Re: [PATCH] Last vestiges of NFC

[Patrick McHardy <kaber@trash.net>]

Peter Riley wrote:
> Jan Engelhardt wrote:
>> On Aug 30 2007 08:13, Peter Riley wrote:
>>> Patrick McHardy wrote:
>>>> I count 132 occurences of nfcache (a few are in headers that must stay
>>>> though). I'll happily apply a patch that kills them all.
>>>>
>>> Patrick, yes I get 134 occurrences on 132 lines in current svn.
>>> The breakdown appears to me to be:
>> [...]
>>
>> Do we still need nfcache anyway?
>>
> 
> It seems to me there are three options....
> 
> [...]
>    Forget about ass-backwards compatibility and purge your cache!


We don't care about binary compatiblity between different userspace
releases. All we care about is not breaking userspace<->kernel
compatiblity.

> Alter the
>    iptables extension API in xtables.h so the function prototypes for ->init()
>    and ->parse() stop causing all the crap to be passed. But leave the really
>    hard ob-struct-ion in your ipt_entry. It may be too painful to reach that
>    deep down into the kernel to remove it.
> 
>    Then, you can flush out all of those toxins in the extensions and cleanse
>    the calls to them in iptables.c.  Those nasty blockages that iptables can't
>    purge because of the (a->nfcache != b->nfcache) comparison can be rooted out
>    too (as in #1).
> 
>    But let's be realistic, the fresh healthy feeling won't last forever.
>    The next time you come down with a bug and really need to make a dump,
>    dump_entry() should still be able to pass the bits of cache out of your
>    ipt_entry.  At least keep this bit:  printf("Cache: %08X ", e->nfcache);


The kernel doesn't use it, its *always* zero.

> Behind curtain #3: Is that a goat? a gnu?  No, a penguin!!
>          (Plus we'll let your friends can keep their enemas.  Penguin gets one too!)
> 
>    Go deeper, purge every last one of the 134 stinky bits of nfcache! The iptables
>    headers change as before, and now kernel headers ip_tables.h and ip6_tables.h
>    can drop nfcache in struct ipt_entry/compat_ipt_entry/ip6t_entry.  Even get rid
>    of the #define NFC_* in ./include/linux/netfilter*.h.  Hold nothing back...

Thats not possible since it breaks userspace <-> kernel compatiblity.

I prefer to get rid of all of them where possible, but if you want
to do only #1, thats also fine.