netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Liping Zhang <zlpnobody@163.com>
Cc: netfilter-devel@vger.kernel.org,
	Liping Zhang <liping.zhang@spreadtrum.com>
Subject: Re: [PATCH nf-next] netfilter: nft_queue: check the validation of queues_total and queuenum
Date: Fri, 9 Sep 2016 16:04:34 +0200
Message-ID: <20160909140434.GA25982@salvia>
In-Reply-To: <1473172417-8311-1-git-send-email-zlpnobody@163.com>

On Tue, Sep 06, 2016 at 10:33:37PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
> 
> Although the validation of queues_total and queuenum is checked in the nft
> utility, a user can add nft rules via nfnetlink, so it is necessary
> to check the validation in the nft_queue expr init routine too.

Applied, thanks.

More comments on things I see on nft_queue at this stage:

1) Another issue, I can see nfqueue_hash() depends on
CONFIG_IP6_NF_IPTABLES, this is not good since nft_queue
infrastructure should not depend on iptables. Probably making this
dependent on CONFIG_IPV6 is enough, unless you find anything better.

2) It would be good if nft_queue takes a _SREG_FROM and _SREG_TO to
select the queue numbers, in a similar fashion to nft_nat. The idea is
that we allow plugging nft_queue into nftables mapping, currently this
is not working given that the queue number is passed as an attribute
that contains the value.

3) It would be good to add py tests with a larger range. I remember that
the range 1-65535 currently doesn't work in both nft_queue and
xt_NFQUEUE because the queue_total arithmetics are not right.

It would be great if you can have a look into this.

Thanks!
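
The kind of check the quoted commit message asks for, written as an added example that is not the applied patch or any kernel code: two 16-bit values arriving from an untrusted netlink sender are validated in a wider type before use. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the values a queue expression receives
 * from a netlink message; not the kernel's own structure. */
struct queue_cfg {
	uint16_t queuenum;     /* first queue id in the range */
	uint16_t queues_total; /* number of queues in the range */
};

/* Last queue id computed in 16 bits: wraps silently past 65535. */
static uint16_t last_queue_u16(const struct queue_cfg *c)
{
	return (uint16_t)(c->queuenum + c->queues_total - 1);
}

/* Validate before trusting the values: returns 0 when the range is
 * usable, -EINVAL for an empty range, -ERANGE when it runs past 65535. */
static int queue_cfg_validate(const struct queue_cfg *c)
{
	uint32_t maxid;

	if (c->queues_total == 0)
		return -EINVAL;
	/* Widen first so the sum cannot wrap. */
	maxid = (uint32_t)c->queuenum + c->queues_total - 1;
	if (maxid > UINT16_MAX)
		return -ERANGE;
	return 0;
}

int main(void)
{
	/* Constructed sample inputs. */
	const struct queue_cfg samples[] = {
		{ 0, 1 }, { 1, 65535 }, { 1000, 0 }, { 65535, 2 },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("queuenum=%u total=%u validate=%d last_u16=%u\n",
		       (unsigned)samples[i].queuenum,
		       (unsigned)samples[i].queues_total,
		       queue_cfg_validate(&samples[i]),
		       (unsigned)last_queue_u16(&samples[i]));
	return 0;
}
```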


Thread overview: 3+ messages
2016-09-06 14:33 [PATCH nf-next] netfilter: nft_queue: check the validation of queues_total and queuenum Liping Zhang
2016-09-09 14:04 ` Pablo Neira Ayuso [this message]
2016-09-10  4:56   ` Liping Zhang
