From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Development Mailing list <netfilter-devel@vger.kernel.org>
Subject: Re: [libnftables PATCH v2] ct: fix key and dir requirements
Date: Thu, 16 Jan 2014 22:22:24 +0100 [thread overview]
Message-ID: <20140116212224.GA27510@localhost> (raw)
In-Reply-To: <CAOkSjBhOb=Z_-KDfpmRko7Vi-U4QVhYUJwkJ1FbDpLjEVD3teA@mail.gmail.com>
On Thu, Jan 16, 2014 at 09:46:17PM +0100, Arturo Borrero Gonzalez wrote:
> On 16 January 2014 19:05, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > The kernel will complain if we pass invalid combinations, I don't want
> > to have this early validation code in the library.
> >
>
> The problem is that as far as I've tested, the kernel unconditionally
> returns 'dir' [0].
Then I think we have to fix the kernel, it should not dump an
attribute that we don't need. I can see that nft is currently not
using the direction at all, so such change should not break anything.
> If we print in XML/JSON the data obtained from the kernel, <dir> is
> also printed, while it may be totally undesirable (for example, for a
> latter parsing of that XML/JSON meant to be resended to the kernel).
> I think we need this check, in libnftables or nft.
>
> I don't see the point of allowing such a disruptive combination of attributes.
I agree those combinations don't make sense, but let just the kernel
bail out when we pass invalid combinations. Otherwise, the library
makes internal decisions that we simply cannot change as we'll have
3rd party userspace application relying on it. And we may want to
extend the kernel behaviour in some way that may clash with old
libraries. Really, we have to avoid this, it's just troubles in the
long run.
On the other hand, we should also make sure that the information that
we get from the kernel can be reinjected without troubles. So if you
note similar issues, please report them.
> We already have similar checks in other objects to disallow invalid
> combinations, see [1] [2].
>
> What do you think?
>
> >
> > Not related to this patch, but better I prefer if you use:
> > nft_rule_expr_set_u8(...) instead of these two lines above.
> >
>
> I agree. But I think it would be better if all ops are of the same kind.
Agreed.
> So I will patch all non-shorcuts ops like this all around libnftables,
> unless you say otherwise, before this patch.
That will be a large patch, I guess. I prefer if you hold on with that
cleanup until we have released the first version which is coming soon.
Please, focus on fixes at this stage.
next prev parent reply other threads:[~2014-01-16 21:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-15 18:20 [libnftables PATCH v2] ct: fix key and dir requirements Arturo Borrero Gonzalez
2014-01-16 18:05 ` Pablo Neira Ayuso
2014-01-16 20:46 ` Arturo Borrero Gonzalez
2014-01-16 21:22 ` Pablo Neira Ayuso [this message]
2014-01-16 22:46 ` Arturo Borrero Gonzalez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140116212224.GA27510@localhost \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).