From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"Cong Wang" <xiyou.wangcong@gmail.com>,
"Cong Wang" <amwang@redhat.com>,
netfilter-devel@vger.kernel.org,
"Patrick McHardy" <kaber@trash.net>,
"David S. Miller" <davem@davemloft.net>,
netfilter@vger.kernel.org
Subject: Re: [Patch net-next] netfilter: remove xt_NOTRACK
Date: Tue, 4 Sep 2012 15:58:10 +0200
Message-ID: <20120904135810.GA12207@1984>
In-Reply-To: <alpine.LNX.2.01.1209040539040.9352@frira.zrqbmnf.qr>
On Tue, Sep 04, 2012 at 05:57:28AM +0200, Jan Engelhardt wrote:
>
> On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote:
>
> >+<----->if (cs->target->alias == NULL)^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M
> >+<----->else^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M
> >
> >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto)
> >
> >doesn't this all really belong in the CT files now?
> >ie. libxt_CT.c not libxt_NOTRACK.c
>
> I think so too.
> Furthermore, I have refined Pablo's patch.
>
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
> (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
> providing a symlink.
>
> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> has become unusable on sufficiently old kernels.
> Should we even bother?
>
> [ Agglomeration of two patches in git://git.inai.de/iptables master ]
> diff --git a/configure.ac b/configure.ac
> index 861f5b3..a45d9ab 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2,8 +2,8 @@
> AC_INIT([iptables], [1.4.15])
>
> # See libtool.info "Libtool's versioning system"
> -libxtables_vcurrent=8
> -libxtables_vage=1
> +libxtables_vcurrent=9
> +libxtables_vage=0
>
> AC_CONFIG_AUX_DIR([build-aux])
> AC_CONFIG_HEADERS([config.h])
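Review bot: resetting libxtables_vage to 0 while bumping libxtables_vcurrent to 9 declares an incompatible libxtables ABI change, yet no hunk in this diff touches libxtables itself; the only new interface the rest of the patch relies on is the `.real_rev` member used in the libxt_CT.c registration, and the xtables.h change that adds it is not shown. Either fold that header change into this patch or state in the commit message which exported interface changed, so that the age reset is traceable to a concrete ABI break rather than to the removal of an extension module, which by itself does not alter the library's interface.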
> diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
> index 218dc3a..92ac63d 100644
> --- a/extensions/GNUmakefile.in
> +++ b/extensions/GNUmakefile.in
> @@ -39,6 +39,7 @@ endif
> # Wildcard module list
> #
> pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
> +pfx_build_mod += NOTRACK
> @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
> @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
> pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
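Review bot: `pfx_build_mod += NOTRACK` feeds every list derived from pfx_build_mod, not only the shared-object names, so the static build (`# Static bits` further down in this file) will also expect a libxt_NOTRACK.c to compile into libxt_NOTRACK.oo, and item 3 of the cover text removes exactly that file. Please check that NOTRACK only reaches the .so target list, or filter it out of the static object list, otherwise static builds break. Adding the name before the `filter-out @blacklist_modules@` line is the right place, since it keeps NOTRACK blacklistable like any other module.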
> @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c
> xt_RATEEST_LIBADD = -lm
> xt_statistic_LIBADD = -lm
>
> +libxt_NOTRACK.so: libxt_CT.so
> + ln -s $< $@
>
> #
> # Static bits
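Review bot: `ln -s $< $@` fails with "File exists" on any incremental rebuild in which libxt_CT.so is newer than an already present libxt_NOTRACK.so link; use `ln -fs $< $@` (or `rm -f $@ && ln -s $< $@`) so the rule is idempotent. A one-line comment above the rule saying that libxt_NOTRACK.so is deliberately an alias of libxt_CT.so, because the NOTRACK entry now lives in ct_target_reg[], would also help; a bare symlink rule in a makefile otherwise reads like an accident. The recipe line must be tab-indented, which the quoted mail cannot show.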
> diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
> index 27a20e2..8012a59 100644
> --- a/extensions/libxt_CT.c
> +++ b/extensions/libxt_CT.c
> @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
> printf(" --zone %u", info->zone);
> }
>
> +static void notrack_tg_init(struct xt_entry_target *target)
> +{
> + struct xt_ct_target_info_v1 *info = (void *)target->data;
> +
> + info->flags |= XT_CT_NOTRACK;
> +}
> +
> static struct xtables_target ct_target_reg[] = {
> {
> .family = NFPROTO_UNSPEC,
> @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = {
> .x6_parse = ct_parse_v1,
> .x6_options = ct_opts_v1,
> },
> + {
> + .family = NFPROTO_UNSPEC,
> + .name = "NOTRACK",
> + .revision = 0,
> + .real_name = "CT",
> + .real_rev = 1,
> + .version = XTABLES_VERSION,
> + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
> + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
> + .print = ct_print_v1,
> + .save = ct_save_v1,
> + .init = notrack_tg_init,
> + },
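Review bot: the alias entry is pinned to `.real_rev = 1`, so on a kernel whose CT target only offers revision 0, or that has xt_NOTRACK but no xt_CT at all (Jan's unsolved point 4), `-j NOTRACK` is rejected outright with no fall-back. For the revision-0 case raised below, add a second `NOTRACK`/revision 0 entry with `.real_name = "CT"`, `.real_rev = 0`, `.size = XT_ALIGN(sizeof(struct xt_ct_target_info))`, `.userspacesize = offsetof(struct xt_ct_target_info, ct)` and a revision-0 init that sets XT_CT_NOTRACK in that struct's flags; this assumes the kernel's revision-0 CT target honours XT_CT_NOTRACK, which this diff does not show. The xt_NOTRACK-only kernels remain unsupported either way, and the commit message should say so explicitly.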
We also need to add support for real_rev 0 of the CT target. Just to
make sure that we don't break with old kernels.
I've pulled this and pushed out to the notrack-removal branch of
iptables. The idea would be to fix this issue above and to merge that
couple of patches once 3.7-rc1 is released.
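The following is an added example, not iptables or libxtables code, modelling the mechanism the thread discusses: a userspace alias entry NOTRACK.0 carrying a real_name/real_rev pair is resolved against the (name, revision) pairs the running kernel accepts, preferring CT revision 1 and falling back to CT revision 0 as the reply above asks for, and failing on a kernel that only has xt_NOTRACK, which is Jan's unsolved point 4. `kernel_probe()`, `resolve_alias()`, `notrack_rev_on()`, `notrack_flags_on()` and the three kernel tables are invented for this illustration; the kernel tables are constructed, not obtained from a real revision probe, and XT_CT_NOTRACK is defined here with the UAPI value 1 << 0.

```c
/*
 * Added example (not iptables/libxtables code): resolving the NOTRACK.0
 * alias against what a kernel accepts, with CT.1 preferred and CT.0 as
 * fall-back.  All names and the kernel tables below are invented for
 * this illustration; nothing here probes a real kernel.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_CT_NOTRACK           0x1u /* UAPI value of the flag set by notrack_tg_init() */
#define XT_EXTENSION_MAXNAMELEN 29   /* size of the name field in xt_entry_target        */

/* One userspace registration, modelled on the fields used by the patch */
struct alias_entry {
    const char *name;      /* name typed after -j                        */
    uint8_t     revision;  /* revision of that userspace name            */
    const char *real_name; /* extension name actually sent to the kernel */
    uint8_t     real_rev;  /* kernel revision of real_name               */
};

/* Constructed stand-in for the kernel's answer to a revision probe */
struct kernel_support {
    const char *name;
    uint8_t     rev;
};

/* What would end up in xt_entry_target: kernel-facing name, revision, flags */
struct resolved {
    char     kernel_name[XT_EXTENSION_MAXNAMELEN];
    uint8_t  kernel_rev;
    uint32_t flags;
};

/* Model of compatible_revision(): does this kernel accept name/rev? */
static bool kernel_probe(const struct kernel_support *ks, size_t nks,
                         const char *name, uint8_t rev)
{
    for (size_t i = 0; i < nks; i++)
        if (strcmp(ks[i].name, name) == 0 && ks[i].rev == rev)
            return true;
    return false;
}

/*
 * Among all alias entries for `wanted`, pick the one with the highest
 * real_rev the kernel accepts.  Returns false when none is accepted:
 * the "unusable on sufficiently old kernels" case from the thread.
 */
static bool resolve_alias(const struct alias_entry *tbl, size_t ntbl,
                          const struct kernel_support *ks, size_t nks,
                          const char *wanted, struct resolved *out)
{
    const struct alias_entry *best = NULL;

    for (size_t i = 0; i < ntbl; i++) {
        if (strcmp(tbl[i].name, wanted) != 0)
            continue;
        if (!kernel_probe(ks, nks, tbl[i].real_name, tbl[i].real_rev))
            continue;
        if (best == NULL || tbl[i].real_rev > best->real_rev)
            best = &tbl[i];
    }
    if (best == NULL)
        return false;

    memset(out, 0, sizeof(*out));
    snprintf(out->kernel_name, sizeof(out->kernel_name), "%s", best->real_name);
    out->kernel_rev = best->real_rev;
    /* the job of notrack_tg_init(): mark the CT target data as "do not track" */
    if (strcmp(wanted, "NOTRACK") == 0)
        out->flags |= XT_CT_NOTRACK;
    return true;
}

/* NOTRACK.0 may map to CT.1 (preferred) or to CT.0 (fall-back) */
static const struct alias_entry notrack_aliases[] = {
    { "NOTRACK", 0, "CT", 1 },
    { "NOTRACK", 0, "CT", 0 },
};

/* Three constructed kernels: CT.1 available, CT.0 only, xt_NOTRACK only */
static const struct kernel_support k_new[] = { { "CT", 1 }, { "CT", 0 } };
static const struct kernel_support k_mid[] = { { "CT", 0 } };
static const struct kernel_support k_old[] = { { "NOTRACK", 0 } };

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* CT revision that "-j NOTRACK" would use on this kernel, or -1 if unusable */
int notrack_rev_on(const struct kernel_support *ks, size_t nks)
{
    struct resolved r;
    if (!resolve_alias(notrack_aliases, ARRAY_SIZE(notrack_aliases), ks, nks, "NOTRACK", &r))
        return -1;
    return r.kernel_rev;
}

/* Flags the resolved CT target would carry, or 0 when unresolvable */
uint32_t notrack_flags_on(const struct kernel_support *ks, size_t nks)
{
    struct resolved r;
    if (!resolve_alias(notrack_aliases, ARRAY_SIZE(notrack_aliases), ks, nks, "NOTRACK", &r))
        return 0;
    return r.flags;
}

int main(void)
{
    const struct { const char *label; const struct kernel_support *ks; size_t n; } kernels[] = {
        { "kernel with CT.1",            k_new, ARRAY_SIZE(k_new) },
        { "kernel with CT.0 only",       k_mid, ARRAY_SIZE(k_mid) },
        { "kernel with xt_NOTRACK only", k_old, ARRAY_SIZE(k_old) },
    };
    for (size_t i = 0; i < ARRAY_SIZE(kernels); i++) {
        int rev = notrack_rev_on(kernels[i].ks, kernels[i].n);
        if (rev < 0)
            printf("%s: -j NOTRACK cannot be loaded\n", kernels[i].label);
        else
            printf("%s: -j NOTRACK -> CT revision %d, flags 0x%x\n",
                   kernels[i].label, rev, notrack_flags_on(kernels[i].ks, kernels[i].n));
    }
    return 0;
}
```

The third constructed kernel is the point of Jan's item 4: once userspace only knows NOTRACK as an alias of CT, a kernel that still offers xt_NOTRACK but no xt_CT cannot load the rule at all, and the probe has to report that rather than silently falling back to tracked packets.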
Thread overview: 15+ messages
2012-08-26 6:23 [Patch net-next] netfilter: remove xt_NOTRACK Cong Wang
2012-08-26 10:42 ` Maciej Żenczykowski
2012-08-26 20:04 ` Jan Engelhardt
2012-09-03 7:57 ` Cong Wang
2012-09-03 8:33 ` Oliver
2012-09-03 11:50 ` Maciej Żenczykowski
2012-09-03 15:31 ` Pablo Neira Ayuso
2012-09-03 19:24 ` Pablo Neira Ayuso
2012-09-04 0:14 ` Maciej Żenczykowski
2012-09-04 3:57 ` Jan Engelhardt
2012-09-04 5:29 ` Maciej Żenczykowski
2012-09-04 8:58 ` Pablo Neira Ayuso
2012-09-04 15:15 ` Jan Engelhardt
2012-09-04 15:58 ` Pablo Neira Ayuso
2012-09-04 13:58 ` Pablo Neira Ayuso [this message]