allow get/update of flows based only on the tupleReply

Question

allow get/update of flows based only on the tupleReply

dstiliadis opened this issue 6 years ago · 4 comments

In the current implementation updates/gets with a flow that has only the tupleReply defined are blocked by marshal and return an error. This is not required by the netlink API though. Even though for create both are needed, one can update a flow if only the tupleReply information is needed. This is useful when one only cares about the tupleReply state and not the original state.

I have a PR where this seems to work, but I was wondering if there is some other reason for
that choice that I am missing.

Do you see any issues with that? If not, I can create PR.

Answer 1 · 2019-03-25T13:15:46.000Z

Hi @dstiliadis

Thanks, I wasn't aware of that! There's no reason for this other than the fact that it didn't make sense to me to allow this at the time. In hindsight, it makes sense that any reply tuple in a stateful firewall is probably unique. Are you sure there cannot be collisions?

I'd love to see a use case/example so it can be added to the integration suite. 👍 Feel free to make a PR!

Answer 2 · 2019-10-14T07:23:32.000Z

Hi @dstiliadis, any movement here?

Answer 3 · 2019-10-15T17:22:28.000Z

got stack with some things and forgot it. Let me get back to this towards the weekend. Need to clean up the PR and add some tests.

…

On Oct 14, 2019, at 12:23 AM, Timo Beckers ***@***.***> wrote: Hi @dstiliadis, any movement here? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

Answer 4 · 2019-11-12T12:36:27.000Z

This still needs integration tests.