From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Hans Schillstrom <hans@schillstrom.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] extensions: add HMARK target
Date: Mon, 16 Jul 2012 14:22:33 +0200 [thread overview]
Message-ID: <20120716122233.GA15107@1984> (raw)
In-Reply-To: <tqndgm6.1b88e2552b09f599e7127d46418a73b3@obelix.schillstrom.com>
On Sun, Jul 15, 2012 at 12:53:46AM +0200, Hans Schillstrom wrote:
[...]
> >I'll be OK to make --hmark-offset mandatory, BTW.
>
> Well, if people use it to other things than PBR it will be bad to have it mandatory
> so I think we leave it as it is.
Sorry, I missed this mail and pushed this into master. Already made it
mandatory. Send me a patch if you want to relax this. I'll apply it.
> I don't like is that MODE_L3 is gone
> L3 can be substituted by using --hamrk-tuple src, dst. so that might be OK
> but there is no flag set. (causing a lot of extra cpu cycles)
This saves cycles for some specific case, but at the cost of adding
some branch misprediction in other case (ie. more cycles in other
cases). If we aim to genericity, we have to remove it.
BTW, I'd like to see some follow-up patch to support ICMP. We can just
generate the hash mark it using the src,dst,proto parts. That should
be easy.
> All masks have gone from set to zero, (due to hmark-tuple ?)
> If it's more clear or not , I don't know but the man page needs to be updated
> --hmark-tuple ct alone doesn't do much.
You're right, I fixed this in a follow-up patch now in master.
> iptables \-t mangle \-A PREROUTING \-m state \-\-state NEW
> - \-j HMARK \-\-hmark-tuple ct \-\-hmark-offset 10000 \-\-hmark\-mod 10
> change to
> + \-j HMARK \-\-hmark-tuple ct,src,dst \-\-hmark-offset 10000 \-\-hmark\-mod 10
> \-\-hmark\-rnd 0xfeedcafe
>
> Some faults found during my first sanity check.
> (I have not run any real tests so far, just some manual command tests
> Due to the new behaviour and syntax the test suite needs some update)
I've applied this patch below. Please, add description next time.
> diff --git a/extensions/libxt_HMARK.c b/extensions/libxt_HMARK.c
> index ee2629d..053bc10 100644
> --- a/extensions/libxt_HMARK.c
> +++ b/extensions/libxt_HMARK.c
> @@ -280,15 +280,15 @@ static void HMARK_check(struct xt_fcheck_call *cb)
>
> static void HMARK_print(const struct xt_hmark_info *info)
> {
> - if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
> + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
> printf("sport-mask 0x%x ", htons(info->port_mask.p16.src));
> - if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
> + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
> printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst));
> if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI))
> printf("spi-mask 0x%x ", htonl(info->port_mask.v32));
> - if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
> + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
> printf("sport-set 0x%x ", htons(info->port_set.p16.src));
> - if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
> + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
> printf("dport-set 0x%x ", htons(info->port_set.p16.dst));
> if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
> printf("spi-set 0x%x ", htonl(info->port_set.v32));
> @@ -333,11 +333,11 @@ static void HMARK_ip4_print(const void *ip,
> if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
> printf("ct, ");
> if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
> - printf("src-prefix %s ",
> - xtables_ipmask_to_numeric(&info->src_mask.in) + 1);
> + printf("src-prefix %d ",
> + xtables_ipmask_to_cidr(&info->src_mask.in));
> if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
> - printf("dst-prefix %s ",
> - xtables_ipmask_to_numeric(&info->dst_mask.in) + 1);
> + printf("dst-prefix %d ",
> + xtables_ipmask_to_cidr(&info->dst_mask.in));
> HMARK_print(info);
> }
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-07-16 12:22 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-14 22:53 Re[2]: [PATCH 2/2] extensions: add HMARK target Hans Schillstrom
2012-07-16 12:22 ` Pablo Neira Ayuso [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-07-12 7:34 Hans Schillstrom
2012-07-12 15:29 ` Pablo Neira Ayuso
2012-07-12 7:29 Hans Schillstrom
2012-07-10 23:17 [PATCH 0/2] revamped HMARK extension pablo
2012-07-10 23:17 ` [PATCH 2/2] extensions: add HMARK target pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120716122233.GA15107@1984 \
--to=pablo@netfilter.org \
--cc=hans@schillstrom.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).