[PATCH] Last vestiges of NFC

[PATCH] Last vestiges of NFC

[Peter Riley]

[-- Attachment #1: Type: text/plain, Size: 1399 bytes --]


Hello!

It appears that the tweaking of NFC_* bits of nfcache was almost completely
done away with around the times of these threads:

http://lists.netfilter.org/pipermail/netfilter-devel/2005-February/018448.html
http://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019574.html

But I found some vestiges remaining in iptables-1.3.8 that look like this

 static void init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_UNKNOWN;
 }

remaining in the init() functions of these extensions:

     libipt_policy.c    libip6t_policy.c
     libipt_connmark.c  libip6t_connmark.c

The first patch attached below removes these.


But anyway, the question I *really* want to raise is whether the is_same()
comparison functions in libip4tc.c and libip6tc.c might be changed to *not*
compare nfcache bits:

-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;

The problem I find is that old userspace tools that still set the nfcache
bits create rules that cannot be match-deleted by newer versions of iptables,
because these bits are no longer set up in iptables but are still compared.
It seems there is no harm in removing this.  The second patch attached below
makes this change.

Thank you for considering these minor changes.

Best Regards!



[-- Attachment #2: vestiges-of-NFC-in-extensions.patch --]
[-- Type: text/plain, Size: 1848 bytes --]

diff -Naur iptables-1.3.8.orig/extensions/libip6t_connmark.c iptables-1.3.8/extensions/libip6t_connmark.c
--- iptables-1.3.8.orig/extensions/libip6t_connmark.c	2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libip6t_connmark.c	2007-08-24 17:30:35.000000000 -0700
@@ -48,8 +48,6 @@
 static void
 init(struct ip6t_entry_match *m, unsigned int *nfcache)
 {
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
diff -Naur iptables-1.3.8.orig/extensions/libip6t_policy.c iptables-1.3.8/extensions/libip6t_policy.c
--- iptables-1.3.8.orig/extensions/libip6t_policy.c	2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libip6t_policy.c	2007-08-24 17:30:44.000000000 -0700
@@ -135,7 +135,6 @@
 
 static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)
diff -Naur iptables-1.3.8.orig/extensions/libipt_connmark.c iptables-1.3.8/extensions/libipt_connmark.c
--- iptables-1.3.8.orig/extensions/libipt_connmark.c	2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libipt_connmark.c	2007-08-24 17:30:51.000000000 -0700
@@ -48,8 +48,6 @@
 static void
 init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
diff -Naur iptables-1.3.8.orig/extensions/libipt_policy.c iptables-1.3.8/extensions/libipt_policy.c
--- iptables-1.3.8.orig/extensions/libipt_policy.c	2007-01-23 04:50:00.000000000 -0800
+++ iptables-1.3.8/extensions/libipt_policy.c	2007-08-24 17:31:01.000000000 -0700
@@ -95,7 +95,6 @@
 
 static void init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)





[-- Attachment #3: vestiges-of-NFC-in-is_same.patch --]
[-- Type: text/plain, Size: 926 bytes --]

diff -Naur iptables-1.3.8.orig/libiptc/libip4tc.c iptables-1.3.8/libiptc/libip4tc.c
--- iptables-1.3.8.orig/libiptc/libip4tc.c	2007-01-23 04:49:53.000000000 -0800
+++ iptables-1.3.8/libiptc/libip4tc.c	2007-08-24 17:54:47.000000000 -0700
@@ -204,8 +204,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 
diff -Naur iptables-1.3.8.orig/libiptc/libip6tc.c iptables-1.3.8/libiptc/libip6tc.c
--- iptables-1.3.8.orig/libiptc/libip6tc.c	2007-01-23 04:49:53.000000000 -0800
+++ iptables-1.3.8/libiptc/libip6tc.c	2007-08-24 17:54:37.000000000 -0700
@@ -236,8 +236,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 

Re: [PATCH] Last vestiges of NFC

[Peter Riley]

Hi,

> But I found some vestiges remaining in iptables-1.3.8 that look like this
> -	*nfcache |= NFC_UNKNOWN;
> remaining in the init() functions of these extensions:
> 
>      libipt_policy.c    libip6t_policy.c
>      libipt_connmark.c  libip6t_connmark.c


Oops, nevermind about connmark.  I see that's already taken care of
recently in latest svn.  But the policy modules still have it.

Best Regards,
Peter

Re: [PATCH] Last vestiges of NFC

[Patrick McHardy]

Peter Riley wrote:
> Hi,
> 
>> But I found some vestiges remaining in iptables-1.3.8 that look like this
>> -	*nfcache |= NFC_UNKNOWN;
>> remaining in the init() functions of these extensions:
>>
>>      libipt_policy.c    libip6t_policy.c
>>      libipt_connmark.c  libip6t_connmark.c
> 
> 
> Oops, nevermind about connmark.  I see that's already taken care of
> recently in latest svn.  But the policy modules still have it.


I count 132 occurences of nfcache (a few are in headers that must stay
though). I'll happily apply a patch that kills them all.

Re: [PATCH] Last vestiges of NFC

[Peter Riley]

Patrick McHardy wrote:
> 
> I count 132 occurences of nfcache (a few are in headers that must stay
> though). I'll happily apply a patch that kills them all.
> 

Patrick, yes I get 134 occurrences on 132 lines in current svn.
The breakdown appears to me to be:

51   init() function declarations in match and target extensions

52   parse() function declarations in match extensions only
     (not counting connlimit and multiport which are more complicated than
     one declaration per file)

2    parse related function declarations in connlimit
4    parse related function declarations in multiport

5+5  calls in iptables.c & ip6tables.c to ->init() or ->parse() members above

3    occurrences in xtables.h that prototype the above:

     struct xtables_match
     {...
         void (*init)(struct xt_entry_match *m, unsigned int *nfcache);

         int (*parse)(int c, char **argv, int invert, unsigned int *flags,
             const void *entry, unsigned int *nfcache, struct xt_entry_match **match);

     struct xtables_target
     {...
         void (*init)(struct xt_entry_target *t, unsigned int *nfcache);

3+3  occurrences in dump_entry() in libip4tc.c and libip4tc.c for debugging:

	printf("Cache: %08X ", e->nfcache);
	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");

     It seems that there is good reason for printing out nfcache contents as long as
     those bits are still present in structs ipt_entry/ip6t_entry defined in headers
     on the kernel side.  After all, this is how I tracked down the problem I am
     reporting to begin with!


What all this leaves remaining are the occurrences I mentioned in previous message
whose removal doesn't break anything:


1+1  in libipt_policy.c and libip6t_policy.c init() functions where NFC bits are
     still being set:

          *nfcache |= NFC_UNKNOWN;

     These (among similar others that have already been removed) crept in
     subsequent to Pablo Neira's NFC-killer patches that I mentioned in original
     post.

2+2  occurrences in the libip4tc.c and libip4tc.c  is_same()  comparisons:

          if (a->nfcache != b->nfcache
              ...) return NULL;

     These are the occurrences causing problems. As mentioned, this prevents
     iptables from being able to delete-by-match any rules created by old
     userspace tools that still set nfcache bits in entries -- the entries are
     not considered "same" because (only) the nfcache bits differ (modulo the
     match mask of course).

-----
=134 Total


Please let me know if I can do anything more regarding this.


Best Regards,
Peter

Re: [PATCH] Last vestiges of NFC

[Jan Engelhardt]

On Aug 30 2007 08:13, Peter Riley wrote:
>Patrick McHardy wrote:
>> 
>> I count 132 occurences of nfcache (a few are in headers that must stay
>> though). I'll happily apply a patch that kills them all.
>> 
>
>Patrick, yes I get 134 occurrences on 132 lines in current svn.
>The breakdown appears to me to be:
[...]

>	printf("Cache: %08X ", e->nfcache);
>	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
>	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
>
>     It seems that there is good reason for printing out nfcache contents as long as
>     those bits are still present in structs ipt_entry/ip6t_entry defined in headers
>     on the kernel side.  After all, this is how I tracked down the problem I am
>     reporting to begin with!

Do we still need nfcache anyway?


	Jan
-- 

Re: [PATCH] Last vestiges of NFC

[Peter Riley]

[-- Attachment #1: Type: text/plain, Size: 4220 bytes --]

Jan Engelhardt wrote:
> On Aug 30 2007 08:13, Peter Riley wrote:
>> Patrick McHardy wrote:
>>>
>>> I count 132 occurences of nfcache (a few are in headers that must stay
>>> though). I'll happily apply a patch that kills them all.
>>>
>> Patrick, yes I get 134 occurrences on 132 lines in current svn.
>> The breakdown appears to me to be:
> [...]
> 
> Do we still need nfcache anyway?
> 

It seems to me there are three options....

Let's Make A Deal and say three "curtains":

Behind curtain #1 is... ** A Late-Summer Vacation Package in Las Vegas!! **

    You've worked hard enough, it's hot and dry out, so just do the minimum,
    kick back and relax...

    Leave the kernel headers alone, leave the iptables headers alone.
    Then

    struct xtables_match keeps    void (*init)(..., unsigned int *nfcache);
                                  int (*parse)(..., unsigned int *nfcache, ...);

    struct xtables_target keeps   void (*init)(..., unsigned int *nfcache);

    So the passing of *nfcache in the ->parse() and ->init() members of the
    extensions stays, plus the occurrences in the calls to them, and the
    debugging dump too.  But this is the bulk of the occurrences Patrick
    mentioned...  Only the small vestiges that actually do something are
    removed from is_same() and the two policy extensions.

    I hear the Vegas greens (shall I say browns?) ain't much good for golfing
    (nothing but sand traps in the desert), so the nfcache-golfing scores won't
    improve very much:  134 - 6 = 128.

    But the best part is: no one ever has to know! What happens in Vegas stays
    in Vegas.  No backwards compatibility breakage.

    It's a long patch-y road out to Las Vegas, but thankfully, with this option,
    Pablo already did most of the driving!

Behind curtain #2: ** Free enemas for you, and your friends! **

   Forget about ass-backwards compatibility and purge your cache! Alter the
   iptables extension API in xtables.h so the function prototypes for ->init()
   and ->parse() stop causing all the crap to be passed. But leave the really
   hard ob-struct-ion in your ipt_entry. It may be too painful to reach that
   deep down into the kernel to remove it.

