* [PATCH 1/3] Introduce match/target aliases
From: Jozsef Kadlecsik @ 2013-01-28 20:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
The match/target alias allows us to support the syntax of matches and targets
that have been merged into other matches/targets.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/xtables.h | 16 ++++++++++++++++
iptables/ip6tables.c | 34 ++++++++++++++++++----------------
iptables/iptables.c | 34 ++++++++++++++++++----------------
3 files changed, 52 insertions(+), 32 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 75de958..c35a6e6 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -201,6 +201,10 @@ struct xtables_lmap {
struct xtables_lmap *next;
};
+enum xtables_ext_flags {
+ XTABLES_EXT_ALIAS = 1 << 0,
+};
+
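Review bot: XTABLES_EXT_ALIAS carries no comment saying what marking an extension as an alias changes, and the only consumer visible in this series is the notice suppression in command_jump/command_match. A one-line comment on the enumerator would save the next reader a grep: `XTABLES_EXT_ALIAS = 1 << 0, /* extension is a pure alias of .real_name; no conversion notice is printed */`. Since the field it lands in is declared u_int8_t, it is also worth stating that only eight flag bits are available.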
/* Include file for additions: new matches and targets. */
struct xtables_match
{
@@ -218,6 +222,9 @@ struct xtables_match
/* Revision of match (0 by default). */
u_int8_t revision;
+ /* Extension flags */
+ u_int8_t ext_flags;
+
u_int16_t family;
/* Size of match data. */
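Review bot: Inserting ext_flags between revision and family shifts the offset of every later member of struct xtables_match, which is the registration ABI shared with separately built extensions; the same applies to the ext_flags and alias insertions in the other three xtables.h hunks. Whether that is safe depends on registration comparing .version against XTABLES_VERSION, so this needs an XTABLES_VERSION bump in the same release (or the new members appended at the end of the structs), and I cannot see from the patch that either is done. A comment such as `/* Extension flags, see enum xtables_ext_flags */` on the field would also point readers at the flag definitions.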
@@ -251,6 +258,9 @@ struct xtables_match
/* ip is struct ipt_ip * for example */
void (*save)(const void *ip, const struct xt_entry_match *match);
+ /* Print match name or alias */
+ const char *(*alias)(const struct xt_entry_match *match);
+
/* Pointer to list of extra command-line options */
const struct option *extra_opts;
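Review bot: The comment on the new alias member says "Print match name or alias", but the callback returns the name rather than printing it, and the same wording is used for the target hook in the later xtables_target hunk. Suggest `/* Return the name to emit for this match: the alias in use, else the real name. Must not return NULL. */` for both. The NULL part matters because print_match_save and print_rule hand the result straight to printf with %s.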
@@ -289,6 +299,9 @@ struct xtables_target
/* Revision of target (0 by default). */
u_int8_t revision;
+ /* Extension flags */
+ u_int8_t ext_flags;
+
u_int16_t family;
@@ -322,6 +335,9 @@ struct xtables_target
void (*save)(const void *ip,
const struct xt_entry_target *target);
+ /* Print target name or alias */
+ const char *(*alias)(const struct xt_entry_target *target);
+
/* Pointer to list of extra command-line options */
const struct option *extra_opts;
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 556647f..4cfbea3 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1000,7 +1000,8 @@ static int print_match_save(const struct xt_entry_match *e,
xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL);
if (match) {
- printf(" -m %s", e->u.user.name);
+ printf(" -m %s",
+ match->alias ? match->alias(e) : e->u.user.name);
/* some matches don't provide a save function */
if (match->save)
@@ -1089,16 +1090,8 @@ void print_rule6(const struct ip6t_entry *e,
if (counters < 0)
printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
- /* Print target name */
+ /* Print target name and targinfo part */
target_name = ip6tc_get_target(e, h);
- if (target_name && (*target_name != '\0'))
-#ifdef IP6T_F_GOTO
- printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
-#else
- printf(" -j %s", target_name);
-#endif
-
- /* Print targinfo part */
t = ip6t_get_target((struct ip6t_entry *)e);
if (t->u.user.name[0]) {
struct xtables_target *target =
@@ -1110,6 +1103,7 @@ void print_rule6(const struct ip6t_entry *e,
exit(1);
}
+ printf(" -j %s", target->alias ? target->alias(t) : target_name);
if (target->save)
target->save(&e->ipv6, t);
else {
@@ -1124,7 +1118,13 @@ void print_rule6(const struct ip6t_entry *e,
exit(1);
}
}
- }
+ } else if (target_name && (*target_name != '\0'))
+#ifdef IP6T_F_GOTO
+ printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
+#else
+ printf(" -j %s", target_name);
+#endif
+
printf("\n");
}
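Review bot: The `else if (target_name && (*target_name != '\0'))` body is a single unbraced statement chosen by `#ifdef IP6T_F_GOTO`/`#else`, and the blank line before `printf("\n")` makes it easy to misread what the condition governs; the iptables.c counterpart in print_rule4 has the same shape. Bracing the body, `} else if (target_name && (*target_name != '\0')) {` … `}`, keeps the preprocessor split inside one block. A comment on that branch such as `/* no extension data: chain or verdict target, the only case where -g applies */` would also record why the goto form is no longer considered for extension targets, which as far as I can tell is intended. print_rule6 starts before this hunk.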
@@ -1229,9 +1229,10 @@ static void command_jump(struct iptables_command_state *cs)
strcpy(cs->target->t->u.user.name, cs->jumpto);
} else {
strcpy(cs->target->t->u.user.name, cs->target->real_name);
- fprintf(stderr, "WARNING: The %s target is obsolete. "
- "Use %s instead.\n",
- cs->jumpto, cs->target->real_name);
+ if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s target is converted into %s target "
+ "in rule listing and saving.\n",
+ cs->jumpto, cs->target->real_name);
}
cs->target->t->u.user.revision = cs->target->revision;
@@ -1265,8 +1266,9 @@ static void command_match(struct iptables_command_state *cs)
strcpy(m->m->u.user.name, m->name);
} else {
strcpy(m->m->u.user.name, m->real_name);
- fprintf(stderr, "WARNING: The %s match is obsolete. "
- "Use %s instead.\n", m->name, m->real_name);
+ if (!(m->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s match is converted into %s match "
+ "in rule listing and saving.\n", m->name, m->real_name);
}
m->m->u.user.revision = m->revision;
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 00e3f01..085eea1 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -991,7 +991,8 @@ static int print_match_save(const struct xt_entry_match *e,
xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL);
if (match) {
- printf(" -m %s", e->u.user.name);
+ printf(" -m %s",
+ match->alias ? match->alias(e) : e->u.user.name);
/* some matches don't provide a save function */
if (match->save)
@@ -1080,16 +1081,8 @@ void print_rule4(const struct ipt_entry *e,
if (counters < 0)
printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
- /* Print target name */
+ /* Print target name and targinfo part */
target_name = iptc_get_target(e, h);
- if (target_name && (*target_name != '\0'))
-#ifdef IPT_F_GOTO
- printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
-#else
- printf(" -j %s", target_name);
-#endif
-
- /* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
const struct xtables_target *target =
@@ -1101,6 +1094,7 @@ void print_rule4(const struct ipt_entry *e,
exit(1);
}
+ printf(" -j %s", target->alias ? target->alias(t) : target_name);
if (target->save)
target->save(&e->ip, t);
else {
@@ -1115,7 +1109,13 @@ void print_rule4(const struct ipt_entry *e,
exit(1);
}
}
- }
+ } else if (target_name && (*target_name != '\0'))
+#ifdef IPT_F_GOTO
+ printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
+#else
+ printf(" -j %s", target_name);
+#endif
+
printf("\n");
}
@@ -1222,9 +1222,10 @@ static void command_jump(struct iptables_command_state *cs)
} else {
/* Alias support for userspace side */
strcpy(cs->target->t->u.user.name, cs->target->real_name);
- fprintf(stderr, "WARNING: The %s target is obsolete. "
- "Use %s instead.\n",
- cs->jumpto, cs->target->real_name);
+ if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s target is converted into %s target "
+ "in rule listing and saving.\n",
+ cs->jumpto, cs->target->real_name);
}
cs->target->t->u.user.revision = cs->target->revision;
@@ -1259,8 +1260,9 @@ static void command_match(struct iptables_command_state *cs)
strcpy(m->m->u.user.name, m->name);
} else {
strcpy(m->m->u.user.name, m->real_name);
- fprintf(stderr, "WARNING: The %s match is obsolete. "
- "Use %s instead.\n", m->name, m->real_name);
+ if (!(m->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: the %s match is converted into %s match "
+ "in rule listing and saving.\n", m->name, m->real_name);
}
m->m->u.user.revision = m->revision;
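Review bot: The new notice reads `"Notice: the %s match is converted into %s match "` here, but `"Notice: The %s match ..."` in the ip6tables.c counterpart and `"Notice: The %s target ..."` in command_jump above, so anyone matching stderr will see two spellings of the same message. Suggest `"Notice: The %s match is converted into %s match "`. command_match starts before the hunk.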
--
1.7.0.4
* [PATCH 2/3] Add the "state" alias to the "conntrack" match
From: Jozsef Kadlecsik @ 2013-01-28 20:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
extensions/libxt_conntrack.c | 27 ++++++++++++++++++++++++---
extensions/libxt_state.man | 2 +-
include/linux/netfilter/xt_conntrack.h | 1 +
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index c37f14d..f7704eb 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -801,7 +801,9 @@ conntrack_dump(const struct xt_conntrack_mtinfo3 *info, const char *prefix,
if (info->match_flags & XT_CONNTRACK_STATE) {
if (info->invert_flags & XT_CONNTRACK_STATE)
printf(" !");
- printf(" %sctstate", prefix);
+ printf(" %s%s", prefix,
+ info->match_flags & XT_CONNTRACK_STATE_ALIAS
+ ? "state" : "ctstate");
print_state(info->state_mask);
}
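Review bot: The "state"/"ctstate" choice here and the "state"/"conntrack" choice in conntrack_print_name_alias both key off XT_CONNTRACK_STATE_ALIAS, and a saved rule only restores if the two agree (`-m state --ctstate` would not parse). A short comment tying them together would help, e.g. `/* keep in sync with conntrack_print_name_alias: the alias form must be restored as -m state --state */`. conntrack_dump starts before this hunk.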
@@ -902,6 +904,15 @@ conntrack_dump(const struct xt_conntrack_mtinfo3 *info, const char *prefix,
}
}
+static const char *
+conntrack_print_name_alias(const struct xt_entry_match *match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+
+ return info->match_flags & XT_CONNTRACK_STATE_ALIAS
+ ? "state" : "conntrack";
+}
+
static void conntrack_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
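Review bot: `struct xt_conntrack_mtinfo1 *info = (void *)match->data;` silently casts away the const of the match argument for a read-only access; `const struct xt_conntrack_mtinfo1 *info = (const void *)match->data;` keeps the qualifier. The function is also registered for the revision 2 and 3 entries, so it relies on match_flags sitting at the same offset in mtinfo1, mtinfo2 and mtinfo3; that appears to hold today, but a comment stating the assumption would protect against a future layout change.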
@@ -1083,7 +1094,7 @@ static void state_ct1_parse(struct xt_option_call *cb)
struct xt_conntrack_mtinfo1 *sinfo = cb->data;
xtables_option_parse(cb);
- sinfo->match_flags = XT_CONNTRACK_STATE;
+ sinfo->match_flags = XT_CONNTRACK_STATE | XT_CONNTRACK_STATE_ALIAS;
sinfo->state_mask = state_parse_states(cb->arg);
if (cb->invert)
sinfo->invert_flags |= XT_CONNTRACK_STATE;
@@ -1094,7 +1105,7 @@ static void state_ct23_parse(struct xt_option_call *cb)
struct xt_conntrack_mtinfo3 *sinfo = cb->data;
xtables_option_parse(cb);
- sinfo->match_flags = XT_CONNTRACK_STATE;
+ sinfo->match_flags = XT_CONNTRACK_STATE | XT_CONNTRACK_STATE_ALIAS;
sinfo->state_mask = state_parse_states(cb->arg);
if (cb->invert)
sinfo->invert_flags |= XT_CONNTRACK_STATE;
@@ -1158,6 +1169,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack_print,
.save = conntrack_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack_mt_opts_v0,
},
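Review bot: This entry looks like the revision-0 conntrack match (its handlers are conntrack_print/conntrack_save and conntrack_mt_opts_v0), whose data is the old struct xt_conntrack_info rather than xt_conntrack_mtinfo1, yet it now gets `.alias = conntrack_print_name_alias`, which reads match_flags at the mtinfo1 offset. On a revision-0 rule that reads unrelated bytes of the old structure, and if the alias bit happens to be set there the rule is saved as `-m state` followed by conntrack v0 options that `-m state` cannot parse. Unless I misread which entry this is (its .name/.revision lines are outside the hunk), the `.alias` line should be dropped here and kept only on the mtinfo1/2/3 entries.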
{
@@ -1172,6 +1184,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt4_print,
.save = conntrack1_mt4_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1186,6 +1199,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt6_print,
.save = conntrack1_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1200,6 +1214,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt_print,
.save = conntrack2_mt_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1214,6 +1229,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt6_print,
.save = conntrack2_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1228,6 +1244,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt_print,
.save = conntrack3_mt_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack3_mt_opts,
},
{
@@ -1242,6 +1259,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt6_print,
.save = conntrack3_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack3_mt_opts,
},
{
@@ -1249,6 +1267,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.name = "state",
.real_name = "conntrack",
.revision = 1,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
@@ -1261,6 +1280,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.name = "state",
.real_name = "conntrack",
.revision = 2,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
@@ -1273,6 +1293,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.name = "state",
.real_name = "conntrack",
.revision = 3,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
diff --git a/extensions/libxt_state.man b/extensions/libxt_state.man
index bd60468..ec096ca 100644
--- a/extensions/libxt_state.man
+++ b/extensions/libxt_state.man
@@ -1,4 +1,4 @@
-The "state" module is an obsolete version of "conntrack".
+The "state" extension is a subset of the "conntrack" module.
"state" allows access to the connection tracking state for this packet.
.TP
[\fB!\fP] \fB\-\-state\fP \fIstate\fP
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 74b904d..e971501 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -30,6 +30,7 @@ enum {
XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
XT_CONNTRACK_REPLDST_PORT = 1 << 11,
XT_CONNTRACK_DIRECTION = 1 << 12,
+ XT_CONNTRACK_STATE_ALIAS = 1 << 13,
};
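Review bot: XT_CONNTRACK_STATE_ALIAS is a userspace presentation bit, yet it lives in match_flags, which travels to the kernel with the rule, and this header mirrors the kernel UAPI one. Please document that in place, e.g. `XT_CONNTRACK_STATE_ALIAS = 1 << 13, /* userspace only: rule was given as -m state */`, and make sure the kernel copy of the header reserves the same value so a later kernel that validates match_flags does not start rejecting these rules.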
struct xt_conntrack_mtinfo1 {
--
1.7.0.4
* [PATCH 3/3] Add the "NOTRACK" alias to the "CT" target
From: Jozsef Kadlecsik @ 2013-01-28 20:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
extensions/libxt_CT.c | 48 +++++++++++++++++++++++++++++++++++++++
extensions/libxt_NOTRACK.man | 4 +-
include/linux/netfilter/xt_CT.h | 5 +++-
3 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index a576a95..dbafea9 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -191,6 +191,10 @@ ct_print_v1(const void *ip, const struct xt_entry_target *target, int numeric)
const struct xt_ct_target_info_v1 *info =
(const struct xt_ct_target_info_v1 *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS) {
+ printf (" NOTRACK");
+ return;
+ }
printf(" CT");
if (info->flags & XT_CT_NOTRACK)
printf(" notrack");
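Review bot: `printf (" NOTRACK");` has a space before the parenthesis that the neighbouring `printf(" CT");` does not; `printf(" NOTRACK");`. The early return also means -L shows nothing about helper, timeout or zone for an alias rule, which is fine as long as those cannot be combined with the alias; the NOTRACK revision-2 entry has no options, so that seems to hold, but a comment `/* NOTRACK alias: no options to show */` would record it. ct_print_v1 starts before the hunk.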
@@ -213,6 +217,8 @@ static void ct_save(const void *ip, const struct xt_entry_target *target)
const struct xt_ct_target_info *info =
(const struct xt_ct_target_info *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS)
+ return;
if (info->flags & XT_CT_NOTRACK)
printf(" --notrack");
if (info->helper[0])
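Review bot: The XT_CT_NOTRACK_ALIAS early return in ct_save (revision 0) appears unreachable from this patch: the only code setting the bit is notrack_ct2_tg_init, which fills a revision-2 xt_ct_target_info_v1, and the cover letter says the existing kernel revisions reject unknown flag bits. Either drop it or say why it is kept, e.g. `/* alias bit is only accepted by revision 2; checked here defensively */`; the same check in ct_save_v1 at the next hunk is the one that actually serves the alias. ct_save starts before this hunk.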
@@ -232,6 +238,8 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
const struct xt_ct_target_info_v1 *info =
(const struct xt_ct_target_info_v1 *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS)
+ return;
if (info->flags & XT_CT_NOTRACK)
printf(" --notrack");
if (info->helper[0])
@@ -248,6 +256,14 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
printf(" --zone %u", info->zone);
}
+static const char *
+ct_print_name_alias(const struct xt_entry_target *target)
+{
+ struct xt_ct_target_info *info = (void *)target->data;
+
+ return info->flags & XT_CT_NOTRACK_ALIAS ? "NOTRACK" : "CT";
+}
+
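Review bot: ct_print_name_alias is registered on the revision-2 entry whose data is struct xt_ct_target_info_v1, but it reads the blob as struct xt_ct_target_info and drops the const of target on the way. That works only because flags is the leading member of both structs, which the hunk does not state; `const struct xt_ct_target_info_v1 *info = (const void *)target->data;` would match the entry it serves and keep the qualifier.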
static void notrack_ct0_tg_init(struct xt_entry_target *target)
{
struct xt_ct_target_info *info = (void *)target->data;
@@ -262,6 +278,13 @@ static void notrack_ct1_tg_init(struct xt_entry_target *target)
info->flags = XT_CT_NOTRACK;
}
+static void notrack_ct2_tg_init(struct xt_entry_target *target)
+{
+ struct xt_ct_target_info_v1 *info = (void *)target->data;
+
+ info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
+}
+
static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
@@ -289,6 +312,20 @@ static struct xtables_target ct_target_reg[] = {
.x6_options = ct_opts_v1,
},
{
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+ .revision = 2,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .help = ct_help_v1,
+ .print = ct_print_v1,
+ .save = ct_save_v1,
+ .alias = ct_print_name_alias,
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
+ {
.family = NFPROTO_UNSPEC,
.name = "NOTRACK",
.real_name = "CT",
@@ -311,6 +348,17 @@ static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
.name = "NOTRACK",
+ .real_name = "CT",
+ .revision = 2,
+ .ext_flags = XTABLES_EXT_ALIAS,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .init = notrack_ct2_tg_init,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
.revision = 0,
.version = XTABLES_VERSION,
},
diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man
index 633b965..4302b93 100644
--- a/extensions/libxt_NOTRACK.man
+++ b/extensions/libxt_NOTRACK.man
@@ -1,3 +1,3 @@
-This target disables connection tracking for all packets matching that rule.
-It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
+This extension disables connection tracking for all packets matching that rule.
+It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
the \fBraw\fP table.
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index a064b8a..54528fd 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -3,7 +3,10 @@
#include <linux/types.h>
-#define XT_CT_NOTRACK 0x1
+enum {
+ XT_CT_NOTRACK = 1 << 0,
+ XT_CT_NOTRACK_ALIAS = 1 << 1,
+};
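Review bot: XT_CT_NOTRACK_ALIAS has no note saying which target revision accepts it, although per the cover letter revisions 0 and 1 reject unknown flag bits and the new revision-2 entry in libxt_CT.c exists only for this bit. Suggest `XT_CT_NOTRACK_ALIAS = 1 << 1, /* rule was given as -j NOTRACK; only accepted by CT revision 2 */`, and keep the value in sync with the kernel header this file mirrors.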
struct xt_ct_target_info {
__u16 flags;
--
1.7.0.4
* Re: [PATCH 0/3] Introduce aliases for matches and targets
From: Pablo Neira Ayuso @ 2013-01-30 20:56 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
Hi Jozsef,
On Mon, Jan 28, 2013 at 09:32:52PM +0100, Jozsef Kadlecsik wrote:
> The next patches introduce the alias support for matches and targets in
> iptables. The goal is to keep the old syntax of matches/targets merged
> into "super" matches/targets. This way firewall scripts can run unmodified,
> using the old extensions.
>
> The NOTRACK alias requires a new revision of the CT target (flags are checked
> in the current revision). Next follows the kernel part of the patches. Until
> the new revision is missing, instead of the warning, a notice is printed
> to the users.
I'm proposing a new version for the CT target. I have wanted to merge the
common code of revisions 0 and 1 for some time; the patch adding the new
flag then follows on top of that.
> Please comment/ACK the patches.
I like this.
* Re: [PATCH 0/3] Introduce aliases for matches and targets
From: Jozsef Kadlecsik @ 2013-01-30 21:05 UTC (permalink / raw)
To: netfilter-devel
Hi Pablo,
On Mon, 28 Jan 2013, Jozsef Kadlecsik wrote:
> The next patches introduce the alias support for matches and targets in
> iptables. The goal is to keep the old syntax of matches/targets merged
> into "super" matches/targets. This way firewall scripts can run unmodified,
> using the old extensions.
>
> The NOTRACK alias requires a new revision of the CT target (flags are checked
> in the current revision). Next follows the kernel part of the patches. Until
> the new revision is missing, instead of the warning, a notice is printed
> to the users.
>
> Please comment/ACK the patches.
Is it OK then to apply these patches in the git tree of iptables?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
* Re: [PATCH 0/3] Introduce aliases for matches and targets
From: Pablo Neira Ayuso @ 2013-01-30 23:43 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
On Wed, Jan 30, 2013 at 10:05:19PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> On Mon, 28 Jan 2013, Jozsef Kadlecsik wrote:
>
> > The next patches introduce the alias support for matches and targets in
> > iptables. The goal is to keep the old syntax of matches/targets merged
> > into "super" matches/targets. This way firewall scripts can run unmodified,
> > using the old extensions.
> >
> > The NOTRACK alias requires a new revision of the CT target (flags are checked
> > in the current revision). Next follows the kernel part of the patches. Until
> > the new revision is missing, instead of the warning, a notice is printed
> > to the users.
> >
> > Please comment/ACK the patches.
>
> Is it OK then to apply these patches in the git tree of iptables?
You can apply the basic symmetric aliasing infrastructure plus the
state match to the stable branch.
The aliasing for the CT target would have to wait in the next branch
of iptables until 3.9-rc1 is released.
Thanks Jozsef.
* Re: [PATCH 0/3] Introduce aliases for matches and targets
From: Jozsef Kadlecsik @ 2013-01-31 19:40 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Thu, 31 Jan 2013, Pablo Neira Ayuso wrote:
> On Wed, Jan 30, 2013 at 10:05:19PM +0100, Jozsef Kadlecsik wrote:
> > Hi Pablo,
> >
> > On Mon, 28 Jan 2013, Jozsef Kadlecsik wrote:
> >
> > > The next patches introduce the alias support for matches and targets in
> > > iptables. The goal is to keep the old syntax of matches/targets merged
> > > into "super" matches/targets. This way firewall scripts can run unmodified,
> > > using the old extensions.
> > >
> > > The NOTRACK alias requires a new revision of the CT target (flags are checked
> > > in the current revision). Next follows the kernel part of the patches. Until
> > > the new revision is missing, instead of the warning, a notice is printed
> > > to the users.
> > >
> > > Please comment/ACK the patches.
> >
> > Is it OK then to apply these patches in the git tree of iptables?
>
> You can apply the basic symmetric aliasing infrastructure plus the
> state match to the stable branch.
>
> The aliasing for the CT target would have to wait in the next branch
> of iptables until 3.9-rc1 is released.
The patches are applied except the last one for the CT target.
Best regards
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary