From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Jan Engelhardt <jengelh@inai.de>,
Victor Julien <lists@inliniac.net>,
Nick Edwards <nick.z.edwards@gmail.com>,
netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org,
mbr@cipherdyne.org
Subject: Re: [PATCH]: Keep the "state" match as alias [Re: state match is obsolete 1.4.17]
Date: Wed, 23 Jan 2013 11:08:45 +0100 [thread overview]
Message-ID: <20130123100845.GA31972@1984> (raw)
In-Reply-To: <alpine.DEB.2.00.1301230936030.2373@blackhole.kfki.hu>
On Wed, Jan 23, 2013 at 10:00:19AM +0100, Jozsef Kadlecsik wrote:
> On Wed, 23 Jan 2013, Pablo Neira Ayuso wrote:
>
> > On Tue, Jan 22, 2013 at 10:47:35PM +0100, Jozsef Kadlecsik wrote:
> > > On Fri, 18 Jan 2013, Pablo Neira Ayuso wrote:
> > >
> > > > On Tue, Jan 15, 2013 at 06:28:11PM +0100, Jozsef Kadlecsik wrote:
> > > > > On Tue, 15 Jan 2013, Jozsef Kadlecsik wrote:
> > > > >
> > > > > > With passing one more internal flag, indicating that the "state" alias is
> > > > > > used, the "conntrack" module can remain completely hidden and the user can
> > > > > > list/save exactly the same command as the issued one.
> > > > >
> > > > > Here follows the patch which introduces match module aliases (the same can
> > > > > be done for targets as well). The alias is handled as it were a real
> > > > > extension while it's actually handled by another module. Listing/saving
> > > > > keeps the alias name and options.
> > > > >
> > > > > The "state" extension is the first example of such an alias.
> > > >
> > > > I like this symmetrical aliasing approach.
> > > >
> > > > The aim is to get rid of redundant things in the kernel. And with
> > > > this, we can get that without disturbing users.
> > > >
> > > > Would you do the same for the NOTRACK target?
> > >
> > > Yes, but looking through the modules, I see a lot of inconsistencies: in
> > > listing match names capitalized, some match/target doesn't print its name,
> > > missing whitespaces, etc.
> > >
> > > I'm going to fix those, but quite a lot of simplification could be
> > > achieved if the options at listing and saving could be generated by the
> > > same function in a match/target. Like instead of
> > >
> > > ttl match TTL == xxx
> > >
> > > I propose to list the match as
> > >
> > > ttl eq xxx
> > >
> > > (That is generate listings by striping off the dashes and the match/target
> > > name prefix from the options.)
> > >
> > > The question is: do we have a "stable API" in listings, at this level?
> >
> > I remember that, while discussing nfacct, some people mentioned that
> > they were using scripts to parse iptables -L -n to digest counters.
>
> The counters part is not affected.
>
> > I have also found some perl extension [1] that parses `iptables -L -n'
> > output.
> >
> > [1] http://search.cpan.org/dist/IPTables-Parse/
>
> Sigh. Why 'iptables -L -n' is used and not 'iptables-save -c'?
Good question :-). I don't have an answer for that, probably the
author.
> Looking at the perl module, the proposed changes would break the parsing
> of the options of the SNAT/DNAT targets. It'd be not hard to prepare the
> module to handle current/proposed formats.
Yes. That will fix that module for latest iptables, but would still
break with old iptables versions unless you add some workaround to
that script.
Don't get me wrong, I don't like those inconsistencies either. We have
to decide if we care to likely break existing applications parsing
iptables -L -n.
next prev parent reply other threads:[~2013-01-23 10:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAMD-=V+PhM3NLpWyxB0G4KUN6D+-XKL0PZCBAuyUXUw56gmuJw@mail.gmail.com>
[not found] ` <alpine.LNX.2.01.1301150958390.16853@nerf07.vanv.qr>
[not found] ` <50F5273F.5020205@inliniac.net>
2013-01-15 10:06 ` state match is obsolete 1.4.17 Jozsef Kadlecsik
2013-01-15 12:06 ` Born Without
2013-01-15 12:49 ` Jan Engelhardt
2013-01-15 13:22 ` Jozsef Kadlecsik
2013-01-15 13:53 ` Jan Engelhardt
2013-01-15 14:49 ` Jozsef Kadlecsik
2013-01-15 17:28 ` [PATCH]: Keep the "state" match as alias [Re: state match is obsolete 1.4.17] Jozsef Kadlecsik
2013-01-18 0:28 ` Pablo Neira Ayuso
2013-01-22 21:47 ` Jozsef Kadlecsik
2013-01-22 21:58 ` Jan Engelhardt
2013-01-23 9:06 ` Jozsef Kadlecsik
2013-01-23 3:03 ` Pablo Neira Ayuso
2013-01-23 9:00 ` Jozsef Kadlecsik
2013-01-23 10:08 ` Pablo Neira Ayuso [this message]
[not found] ` <CAMD-=V+p0gv+amQearBpGPD0q3zALUEfQj6xCoTTg197jN3_5A@mail.gmail.com>
2013-01-16 0:11 ` state match is obsolete 1.4.17 Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130123100845.GA31972@1984 \
--to=pablo@netfilter.org \
--cc=jengelh@inai.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=lists@inliniac.net \
--cc=mbr@cipherdyne.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=nick.z.edwards@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).