From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Willem de Bruijn <willemb@google.com>,
netfilter-devel <netfilter-devel@vger.kernel.org>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH next v3] iptables: add xt_bpf match
Date: Tue, 22 Jan 2013 09:46:57 +0100
Message-ID: <20130122084657.GE8541@breakpoint.cc>
In-Reply-To: <20130121134434.GA12865@1984>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Jan 18, 2013 at 11:48:34AM -0500, Willem de Bruijn wrote:
> [...]
> > To compile code right now, the little bpf compiler that I emailed
> > before can be downloaded from
> > http://code.google.com/p/kernel/downloads/detail?name=bpf2decimal.c
> >
> > I don't think that a compiler has to be shipped with iptables itself,
> > let alone make iptables link against libraries. That said, it is not
> > impossible to detect pcap.h in configure.ac and optionally enable a
> > "-m bpf --string" mode that calls pcap_compile_nopcap from within
> > libxt_bpf, so let me know if you would like me to code that up. I can
> > also try to send a patch to tcpdump that extends compilation (`-ddd -y
> > <type>`) to arbitrary link layer types.
>
> We have to decide if:
>
> a) we add a new hard library dependency to iptables (libpcap) just
> for one single module, that is, the libxt_bpf depends on libpcap.
>
> or
>
> b) provide a separate utility to generate the BPF filter in text-based
> format from some utility that accepts tcpdump-like syntax. The utility
> can be distributed in the utils directory and it would not be
> mandatory to compile it if libpcap is not present.
>
> I'd like to hear pro and con arguments from others on this.

a) is arguably more user friendly, however, I don't think we can
retain the 'text representation' for iptables-save so users
would still be confronted with the compiled data at some point
(i.e., they need to write down the original expression anyway to
figure out what the rule they added 6 months back actually does...)

I would go with b) for now; we can always move to a) later on, but not
the other way around (would kill backwards compatibility).
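
The reply's point that a saved rule would show only the compiled data can be made concrete with a small decoder. This is an added example, not code from the thread or from iptables: it assumes the decimal text form is an instruction count followed by comma-separated `code jt jf k` tuples (`tcpdump -ddd` output with the line breaks replaced by commas), and `parse_bytecode`, `disasm`, `MAX_INSNS` and the sample program are constructed here.

```c
#include <stdio.h>
#include <string.h>
#define MAX_INSNS 64 /* limit chosen for this example */
/* Constructed sample: accept when the byte at offset 9 equals 6 */
#define SAMPLE "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0"

struct insn { unsigned code, jt, jf, k; };
static struct insn prog[MAX_INSNS];

/* Parse "N,code jt jf k,..."; return N, or -1 if malformed or unsafe. */
int parse_bytecode(const char *s, struct insn *p, int max)
{
    int n, used, i;
    if (sscanf(s, "%d%n", &n, &used) != 1 || n < 1 || n > max)
        return -1;
    for (i = 0, s += used; i < n; i++, s += used) {
        if (*s++ != ',' || sscanf(s, "%u %u %u %u%n", &p[i].code,
                                  &p[i].jt, &p[i].jf, &p[i].k, &used) != 4 ||
            p[i].code > 0xffff || p[i].jt > 0xff || p[i].jf > 0xff)
            return -1;
        /* jt/jf of jump-class instructions must stay inside the program */
        if ((p[i].code & 7) == 5 &&
            (i + 1 + p[i].jt >= (unsigned)n || i + 1 + p[i].jf >= (unsigned)n))
            return -1;
    }
    /* no trailing junk, and the last instruction must be a return */
    return (*s == '\0' && (p[n - 1].code & 7) == 6) ? n : -1;
}

/* Render instruction pc, naming only the opcodes the sample uses. */
const char *disasm(const struct insn *p, int pc)
{
    static char buf[64];
    switch (p[pc].code) {
    case 0x30: snprintf(buf, sizeof(buf), "ldb [%u]", p[pc].k); break;
    case 0x15: snprintf(buf, sizeof(buf), "jeq #%u, goto %u else %u",
                        p[pc].k, pc + 1 + p[pc].jt, pc + 1 + p[pc].jf); break;
    case 0x06: snprintf(buf, sizeof(buf), "ret #%u", p[pc].k); break;
    default:   snprintf(buf, sizeof(buf), "op 0x%02x k=%u", p[pc].code, p[pc].k);
    }
    return buf;
}

int main(void)
{
    int n = parse_bytecode(SAMPLE, prog, MAX_INSNS);
    for (int i = 0; i < n; i++)
        printf("%2d: %s\n", i, disasm(prog, i));
    return n < 0;
}
```

Even decoded, the listing gives only offsets and constants; which link-layer type and filter expression produced it still has to be recorded separately.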