Re: [PATCHv3 2/2][RESEND] Addrtype match extension: limit addrtype check on the packet's interface

[Laszlo Attila Toth <panther@balabit.hu>]

Jan Engelhardt írta:
> On Nov 16 2007 15:22, Laszlo Attila Toth wrote:
>> Addrtype match has a new revision (1), which lets address type checking
>> limited to the interface the current packet belongs to. Either incoming
>> or outgoing interface can be used depending on the current hook. In the
>> FORWARD hook two maches should be used if both interfaces have to be checked.
> 
> Hey would not it be cool if this was bumped to xt_addrtype,
> using .revision=0 with ipt_addrtype_info (with the old functionality),
> and let .revision=1 use xt_addrtype_info (with the new functionality).
> Much like the recently posted xt_tos/xt_owner.

xt_addrtype is ok, but the module loading in the userspace part 
(iptables) tries to load the libxt_addrtype.so first and only if it is 
not succeeded try to load libipt_addrtype.so also the latter shared 
object will never be loaded.

Also it may be better if only the xt_addrtype remains and 
ipt_addrtype_info is used for the old one and xt_addrtype_info for the 
new one. But it may be confusing: ipt_* in the xt_* files...

> 
>> -struct ipt_addrtype_info {
>> +enum
>> +{
>> +	IPT_ADDRTYPE_INVERT_SOURCE	= 0x0001,
>> +	IPT_ADDRTYPE_INVERT_DEST	= 0x0002,
>> +	IPT_ADDRTYPE_LIMIT_IFACE_IN	= 0x0004,
>> +	IPT_ADDRTYPE_LIMIT_IFACE_OUT	= 0x0008,
>> +};
>> +
>> +struct ipt_addrtype_info_v1 {
>> +	u_int16_t	source;		/* source-type mask */
>> +	u_int16_t	dest;		/* dest-type mask */
>> +	u_int32_t	flags;
>> +};
>> +
>> +struct ipt_addrtype_info_v0 {
> 
> Is it actually ok to change ipt_addrtype_info into ipt_addrtype_info_v0?
> It does not break binary compat, but source-level compat.
> 
> 

Hm, you are right. I checked this in xt_MARK, it doesn't use the _v0 
suffix for the old _info structure. I'll change this in addrtype.

--
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html