* [PATCH] xt_socket: checks for the state of nf_conntrack
@ 2009-04-30 15:35 Laszlo Attila Toth
  2009-04-30 16:39 ` David Miller
  2009-05-01 22:22 ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Laszlo Attila Toth @ 2009-04-30 15:35 UTC (permalink / raw)
  To: davem, kaber
  Cc: mingo, netdev, netfilter-devel, hidden, linux-kernel,
	Laszlo Attila Toth

xt_socket can use connection tracking, and checks whether it is a module.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 net/netfilter/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 881203c..cb3ad74 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -837,6 +837,7 @@ config NETFILTER_XT_MATCH_SOCKET
 	depends on NETFILTER_TPROXY
 	depends on NETFILTER_XTABLES
 	depends on NETFILTER_ADVANCED
+	depends on !NF_CONNTRACK || NF_CONNTRACK
 	select NF_DEFRAG_IPV4
 	help
 	  This option adds a `socket' match, which can be used to match
-- 
1.6.2.2.404.ge96f3



* Re: [PATCH] xt_socket: checks for the state of nf_conntrack
  2009-04-30 15:35 [PATCH] xt_socket: checks for the state of nf_conntrack Laszlo Attila Toth
@ 2009-04-30 16:39 ` David Miller
  2009-04-30 20:26   ` Tóth László Attila
  2009-05-01 22:22 ` David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: David Miller @ 2009-04-30 16:39 UTC (permalink / raw)
  To: panther; +Cc: kaber, mingo, netdev, netfilter-devel, hidden, linux-kernel

From: Laszlo Attila Toth <panther@balabit.hu>
Date: Thu, 30 Apr 2009 17:35:55 +0200

> xt_socket can use connection tracking, and checks whether it is a module.
> 
> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

I don't understand why we want what this is doing....

> +	depends on !NF_CONNTRACK || NF_CONNTRACK

This means that if NF_CONNTRACK is modular, it won't allow
the xt_socket code to be built.

However, all of this stuff should be buildable modular.


* Re: [PATCH] xt_socket: checks for the state of nf_conntrack
  2009-04-30 16:39 ` David Miller
@ 2009-04-30 20:26   ` Tóth László Attila
  0 siblings, 0 replies; 4+ messages in thread
From: Tóth László Attila @ 2009-04-30 20:26 UTC (permalink / raw)
  To: David Miller
  Cc: panther, kaber, mingo, netdev, netfilter-devel, hidden,
	linux-kernel

Hi Dave,

On 2009.04.30., at 18:39, David Miller wrote:

> From: Laszlo Attila Toth <panther@balabit.hu>
> Date: Thu, 30 Apr 2009 17:35:55 +0200
>
>> xt_socket can use connection tracking, and checks whether it is a  
>> module.
>>
>> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
>
> I don't understand why we want what this is doing....
>

Most of the time the source / destination addresses and ports of the
packet are enough to look up the corresponding socket. With the SNAT
target this kind of lookup is broken. The socket match is in the
mangle table, before nat, thus it can see only the destination address
set by the SNAT target (this is the reply direction). If we want to
support SNAT, we need nf_conntrack. But this is optional: if
connection tracking is not in the kernel, the socket match will be
compiled without it....

>> +	depends on !NF_CONNTRACK || NF_CONNTRACK
>
> This means that if NF_CONNTRACK is modular, it won't allow
> the xt_socket code to be built.
>

I checked that if NF_CONNTRACK is disabled, the socket match will be
allowed to be built either into a module, or into vmlinuz. If
NF_CONNTRACK is "y", it is exactly the same. If NF_CONNTRACK=m, the
socket match can only be a module.

> However, all of this stuff should be buildable modular.

--
Attila
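The disagreement in the two messages above comes down to how `depends on !NF_CONNTRACK || NF_CONNTRACK` evaluates: as a boolean it is always true, but kconfig evaluates it over tristates. The following is an added example written for this page, not code from the thread or from the kernel build system; it models kconfig's tristate rules (n < m < y, `!` mirrors a value, `||` is max, `&&` is min, `depends on` is an upper bound on the symbol) as assumptions and uses the symbol names from the patch. It reproduces the three cases Attila reports and shows why a boolean reading leads to the wrong conclusion.

```python
"""Evaluate `depends on !NF_CONNTRACK || NF_CONNTRACK` the way kconfig does.

Added example, not part of the thread. The tristate semantics below are
an assumption drawn from the kconfig language: values are ordered
n < m < y, `!x` mirrors x around m, `||` is max, `&&` is min, and a
`depends on` expression is an upper bound on the dependent symbol.
"""

# Tristate values in kconfig's order.
N, M, Y = 0, 1, 2
NAME = {N: "n", M: "m", Y: "y"}


def k_not(a: int) -> int:
    """Tristate negation: !n = y, !m = m, !y = n."""
    return Y - a


def k_or(a: int, b: int) -> int:
    """Tristate OR is the maximum of both operands."""
    return max(a, b)


def k_and(a: int, b: int) -> int:
    """Tristate AND is the minimum of both operands."""
    return min(a, b)


def self_or_not_self(sym: int) -> int:
    """Value of `!SYM || SYM` for a given tristate SYM."""
    return k_or(k_not(sym), sym)


def allowed_values(dep: int) -> list:
    """Values a tristate symbol may take when its `depends on` evaluates to dep.

    dep == n: symbol cannot be enabled at all.
    dep == m: symbol may only be a module.
    dep == y: symbol may be a module or built in.
    """
    return [v for v in (M, Y) if v <= dep]


def xt_socket_choices(nf_conntrack: int) -> list:
    """Build options for NETFILTER_XT_MATCH_SOCKET given NF_CONNTRACK's value."""
    dep = self_or_not_self(nf_conntrack)
    return [NAME[v] for v in allowed_values(dep)]


def boolean_reading(nf_conntrack: int) -> bool:
    """What the line looks like if m is read as plain 'enabled': always true."""
    enabled = nf_conntrack != N
    return (not enabled) or enabled


if __name__ == "__main__":
    for v in (N, M, Y):
        print(f"NF_CONNTRACK={NAME[v]}: xt_socket may be {xt_socket_choices(v)}, "
              f"boolean reading says {boolean_reading(v)}")
```

Running the block prints that NF_CONNTRACK=n and =y leave the match free to be `m` or `y`, while NF_CONNTRACK=m restricts it to `m`, which is the only combination in which a built-in xt_socket would otherwise be left calling into conntrack code that is not linked into vmlinux.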


* Re: [PATCH] xt_socket: checks for the state of nf_conntrack
  2009-04-30 15:35 [PATCH] xt_socket: checks for the state of nf_conntrack Laszlo Attila Toth
  2009-04-30 16:39 ` David Miller
@ 2009-05-01 22:22 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2009-05-01 22:22 UTC (permalink / raw)
  To: panther; +Cc: kaber, mingo, netdev, netfilter-devel, hidden, linux-kernel

From: Laszlo Attila Toth <panther@balabit.hu>
Date: Thu, 30 Apr 2009 17:35:55 +0200

> xt_socket can use connection tracking, and checks whether it is a module.
> 
> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>

Applied, thanks.