   Then, you can flush out all of those toxins in the extensions and cleanse
   the calls to them in iptables.c.  Those nasty blockages that iptables can't
   purge because of the (a->nfcache != b->nfcache) comparison can be rooted out
   too (as in #1).

   But let's be realistic, the fresh healthy feeling won't last forever.
   The next time you come down with a bug and really need to make a dump,
   dump_entry() should still be able to pass the bits of cache out of your
   ipt_entry.  At least keep this bit:  printf("Cache: %08X ", e->nfcache);

   Now, every john out there with cache stuck in his libipt_POOBAR.c extension
   is going to have to join in.  So the downside is, while this option might be
   cathartic for you, some of your friends may end up feeling a little ... violated.
   And to be pointed and blunt (ouch), a lot of old code will go into the toilet,
   down the drain.

   With that newfound looseness in the hips, though, your handicap can greatly
   improve:  nfcache-golf score = 134 - 128 = 6.


Behind curtain #3: Is that a goat? a gnu?  No, a penguin!!
         (Plus we'll let your friends can keep their enemas.  Penguin gets one too!)

   Go deeper, purge every last one of the 134 stinky bits of nfcache! The iptables
   headers change as before, and now kernel headers ip_tables.h and ip6_tables.h
   can drop nfcache in struct ipt_entry/compat_ipt_entry/ip6t_entry.  Even get rid
   of the #define NFC_* in ./include/linux/netfilter*.h.  Hold nothing back...

   Those with kernel patches or userspace tools will all just have to suck it up
   like the extensions people had to in #2.  But when you're asked what you did
   last summer, you'll have a big change to tell them about!  :-)


Time to choose!

(Apologies to Monty Hall, The City of Las Vegas, and all who thought that was lame...)

Best Regards,
Peter

PS- My vote, if indeed I have one, is for #1 with no breakage of backwards
compatibility. See the fixed up patch attached. Is it worthwhile to go further?




[-- Attachment #2: iptables-summer-in-vegas.patch --]
[-- Type: text/plain, Size: 1695 bytes --]

diff -Naur iptables.orig/extensions/libip6t_policy.c iptables/extensions/libip6t_policy.c
--- iptables.orig/extensions/libip6t_policy.c	2007-08-31 06:20:54.000000000 -0700
+++ iptables/extensions/libip6t_policy.c	2007-08-31 06:22:58.000000000 -0700
@@ -135,7 +135,6 @@
 
 static void init(struct xt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)
diff -Naur iptables.orig/extensions/libipt_policy.c iptables/extensions/libipt_policy.c
--- iptables.orig/extensions/libipt_policy.c	2007-08-31 06:20:55.000000000 -0700
+++ iptables/extensions/libipt_policy.c	2007-08-31 06:23:11.000000000 -0700
@@ -95,7 +95,6 @@
 
 static void init(struct xt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)
diff -Naur iptables.orig/libiptc/libip4tc.c iptables/libiptc/libip4tc.c
--- iptables.orig/libiptc/libip4tc.c	2007-08-31 06:20:51.000000000 -0700
+++ iptables/libiptc/libip4tc.c	2007-08-31 06:23:53.000000000 -0700
@@ -204,8 +204,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 
diff -Naur iptables.orig/libiptc/libip6tc.c iptables/libiptc/libip6tc.c
--- iptables.orig/libiptc/libip6tc.c	2007-08-31 06:20:51.000000000 -0700
+++ iptables/libiptc/libip6tc.c	2007-08-31 06:24:12.000000000 -0700
@@ -236,8 +236,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 

Re: [PATCH] Last vestiges of NFC

[Patrick McHardy]

Peter Riley wrote:
> Jan Engelhardt wrote:
>> On Aug 30 2007 08:13, Peter Riley wrote:
>>> Patrick McHardy wrote:
>>>> I count 132 occurences of nfcache (a few are in headers that must stay
>>>> though). I'll happily apply a patch that kills them all.
>>>>
>>> Patrick, yes I get 134 occurrences on 132 lines in current svn.
>>> The breakdown appears to me to be:
>> [...]
>>
>> Do we still need nfcache anyway?
>>
> 
> It seems to me there are three options....
> 
> [...]
>    Forget about ass-backwards compatibility and purge your cache!


We don't care about binary compatiblity between different userspace
releases. All we care about is not breaking userspace<->kernel
compatiblity.

> Alter the
>    iptables extension API in xtables.h so the function prototypes for ->init()
>    and ->parse() stop causing all the crap to be passed. But leave the really
>    hard ob-struct-ion in your ipt_entry. It may be too painful to reach that
>    deep down into the kernel to remove it.
> 
>    Then, you can flush out all of those toxins in the extensions and cleanse
>    the calls to them in iptables.c.  Those nasty blockages that iptables can't
>    purge because of the (a->nfcache != b->nfcache) comparison can be rooted out
>    too (as in #1).
> 
>    But let's be realistic, the fresh healthy feeling won't last forever.
>    The next time you come down with a bug and really need to make a dump,
>    dump_entry() should still be able to pass the bits of cache out of your
>    ipt_entry.  At least keep this bit:  printf("Cache: %08X ", e->nfcache);


The kernel doesn't use it, its *always* zero.

