From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>
Subject: Re: [NETFILTER]: xt_conntrack: add port and direction matching
Date: Sun, 20 Jan 2008 14:15:03 +0100
Message-ID: <47934957.6000109@trash.net>
In-Reply-To: <Pine.LNX.4.64.0801201410320.14598@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Jan 20 2008 14:00, Patrick McHardy wrote:
>> Another nitpick: we support masks for the addresses, ranges of ports
>> would be nice to have here as well.
> 
> Well well why don't we just add address ranges too then :p
> Do we need it so badly?

We already have masks, which is probably good enough.

> 
>> I also don't think the protocol
>> check is very useful in this case since all conntrack entries contain
>> port numbers or something similar.
> 
> Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?

Sure, by proto_generic, which uses 0 for the port numbers.

> The protocol check is important though, because IPPROTO_GRE is
> _not_ included, since it's not something that has a port.

It has the keys, which are also just a numerical value. Don't
think of it as ports but as "layer 4 protocol keys".
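
The "layer 4 protocol keys" point from the reply above, as an added example (a simplified userspace model, not code from the patch or the kernel): every tracked protocol fills the same 16-bit slot, so a range match without a protocol check also hits a GRE key or a proto_generic zero. The struct and function names and the sample flows are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { P_IPIP = 4, P_TCP = 6, P_GRE = 47 };   /* IANA protocol numbers */

/* Per-protocol part of a tuple: one 16-bit value in a shared slot
 * (modelled on the kernel's union nf_conntrack_man_proto; host byte
 * order is used here for brevity). */
union l4key {
	uint16_t all;                   /* protocol-agnostic view */
	struct { uint16_t port; } tcp;
	struct { uint16_t key;  } gre;
};

struct tuple {                      /* hypothetical, trimmed-down tuple */
	uint8_t     l4proto;
	union l4key src, dst;
};

struct key_range { uint16_t min, max; };   /* hypothetical match data */

/* Match the destination key against a range with no protocol check. */
static bool dst_key_match(const struct tuple *t, const struct key_range *r)
{
	return t->dst.all >= r->min && t->dst.all <= r->max;
}

/* Same match restricted to one layer 4 protocol, as a rule that also
 * names the protocol would behave. */
static bool dst_key_match_proto(const struct tuple *t,
				const struct key_range *r, uint8_t proto)
{
	return t->l4proto == proto && dst_key_match(t, r);
}

/* Constructed sample flows and ranges. */
static const struct tuple ssh  = { P_TCP,  { .tcp = { 40000 } }, { .tcp = { 22 } } };
static const struct tuple gre  = { P_GRE,  { .gre = { 7 } },     { .gre = { 22 } } };
static const struct tuple ipip = { P_IPIP, { .all = 0 },         { .all = 0 } };
static const struct key_range ssh_only = { 22, 22 }, zero = { 0, 0 };

int main(void)
{
	printf("tcp/22:%d gre/22:%d gre/22+tcp:%d ipip/0:%d\n",
	       dst_key_match(&ssh, &ssh_only), dst_key_match(&gre, &ssh_only),
	       dst_key_match_proto(&gre, &ssh_only, P_TCP),
	       dst_key_match(&ipip, &zero));
	return 0;
}
```

A rule meant for one service therefore needs the protocol named alongside the key; otherwise a GRE flow whose key happens to be 22 satisfies the same match as TCP port 22.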
