[PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero
@ 2016-07-18 14:14 Liping Zhang
  2016-07-18 14:14 ` [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified Liping Zhang
  2016-07-19 18:17 ` [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Pablo Neira Ayuso
  0 siblings, 2 replies; 5+ messages in thread
From: Liping Zhang @ 2016-07-18 14:14 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <liping.zhang@spreadtrum.com>

The following iptables rules have the different semantics:
  # iptables -A INPUT -j NFLOG
  # iptables -A INPUT -j NFLOG --nflog-size 0

But they are all displayed as "-A INPUT -j NFLOG", so if
the user input the following commands, the original semantics
will be broken.
  # iptables-save | iptables-restore

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_NFLOG.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index 8c67066..a747951 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -83,7 +83,7 @@ static void nflog_print(const struct xt_nflog_info *info, char *prefix)
 	}
 	if (info->group)
 		printf(" %snflog-group %u", prefix, info->group);
-	if (info->len && info->flags & XT_NFLOG_F_COPY_LEN)
+	if (info->flags & XT_NFLOG_F_COPY_LEN)
 		printf(" %snflog-size %u", prefix, info->len);
 	else if (info->len)
 		printf(" %snflog-range %u", prefix, info->len);
-- 
2.5.5



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
  2016-07-18 14:14 [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Liping Zhang
@ 2016-07-18 14:14 ` Liping Zhang
  2016-07-19 18:17   ` Pablo Neira Ayuso
  2016-07-19 18:17 ` [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Pablo Neira Ayuso
  1 sibling, 1 reply; 5+ messages in thread
From: Liping Zhang @ 2016-07-18 14:14 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Liping Zhang

From: Liping Zhang <liping.zhang@spreadtrum.com>

The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
libxt_NFLOG: nflog-range does not truncate packets"). Then make
the nflog-range become deprecated, because it has no effect from
the beginning.

So when we do translation, nft log snaplen is translated only if the
nflog-size is specified.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
---
 extensions/libxt_NFLOG.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index a747951..dad83f6 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -112,7 +112,7 @@ static void nflog_print_xlate(const struct xt_nflog_info *info,
 	xt_xlate_add(xl, "log ");
 	if (info->prefix[0] != '\0')
 		xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
-	if (info->len)
+	if (info->flags & XT_NFLOG_F_COPY_LEN)
 		xt_xlate_add(xl, "snaplen %u ", info->len);
 	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
 		xt_xlate_add(xl, "queue-threshold %u ", info->threshold);
-- 
2.5.5



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified
  2016-07-18 14:14 ` [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified Liping Zhang
@ 2016-07-19 18:17   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2016-07-19 18:17 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Mon, Jul 18, 2016 at 10:14:28PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
> libxt_NFLOG: nflog-range does not truncate packets"). Then make
> the nflog-range become deprecated, because it has no effect from
> the beginning.
> 
> So when we do translation, nft log snaplen is translated only if the
> nflog-size is specified.

Applied, thanks.

So the only chunk missing is userspace nftables, basically set the new
flag when snaplen is set.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero
  2016-07-18 14:14 [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Liping Zhang
  2016-07-18 14:14 ` [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified Liping Zhang
@ 2016-07-19 18:17 ` Pablo Neira Ayuso
  2016-07-19 22:48   ` Liping Zhang
  1 sibling, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2016-07-19 18:17 UTC (permalink / raw)
  To: Liping Zhang; +Cc: netfilter-devel, Liping Zhang

On Mon, Jul 18, 2016 at 10:14:27PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> The following iptables rules have the different semantics:
>   # iptables -A INPUT -j NFLOG
>   # iptables -A INPUT -j NFLOG --nflog-size 0
> 
> But they are all displayed as "-A INPUT -j NFLOG", so if
> the user input the following commands, the original semantics
> will be broken.
>   # iptables-save | iptables-restore

Applied, thanks.

Would you also send me a patch to add a test to libxt_NFLOG.t so we
make sure this problem never comes back again?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero
  2016-07-19 18:17 ` [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Pablo Neira Ayuso
@ 2016-07-19 22:48   ` Liping Zhang
  0 siblings, 0 replies; 5+ messages in thread
From: Liping Zhang @ 2016-07-19 22:48 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Liping Zhang

At 2016-07-20 02:17:15, "Pablo Neira Ayuso" <pablo@netfilter.org> wrote:
>On Mon, Jul 18, 2016 at 10:14:27PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <liping.zhang@spreadtrum.com>
>> 
>> The following iptables rules have the different semantics:
>>   # iptables -A INPUT -j NFLOG
>>   # iptables -A INPUT -j NFLOG --nflog-size 0
>> 
>> But they are all displayed as "-A INPUT -j NFLOG", so if
>> the user input the following commands, the original semantics
>> will be broken.
>>   # iptables-save | iptables-restore
>
>Applied, thanks.
>
>Would you also send me a patch to add a test to libxt_NFLOG.t so we
>make sure this problem never comes back again?

OK, will update libxt_NFLOG.t later

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-07-19 22:48 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-18 14:14 [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Liping Zhang
2016-07-18 14:14 ` [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified Liping Zhang
2016-07-19 18:17   ` Pablo Neira Ayuso
2016-07-19 18:17 ` [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero Pablo Neira Ayuso
2016-07-19 22:48   ` Liping Zhang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).