From: Jan Engelhardt <jengelh@inai.de>
To: pablo@netfilter.org
Cc: jhs@mojatatu.com, netfilter-devel@vger.kernel.org
Subject: [PATCH] netfilter: xtables: remove table restrictions from some modules
Date: Tue, 18 Dec 2012 15:07:01 +0100 [thread overview]
Message-ID: <1355839621-14206-1-git-send-email-jengelh@inai.de> (raw)
I cannot think of a reason to limit the use of these modules to the
"mangle" table or their hooks. TOS/DSCP is not only used to influence
a routing decision, for example.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
Are there any pitfalls I am not aware of?
Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
at different places?
net/ipv4/netfilter/ipt_ECN.c | 1 -
net/netfilter/xt_CHECKSUM.c | 1 -
net/netfilter/xt_CLASSIFY.c | 3 ---
net/netfilter/xt_DSCP.c | 4 ----
net/netfilter/xt_HL.c | 2 --
net/netfilter/xt_TCPOPTSTRIP.c | 2 --
6 files changed, 13 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 4bf3dc4..5508113 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
.family = NFPROTO_IPV4,
.target = ecn_tg,
.targetsize = sizeof(struct ipt_ECN_info),
- .table = "mangle",
.checkentry = ecn_tg_check,
.me = THIS_MODULE,
};
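Review bot: Dropping `.table = "mangle"` here also makes ECN loadable from the `nat` table, where rules are evaluated only for the first packet of a connection, so a header rewrite placed there would silently apply to one packet per flow. The same applies to the DSCP/TOS, TTL/HL and TCPOPTSTRIP hunks further down. The changelog does not cover this case; either state it there, or have the checkentry hook refuse it, e.g. `if (strcmp(par->table, "nat") == 0) return -EINVAL;` in `ecn_tg_check`, whose body is outside this hunk. The two TOS entries in xt_DSCP.c show no `.checkentry` in the visible lines, so they would need one added for that.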
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef..153d5c3 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
.family = NFPROTO_UNSPEC,
.target = checksum_tg,
.targetsize = sizeof(struct xt_CHECKSUM_info),
- .table = "mangle",
.checkentry = checksum_tg_check,
.me = THIS_MODULE,
};
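Review bot: With `.family = NFPROTO_UNSPEC` kept and `.table` removed, nothing visible in this initializer limits CHECKSUM to the IP tables any more. The table name appears to have been the only thing keeping it out of arptables and ebtables rule sets, which have no `mangle` table. If `checksum_tg` or `checksum_tg_check` (both outside the hunk) assume an IP packet, that assumption should be enforced explicitly, for instance by registering separate `NFPROTO_IPV4` and `NFPROTO_IPV6` entries in place of the single `NFPROTO_UNSPEC` one.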
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index af9c4da..c988093 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
.name = "CLASSIFY",
.revision = 0,
.family = NFPROTO_UNSPEC,
- .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_POST_ROUTING),
.target = classify_tg,
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
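Review bot: The two CLASSIFY hunks remove `.hooks` masks rather than a `.table` name, which the subject line ("remove table restrictions") does not announce, and the changelog's TOS/DSCP example does not explain why CLASSIFY should be accepted at input-side hooks. I would split this into its own patch with its own justification. The first entry is `NFPROTO_UNSPEC`, so after this change it carries no hook or table limit for any family that falls back to it; the ARP entry in the next hunk loses its `NF_ARP_OUT`/`NF_ARP_FORWARD` mask in the same way.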
@@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
.name = "CLASSIFY",
.revision = 0,
.family = NFPROTO_ARP,
- .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
.target = classify_tg,
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index ae82716..0a9ff64 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.checkentry = dscp_tg_check,
.target = dscp_tg,
.targetsize = sizeof(struct xt_DSCP_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.checkentry = dscp_tg_check,
.target = dscp_tg6,
.targetsize = sizeof(struct xt_DSCP_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
.name = "TOS",
.revision = 1,
.family = NFPROTO_IPV4,
- .table = "mangle",
.target = tos_tg,
.targetsize = sizeof(struct xt_tos_target_info),
.me = THIS_MODULE,
@@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.name = "TOS",
.revision = 1,
.family = NFPROTO_IPV6,
- .table = "mangle",
.target = tos_tg6,
.targetsize = sizeof(struct xt_tos_target_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87..4da5db3 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.target = ttl_tg,
.targetsize = sizeof(struct ipt_TTL_info),
- .table = "mangle",
.checkentry = ttl_tg_check,
.me = THIS_MODULE,
},
@@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV6,
.target = hl_tg6,
.targetsize = sizeof(struct ip6t_HL_info),
- .table = "mangle",
.checkentry = hl_tg6_check,
.me = THIS_MODULE,
},
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4..b42c02e 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
{
.name = "TCPOPTSTRIP",
.family = NFPROTO_IPV4,
- .table = "mangle",
.proto = IPPROTO_TCP,
.target = tcpoptstrip_tg4,
.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
@@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
{
.name = "TCPOPTSTRIP",
.family = NFPROTO_IPV6,
- .table = "mangle",
.proto = IPPROTO_TCP,
.target = tcpoptstrip_tg6,
.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
--
1.7.10.4