From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
	"Cong Wang" <xiyou.wangcong@gmail.com>,
	"Cong Wang" <amwang@redhat.com>,
	netfilter-devel@vger.kernel.org,
	"Patrick McHardy" <kaber@trash.net>,
	"David S. Miller" <davem@davemloft.net>,
	netfilter@vger.kernel.org
Subject: Re: [Patch net-next] netfilter: remove xt_NOTRACK
Date: Tue, 4 Sep 2012 15:58:10 +0200
Message-ID: <20120904135810.GA12207@1984>
In-Reply-To: <alpine.LNX.2.01.1209040539040.9352@frira.zrqbmnf.qr>

On Tue, Sep 04, 2012 at 05:57:28AM +0200, Jan Engelhardt wrote:
> 
> On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote:
> 
> >+<----->if (cs->target->alias == NULL)^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M
> >+<----->else^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M
> >
> >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto)
> >
> >doesn't this all really belong in the CT files now?
> >ie. libxt_CT.c not libxt_NOTRACK.c
> 
> I think so too.
> Furthermore, I have refined Pablo's patch.
> 
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
>    (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
>    providing a symlink.
> 
> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
>    has become unusable on sufficiently old kernels.
>    Should we even bother?
> 
> [ Agglomeration of two patches in git://git.inai.de/iptables master ]
> diff --git a/configure.ac b/configure.ac
> index 861f5b3..a45d9ab 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2,8 +2,8 @@
>  AC_INIT([iptables], [1.4.15])
>  
>  # See libtool.info "Libtool's versioning system"
> -libxtables_vcurrent=8
> -libxtables_vage=1
> +libxtables_vcurrent=9
> +libxtables_vage=0
>  
>  AC_CONFIG_AUX_DIR([build-aux])
>  AC_CONFIG_HEADERS([config.h])
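Review bot: raising libxtables_vcurrent to 9 while resetting libxtables_vage to 0 declares the new libxtables binary-incompatible with every earlier release (in libtool terms, current+1 with age=0 means interfaces were removed or changed), so out-of-tree extensions built against the old library will stop loading. If the bump is driven by the `.real_rev` field relied on in libxt_CT.c below, that is a struct layout change and age 0 is the right call, but the commit message should say so; if nothing was removed or changed, libtool's rule is current+1 and age+1 instead.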
> diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
> index 218dc3a..92ac63d 100644
> --- a/extensions/GNUmakefile.in
> +++ b/extensions/GNUmakefile.in
> @@ -39,6 +39,7 @@ endif
>  #	Wildcard module list
>  #
>  pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
> +pfx_build_mod += NOTRACK
>  @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
>  @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
>  pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
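Review bot: `pfx_build_mod += NOTRACK` is placed before the `filter-out @blacklist_modules@` line, so NOTRACK stays blacklistable, but everything else derived from pfx_build_mod now also sees a module that has no `libxt_NOTRACK.c`. In particular the `lib%.oo: ${srcdir}/lib%.c` pattern rule and the static-build init list under "Static bits" will look for a source file and an init symbol that do not exist. Please verify that a static build still links, or add NOTRACK only to the list used for the shared-module targets.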
> @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c
>  xt_RATEEST_LIBADD   = -lm
>  xt_statistic_LIBADD = -lm
>  
> +libxt_NOTRACK.so: libxt_CT.so
> +	ln -s $< $@
>  
>  #
>  #	Static bits
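Review bot: `ln -s $< $@` fails with "File exists" the second time the rule runs (after libxt_CT.so is rebuilt the old link is still present), so use `ln -sf $< $@` or remove `$@` first, and add libxt_NOTRACK.so to the clean list. Also check how the install step treats the new file: copying the symlink as a regular file is harmless, but installing it as a link whose relative target is resolved against the build directory would leave `-j NOTRACK` working in-tree and broken once installed.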
> diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
> index 27a20e2..8012a59 100644
> --- a/extensions/libxt_CT.c
> +++ b/extensions/libxt_CT.c
> @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
>  		printf(" --zone %u", info->zone);
>  }
>  
> +static void notrack_tg_init(struct xt_entry_target *target)
> +{
> +	struct xt_ct_target_info_v1 *info = (void *)target->data;
> +
> +	info->flags |= XT_CT_NOTRACK;
> +}
> +
>  static struct xtables_target ct_target_reg[] = {
>  	{
>  		.family		= NFPROTO_UNSPEC,
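Review bot: notrack_tg_init carries no comment saying that it is the .init hook of the NOTRACK.0 alias and that the old target is emulated by setting XT_CT_NOTRACK in the revision-1 CT info; a one-line comment above it would spare the next reader a trip to the registration table. It also relies on libxtables having zeroed `target->data` before calling .init, so that after `info->flags |= XT_CT_NOTRACK` the remaining fields (ct pointer, helper name, zone) stay zero; that is the expected behaviour of the .init hook, but worth stating in the comment since ct_print_v1/ct_save_v1 are reused for the alias and will print whatever those fields contain.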
> @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = {
>  		.x6_parse	= ct_parse_v1,
>  		.x6_options	= ct_opts_v1,
>  	},
> +	{
> +		.family		= NFPROTO_UNSPEC,
> +		.name		= "NOTRACK",
> +		.revision	= 0,
> +		.real_name	= "CT",
> +		.real_rev	= 1,
> +		.version	= XTABLES_VERSION,
> +		.size		= XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
> +		.userspacesize	= offsetof(struct xt_ct_target_info_v1, ct),
> +		.print		= ct_print_v1,
> +		.save		= ct_save_v1,
> +		.init		= notrack_tg_init,
> +	},
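Review bot: the NOTRACK.0 entry maps unconditionally to `.real_rev = 1`, so on a kernel that only offers CT revision 0 (or xt_NOTRACK without xt_CT) `-j NOTRACK` now fails outright, which is point 4 of the cover text; a second entry with `.real_rev = 0` and `.size`/`.userspacesize` computed from the revision-0 info struct would let libxtables' revision probing pick whichever the kernel accepts. Two smaller points: there is no `.help` callback, so `iptables -j NOTRACK -h` prints nothing for the target, and there is no `.alias` callback, so a rule loaded as NOTRACK will presumably be listed and saved under the CT name with its notrack option; that round-trips, but it changes iptables-save output for existing rulesets and deserves a sentence in the commit message.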

We also need to add support for real_rev 0 of the CT target, just to
make sure that we don't break with old kernels.

I've pulled this and pushed out to the notrack-removal branch of
iptables. The idea would be to fix this issue above and to merge that
couple of patches once 3.7-rc1 is released.
