From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Stephen Clark <sclark46@earthlink.net>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH RFC v2] netfilter: add connlabel conntrack extension
Date: Thu, 15 Nov 2012 14:06:10 +0100
Message-ID: <20121115130610.GA4929@1984>
In-Reply-To: <50A4E5A5.2000607@earthlink.net>
On Thu, Nov 15, 2012 at 07:52:53AM -0500, Stephen Clark wrote:
> On 11/15/2012 07:13 AM, Pablo Neira Ayuso wrote:
> >Hi Florian,
> >
> >On Mon, Nov 12, 2012 at 01:47:05PM +0100, Florian Westphal wrote:
> >>Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >>>>diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c
> >>>>new file mode 100644
> >>>>index 0000000..eab398b
> >>>>--- /dev/null
> >>>>+++ b/net/netfilter/nf_conntrack_labels.c
> >>>>@@ -0,0 +1,143 @@
> >>>>+#include<linux/ctype.h>
> >>>>+#include<linux/export.h>
> >>>>+#include<linux/jhash.h>
> >>>>+#include<linux/spinlock.h>
> >>>>+#include<linux/types.h>
> >>>>+#include<linux/slab.h>
> >>>>+
> >>>>+#include<net/netfilter/nf_conntrack_ecache.h>
> >>>>+#include<net/netfilter/nf_conntrack_labels.h>
> >>>>+
> >>>>+static int labels_set_realloc(struct nf_conn_labels *l,
> >>>>+ struct __nf_conn_labels_rcu_ptr *oldptr, u16 bit)
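Review bot: the hunk ends at the labels_set_realloc() signature, so the concurrency contract of the realloc path is not documented anywhere in the visible lines; a comment above the function should state which lock (the file pulls in linux/spinlock.h) must be held while the `struct __nf_conn_labels_rcu_ptr *oldptr` is replaced, that readers reach the pointer under RCU, and what the function does when `bit` lies beyond the currently allocated size, since that is the condition under which reallocation happens. While there, please confirm that linux/ctype.h and linux/jhash.h are actually needed; nothing in the visible portion of the file uses them.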
> >>>I think we can simplify this code if we use the CT target to set the
> >>>number of labels that we'll use, so we skip allocations at runtime and
> >>>possible reallocation.
> >>>
> >>>... -t raw -j CT --labels 32
> >>I'm not convinced yet ;-)
> >>
> >>I think we should avoid to make users fiddle with CT target options
> >>just to get certain functionality working.
> >I agree that we should try to keep things easy for users.
> >
> >Still, since the conntrack helper discussion during the last workshop,
> >I think that users should explicitly enable conntrack features they
> >want via iptables.
> >
> >In that direction, I've been toying with some patches to explicitly
> >enable connection tracking via the CT target, i.e. instead of tracking
> >everything by default and using NOTRACK to say what you don't want
> >(like we do now), tell what you want to track via some explicit rule.
> >PF people are doing it that way.
> >
> >Still, that's an important semantic change, so we'll have to keep some
> >compatibility mode for some time.
>
> Yeah, like forever!! Do you realize what a drastic change this would
> be? How many users actually use NOTRACK, and if they do it is for a
> very specific case. Most users expect CONNTRACK to happen.
Aware of it. I already mentioned that we would need to add some
compatibility mode to have a dual working mode, relying on the compat
behaviour by default, so no one would be affected.
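The "track everything by default, opt out with NOTRACK" model that the thread contrasts with explicit per-rule enabling, written out as iptables rules. This is an added example, not code from the patch or from the netfilter project; it uses only the CT target's existing --notrack option (the --labels option discussed above is a proposal in this thread and is not used), and the choice of 53/udp as the untracked traffic is constructed for illustration. IPT defaults to a dry run that echoes the commands so the script runs without root or a netfilter kernel; set IPT=iptables to apply them. The point a practitioner tends to miss is in filter_rules: once a flow is exempted from conntrack its packets arrive as UNTRACKED, so a filter policy that only accepts ESTABLISHED,RELATED silently drops them, and they need a stateless accept rule of their own.

```shell
#!/bin/sh
# Added example (not part of the original mail or the netfilter tree).
# IPT="echo iptables" turns every call into a dry run; IPT=iptables applies.
IPT="${IPT:-echo iptables}"

# notrack_rules PORT: raw-table rules exempting UDP traffic on PORT from
# connection tracking in both directions.  The raw table is traversed
# before conntrack sees the packet, which is why the opt-out lives here.
notrack_rules() {
    port="$1"
    $IPT -t raw -A PREROUTING -p udp --dport "$port" -j CT --notrack
    $IPT -t raw -A OUTPUT     -p udp --sport "$port" -j CT --notrack
}

# filter_rules PORT: a filter policy that still works for the untracked
# flow.  Exempted packets never reach ESTABLISHED/RELATED state, so the
# usual first rule would not match them; they are matched as UNTRACKED
# with a stateless port check instead, because there is no conntrack
# entry to consult.  INVALID is dropped as for any stateful policy.
filter_rules() {
    port="$1"
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate UNTRACKED -p udp --dport "$port" -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# count_notrack PORT: how many emitted rules opt PORT out of conntrack.
# Only meaningful in dry-run mode, where the commands are printed.
count_notrack() {
    notrack_rules "$1" | grep -c -- '--notrack'
}

# count_untracked PORT: how many filter rules accept UNTRACKED packets,
# i.e. whether the stateless companion rule for the exemption is present.
count_untracked() {
    filter_rules "$1" | grep -c -- '--ctstate UNTRACKED'
}

notrack_rules 53
filter_rules 53
```

Run as-is to see the rules; run with IPT=iptables as root to apply them, then check with `conntrack -L` that no entry appears for the exempted port while other flows are still listed.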
Thread overview: 14+ messages
2012-11-02 12:43 [PATCH RFC v2] netfilter: add connlabel conntrack extension Florian Westphal
2012-11-07 20:04 ` Florian Westphal
2012-11-12 6:44 ` Pablo Neira Ayuso
2012-11-12 12:30 ` Florian Westphal
2012-11-12 16:24 ` Pablo Neira Ayuso
2012-11-12 16:32 ` Florian Westphal
2012-11-12 19:02 ` Pablo Neira Ayuso
2012-11-12 6:50 ` Pablo Neira Ayuso
2012-11-12 12:47 ` Florian Westphal
2012-11-15 12:13 ` Pablo Neira Ayuso
2012-11-15 12:50 ` Florian Westphal
2012-11-15 13:09 ` Pablo Neira Ayuso
2012-11-15 12:52 ` Stephen Clark
2012-11-15 13:06 ` Pablo Neira Ayuso [this message]