Re: [PATCHv6 iptables]Interface group match

[Laszlo Attila Toth <panther@balabit.hu>]

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> Lutz Jaenicke írta:
>>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>>> Interface group values can be checked on both input and output 
>>>> interfaces
>>>> with optional mask.
>>>
>>>> Index: extensions/libxt_ifgroup.c
>>>> ===================================================================
>>>> --- extensions/libxt_ifgroup.c    (revision 0)
>>>> +++ extensions/libxt_ifgroup.c    (revision 0)
>>>
>>>> +        info->in_group = strtoul(optarg, &end, 0);
>>>
>>> This is somewhat inconsistent with the iproute patch which targets
>>> specific groups (with names).
>>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
>>
>> It would be good but cannot be used if a mask is set and only values 
>> less than 256 can be used with names.
> 
> 
> Why 256? I can see no such limitation. For masks you could
> simply allow to define masks in rt_ifgroup too and use
> name/name or simply name/0xmask.


256 because it is the size of a static array (and I don't want allocate 
too much memory when other arrays such as the routing table names also 
have this size). In the current version I posted some minutes ago 
0..2^32-1  can be used.

The syntax "name/0xmask" is simply too strange for me.

> 
>>> There is no standard API like getservbyname()...
>>
>> The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
>> write this part.
> 
> 
> Of course. Please put the tab part somewhere common, I always
> wanted to have named firewall marks shared with ip and tc
> and I believe Balazs wanted that too :)

Ok. Yes, he wants :)


-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html