From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Shivani Bhardwaj <shivanib134@gmail.com>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] src: proto: Add missing packet type
Date: Thu, 3 Mar 2016 18:58:18 +0100
Message-ID: <20160303175818.GA2020@salvia>
In-Reply-To: <20160301140106.GC4680@breakpoint.cc>

On Tue, Mar 01, 2016 at 03:01:06PM +0100, Florian Westphal wrote:
> Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> > On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal <fw@strlen.de> wrote:
> > > Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> > >> Add missing packet type "invalid" for DCCP.
> > >>
> > >> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> > >> ---
> > >> src/proto.c | 1 +
> > >> 1 file changed, 1 insertion(+)
> > >>
> > >> diff --git a/src/proto.c b/src/proto.c
> > >> index 0ed98ed..4d049f5 100644
> > >> --- a/src/proto.c
> > >> +++ b/src/proto.c
> > >> @@ -443,6 +443,7 @@ static const struct symbol_table dccp_pkttype_tbl = {
> > >> SYMBOL("reset", DCCP_PKT_RESET),
> > >> SYMBOL("sync", DCCP_PKT_SYNC),
> > >> SYMBOL("syncack", DCCP_PKT_SYNCACK),
> > >> + SYMBOL("invalid", DCCP_PKT_INVALID),
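Review bot: the added SYMBOL("invalid", DCCP_PKT_INVALID) line at the end of dccp_pkttype_tbl makes "invalid" an ordinary table entry, so a rule that uses it resolves to a comparison against that one constant. The commit message only calls the type "missing" and does not say whether DCCP_PKT_INVALID is a type that can appear in a packet header or an internal marker. Please state which it is in the changelog; if it is only a marker, drop the entry and leave the condition to a range match on the types above "syncack".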
> > >
> > > I don't think this is a good idea -- when user asks to match
> > > 'invalid' then this will check type == DCCP_PKT_INVALID; however
> > > the correct way would be to ask for type '> synack' (i.e.,
> > > outside of the range of types specified).
> >
> > OK. So, should this be removed from the enum dccp_pkt_type as well?
>
> Yes, but we cannot do this anymore for compatibility reasons :-(
>
> > And, if following iptables rules, one tries to get code corresponding
> > to dccp type invalid using iptables-translate utility, then the
> > corresponding nft rule should be "dccp type gt syncack". Please
> > correct me if I'm wrong here.
>
> Good question.
> Pablo, I think -m dccp is buggy here, it should not have allowed
> INVALID match in the first place.

Right.

> Looking at kernel part it doesn't seem to special-case this
> and will just check for type == INVALID. But such type isn't
> defined in dccp protocol, it just looks like implementation
> helper so DCCP stack can do simpler sanity tests.
>
> So I suggest to not support translation of INVALID to nft and
> to document the INVALID shortcoming in iptables-extensions manpage.
>
> Any comments?

That's fine, we can return 0 (no translation available) in that case.
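
The difference between the two matches discussed in this thread, shown as an added example that is not part of the original message or of the nftables source. The numeric values 9 and 10 follow the Linux enum dccp_pkt_type, the Type field position follows the DCCP generic header, and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as in the Linux enum dccp_pkt_type (assumed; not shown in the thread). */
enum { DCCP_PKT_SYNCACK = 9, DCCP_PKT_INVALID = 10 };

#define DCCP_MIN_HDR_LEN 12 /* generic header with short sequence numbers */

/* Return the 4-bit Type field (byte 8: Res:3 | Type:4 | X:1), or -1 if truncated. */
static int dccp_type(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < DCCP_MIN_HDR_LEN)
        return -1;
    return (hdr[8] >> 1) & 0x0f;
}

/* What a symbol-table entry "invalid" resolves to: a single equality test. */
static int match_eq_invalid(int type) { return type == DCCP_PKT_INVALID; }

/* The range form from the thread: "dccp type gt syncack". */
static int match_gt_syncack(int type) { return type > DCCP_PKT_SYNCACK; }

/* Count how many of the 16 encodable type values a predicate accepts. */
static int count_matches(int (*pred)(int))
{
    uint8_t hdr[DCCP_MIN_HDR_LEN] = {0}; /* constructed header, only byte 8 varies */
    int n = 0;

    for (int t = 0; t < 16; t++) {
        hdr[8] = (uint8_t)(t << 1);
        n += pred(dccp_type(hdr, sizeof(hdr)));
    }
    return n;
}

int main(void)
{
    printf("eq invalid matches %d type values\n", count_matches(match_eq_invalid));
    printf("gt syncack matches %d type values\n", count_matches(match_gt_syncack));
    return 0;
}
```

The equality form accepts only one of the type values above "syncack", while the range form accepts all of them.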