg ,
Maybe a “make test” target in a Makefile in a separate PR would be the best way forward?
@stapelberg , that would be nice! I agree.
greenpau commentedAug 3, 2020
Before this commit: the printing of a rule results in
a pointer address.
After this commit: the printing of a rules results in
a human-readable text.
Resolves: #104
Signed-off-by: Paul Greenberg greenpau@outlook.com