> Behind curtain #3: Is that a goat? a gnu?  No, a penguin!!
>          (Plus we'll let your friends can keep their enemas.  Penguin gets one too!)
> 
>    Go deeper, purge every last one of the 134 stinky bits of nfcache! The iptables
>    headers change as before, and now kernel headers ip_tables.h and ip6_tables.h
>    can drop nfcache in struct ipt_entry/compat_ipt_entry/ip6t_entry.  Even get rid
>    of the #define NFC_* in ./include/linux/netfilter*.h.  Hold nothing back...

Thats not possible since it breaks userspace <-> kernel compatiblity.

I prefer to get rid of all of them where possible, but if you want
to do only #1, thats also fine.

Re: [PATCH] Last vestiges of NFC

[Peter Riley]

[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]

Patrick McHardy wrote:
> Peter Riley wrote:
>> Jan Engelhardt wrote:
>>> On Aug 30 2007 08:13, Peter Riley wrote:
>>>> Patrick McHardy wrote:
>>>>>
>>>>> I count 132 occurences of nfcache (a few are in headers that must stay
>>>>> though). I'll happily apply a patch that kills them all.
>>>>>
> [...]
> We don't care about binary compatiblity between different userspace
> releases. All we care about is not breaking userspace<->kernel
> compatiblity.

Ahh, ok ok. I was thrown off by "a few are in headers that must stay."
Since the only occurrences in iptables headers are the prototypes for
the ->init() and ->parse() members in the extensions API, that implied
nearly all occurrences really had to stay.

Attached patch *does* change that header incompatibly.

>> [...]
>>   At least keep this bit:  printf("Cache: %08X ", e->nfcache);
> 
> The kernel doesn't use it, its *always* zero.

heh, well the whole point of this thread was about dealing with the
fact that it isn't!  :-P  But no matter, it's all cool now..

In the end I kept that one line in dump_entry() in libip[46]tc.c,
only for the sake of completeness. The dump_entry() function exists
to dump out the members of an ipt_entry. As you said, nfcache must
remain in the struct.  Please delete the line if you still really
want it gone.

> I prefer to get rid of all of them where possible, but if you want

Gotcha, patch attached.

I think there should at least be some kind of prominent changelog or
warning notice somewhere that "prototypes in the iptables extension
API have changed incompatibly after so many years so your custom match
extension may now segmentation fault upon parsing if not updated".

p-o-m-ng probably needs patching now too.  I'll take a look...

Best Regards,
Peter






[-- Attachment #2: iptables-nfcache-enema2.patch --]
[-- Type: text/plain, Size: 46393 bytes --]

Index: include/xtables.h
===================================================================
--- include/xtables.h	(revision 7013)
+++ include/xtables.h	(working copy)
@@ -80,14 +80,13 @@
 	void (*help)(void);
 
 	/* Initialize the match. */
-	void (*init)(struct xt_entry_match *m, unsigned int *nfcache);
+	void (*init)(struct xt_entry_match *m);
 
 	/* Function which parses command options; returns true if it
            ate an option */
 	/* entry is struct ipt_entry for example */
 	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
 		     const void *entry,
-		     unsigned int *nfcache,
 		     struct xt_entry_match **match);
 
 	/* Final check; exit if not ok. */
@@ -137,7 +136,7 @@
 	void (*help)(void);
 
 	/* Initialize the target. */
-	void (*init)(struct xt_entry_target *t, unsigned int *nfcache);
+	void (*init)(struct xt_entry_target *t);
 
 	/* Function which parses command options; returns true if it
            ate an option */
Index: iptables.c
===================================================================
--- iptables.c	(revision 7013)
+++ iptables.c	(working copy)
@@ -1687,7 +1687,7 @@
 				set_revision(target->t->u.user.name,
 					     target->revision);
 				if (target->init != NULL)
-					target->init(target->t, &fw.nfcache);
+					target->init(target->t);
 				opts = merge_options(opts, target->extra_opts, &target->option_offset);
 			}
 			break;
@@ -1739,7 +1739,7 @@
 			strcpy(m->m->u.user.name, m->name);
 			set_revision(m->m->u.user.name, m->revision);
 			if (m->init != NULL)
-				m->init(m->m, &fw.nfcache);
+				m->init(m->m);
 			if (m != m->next)
 				/* Merge options for non-cloned matches */
 				opts = merge_options(opts, m->extra_opts, &m->option_offset);
@@ -1832,7 +1832,6 @@
 						     argv, invert,
 						     &matchp->match->mflags,
 						     &fw,
-						     &fw.nfcache,
 						     &matchp->match->m))
 						break;
 				}
@@ -1885,7 +1884,7 @@
 					set_revision(m->m->u.user.name,
 						     m->revision);
 					if (m->init != NULL)
-						m->init(m->m, &fw.nfcache);
+						m->init(m->m);
 
 					opts = merge_options(opts,
 					    m->extra_opts, &m->option_offset);
@@ -2016,7 +2015,7 @@
 				set_revision(target->t->u.user.name,
 					     target->revision);
 			if (target->init != NULL)
-				target->init(target->t, &fw.nfcache);
+				target->init(target->t);
 		}
 
 		if (!target) {
Index: libiptc/libip4tc.c
===================================================================
--- libiptc/libip4tc.c	(revision 7013)
+++ libiptc/libip4tc.c	(working copy)
@@ -148,10 +148,7 @@
 	printf("Invflags: %02X\n", e->ip.invflags);
 	printf("Counters: %llu packets, %llu bytes\n",
 	       (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
-	printf("Cache: %08X ", e->nfcache);
-	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
-	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	printf("\n");
+	printf("Cache: %08X\n", e->nfcache);
 
