From: Eric Leblond <eric@regit.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: REJECT: separate reusable code
Date: Fri, 27 Dec 2013 15:51:32 +0100 [thread overview]
Message-ID: <1388155892.6117.7.camel@ice-age2.regit.org> (raw)
In-Reply-To: <20131220095059.GA13371@localhost>
Hello Pablo,
On Fri, 2013-12-20 at 10:50 +0100, Pablo Neira Ayuso wrote:
> Hi Eric,
>
> Some comments on this patch.
>
> On Thu, Dec 12, 2013 at 08:44:40AM +0100, Eric Leblond wrote:
> > This patch prepares the addition of TCP reset support in
> > the nft_reject module by moving reusable code into a header
> > file.
> >
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> > include/net/netfilter/nf_reject.h | 297 ++++++++++++++++++++++++++++++++++++++
> > net/ipv4/netfilter/ipt_REJECT.c | 124 +---------------
> > net/ipv6/netfilter/ip6t_REJECT.c | 177 +----------------------
> > 3 files changed, 307 insertions(+), 291 deletions(-)
> > create mode 100644 include/net/netfilter/nf_reject.h
> >
> > diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
> > new file mode 100644
> > index 0000000..0bb089a
> > --- /dev/null
> > +++ b/include/net/netfilter/nf_reject.h
> > @@ -0,0 +1,297 @@
> > +#ifndef _NF_REJECT_H
> > +#define _NF_REJECT_H
> > +
> > +#include <net/ip.h>
> > +#include <net/tcp.h>
> > +#include <net/route.h>
> > +#include <net/dst.h>
> > +
> > +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> > +#include <net/ipv6.h>
> > +#include <net/ip6_route.h>
> > +#include <linux/netfilter_ipv6.h>
> > +#endif
> > +
> > +static inline void send_unreach(struct sk_buff *skb_in, int code)
> > +{
> > + icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
> > +}
> > +
> > +/* Send RST reply */
> > +static inline void send_reset(struct sk_buff *oldskb, int hook)
>
> I think that this function is too large to use the inline approach
> that we have used in nft_queue. I've been considering moving this
> common code to a different module and export these symbols but I
> don't find a nice way to make it.
>
> So my suggestion is to have two different include files:
>
> include/net/netfilter/ipv4/nf_reject.h, that contains:
>
> static inline void send_unreach(...
> static void send_reset(...
>
> that you can include from ipt_REJECT and nft_reject.
>
> And include/net/netfilter/ipv6/nf_reject.h, that contains:
>
> static inline void send_unreach6(...
> static void send_reset6(...
>
> that you can include from ip6t_REJECT and nft_reject.
>
> While at it, it is probably good to prepend the prefix nf_ to those
> functions.
>
> Let me know if you have any concern with this approach.
I've implemented this but there is a corner case that I don't like: if
IPv6 is build as module then nft reject should be build as module too.
Putting a dependency on IPv6 to nft reject is not working as IPv4 only
setup will not be possible.
So I only see two solutions:
1. We make IPv6 to be dependent of nft reject IPv6 (I don"t think
this is a good choice)
2. We keep two separate versions of the nft reject module (IPv4 and
IPv6) to avoid this problem (not satisfying solution).
Do you have a better idea ?
I'm in favor of 2. as I think that it is a bit too much to act on IPv6
configuration value.
FYI the build message is:
net/built-in.o: In function `nft_reject_eval':
:(.text+0x2774a): undefined reference to `nf_ip6_checksum'
:(.text+0x27792): undefined reference to `ip6_route_output'
BR,
--
Eric Leblond <eric@regit.org>
next prev parent reply other threads:[~2013-12-27 14:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-11 0:42 [RFC PATCH 0/2] nft: improve reject support Eric Leblond
2013-12-11 0:42 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-11 0:42 ` [PATCH 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-12 7:44 ` [RFC PATCH 0/2] nft: finish reject support Eric Leblond
2013-12-12 7:44 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-20 9:50 ` Pablo Neira Ayuso
2013-12-27 14:51 ` Eric Leblond [this message]
2013-12-29 11:28 ` [RFC PATCHv3 finish reject support] Eric Leblond
2013-12-29 11:28 ` [RFC PATCHv3 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-29 11:28 ` [RFC PATCHv3 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-12 7:44 ` [PATCH " Eric Leblond
2013-12-12 7:55 ` Tomasz Bursztyka
2013-12-12 7:57 ` Tomasz Bursztyka
2013-12-12 8:14 ` Eric Leblond
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1388155892.6117.7.camel@ice-age2.regit.org \
--to=eric@regit.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).