From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Leblond <eric@regit.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: REJECT: separate reusable code
Date: Fri, 20 Dec 2013 10:50:59 +0100 [thread overview]
Message-ID: <20131220095059.GA13371@localhost> (raw)
In-Reply-To: <1386834281-28347-2-git-send-email-eric@regit.org>
Hi Eric,
Some comments on this patch.
On Thu, Dec 12, 2013 at 08:44:40AM +0100, Eric Leblond wrote:
> This patch prepares the addition of TCP reset support in
> the nft_reject module by moving reusable code into a header
> file.
>
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
> include/net/netfilter/nf_reject.h | 297 ++++++++++++++++++++++++++++++++++++++
> net/ipv4/netfilter/ipt_REJECT.c | 124 +---------------
> net/ipv6/netfilter/ip6t_REJECT.c | 177 +----------------------
> 3 files changed, 307 insertions(+), 291 deletions(-)
> create mode 100644 include/net/netfilter/nf_reject.h
>
> diff --git a/include/net/netfilter/nf_reject.h b/include/net/netfilter/nf_reject.h
> new file mode 100644
> index 0000000..0bb089a
> --- /dev/null
> +++ b/include/net/netfilter/nf_reject.h
> @@ -0,0 +1,297 @@
> +#ifndef _NF_REJECT_H
> +#define _NF_REJECT_H
> +
> +#include <net/ip.h>
> +#include <net/tcp.h>
> +#include <net/route.h>
> +#include <net/dst.h>
> +
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +#include <net/ipv6.h>
> +#include <net/ip6_route.h>
> +#include <linux/netfilter_ipv6.h>
> +#endif
> +
> +static inline void send_unreach(struct sk_buff *skb_in, int code)
> +{
> + icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
> +}
> +
> +/* Send RST reply */
> +static inline void send_reset(struct sk_buff *oldskb, int hook)
I think that this function is too large to use the inline approach
that we have used in nft_queue. I've been considering moving this
common code to a different module and export these symbols but I
don't find a nice way to make it.
So my suggestion is to have two different include files:
include/net/netfilter/ipv4/nf_reject.h, that contains:
static inline void send_unreach(...
static void send_reset(...
that you can include from ipt_REJECT and nft_reject.
And include/net/netfilter/ipv6/nf_reject.h, that contains:
static inline void send_unreach6(...
static void send_reset6(...
that you can include from ip6t_REJECT and nft_reject.
While at it, it is probably good to prepend the prefix nf_ to those
functions.
Let me know if you have any concern with this approach.
next prev parent reply other threads:[~2013-12-20 9:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-11 0:42 [RFC PATCH 0/2] nft: improve reject support Eric Leblond
2013-12-11 0:42 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-11 0:42 ` [PATCH 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-12 7:44 ` [RFC PATCH 0/2] nft: finish reject support Eric Leblond
2013-12-12 7:44 ` [PATCH 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-20 9:50 ` Pablo Neira Ayuso [this message]
2013-12-27 14:51 ` Eric Leblond
2013-12-29 11:28 ` [RFC PATCHv3 finish reject support] Eric Leblond
2013-12-29 11:28 ` [RFC PATCHv3 1/2] netfilter: REJECT: separate reusable code Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-29 11:28 ` [RFC PATCHv3 2/2] netfilter: nft: reject support for IPv6 and TCP reset Eric Leblond
2013-12-30 17:18 ` Pablo Neira Ayuso
2013-12-12 7:44 ` [PATCH " Eric Leblond
2013-12-12 7:55 ` Tomasz Bursztyka
2013-12-12 7:57 ` Tomasz Bursztyka
2013-12-12 8:14 ` Eric Leblond
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131220095059.GA13371@localhost \
--to=pablo@netfilter.org \
--cc=eric@regit.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).