* [PATCH] netfilter: xtables: remove table restrictions from some modules
@ 2012-12-18 14:07 Jan Engelhardt
From: Jan Engelhardt @ 2012-12-18 14:07 UTC (permalink / raw)
To: pablo; +Cc: jhs, netfilter-devel
I cannot think of a reason to limit the use of these modules to the
"mangle" table or their hooks. TOS/DSCP is not only used to influence
a routing decision, for example.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
Are there any pitfalls I am not aware of?
Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
at different places?
net/ipv4/netfilter/ipt_ECN.c | 1 -
net/netfilter/xt_CHECKSUM.c | 1 -
net/netfilter/xt_CLASSIFY.c | 3 ---
net/netfilter/xt_DSCP.c | 4 ----
net/netfilter/xt_HL.c | 2 --
net/netfilter/xt_TCPOPTSTRIP.c | 2 --
6 files changed, 13 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 4bf3dc4..5508113 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
.family = NFPROTO_IPV4,
.target = ecn_tg,
.targetsize = sizeof(struct ipt_ECN_info),
- .table = "mangle",
.checkentry = ecn_tg_check,
.me = THIS_MODULE,
};
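Review bot: dropping `.table = "mangle"` here also admits ECN into the "nat" table, where rules are consulted only for the first packet of a connection rather than per packet, so an ECN rule placed there would silently not rewrite the ECN bits of later packets. The commit message should say which tables the target is now expected to be meaningful in (at least "raw" and "filter", which are per packet) and whether the userspace documentation that describes these targets as mangle-only needs a matching update; the same applies to every `.table` removal in this series.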
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef..153d5c3 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
.family = NFPROTO_UNSPEC,
.target = checksum_tg,
.targetsize = sizeof(struct xt_CHECKSUM_info),
- .table = "mangle",
.checkentry = checksum_tg_check,
.me = THIS_MODULE,
};
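Review bot: the open question from the cover notes ("Could conntrack be upset if ... CHECKSUM can execute at different places?") belongs, answered, in the commit message rather than below the `---`. CHECKSUM fills in the checksum of CHECKSUM_PARTIAL skbs, so the relevant ordering is the position of the "raw" table, which runs before the conntrack hook in PREROUTING and OUTPUT, versus "mangle", which runs after it; stating that conntrack does not rely on the checksum being completed at that point (or that the target is not expected to be used in "raw") would settle the question for reviewers.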
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index af9c4da..c988093 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
.name = "CLASSIFY",
.revision = 0,
.family = NFPROTO_UNSPEC,
- .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_POST_ROUTING),
.target = classify_tg,
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
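Review bot: the subject says "remove table restrictions", but this hunk removes a hook mask (`NF_INET_LOCAL_OUT | NF_INET_FORWARD | NF_INET_POST_ROUTING`), which is a different kind of restriction: CLASSIFY can now be placed in PRE_ROUTING and LOCAL_IN as well. The commit message should state that explicitly and say what setting `skb->priority` on an input-side hook is expected to achieve, since the value only matters to egress queueing; the same note applies to the NFPROTO_ARP registration in the next hunk, which gains NF_ARP_IN.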
@@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
.name = "CLASSIFY",
.revision = 0,
.family = NFPROTO_ARP,
- .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
.target = classify_tg,
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index ae82716..0a9ff64 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.checkentry = dscp_tg_check,
.target = dscp_tg,
.targetsize = sizeof(struct xt_DSCP_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.checkentry = dscp_tg_check,
.target = dscp_tg6,
.targetsize = sizeof(struct xt_DSCP_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
.name = "TOS",
.revision = 1,
.family = NFPROTO_IPV4,
- .table = "mangle",
.target = tos_tg,
.targetsize = sizeof(struct xt_tos_target_info),
.me = THIS_MODULE,
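Review bot: for the TOS (and DSCP) registrations the behavioural difference between tables is not mentioned: the reroute after a TOS change is performed by the "mangle" table's output hook, so a TOS rule in "filter" OUTPUT will rewrite the header but the packet will keep the route chosen before the change. The commit message should record that difference (it is raised later in the thread) so that users do not expect policy routing on TOS to work from any table.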
@@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.name = "TOS",
.revision = 1,
.family = NFPROTO_IPV6,
- .table = "mangle",
.target = tos_tg6,
.targetsize = sizeof(struct xt_tos_target_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87..4da5db3 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.target = ttl_tg,
.targetsize = sizeof(struct ipt_TTL_info),
- .table = "mangle",
.checkentry = ttl_tg_check,
.me = THIS_MODULE,
},
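Review bot: `.checkentry = ttl_tg_check` is kept, so the per-rule validation of the TTL target is unchanged, which is right; what is missing is the hook-side reasoning for the TTL/HL decrement, which the commit message should spell out: with the table restriction gone the target can run in "nat", where only the first packet of a connection sees the rule, so documenting that the intended tables are "raw", "mangle" and "filter" would avoid surprising behaviour.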
@@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV6,
.target = hl_tg6,
.targetsize = sizeof(struct ip6t_HL_info),
- .table = "mangle",
.checkentry = hl_tg6_check,
.me = THIS_MODULE,
},
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4..b42c02e 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
{
.name = "TCPOPTSTRIP",
.family = NFPROTO_IPV4,
- .table = "mangle",
.proto = IPPROTO_TCP,
.target = tcpoptstrip_tg4,
.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
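Review bot: keeping `.proto = IPPROTO_TCP` is correct, but the cover-note question about conntrack should be answered in the commit message for this target in particular. Within PREROUTING, "mangle" already runs after the conntrack hook, so conntrack already sees the options before they are stripped there; the new case is "raw", which runs before conntrack and therefore lets conntrack track the already-stripped packet (for example a SYN without its window-scale option). Stating that this ordering is acceptable, or that it was considered, is what a reviewer needs here; the IPv6 registration in the next hunk has the same property.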
@@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
{
.name = "TCPOPTSTRIP",
.family = NFPROTO_IPV6,
- .table = "mangle",
.proto = IPPROTO_TCP,
.target = tcpoptstrip_tg6,
.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
--
1.7.10.4
* Re: [PATCH] netfilter: xtables: remove table restrictions from some modules
From: Maciej Żenczykowski @ 2012-12-21 10:19 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: pablo, jhs, netfilter-devel
I'm not sure about the current state.
But there used to be code that would cause a mangle table's tos change
to trigger a reroute.
I'm guessing this wouldn't work if tos was changed from another table.
On Tue, Dec 18, 2012 at 3:07 PM, Jan Engelhardt <jengelh@inai.de> wrote:
> I cannot think of a reason to limit the use of these modules to the
> "mangle" table or their hooks. TOS/DSCP is not only used to influence
> a routing decision, for example.
>
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>
> Are there any pitfalls I am not aware of?
> Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
> at different places?
>
>
> net/ipv4/netfilter/ipt_ECN.c | 1 -
> net/netfilter/xt_CHECKSUM.c | 1 -
> net/netfilter/xt_CLASSIFY.c | 3 ---
> net/netfilter/xt_DSCP.c | 4 ----
> net/netfilter/xt_HL.c | 2 --
> net/netfilter/xt_TCPOPTSTRIP.c | 2 --
> 6 files changed, 13 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
> index 4bf3dc4..5508113 100644
> --- a/net/ipv4/netfilter/ipt_ECN.c
> +++ b/net/ipv4/netfilter/ipt_ECN.c
> @@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
> .family = NFPROTO_IPV4,
> .target = ecn_tg,
> .targetsize = sizeof(struct ipt_ECN_info),
> - .table = "mangle",
> .checkentry = ecn_tg_check,
> .me = THIS_MODULE,
> };
> diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
> index 0f642ef..153d5c3 100644
> --- a/net/netfilter/xt_CHECKSUM.c
> +++ b/net/netfilter/xt_CHECKSUM.c
> @@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
> .family = NFPROTO_UNSPEC,
> .target = checksum_tg,
> .targetsize = sizeof(struct xt_CHECKSUM_info),
> - .table = "mangle",
> .checkentry = checksum_tg_check,
> .me = THIS_MODULE,
> };
> diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
> index af9c4da..c988093 100644
> --- a/net/netfilter/xt_CLASSIFY.c
> +++ b/net/netfilter/xt_CLASSIFY.c
> @@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
> .name = "CLASSIFY",
> .revision = 0,
> .family = NFPROTO_UNSPEC,
> - .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
> - (1 << NF_INET_POST_ROUTING),
> .target = classify_tg,
> .targetsize = sizeof(struct xt_classify_target_info),
> .me = THIS_MODULE,
> @@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
> .name = "CLASSIFY",
> .revision = 0,
> .family = NFPROTO_ARP,
> - .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
> .target = classify_tg,
> .targetsize = sizeof(struct xt_classify_target_info),
> .me = THIS_MODULE,
> diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
> index ae82716..0a9ff64 100644
> --- a/net/netfilter/xt_DSCP.c
> +++ b/net/netfilter/xt_DSCP.c
> @@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
> .checkentry = dscp_tg_check,
> .target = dscp_tg,
> .targetsize = sizeof(struct xt_DSCP_info),
> - .table = "mangle",
> .me = THIS_MODULE,
> },
> {
> @@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
> .checkentry = dscp_tg_check,
> .target = dscp_tg6,
> .targetsize = sizeof(struct xt_DSCP_info),
> - .table = "mangle",
> .me = THIS_MODULE,
> },
> {
> .name = "TOS",
> .revision = 1,
> .family = NFPROTO_IPV4,
> - .table = "mangle",
> .target = tos_tg,
> .targetsize = sizeof(struct xt_tos_target_info),
> .me = THIS_MODULE,
> @@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
> .name = "TOS",
> .revision = 1,
> .family = NFPROTO_IPV6,
> - .table = "mangle",
> .target = tos_tg6,
> .targetsize = sizeof(struct xt_tos_target_info),
> .me = THIS_MODULE,
> diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
> index 1535e87..4da5db3 100644
> --- a/net/netfilter/xt_HL.c
> +++ b/net/netfilter/xt_HL.c
> @@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
> .family = NFPROTO_IPV4,
> .target = ttl_tg,
> .targetsize = sizeof(struct ipt_TTL_info),
> - .table = "mangle",
> .checkentry = ttl_tg_check,
> .me = THIS_MODULE,
> },
> @@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
> .family = NFPROTO_IPV6,
> .target = hl_tg6,
> .targetsize = sizeof(struct ip6t_HL_info),
> - .table = "mangle",
> .checkentry = hl_tg6_check,
> .me = THIS_MODULE,
> },
> diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
> index 25fd1c4..b42c02e 100644
> --- a/net/netfilter/xt_TCPOPTSTRIP.c
> +++ b/net/netfilter/xt_TCPOPTSTRIP.c
> @@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
> {
> .name = "TCPOPTSTRIP",
> .family = NFPROTO_IPV4,
> - .table = "mangle",
> .proto = IPPROTO_TCP,
> .target = tcpoptstrip_tg4,
> .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> @@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
> {
> .name = "TCPOPTSTRIP",
> .family = NFPROTO_IPV6,
> - .table = "mangle",
> .proto = IPPROTO_TCP,
> .target = tcpoptstrip_tg6,
> .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> --
> 1.7.10.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH] netfilter: xtables: remove table restrictions from some modules
From: Jan Engelhardt @ 2012-12-21 11:02 UTC (permalink / raw)
To: Maciej Żenczykowski; +Cc: pablo, jhs, netfilter-devel
On Friday 2012-12-21 11:19, Maciej Żenczykowski wrote:
>I'm not sure about the current state.
>But there used to be code that would cause a mangle table's tos change
>to trigger a reroute.
>I'm guessing this wouldn't work if tos was changed from another table.
Indeed, changing TOS from "filter" will not influence the route,
but you can still do so by way of using TOS in "mangle".