Re: [PATCH nft 1/2] Introduce socket matching

2018-05-18 Thread Máté Eckl
On Thu, May 17, 2018 at 04:42:15PM +0200, Florian Westphal wrote: > Máté Eckl wrote: > > +socket_stmt: SOCKET EXISTS /* with the actual > > implementation we cannot match abscence */ > > I think we should go for a native expression. > > I'll leave it

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > +socket_stmt : SOCKET EXISTS /* with the actual > implementation we cannot match abscence */ I think we should go for a native expression. I'll leave it up to you what you'd like to do next. There are a few options: 1. First go for TPROXY

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > Originally I also added the following lines but it made the print too slow for > the test to pass. > > It printed the following warning: > inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket > exists': 'socket exists' mismatches

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Máté Eckl
Originally I also added the following lines but it made the print too slow for the test to pass. It printed the following warning: inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket exists': 'socket exists' mismatches 'socke' inet/socket.t: WARNING: line 9:

[PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Máté Eckl
Socket matching is achieved using the nft_compat interface. The list of known limitations of the current implementation is: * The absence of a corresponding socket cannot be matched (`socket missing`). * Only the transparent socket flag can be matched; nowildcard is not a flag, it should be