 	IPT_MATCH_ITERATE(e, print_match);
 
@@ -204,8 +201,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 
Index: libiptc/libip6tc.c
===================================================================
--- libiptc/libip6tc.c	(revision 7013)
+++ libiptc/libip6tc.c	(working copy)
@@ -179,10 +179,7 @@
 	printf("Invflags: %02X\n", e->ipv6.invflags);
 	printf("Counters: %llu packets, %llu bytes\n",
 	       (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
-	printf("Cache: %08X ", e->nfcache);
-	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
-	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	printf("\n");
+	printf("Cache: %08X\n", e->nfcache);
 	
 	IP6T_MATCH_ITERATE(e, print_match);
 
@@ -236,8 +233,7 @@
 			return NULL;
 	}
 
-	if (a->nfcache != b->nfcache
-	    || a->target_offset != b->target_offset
+	if (a->target_offset != b->target_offset
 	    || a->next_offset != b->next_offset)
 		return NULL;
 
Index: extensions/libxt_connlimit.c
===================================================================
--- extensions/libxt_connlimit.c	(revision 7013)
+++ extensions/libxt_connlimit.c	(working copy)
@@ -24,7 +24,7 @@
 	{NULL},
 };
 
-static void connlimit_init(struct ipt_entry_match *match, unsigned int *nfc)
+static void connlimit_init(struct ipt_entry_match *match)
 {
 	struct xt_connlimit_info *info = (void *)match->data;
 	info->v4_mask = 0xFFFFFFFFUL;
@@ -101,7 +101,6 @@
 
 static int connlimit_parse4(int c, char **argv, int invert,
                             unsigned int *flags, const void *entry,
-                            unsigned int *nfcache,
                             struct xt_entry_match **match)
 {
 	return connlimit_parse(c, argv, invert, flags,
@@ -110,7 +109,6 @@
 
 static int connlimit_parse6(int c, char **argv, int invert,
                             unsigned int *flags, const void *entry,
-                            unsigned int *nfcache,
                             struct xt_entry_match **match)
 {
 	return connlimit_parse(c, argv, invert, flags,
Index: extensions/libxt_comment.c
===================================================================
--- extensions/libxt_comment.c	(revision 7013)
+++ extensions/libxt_comment.c	(working copy)
@@ -46,7 +46,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_comment_info *commentinfo = (struct xt_comment_info *)(*match)->data;
Index: extensions/libipt_TTL.c
===================================================================
--- extensions/libipt_TTL.c	(revision 7013)
+++ extensions/libipt_TTL.c	(working copy)
@@ -16,7 +16,7 @@
 
 #define IPT_TTL_USED	1
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_string.c
===================================================================
--- extensions/libxt_string.c	(revision 7013)
+++ extensions/libxt_string.c	(working copy)
@@ -54,7 +54,7 @@
 };
 
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_string_info *i = (struct xt_string_info *) m->data;
 
@@ -171,7 +171,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_string_info *stringinfo = (struct xt_string_info *)(*match)->data;
Index: extensions/libxt_TCPMSS.c
===================================================================
--- extensions/libxt_TCPMSS.c	(revision 7013)
+++ extensions/libxt_TCPMSS.c	(working copy)
@@ -44,7 +44,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_MIRROR.c
===================================================================
--- extensions/libipt_MIRROR.c	(revision 7013)
+++ extensions/libipt_MIRROR.c	(working copy)
@@ -18,7 +18,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libip6t_ah.c
===================================================================
--- extensions/libip6t_ah.c	(revision 7013)
+++ extensions/libip6t_ah.c	(working copy)
@@ -72,7 +72,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_ah *ahinfo = (struct ip6t_ah *)m->data;
 
@@ -86,7 +86,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_ah *ahinfo = (struct ip6t_ah *)(*match)->data;
Index: extensions/libipt_conntrack.c
===================================================================
--- extensions/libipt_conntrack.c	(revision 7013)
+++ extensions/libipt_conntrack.c	(working copy)
@@ -168,7 +168,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)(*match)->data;
Index: extensions/libxt_SECMARK.c
===================================================================
--- extensions/libxt_SECMARK.c	(revision 7013)
+++ extensions/libxt_SECMARK.c	(working copy)
@@ -29,7 +29,7 @@
 };
 
 /* Initialize the target. */
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 { }
 
 /*
Index: extensions/libxt_quota.c
===================================================================
--- extensions/libxt_quota.c	(revision 7013)
+++ extensions/libxt_quota.c	(working copy)
@@ -60,7 +60,7 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache, struct xt_entry_match **match)
+      struct xt_entry_match **match)
 {
         struct xt_quota_info *info = (struct xt_quota_info *) (*match)->data;
 
