From: Patrick McHardy <kaber@trash.net>
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCHv2 2/2] Addrtype match extension: limit addrtype check on the packet's interface
Date: Wed, 14 Nov 2007 11:25:01 +0100
Message-ID: <473ACCFD.50604@trash.net>
In-Reply-To: <1193235691956-git-send-email-panther@balabit.hu>
Laszlo Attila Toth wrote:
> Addrtype match has a new revision (1), which lets address type checking
> be limited to the interface the current packet belongs to. The limitation
> cannot be applied in the FORWARD hook.
>
> Revision 0 lets older userspace programs use the match as earlier.
Dave has opened his net-2.6.25 tree, so time to look at this again.
> +static bool addrtype_match_v1(const struct sk_buff *skb,
> + const struct net_device *in, const struct net_device *out,
> + const struct xt_match *match, const void *matchinfo,
> + int offset, unsigned int protoff, bool *hotdrop)
> +{
> + const struct ipt_addrtype_info_v1 *info = matchinfo;
> + const struct iphdr *iph = ip_hdr(skb);
> + const struct net_device *limit_dev = NULL;
> + bool ret = true;
> +
> + /* not valid in the FORWARD hook */
> + if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE)
> + limit_dev = (in ? in : out);
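Review bot: the comment `/* not valid in the FORWARD hook */` above the IPT_ADDRTYPE_LIMIT_IFACE test describes a restriction this function does not enforce; nothing in the match path looks at the hook, so the guard has to live in checkentry. Reword the comment to say what actually holds here, that checkentry has already rejected LIMIT_IFACE in FORWARD and limit_dev is therefore whichever of in/out is non-NULL, and note that limit_dev stays NULL when the flag is clear, which match_type must accept.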
I would prefer if the user specifies the device to use (in/out)
and have proper checks that it's not used on hooks where it's
invalid. That would also allow using it in the FORWARD hook.
Using a single device also doesn't seem to make much sense
in case the match is on both source and dest.
> +
> + if (info->source)
> + ret &= match_type(iph->saddr, limit_dev, info->source) ^
> + (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
> + if (ret && (info->dest))
Unnecessary parens.
> + ret &= match_type(iph->daddr, limit_dev, info->dest) ^
> + (info->flags & IPT_ADDRTYPE_INVERT_DEST);
> +
> + return ret;
> +}
> +
> +static bool addrtype_checkentry_v1(const char *tablename, const void *ip_void,
> + const struct xt_match *match,
> + void *matchinfo, unsigned int hook_mask)
> +{
> + struct ipt_addrtype_info_v1 *info = matchinfo;
> +
> + if (hook_mask & (1 << NF_IP_FORWARD)
> + && info->flags & IPT_ADDRTYPE_LIMIT_IFACE) {
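Review bot: the inversion at `ret &= match_type(iph->daddr, limit_dev, info->dest) ^ (info->flags & IPT_ADDRTYPE_INVERT_DEST);` XORs a bool against the raw flag bits, which only inverts correctly if the flag's value is exactly 1. For any other bit value the XOR yields a nonzero integer whose low bit is just match_type's result, and since `ret &=` with ret == 1 only sees that low bit, the `!` has no effect and the rule silently behaves as if it were not inverted. Normalize with `!!(info->flags & IPT_ADDRTYPE_INVERT_DEST)` so both operands are 0 or 1, and apply the same to the INVERT_SOURCE line above unless that flag is known to be bit 0.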
Please don't reintroduce the weird && on continuation line style, I
try to get rid of it whenever I touch some code.