From: Patrick McHardy <kaber@trash.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] Reserve nfnetlink subsys ids.
Date: Fri, 12 Jun 2009 15:07:14 +0200 [thread overview]
Message-ID: <4A325302.2000100@trash.net> (raw)
In-Reply-To: <alpine.DEB.2.00.0906121413070.30679@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> On Fri, 12 Jun 2009, Patrick McHardy wrote:
>
>> I didn't mean to finally say no, just wondering if there are special
>> circumstances which would justify an exception.
>
> No need for an exception, there's a much nicer solution.
>
> What is my main problem actually? That currently there is no way for an
> extension-specific error reporting from the kernel to iptables when
> there's some problem with a rule. Therefore in order to catch the typical
> mistakes, I have to check the existence of the set specified on the
> iptables command line before the rules are sent to the kernel. It is done
> by querying the kernel about the set, currently via *sockopt calls. But
> when ipset is migrated to nfnetlink, it'd mean libnfnetlink dependecy,
> just for the sake of the set match/target in iptables. That's a too high
> price and I'm not willing to pay it.
>
> So what I'm working on it is a protocol change in iptables itself (:-),
> which is fully backward compatible.
>
> - add a new sockopt option, IPT_SO_GET_REPLACE, which is used instead of
> IPT_SO_SET_REPLACE (if supported by the kernel. New iptables will
> use IPT_SO_SET_REPLACE with old kernels.)
> - new checkentry functions, which return the extension-specific error
> codes instead of a simple boolean value
> - if any error is detected by the checkentry funtions, IPT_SO_GET_REPLACE
> returns the corresponding full ipt_entry, with the offset stored in
> comefrom to the match/target which produced the error
> - the userspace match/targets, with their new error function,
> can translate the received error code to the appropriate error message
> and can insert any specific data into the text using the offset into the
> ipt_entry.
>
> So we'll be able to report back exactly what is wrong with the given rule.
> No need anymore to print 'Run `dmesg' for more information.' :-).
That sounds pretty cool.
> And from the set match/target point of view, I won't have to query the
> kernel at all :-)).
>
> So far, working on the kernel part, surprisingly small modifications are
> required.
I'm looking forward to finally have reasonable error reporting :)
next prev parent reply other threads:[~2009-06-12 13:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-11 11:36 [PATCH] Reserve nfnetlink subsys ids Jozsef Kadlecsik
2009-06-11 14:08 ` Patrick McHardy
2009-06-11 14:26 ` Pablo Neira Ayuso
2009-06-11 14:43 ` Pablo Neira Ayuso
2009-06-11 14:49 ` Patrick McHardy
2009-06-11 21:51 ` Jozsef Kadlecsik
2009-06-12 12:08 ` Patrick McHardy
2009-06-12 13:02 ` Jozsef Kadlecsik
2009-06-12 13:07 ` Patrick McHardy [this message]
2009-06-12 13:18 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A325302.2000100@trash.net \
--to=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.