Index: extensions/libxt_multiport.c
===================================================================
--- extensions/libxt_multiport.c	(revision 7013)
+++ extensions/libxt_multiport.c	(working copy)
@@ -135,7 +135,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 }
 
@@ -213,7 +213,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
 	 const void *e,
-	 unsigned int *nfcache,
 	 struct xt_entry_match **match)
 {
 	const struct ipt_entry *entry = e;
@@ -224,7 +223,6 @@
 static int
 parse6(int c, char **argv, int invert, unsigned int *flags,
 	 const void *e,
-	 unsigned int *nfcache,
 	 struct xt_entry_match **match)
 {
 	const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
@@ -280,7 +278,6 @@
 static int
 parse_v1(int c, char **argv, int invert, unsigned int *flags,
 	 const void *e,
-	 unsigned int *nfcache,
 	 struct xt_entry_match **match)
 {
 	const struct ipt_entry *entry = e;
@@ -291,7 +288,6 @@
 static int
 parse6_v1(int c, char **argv, int invert, unsigned int *flags,
 	  const void *e,
-	  unsigned int *nfcache,
 	  struct xt_entry_match **match)
 {
 	const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
Index: extensions/libxt_mac.c
===================================================================
--- extensions/libxt_mac.c	(revision 7013)
+++ extensions/libxt_mac.c	(working copy)
@@ -57,7 +57,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_mac_info *macinfo = (struct xt_mac_info *)(*match)->data;
Index: extensions/libxt_NOTRACK.c
===================================================================
--- extensions/libxt_NOTRACK.c	(revision 7013)
+++ extensions/libxt_NOTRACK.c	(working copy)
@@ -18,7 +18,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_REDIRECT.c
===================================================================
--- extensions/libipt_REDIRECT.c	(revision 7013)
+++ extensions/libipt_REDIRECT.c	(working copy)
@@ -30,7 +30,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
 
Index: extensions/libxt_statistic.c
===================================================================
--- extensions/libxt_statistic.c	(revision 7013)
+++ extensions/libxt_statistic.c	(working copy)
@@ -36,7 +36,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	double prob;
Index: extensions/libxt_CONNMARK.c
===================================================================
--- extensions/libxt_CONNMARK.c	(revision 7013)
+++ extensions/libxt_CONNMARK.c	(working copy)
@@ -58,7 +58,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_NFQUEUE.c
===================================================================
--- extensions/libxt_NFQUEUE.c	(revision 7013)
+++ extensions/libxt_NFQUEUE.c	(working copy)
@@ -14,7 +14,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_NFQUEUE.h>
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_connmark.c
===================================================================
--- extensions/libxt_connmark.c	(revision 7013)
+++ extensions/libxt_connmark.c	(working copy)
@@ -49,7 +49,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_connmark_info *markinfo = (struct xt_connmark_info *)(*match)->data;
Index: extensions/libxt_sctp.c
===================================================================
--- extensions/libxt_sctp.c	(revision 7013)
+++ extensions/libxt_sctp.c	(working copy)
@@ -42,8 +42,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m,
-     unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	int i;
 	struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data;
@@ -263,7 +262,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_sctp_info *einfo
Index: extensions/libipt_addrtype.c
===================================================================
--- extensions/libipt_addrtype.c	(revision 7013)
+++ extensions/libipt_addrtype.c	(working copy)
@@ -82,7 +82,7 @@
 #define IPT_ADDRTYPE_OPT_DSTTYPE	0x2
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
-		const void *entry, unsigned int *nfcache,
+		const void *entry,
 		struct xt_entry_match **match)
 {
 	struct ipt_addrtype_info *info =
Index: extensions/libxt_helper.c
===================================================================
--- extensions/libxt_helper.c	(revision 7013)
+++ extensions/libxt_helper.c	(working copy)
@@ -29,7 +29,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_helper_info *info = (struct xt_helper_info *)(*match)->data;
Index: extensions/libxt_hashlimit.c
===================================================================
--- extensions/libxt_hashlimit.c	(revision 7013)
+++ extensions/libxt_hashlimit.c	(working copy)
@@ -96,7 +96,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
 
@@ -152,7 +152,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_hashlimit_info *r = 
Index: extensions/libxt_esp.c
===================================================================
--- extensions/libxt_esp.c	(revision 7013)
+++ extensions/libxt_esp.c	(working copy)
@@ -71,7 +71,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_esp *espinfo = (struct xt_esp *)m->data;
 
@@ -85,7 +85,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_esp *espinfo = (struct xt_esp *)(*match)->data;
Index: extensions/libipt_MASQUERADE.c
===================================================================
--- extensions/libipt_MASQUERADE.c	(revision 7013)
+++ extensions/libipt_MASQUERADE.c	(working copy)
@@ -31,7 +31,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
 
Index: extensions/libipt_set.c
===================================================================
--- extensions/libipt_set.c	(revision 7013)
+++ extensions/libipt_set.c	(working copy)
@@ -38,7 +38,7 @@
 };
 
