From: Peter Riley <Peter.Riley@hotpop.com>
To: netfilter-devel@lists.netfilter.org
Subject: [PATCH] Last vestiges of NFC
Date: Sat, 25 Aug 2007 10:21:38 -0700
Message-ID: <46D06522.2090509@hotpop.com>
[-- Attachment #1: Type: text/plain, Size: 1399 bytes --]
Hello!
It appears that the tweaking of NFC_* bits of nfcache was almost completely
done away with around the times of these threads:
http://lists.netfilter.org/pipermail/netfilter-devel/2005-February/018448.html
http://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019574.html
But I found some vestiges remaining in iptables-1.3.8 that look like this:
static void init(struct ipt_entry_match *m, unsigned int *nfcache)
{
- *nfcache |= NFC_UNKNOWN;
}
remaining in the init() functions of these extensions:
libipt_policy.c libip6t_policy.c
libipt_connmark.c libip6t_connmark.c
The first patch attached below removes these.
But anyway, the question I *really* want to raise is whether the is_same()
comparison functions in libip4tc.c and libip6tc.c might be changed to *not*
compare nfcache bits:
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
+ if (a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
return NULL;
The problem I find is that old userspace tools that still set the nfcache
bits create rules that cannot be match-deleted by newer versions of iptables,
because these bits are no longer set up in iptables but are still compared.
It seems there is no harm in removing this. The second patch attached below
makes this change.
Thank you for considering these minor changes.
Best Regards!
[-- Attachment #2: vestiges-of-NFC-in-extensions.patch --]
[-- Type: text/plain, Size: 1848 bytes --]
diff -Naur iptables-1.3.8.orig/extensions/libip6t_connmark.c iptables-1.3.8/extensions/libip6t_connmark.c
--- iptables-1.3.8.orig/extensions/libip6t_connmark.c 2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libip6t_connmark.c 2007-08-24 17:30:35.000000000 -0700
@@ -48,8 +48,6 @@
static void
init(struct ip6t_entry_match *m, unsigned int *nfcache)
{
- /* Can't cache this. */
- *nfcache |= NFC_UNKNOWN;
}
/* Function which parses command options; returns true if it
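Review bot: after this hunk init() in libip6t_connmark.c is an empty function whose m and nfcache parameters are never used; if nothing else in the file references it, drop the function and the .init pointer that registers it with the match rather than leaving a no-op hook, or keep it with a one-line comment saying it is intentionally empty. Dropping the "Can't cache this." comment together with the assignment is correct, since it described only the deleted line.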
diff -Naur iptables-1.3.8.orig/extensions/libip6t_policy.c iptables-1.3.8/extensions/libip6t_policy.c
--- iptables-1.3.8.orig/extensions/libip6t_policy.c 2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libip6t_policy.c 2007-08-24 17:30:44.000000000 -0700
@@ -135,7 +135,6 @@
static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
{
- *nfcache |= NFC_UNKNOWN;
}
static int parse_direction(char *s)
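Review bot: the file headers show this hunk was produced with diff -Naur against the iptables-1.3.8 release tarball (original files dated 2007-01-23), not against the current development tree, so the @@ -135,7 +135,6 @@ offset and its context should be re-checked, or the patch regenerated, before it is applied. The same remark as for libip6t_connmark.c applies to the empty init() that remains here.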
diff -Naur iptables-1.3.8.orig/extensions/libipt_connmark.c iptables-1.3.8/extensions/libipt_connmark.c
--- iptables-1.3.8.orig/extensions/libipt_connmark.c 2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libipt_connmark.c 2007-08-24 17:30:51.000000000 -0700
@@ -48,8 +48,6 @@
static void
init(struct ipt_entry_match *m, unsigned int *nfcache)
{
- /* Can't cache this. */
- *nfcache |= NFC_UNKNOWN;
}
/* Function which parses command options; returns true if it
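Review bot: this hunk is the IPv4 twin of the libip6t_connmark.c one (identical @@ -48,8 +48,6 @@ header, same two lines dropped), and the point about leaving an empty init() with unused m and nfcache parameters applies equally here and to the libipt_policy.c hunk that follows; whatever is decided for the IPv6 files (remove the hook or comment it as intentionally empty) should be done consistently in all four.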
diff -Naur iptables-1.3.8.orig/extensions/libipt_policy.c iptables-1.3.8/extensions/libipt_policy.c
--- iptables-1.3.8.orig/extensions/libipt_policy.c 2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libipt_policy.c 2007-08-24 17:31:01.000000000 -0700
@@ -95,7 +95,6 @@
static void init(struct ipt_entry_match *m, unsigned int *nfcache)
{
- *nfcache |= NFC_UNKNOWN;
}
static int parse_direction(char *s)
[-- Attachment #3: vestiges-of-NFC-in-is_same.patch --]
[-- Type: text/plain, Size: 926 bytes --]
diff -Naur iptables-1.3.8.orig/libiptc/libip4tc.c iptables-1.3.8/libiptc/libip4tc.c
--- iptables-1.3.8.orig/libiptc/libip4tc.c 2007-01-23 04:49:53.000000000 -0800
+++ iptables-1.3.8/libiptc/libip4tc.c 2007-08-24 17:54:47.000000000 -0700
@@ -204,8 +204,7 @@
return NULL;
}
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
+ if (a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
return NULL;
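Review bot: with nfcache removed from the test, two entries that differ only in their NFC_* bits now compare equal, which is the intended fix for rules left in the kernel by older tools, but nothing at the comparison site records why the field is skipped; add a comment above the remaining if, along the lines of /* nfcache is no longer set by userspace; ignore it so rules added by older tools can still be deleted */, and mention in the changelog that deletion by spec (-D) is the affected path. Note also that target_offset, next_offset and the checks that follow are still compared, so the relaxation is limited to the legacy field.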
diff -Naur iptables-1.3.8.orig/libiptc/libip6tc.c iptables-1.3.8/libiptc/libip6tc.c
--- iptables-1.3.8.orig/libiptc/libip6tc.c 2007-01-23 04:49:53.000000000 -0800
+++ iptables-1.3.8/libiptc/libip6tc.c 2007-08-24 17:54:37.000000000 -0700
@@ -236,8 +236,7 @@
return NULL;
}
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
+ if (a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
return NULL;
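Review bot: identical change to the libip4tc.c hunk at a different offset (@@ -236,8 +236,7 @@); the reason for ignoring nfcache should be documented with a comment at this comparison as well, so the IPv4 and IPv6 copies of is_same() stay in step and the next reader does not reintroduce the check.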
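As an added illustration that is not part of Peter Riley's patches or of iptables itself, the following C program models the is_same() check from libip4tc.c before and after the second patch and runs an emulated "-D" lookup against a chain left behind by an older tool. struct entry is a cut-down stand-in for struct ipt_entry (only the fields the comparison touches, with matchdata standing in for the IP header and match/target blobs the real function also compares), the NFC_UNKNOWN value and the offsets are assumed for illustration, and the chain contents are constructed sample data.

```c
/* Added example, not code from the patch or from iptables: why a rule whose
 * nfcache still carries NFC_* bits could not be match-deleted while nfcache
 * was part of the is_same() comparison. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the real constant came from the kernel's
 * <linux/netfilter.h>. */
#define NFC_UNKNOWN 0x4000u

/* Cut-down stand-in for struct ipt_entry: just the fields this example
 * compares. The real is_same() in libip4tc.c also compares the IP header
 * match and the match/target payload; matchdata stands in for those. */
struct entry {
    unsigned int   nfcache;        /* legacy NFC_* bits, no longer set by iptables */
    unsigned short target_offset;
    unsigned short next_offset;
    unsigned char  matchdata[8];   /* stand-in for the match/target payload */
};

typedef bool (*same_fn)(const struct entry *, const struct entry *);

/* Before the patch: nfcache takes part in the comparison. */
static bool is_same_old(const struct entry *a, const struct entry *b)
{
    if (a->nfcache != b->nfcache
        || a->target_offset != b->target_offset
        || a->next_offset != b->next_offset)
        return false;
    return memcmp(a->matchdata, b->matchdata, sizeof a->matchdata) == 0;
}

/* After the patch: nfcache is ignored, everything else is still compared. */
static bool is_same_new(const struct entry *a, const struct entry *b)
{
    if (a->target_offset != b->target_offset
        || a->next_offset != b->next_offset)
        return false;
    return memcmp(a->matchdata, b->matchdata, sizeof a->matchdata) == 0;
}

/* What "iptables -D <chain> <spec>" boils down to inside libiptc: find the
 * first entry equal to the spec. Returns its index, or -1 when none matches. */
static int find_rule(const struct entry *chain, size_t n,
                     const struct entry *spec, same_fn same)
{
    for (size_t i = 0; i < n; i++)
        if (same(&chain[i], spec))
            return (int)i;
    return -1;
}

/* Build an entry the way a tool would: payload bytes plus whatever the
 * extension's init() left in nfcache. Offsets are arbitrary but constant. */
static struct entry make_entry(unsigned int nfcache, unsigned char tag)
{
    struct entry e;
    memset(&e, 0, sizeof e);
    e.nfcache       = nfcache;
    e.target_offset = 112;
    e.next_offset   = 152;
    memset(e.matchdata, tag, sizeof e.matchdata);
    return e;
}

#define CHAIN_LEN 3

/* Constructed sample: a chain as left in the kernel by an old iptables whose
 * connmark/policy init() still did "*nfcache |= NFC_UNKNOWN". */
static void old_tool_chain(struct entry chain[CHAIN_LEN])
{
    chain[0] = make_entry(0,           0x11);  /* plain rule, no NFC bits */
    chain[1] = make_entry(NFC_UNKNOWN, 0x22);  /* rule that used -m connmark */
    chain[2] = make_entry(0,           0x33);
}

/* A newer iptables (nfcache left at 0) tries to delete the connmark rule.
 * Returns the index is_same_old finds, or -1 if the rule cannot be found. */
int delete_with_old_compare(void)
{
    struct entry chain[CHAIN_LEN];
    old_tool_chain(chain);
    struct entry spec = make_entry(0, 0x22);
    return find_rule(chain, CHAIN_LEN, &spec, is_same_old);
}

/* Same deletion attempt with the patched comparison. */
int delete_with_new_compare(void)
{
    struct entry chain[CHAIN_LEN];
    old_tool_chain(chain);
    struct entry spec = make_entry(0, 0x22);
    return find_rule(chain, CHAIN_LEN, &spec, is_same_new);
}

/* The relaxed comparison must still reject a spec whose payload differs. */
int delete_wrong_spec_new_compare(void)
{
    struct entry chain[CHAIN_LEN];
    old_tool_chain(chain);
    struct entry spec = make_entry(0, 0x44);
    return find_rule(chain, CHAIN_LEN, &spec, is_same_new);
}

int main(void)
{
    printf("old is_same(): connmark rule at index %d (-1 = cannot delete)\n",
           delete_with_old_compare());
    printf("new is_same(): connmark rule at index %d\n",
           delete_with_new_compare());
    printf("new is_same(), wrong spec: index %d\n",
           delete_wrong_spec_new_compare());
    return 0;
}
```

The first lookup fails only because the stale NFC_UNKNOWN bit is compared; the second finds the rule at index 1; the third shows that dropping nfcache from the test does not make unrelated rules match, since the payload comparison is unchanged.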
Thread overview: 12+ messages
2007-08-25 17:21 Peter Riley [this message]
2007-08-25 18:07 ` [PATCH] Last vestiges of NFC Peter Riley
2007-08-29 16:58 ` Patrick McHardy
2007-08-30 15:13 ` Peter Riley
2007-08-30 18:40 ` Jan Engelhardt
2007-08-31 14:25 ` Peter Riley
2007-08-31 16:19 ` Patrick McHardy
2007-09-01 19:31 ` Peter Riley
2007-09-01 19:57 ` Peter Riley
2007-09-02 12:01 ` Patrick McHardy
2007-09-02 11:59 ` Patrick McHardy
2007-08-31 9:38 ` Patrick McHardy