* ERROR target in /proc/net/ip_tables_targets
@ 2003-11-27 4:28 Herve Eychenne
2003-11-27 4:53 ` Patrick McHardy
0 siblings, 1 reply; 6+ messages in thread
From: Herve Eychenne @ 2003-11-27 4:28 UTC (permalink / raw)
To: Netfilter Development
Hi,
Yet another thing to be patched that would probably take more time
being added to TODO list than being done. ;-)
# cat /proc/net/ip_tables_targets
REJECT
TCPMSS
LOG
MASQUERADE
TOS
DNAT
SNAT
ERROR
#
Hmmm... well, "\nERROR\n" seems to be an intruder, don't you think?
I looked at the code, and this ERROR target seems to be a marker for
the beginning of user-chains... but you will agree with me that this
implementation detail has absolutely nothing to do in a target listing
publicly available to userspace.
I would have been happy to write a small patch to fix this, but as I
cannot really explain the presence of the preceding '\n' after a quick
look, I prefer to leave that "removal" to more experienced people.
Thanks in advance.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
* Re: ERROR target in /proc/net/ip_tables_targets
From: Patrick McHardy @ 2003-11-27 4:53 UTC (permalink / raw)
To: Herve Eychenne; +Cc: Netfilter Development
Hi Herve,
On Thu, 27 Nov 2003, Herve Eychenne wrote:
> Hmmm... well, "\nERROR\n" seems to be an intruder, don't you think?
> I looked at the code, and this ERROR target seems to be a marker for
> the beginning of user-chains... but you will agree with me that this
> implementation detail has absolutely nothing to do in a target listing
> publicly available to userspace.
> I would have been happy to write a small patch to fix this, but as I
> cannot really explain the presence of the preceding '\n' after a quick
> look, I prefer to leave that "removal" to more experienced people.
> Thanks in advance.
The newline comes from the entry in the targets list before
ipt_error_target, ipt_standard_target. Its name is defined in
include/linux/netfilter_ipv4/ip_tables.h as "". I made the patch
which added the ip_{matches,targets}_names files to /proc long ago
and noticed it back then, but came to the conclusion that hiding
them wasn't worth the additional code ugliness. The ipt_get_targets
function uses the existing list macros to walk the targets list,
these don't support skipping entries. The print function which is
called for each element is also used for matches and tables, so adding
code for skipping specific targets in there is also not very nice.
I would just count it as a minor ugliness and hope for a better way
to get matches/targets/tables with pkt_tables ;)
BTW: At least the "" target should logically be visible to userspace,
many users use it without realizing it by providing no target at all ;)
Best regards,
Patrick
>
> Herve
>
> --
> _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
>
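Added example, not part of the thread and not the proc-no-internal-targets patch: a userspace C model of the listing described in the reply above, showing why a name of "" yields a bare newline and how filtering in the list walker leaves the shared print function untouched. `struct target`, `print_name`, `is_internal` and `list_targets` are hypothetical names; only the two target names "" and "ERROR" come from the thread.

```c
#include <stdio.h>
#include <string.h>
/* Only these two names come from the thread; the rest is a model. */
#define STANDARD_NAME ""       /* ipt_standard_target */
#define ERROR_NAME    "ERROR"  /* ipt_error_target */
struct target { const char *name; struct target *next; }; /* hypothetical */

/* Shared printer: appends "<name>\n"; returns bytes written, 0 if no room. */
static size_t print_name(const struct target *t, char *buf, size_t left)
{
    int n = snprintf(buf, left, "%s\n", t->name);
    return (n < 0 || (size_t)n >= left) ? 0 : (size_t)n;
}

static int is_internal(const struct target *t)
{
    return !strcmp(t->name, STANDARD_NAME) || !strcmp(t->name, ERROR_NAME);
}

/* Walker does the filtering, so the shared printer stays untouched. */
size_t list_targets(const struct target *head, int skip, char *buf, size_t size)
{
    size_t pos = 0;
    if (size == 0) return 0;
    buf[0] = '\0';
    for (const struct target *t = head; t; t = t->next) {
        if (skip && is_internal(t))
            continue;
        size_t n = print_name(t, buf + pos, size - pos);
        if (n == 0) {           /* full: drop the partial entry and stop */
            buf[pos] = '\0';
            break;
        }
        pos += n;
    }
    return pos;
}

/* Constructed sample list, tail ordered like the listing in the thread. */
static struct target t_error = { ERROR_NAME, NULL };
static struct target t_std   = { STANDARD_NAME, &t_error };
static struct target t_snat  = { "SNAT", &t_std };
static struct target t_dnat  = { "DNAT", &t_snat };

int main(void)
{
    char buf[64];
    list_targets(&t_dnat, 1, buf, sizeof buf);
    fputs(buf, stdout);         /* filtered listing */
}
```

Calling `list_targets` with `skip` set to 0 reproduces the blank line followed by ERROR that the original report shows.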
* Re: ERROR target in /proc/net/ip_tables_targets
From: Herve Eychenne @ 2003-11-27 5:07 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development
On Thu, Nov 27, 2003 at 05:53:27AM +0100, Patrick McHardy wrote:
Hi Patrick,
> On Thu, 27 Nov 2003, Herve Eychenne wrote:
> > Hmmm... well, "\nERROR\n" seems to be an intruder, don't you think?
> > I looked at the code, and this ERROR target seems to be a marker for
> > the beginning of user-chains... but you will agree with me that this
> > implementation detail has absolutely nothing to do in a target listing
> > publicly available to userspace.
> > I would have been happy to write a small patch to fix this, but as I
> > cannot really explain the presence of the preceding '\n' after a quick
> > look, I prefer to leave that "removal" to more experienced people.
> > Thanks in advance.
> The newline comes from the entry in the targets list before
> ipt_error_target, ipt_standard_target. Its name is defined in
> include/linux/netfilter_ipv4/ip_tables.h as "". I made the patch
> which added the ip_{matches,targets}_names files to /proc long ago
> and noticed it back then, but came to the conclusion that hiding
> them wasn't worth the additional code ugliness. The ipt_get_targets
> function uses the existing list macros to walk the targets list,
> these don't support skipping entries. The print function which is
> called for each element is also used for matches and tables, so adding
> code for skipping specific targets in there is also not very nice.
> I would just count it as a minor ugliness and hope for a better way
> to get matches/targets/tables with pkt_tables ;)
Yes, except that when you do a cat /proc/net/ip_tables_targets and
read "ERROR" at the end of the list, you get the strong (and
unpleasant) feeling that something went wrong and that the list may
not be complete (even if _you_ (netfilter developer) know it is).
So (even if I understand your concerns at the time you wrote the
patch) this is IMHO not acceptable.
Please, let's not sacrifice "ignorant" user time and confidence for a
few duplicate lines of kernel code...
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
* Re: ERROR target in /proc/net/ip_tables_targets
From: Patrick McHardy @ 2003-11-27 5:20 UTC (permalink / raw)
To: Herve Eychenne; +Cc: Netfilter Development
On Thu, 27 Nov 2003, Herve Eychenne wrote:
> Yes, except that when you do a cat /proc/net/ip_tables_targets and
> read "ERROR" at the end of the list, you get the strong (and
> unpleasant) feeling that something went wrong and that the list may
> not be complete (even if _you_ (netfilter developer) know it is).
I never thought of it this way .. I actually had to laugh out about my
ignorance not realizing what ERROR means to most people ;)
> So (even if I understand your concerns at the time you wrote the
> patch) this is IMHO not acceptable.
> Please, let's not sacrifice "ignorant" user time and confidence for a
> few duplicate lines of kernel code...
>
> Herve
Yes I totally understand your point, I'm going to fix it when I get
around.
Best regards,
Patrick
>
> --
> _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
>
* Re: ERROR target in /proc/net/ip_tables_targets
From: Herve Eychenne @ 2004-03-25 20:17 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development
On Thu, Nov 27, 2003 at 06:20:06AM +0100, Patrick McHardy wrote:
> On Thu, 27 Nov 2003, Herve Eychenne wrote:
> > Yes, except that when you do a cat /proc/net/ip_tables_targets and
> > read "ERROR" at the end of the list, you get the strong (and
> > unpleasant) feeling that something went wrong and that the list may
> > not be complete (even if _you_ (netfilter developer) know it is).
> I never thought of it this way .. I actually had to laugh out about my
> ignorance not realizing what ERROR means to most people ;)
> > So (even if I understand your concerns at the time you wrote the
> > patch) this is IMHO not acceptable.
> > Please, let's not sacrifice "ignorant" user time and confidence for a
> > few duplicate lines of kernel code...
> Yes I totally understand your point, I'm going to fix it when I get
> around.
$ uname -a
Linux comet 2.6.4 #29 Thu Mar 18 19:42:39 CET 2004 i686 GNU/Linux
And it's still there. Is there a patch? If yes, it has not been
submitted upstream...
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
* Re: ERROR target in /proc/net/ip_tables_targets
From: Patrick McHardy @ 2004-03-25 22:55 UTC (permalink / raw)
To: Herve Eychenne; +Cc: Netfilter Development
Herve Eychenne wrote:
>
> $ uname -a
> Linux comet 2.6.4 #29 Thu Mar 18 19:42:39 CET 2004 i686 GNU/Linux
>
> And it's still there. Is there a patch? If yes, it has not been
> submitted upstream...
Thanks for reminding me, it seems I lost the last patch.
I've added a new one to pom-ng as proc-no-internal-targets.
Regards
Patrick
>
> Herve
>