From: Massimiliano Hofer <max@nucleus.it>
To: netfilter-devel@lists.netfilter.org
Subject: Re: new ABI
Date: Fri, 18 Aug 2006 23:40:25 +0200
Message-ID: <200608182340.26555.max@nucleus.it>
In-Reply-To: <1086.83.88.199.217.1155906363.squirrel@mail.parknet.dk>
On Friday 18 August 2006 3:06 pm, Simon Lodal wrote:
> > Also keep in mind that we can allow several targets. I previously in
> > another mail talked about actions. It's not needed I think, but might
> > make it easier to distinguish between jumps, ending targets and just
> > changing and logging targets. It should be perfectly legal already today
> > to say:
> >
> > iptables -m match -j other_chain -j LOG -j other_chain2 -j DROP -j TTL
>
> LOG + DROP in one rule would be a huge improvement. Even though it would
> just reintroduce an ipchains feature.
I like the idea of actions. I could perform separate types of mangling and
other non "terminal" things with separate rules without worrying about
precedence and specific combinations. The current use of "--continue" with
some, but not all, targets really should be handled in a more general way and
actions look like a good solution to me.
> I would like to do it in a generic way: Introduce a "match index" variable
> that can be set by matches and used by targets. A "--dports 1000:1023"
> match has 24 possible matches, so it would set the index to between 0 and
> 23. Same can be done for IP, sets; all other matches that have a finite
> set of possible matches and can enumerate them.
What if we just assign a numeric index to every rule (plus an additional index
for individual matches). This would let us identify rules for future changes,
but we could go a step farther and let people choose a specific label if they
want to.
This way we could jump to a separate chain or just to a label two rules away.
If we combine this with my proposal for "functional chains" we could represent
a whole lot of complex rulesets with far fewer rules than today.
> I agree with all your points, perhaps except the XML part ... I am one of
> those non-converts. But you may be right anyway. It would be nice to have
> a standard way to define a ruleset, as descriptive data rather than
> commands.
I'm a non-convert too, but perhaps it doesn't matter. The final userspace
representation is irrelevant to the kernel and might be a matter of a few
additional scripts.
--
Saluti,
Massimiliano Hofer
Nucleus
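The two proposals discussed in this thread, an ordered list of targets per rule where non-terminal targets such as LOG fall through and terminal ones such as DROP end evaluation, and a "match index" that a range match like "--dports 1000:1023" sets for a later target to use, can be sketched as a toy evaluator. The following is an added illustration written for this page; it is not netfilter or iptables code, and the rule, match and packet types, the `run_chain` function and the sample packets are all constructed assumptions, not anything the thread or the kernel defines.

```python
"""Toy model (added illustration, not netfilter code) of two ideas from the
thread: a rule carrying an ordered list of targets ("actions"), and a
per-rule "match index" set by a range match for later targets to use.
All names and sample values below are constructed for this example."""
from dataclasses import dataclass

# Targets that end evaluation of the chain; everything else falls through.
TERMINAL = {"ACCEPT", "DROP"}


@dataclass
class Packet:
    src: str
    dport: int


@dataclass
class Rule:
    # matches: list of (name, predicate); a predicate returns None on no
    # match, or an integer index (0 for plain matches) on match.
    matches: list
    # targets: ordered list of target names, e.g. ["LOG", "DROP"]
    targets: list


def dports(lo, hi):
    """Range match: on match, index is the offset of dport within the range,
    so --dports 1000:1023 yields indices 0..23 as proposed in the thread."""
    def pred(pkt):
        if lo <= pkt.dport <= hi:
            return pkt.dport - lo
        return None
    return ("dports", pred)


def src(addr):
    """Plain match with a single possible outcome, so its index is 0."""
    def pred(pkt):
        return 0 if pkt.src == addr else None
    return ("src", pred)


def run_chain(rules, pkt, policy="ACCEPT"):
    """Evaluate rules in order and return (verdict, log_entries).

    Every match of a rule must succeed. A LOG target records an entry and
    falls through to the next target of the same rule; a terminal target
    ends evaluation with its verdict. If a rule has only non-terminal
    targets, evaluation continues with the next rule, and the chain policy
    applies when no rule terminates."""
    log = []
    for rule_no, rule in enumerate(rules):
        index = 0
        matched = True
        for _name, pred in rule.matches:
            result = pred(pkt)
            if result is None:
                matched = False
                break
            index = result  # last match's index wins (toy choice)
        if not matched:
            continue
        for target in rule.targets:
            if target == "LOG":
                log.append(f"rule {rule_no} index {index} dport {pkt.dport}")
            elif target in TERMINAL:
                return target, log
            else:
                raise ValueError(f"unknown target {target}")
    return policy, log


def demo():
    """Show that target order matters: LOG before DROP logs the packet,
    DROP before LOG never reaches LOG."""
    rules = [
        Rule([dports(1000, 1023)], ["LOG", "DROP"]),
        Rule([src("10.0.0.1")], ["DROP", "LOG"]),
    ]
    return [
        run_chain(rules, Packet("10.0.0.5", 1010)),  # logged, then dropped
        run_chain(rules, Packet("10.0.0.1", 80)),    # dropped, never logged
        run_chain(rules, Packet("10.0.0.9", 80)),    # no rule matches: policy
    ]


if __name__ == "__main__":
    for verdict, entries in demo():
        print(verdict, entries)
```

The point the model makes visible is the one raised in the quoted reply: with several targets per rule, the order of LOG and DROP decides whether anything is logged, and the match index lets a single range rule tell a target which port in the range actually hit.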