 /* Initialize the match. */
-static void init(struct xt_entry_match *match, unsigned int *nfcache)
+static void init(struct xt_entry_match *match)
 {
 	struct ipt_set_info_match *info = 
 		(struct ipt_set_info_match *) match->data;
@@ -52,7 +52,7 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache, struct xt_entry_match **match)
+      struct xt_entry_match **match)
 {
 	struct ipt_set_info_match *myinfo = 
 		(struct ipt_set_info_match *) (*match)->data;
Index: extensions/libxt_pkttype.c
===================================================================
--- extensions/libxt_pkttype.c	(revision 7013)
+++ extensions/libxt_pkttype.c	(working copy)
@@ -87,7 +87,6 @@
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_pkttype_info *info = (struct xt_pkttype_info *)(*match)->data;
Index: extensions/libipt_realm.c
===================================================================
--- extensions/libipt_realm.c	(revision 7013)
+++ extensions/libipt_realm.c	(working copy)
@@ -157,7 +157,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_realm_info *realminfo = (struct ipt_realm_info *)(*match)->data;
Index: extensions/libxt_connbytes.c
===================================================================
--- extensions/libxt_connbytes.c	(revision 7013)
+++ extensions/libxt_connbytes.c	(working copy)
@@ -50,7 +50,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)(*match)->data;
Index: extensions/libipt_tos.c
===================================================================
--- extensions/libipt_tos.c	(revision 7013)
+++ extensions/libipt_tos.c	(working copy)
@@ -77,7 +77,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_tos_info *tosinfo = (struct ipt_tos_info *)(*match)->data;
Index: extensions/libip6t_LOG.c
===================================================================
--- extensions/libip6t_LOG.c	(revision 7013)
+++ extensions/libip6t_LOG.c	(working copy)
@@ -44,7 +44,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ip6t_log_info *loginfo = (struct ip6t_log_info *)t->data;
 
Index: extensions/libxt_dccp.c
===================================================================
--- extensions/libxt_dccp.c	(revision 7013)
+++ extensions/libxt_dccp.c	(working copy)
@@ -26,8 +26,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m,
-     unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_dccp_info *einfo = (struct xt_dccp_info *)m->data;
 
@@ -135,7 +134,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_dccp_info *einfo
Index: extensions/libxt_CLASSIFY.c
===================================================================
--- extensions/libxt_CLASSIFY.c	(revision 7013)
+++ extensions/libxt_CLASSIFY.c	(working copy)
@@ -28,7 +28,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_recent.c
===================================================================
--- extensions/libipt_recent.c	(revision 7013)
+++ extensions/libipt_recent.c	(working copy)
@@ -68,7 +68,7 @@
   
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *match, unsigned int *nfcache)
+init(struct xt_entry_match *match)
 {
 	struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
 
@@ -85,7 +85,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
Index: extensions/libxt_physdev.c
===================================================================
--- extensions/libxt_physdev.c	(revision 7013)
+++ extensions/libxt_physdev.c	(working copy)
@@ -35,14 +35,13 @@
 };
 
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 }
 
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_physdev_info *info =
Index: extensions/libipt_unclean.c
===================================================================
--- extensions/libipt_unclean.c	(revision 7013)
+++ extensions/libipt_unclean.c	(working copy)
@@ -18,7 +18,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	return 0;
Index: extensions/libipt_ah.c
===================================================================
--- extensions/libipt_ah.c	(revision 7013)
+++ extensions/libipt_ah.c	(working copy)
@@ -68,7 +68,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ipt_ah *ahinfo = (struct ipt_ah *)m->data;
 
@@ -82,7 +82,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_ah *ahinfo = (struct ipt_ah *)(*match)->data;
Index: extensions/libxt_dscp.c
===================================================================
--- extensions/libxt_dscp.c	(revision 7013)
+++ extensions/libxt_dscp.c	(working copy)
@@ -76,7 +76,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_dscp_info *dinfo
Index: extensions/libxt_mark.c
===================================================================
--- extensions/libxt_mark.c	(revision 7013)
+++ extensions/libxt_mark.c	(working copy)
@@ -30,7 +30,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_mark_info *markinfo = (struct xt_mark_info *)(*match)->data;
Index: extensions/libxt_TRACE.c
===================================================================
--- extensions/libxt_TRACE.c	(revision 7013)
+++ extensions/libxt_TRACE.c	(working copy)
@@ -18,7 +18,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_standard.c
===================================================================
--- extensions/libxt_standard.c	(revision 7013)
+++ extensions/libxt_standard.c	(working copy)
@@ -18,7 +18,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_ttl.c
===================================================================
--- extensions/libipt_ttl.c	(revision 7013)
+++ extensions/libipt_ttl.c	(working copy)
@@ -25,7 +25,7 @@
 }
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
-		const void *entry, unsigned int *nfcache,
+		const void *entry,
 		struct xt_entry_match **match)
 {
 	struct ipt_ttl_info *info = (struct ipt_ttl_info *) (*match)->data;
Index: extensions/libip6t_state.c
===================================================================
--- extensions/libip6t_state.c	(revision 7013)
+++ extensions/libip6t_state.c	(working copy)
@@ -66,7 +66,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_state_info *sinfo = (struct ipt_state_info *)(*match)->data;
Index: extensions/libipt_connrate.c
===================================================================
--- extensions/libipt_connrate.c	(revision 7013)
+++ extensions/libipt_connrate.c	(working copy)
@@ -77,7 +77,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_connrate_info *sinfo = (struct ipt_connrate_info *)(*match)->data;
Index: extensions/libxt_limit.c
===================================================================
--- extensions/libxt_limit.c	(revision 7013)
+++ extensions/libxt_limit.c	(working copy)
@@ -74,7 +74,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_rateinfo *r = (struct xt_rateinfo *)m->data;
 
