Re: [PATCH] Last vestiges of NFC

[Peter Riley <Peter.Riley@hotpop.com>]

Patrick McHardy wrote:
> 
> I count 132 occurences of nfcache (a few are in headers that must stay
> though). I'll happily apply a patch that kills them all.
> 

Patrick, yes I get 134 occurrences on 132 lines in current svn.
The breakdown appears to me to be:

51   init() function declarations in match and target extensions

52   parse() function declarations in match extensions only
     (not counting connlimit and multiport which are more complicated than
     one declaration per file)

2    parse related function declarations in connlimit
4    parse related function declarations in multiport

5+5  calls in iptables.c & ip6tables.c to ->init() or ->parse() members above

3    occurrences in xtables.h that prototype the above:

     struct xtables_match
     {...
         void (*init)(struct xt_entry_match *m, unsigned int *nfcache);

         int (*parse)(int c, char **argv, int invert, unsigned int *flags,
             const void *entry, unsigned int *nfcache, struct xt_entry_match **match);

     struct xtables_target
     {...
         void (*init)(struct xt_entry_target *t, unsigned int *nfcache);

3+3  occurrences in dump_entry() in libip4tc.c and libip4tc.c for debugging:

	printf("Cache: %08X ", e->nfcache);
	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");

     It seems that there is good reason for printing out nfcache contents as long as
     those bits are still present in structs ipt_entry/ip6t_entry defined in headers
     on the kernel side.  After all, this is how I tracked down the problem I am
     reporting to begin with!


What all this leaves remaining are the occurrences I mentioned in previous message
whose removal doesn't break anything:


1+1  in libipt_policy.c and libip6t_policy.c init() functions where NFC bits are
     still being set:

          *nfcache |= NFC_UNKNOWN;

     These (among similar others that have already been removed) crept in
     subsequent to Pablo Neira's NFC-killer patches that I mentioned in original
     post.

2+2  occurrences in the libip4tc.c and libip4tc.c  is_same()  comparisons:

          if (a->nfcache != b->nfcache
              ...) return NULL;

     These are the occurrences causing problems. As mentioned, this prevents
     iptables from being able to delete-by-match any rules created by old
     userspace tools that still set nfcache bits in entries -- the entries are
     not considered "same" because (only) the nfcache bits differ (modulo the
     match mask of course).

-----
=134 Total


Please let me know if I can do anything more regarding this.


Best Regards,
Peter