From: David Fabian <david.fabian@cldn.cz>
To: Arturo Borrero Gonzalez <arturo@netfilter.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>
Subject: Re: question about UNDEFINE/REDEFINE
Date: Tue, 30 Jan 2018 12:22:35 +0100 [thread overview]
Message-ID: <5560485.OA0SLqNG1b@voxel> (raw)
In-Reply-To: <CAOkSjBiHTwW_9rQhznubKnZ=DJJsySK4qo_XJ3r4PLAmKXt35w@mail.gmail.com>
Hello Arturo,
Dne pátek 26. ledna 2018 19:43:18 CET, Arturo Borrero Gonzalez napsal(a):
> My suggestion is to simply create one variable per value:
>
> define INET_IFACES_VLAN43 = { bond0.x, bond3.y}
> define INET_IFACES_VLAN3 = { bond3.x, bond3.y}
> define XXX_VLAN43 = xxx
> define XXX_VLAN3 = xxx
>
> you could generate such a file, something like 'defines.nft' and
> include it once in your main ruleset file.
that is exactly the boilerplate that we are trying to avoid. By using
consistent (and non-unique) variable names we are able to freely move the
rules from one customer to another without rewriting every use of a variable
every time. We also do not want to build a code-generating harness in bash (or
any other language) since that would sort of defeat the purpose of scripting
in nftables in my eyes. the redefine keyword was just my first idea to solve the
problem of a single flat variable scope. There may be a better approach but I
think that if nftables wants to have scripting capabilities, some kind of
variable scoping (even in flat notation) and more ubiquitous variable use
within rules is necessary.
I event went so far and made some experimental patches that allowed me to use
string variables and string concatenation in places like interface names and
rule targets. With that I was able to create very generic rules and I tied
them to a customer/VLAN just by changing one or two constants in the header of
a file (e.g. the VLAN number). Of course, I had to use redefine in the header.
--
S pozdravem,
David Fabian
Cluster Design, s.r.o.
prev parent reply other threads:[~2018-01-30 11:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-22 13:53 question about UNDEFINE/REDEFINE David Fabian
2018-01-23 11:07 ` Pablo Neira Ayuso
2018-01-23 12:40 ` David Fabian
2018-01-26 13:45 ` Pablo Neira Ayuso
2018-01-26 13:48 ` Pablo Neira Ayuso
2018-01-30 11:05 ` David Fabian
2018-02-13 11:52 ` David Fabian
2018-01-26 18:43 ` Arturo Borrero Gonzalez
2018-01-30 11:22 ` David Fabian [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5560485.OA0SLqNG1b@voxel \
--to=david.fabian@cldn.cz \
--cc=arturo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).