From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, arturo@netfilter.org
Subject: Re: [PATCH nft] evaluate: disallow anonymous set with empty elements
Date: Wed, 10 Apr 2019 15:37:48 +0200 [thread overview]
Message-ID: <20190410133748.GW4851@orbyte.nwl.cc> (raw)
In-Reply-To: <20190409231925.uancubapdemhdpqn@salvia>
Hi,
On Wed, Apr 10, 2019 at 01:19:25AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Apr 09, 2019 at 04:03:26PM +0200, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > Could we maybe find a middle ground where nft still does these
> > > optimizations but prints warnings so users are notified? We might even
> > > introduce -W flag to customize behaviour (-W all (default), -W error
> > > (strict mode), -W none (suppress any non-fatal output on stderr)).
> >
> > I like this proposal.
> >
> > One of the broken tproxy test cases (it prints warning) does this:
> >
> > ip daddr 0.0.0.0/0
>
> Yes, sorry, that's my fault.
>
> > .. and that is always true and could be removed.
> > Different "problem" of course, but it shows that there is ample
> > opportunity for pruning irrelevant expressions.
> >
> > And breaking scripts every time we decide that something is
> > "silly" is a bad decision, imo.
>
> Agreed, this case is slightly bit corner case as they should _not_ be
> doing enclosing single element in brackets in their scripts. But I get
> your point, better adopt a more conservative approach ;-)
>
> > I suspect users will complain about { 1.2.3.4 } being illegal
> > "just because".
>
> I'll explore the warning idea, it can be an initial step before we can
> fully disallow this, so users don't complain about sudden breakage :-)
What I have in mind is "dumb" scripts collecting addresses and adding a
rule matching them in an anonymous set. The case of just a single address
needs additional code, not just an adjustment of the existing one. This
is not so much a matter of bad design or missing education but one of
effort and feasibility.
Cheers, Phil
prev parent reply other threads:[~2019-04-10 13:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 10:59 [PATCH nft] evaluate: disallow anonymous set with empty elements Pablo Neira Ayuso
2019-04-09 13:02 ` Pablo Neira Ayuso
2019-04-09 13:59 ` Phil Sutter
2019-04-09 14:03 ` Florian Westphal
2019-04-09 23:19 ` Pablo Neira Ayuso
2019-04-10 13:37 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190410133748.GW4851@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=arturo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.