From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 4/4] netfilter: xtables: merge registration structure to NFPROTO_UNSPEC
Date: Wed, 31 Mar 2010 11:45:15 +0200 [thread overview]
Message-ID: <4BB319AB.8060306@trash.net> (raw)
In-Reply-To: <alpine.LSU.2.01.1003311109310.7837@obet.zrqbmnf.qr>
Jan Engelhardt wrote:
> On Wednesday 2010-03-31 11:08, Patrick McHardy wrote:
>
>> Jan Engelhardt wrote:
>>
>>> On Wednesday 2010-03-31 11:01, Patrick McHardy wrote:
>>>
>>>> Jan Engelhardt wrote:
>>>>
>>>>>>> This will work because x_tables scans for NFPROTO_UNSPEC,
>>>>>>> and arp/ebtables just using x_tables :-)
>>>>>>>
>>>>>> I'm not sure I'm parsing this correctly. Both will find the match,
>>>>>> however the nf_ct_l3proto_try_module_get() call will fail
>>>>>>
>>>>> It won't fail - it is using par->family, not par->match->family.
>>>>>
>>>> That's broken then.
>>>>
>>> How so?
>>>
>> Because arptables and ebtables shouldn't be able to use this module
>> directly. Even less so after a patch stating "merge registration
>> structure".
>>
>
> arp/ebtables _couldn't_ even use this module. The simple showstopper:
> arp/ebtables simply don't have a corresponding userspace portion for
> it.
That's a really bad argument.
> Indeed nf_ct_l3proto_try_module_get(NFPROTO_BRIDGE) does not make
> much sense, but, in all honesty, xt_state *is* testing for a
> protocol-independent feature, so NFPROTO_UNSPEC is justified IMO.
>
Agreed.
> Also, NFPROTO_BRIDGE is special anyway - it does not refer to an L3
> protocol actually, but to L2 - so, well, it's kinda moot to muse
> about the possibility of calling nf_ct_get(NFPROTO_BRIDGE).
I assume you mean nf_ct_l3proto_try_module_get(). Just as I was saying,
it *will* fail for NFPROTO_BRIDGE/ARP, so everything should be fine. You
disputed this however.
> If you
> _really_ wanted to support state matching at the ARP/EB level, you
> would anyhow have to add a separate ->check function that loads all
> possible L3 trackers. Which is not a big problem per se
> (see patch - no touching of NFPROTO_UNSPEC was needed).
>
That doesn't really work since bridge netfilter is (partially) invoked
before conntrack.
next prev parent reply other threads:[~2010-03-31 9:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-31 8:03 nf-next: obsolete old extension revisions Jan Engelhardt
2010-03-31 8:03 ` [PATCH 1/4] netfilter: xtables: remove xt_hashlimit revision 0 Jan Engelhardt
2010-03-31 8:03 ` [PATCH 2/4] netfilter: xtables: remove xt_multiport " Jan Engelhardt
2010-03-31 8:03 ` [PATCH 3/4] netfilter: xtables: remove xt_string " Jan Engelhardt
2010-03-31 8:03 ` [PATCH 4/4] netfilter: xtables: merge registration structure to NFPROTO_UNSPEC Jan Engelhardt
2010-03-31 8:31 ` Patrick McHardy
2010-03-31 8:37 ` Jan Engelhardt
2010-03-31 8:41 ` Patrick McHardy
2010-03-31 8:53 ` Jan Engelhardt
2010-03-31 9:01 ` Patrick McHardy
2010-03-31 9:06 ` Jan Engelhardt
2010-03-31 9:08 ` Patrick McHardy
2010-03-31 9:35 ` Jan Engelhardt
2010-03-31 9:45 ` Patrick McHardy [this message]
2010-03-31 9:51 ` Jan Engelhardt
2010-03-31 9:56 ` Patrick McHardy
2010-03-31 10:11 ` Jan Engelhardt
2010-03-31 8:31 ` nf-next: obsolete old extension revisions Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BB319AB.8060306@trash.net \
--to=kaber@trash.net \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.