netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Darren Willis <djw@google.com>
Cc: Jan Engelhardt <jengelh@medozas.de>,
	Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] DHCPv6 connection tracker helper
Date: Wed, 29 Feb 2012 00:54:56 +0100
Message-ID: <20120228235456.GA30286@1984>
In-Reply-To: <CAFntDkz4QtCrgHNFNp6Bn1dGco3HCWthYaFLN_-bUVb2q0wPjQ@mail.gmail.com>

On Mon, Feb 27, 2012 at 01:18:58PM +0900, Darren Willis wrote:
> > 1) In the last Netfilter workshop, we decided that we're targeting
> > towards explicit helper configuration via iptables, ie. something
> > like:
> >
> > ip6tables -I OUTPUT -t raw -s $SRC -d $DST \
> >        -p udp --dport 547 -j CT --helper dhcpv6
> >
> > According to your report, this is exactly what distributors don't
> > want to do.
> 
> Interesting. Well, my impression is that distributions don't want to
> add rules, but if they can't avoid it, they'll just have to cope.
> Is this changeover coming in the immediate future?

Yes. I'd like to send a patch for RFC to the mailing list any time
soon. I'll include you in the CC.

> > 2) The helper infrastructure is allowing us to filter broadcast
> > traffic but I think that it's been designed for a different purpose.
> > I know, we don't have any better by now. But in the meanwhile, we're
> > adding specific helpers to support each broadcast protocol.
> 
> Agreed, while I think for now this helper is fine, I think it'd be
> nice to have a more generic multicast/broadcast helper, although it'd
> still need to have specific protocols baked into it to work (maybe
> netbios, dhcpv6, mDNS, LLMNR, SSDP, neighbour discovery, other
> things).

This is exactly what scares me. I don't like the idea of bloating the
kernel with lots of helpers for each single protocol.

I'm currently working on one user-space helper infrastructure. We can
use that infrastructure to implement this helper and many others.

I've got the patch in one branch of my kernel tree, it's still
experimental stuff, but I expect to have it done soon.

Would you be OK with us making this (and other helpers that will surely
follow up) in user-space?


Thread overview: 14+ messages
2012-02-10  2:30 [PATCH] DHCPv6 connection tracker helper Darren Willis
2012-02-10 11:18 ` Pablo Neira Ayuso
2012-02-13  4:07   ` Darren Willis
2012-02-13 23:05     ` Pablo Neira Ayuso
2012-02-13  9:55 ` Jan Engelhardt
2012-02-14  0:46   ` Pablo Neira Ayuso
2012-02-15  9:00   ` Darren Willis
2012-02-15 17:13     ` Jan Engelhardt
2012-02-16  4:56       ` Darren Willis
2012-02-24 17:54         ` Pablo Neira Ayuso
2012-02-27  4:18           ` Darren Willis
2012-02-28 23:54             ` Pablo Neira Ayuso [this message]
2012-03-02  3:59               ` Darren Willis
2012-03-03 13:35                 ` Pablo Neira Ayuso
