From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Leblond <eric@regit.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: REJECT: separate reusable code
Date: Fri, 20 Dec 2013 10:50:59 +0100 [thread overview]
Message-ID: <20131220095059.GA13371@localhost> (raw)
In-Reply-To: <1386834281-28347-2-git-send-email-eric@regit.org>
Hi Eric,
Some comments on this patch.
On Thu, Dec 12, 2013 at 08:44:40AM +0100, Eric Leblond wrote:
> This patch prepares the addition of TCP reset support in
> the nft_reject module by moving reusable code into a header
> file.
>
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
> include/net/netfilter/nf_reject.h | 297 ++++++++++++++++++++++++++++++++++++++
> net/ipv4/netfilter/ipt_REJECT.c | 124 +---------------
> net/ipv6/netfilter/ip6t_REJECT.c | 177 +----------------------
> 3 files changed, 307 insertions(+), 291 deletions(-)
> create mode 100644 include/net/netfilter/nf_reject.h
>
> diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
> new file mode 100644
> index 0000000..0bb089a
> --- /dev/null
> +++ b/include/net/netfilter/nf_reject.h
> @@ -0,0 +1,297 @@
> +#ifndef _NF_REJECT_H
> +#define _NF_REJECT_H
> +
> +#include <net/ip.h>
> +#include <net/tcp.h>
> +#include <net/route.h>
> +#include <net/dst.h>
> +
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +#include <net/ipv6.h>
> +#include <net/ip6_route.h>
> +#include <linux/netfilter_ipv6.h>
> +#endif
> +
> +static inline void send_unreach(struct sk_buff *skb_in, int code)
> +{
> + icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
> +}
> +
> +/* Send RST reply */
> +static inline void send_reset(struct sk_buff *oldskb, int hook)
I think that this function is too large to use the inline approach
that we have used in nft_queue. I've been considering moving this
common code to a different module and export these symbols but I
don't find a nice way to make it.
So my suggestion is to have two different include files:
include/net/netfilter/ipv4/nf_reject.h, that contains:
static inline void send_unreach(...
static void send_reset(...
that you can include from ipt_REJECT and nft_reject.
And include/net/netfilter/ipv6/nf_reject.h, that contains:
static inline void send_unreach6(...
static void send_reset6(...
that you can include from ip6t_REJECT and nft_reject.
While at it, it is probably good to prepend the prefix nf_ to those
functions.
Let me know if you have any concern with this approach.
next prev parent reply other threads:[~2013-12-20 9:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-11 0:42 [RFC PATCH 0/2] nft: improve reject support Eric Leblond
2013-12-11 0:42 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-11 0:42 ` [PATCH 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-12 7:44 ` [RFC PATCH 0/2] nft: finish reject support Eric Leblond
2013-12-12 7:44 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-20 9:50 ` Pablo Neira Ayuso [this message]
2013-12-27 14:51 ` Eric Leblond
2013-12-29 11:28 ` [RFC PATCHv3 finish reject support] Eric Leblond
2013-12-29 11:28 ` [RFC PATCHv3 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-29 11:28 ` [RFC PATCHv3 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-12 7:44 ` [PATCH " Eric Leblond
2013-12-12 7:55 ` Tomasz Bursztyka
2013-12-12 7:57 ` Tomasz Bursztyka
2013-12-12 8:14 ` Eric Leblond
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131220095059.GA13371@localhost \
--to=pablo@netfilter.org \
--cc=eric@regit.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.