@@ -94,7 +94,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_rateinfo *r = (struct xt_rateinfo *)(*match)->data;
Index: extensions/libip6t_dst.c
===================================================================
--- extensions/libip6t_dst.c	(revision 7013)
+++ extensions/libip6t_dst.c	(working copy)
@@ -118,7 +118,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
 
@@ -133,7 +133,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
Index: extensions/libip6t_owner.c
===================================================================
--- extensions/libip6t_owner.c	(revision 7013)
+++ extensions/libip6t_owner.c	(working copy)
@@ -52,7 +52,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_owner_info *ownerinfo = (struct ip6t_owner_info *)(*match)->data;
Index: extensions/libip6t_HL.c
===================================================================
--- extensions/libip6t_HL.c	(revision 7013)
+++ extensions/libip6t_HL.c	(working copy)
@@ -16,7 +16,7 @@
 
 #define IP6T_HL_USED	1
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_owner.c
===================================================================
--- extensions/libipt_owner.c	(revision 7013)
+++ extensions/libipt_owner.c	(working copy)
@@ -54,7 +54,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_owner_info *ownerinfo = (struct ipt_owner_info *)(*match)->data;
Index: extensions/libip6t_REJECT.c
===================================================================
--- extensions/libip6t_REJECT.c	(revision 7013)
+++ extensions/libip6t_REJECT.c	(working copy)
@@ -72,7 +72,7 @@
 
 /* Allocate and initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ip6t_reject_info *reject = (struct ip6t_reject_info *)t->data;
 
Index: extensions/libipt_ECN.c
===================================================================
--- extensions/libipt_ECN.c	(revision 7013)
+++ extensions/libipt_ECN.c	(working copy)
@@ -17,7 +17,7 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libip6t_rt.c
===================================================================
--- extensions/libip6t_rt.c	(revision 7013)
+++ extensions/libip6t_rt.c	(working copy)
@@ -139,7 +139,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_rt *rtinfo = (struct ip6t_rt *)m->data;
 
@@ -157,7 +157,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_rt *rtinfo = (struct ip6t_rt *)(*match)->data;
Index: extensions/libip6t_condition.c
===================================================================
--- extensions/libip6t_condition.c	(revision 7013)
+++ extensions/libip6t_condition.c	(working copy)
@@ -26,7 +26,7 @@
 
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
-      const void *entry, unsigned int *nfcache,
+      const void *entry,
       struct xt_entry_match **match)
 {
 	struct condition6_info *info =
Index: extensions/libxt_length.c
===================================================================
--- extensions/libxt_length.c	(revision 7013)
+++ extensions/libxt_length.c	(working copy)
@@ -67,7 +67,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_length_info *info = (struct xt_length_info *)(*match)->data;
Index: extensions/libip6t_eui64.c
===================================================================
--- extensions/libip6t_eui64.c	(revision 7013)
+++ extensions/libip6t_eui64.c	(working copy)
@@ -27,7 +27,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	return 0;
Index: extensions/libipt_SAME.c
===================================================================
--- extensions/libipt_SAME.c	(revision 7013)
+++ extensions/libipt_SAME.c	(working copy)
@@ -38,7 +38,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ipt_same_info *mr = (struct ipt_same_info *)t->data;
 
Index: extensions/libip6t_policy.c
===================================================================
--- extensions/libip6t_policy.c	(revision 7013)
+++ extensions/libip6t_policy.c	(working copy)
@@ -133,9 +133,8 @@
 
 /* End duplicated code from ip6tables.c */
 
-static void init(struct xt_entry_match *m, unsigned int *nfcache)
+static void init(struct xt_entry_match *m)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)
@@ -167,7 +166,6 @@
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
                  const void *entry,
-                 unsigned int *nfcache,
                  struct xt_entry_match **match)
 {
 	struct ip6t_policy_info *info = (void *)(*match)->data;
Index: extensions/libipt_condition.c
===================================================================
--- extensions/libipt_condition.c	(revision 7013)
+++ extensions/libipt_condition.c	(working copy)
@@ -26,7 +26,7 @@
 
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
-      const void *entry, unsigned int *nfcache,
+      const void *entry,
       struct xt_entry_match **match)
 {
 	struct condition_info *info =
Index: extensions/libxt_udp.c
===================================================================
--- extensions/libxt_udp.c	(revision 7013)
+++ extensions/libxt_udp.c	(working copy)
@@ -55,7 +55,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_udp *udpinfo = (struct xt_udp *)m->data;
 
@@ -70,7 +70,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_udp *udpinfo = (struct xt_udp *)(*match)->data;
Index: extensions/libipt_icmp.c
===================================================================
--- extensions/libipt_icmp.c	(revision 7013)
+++ extensions/libipt_icmp.c	(working copy)
@@ -169,7 +169,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ipt_icmp *icmpinfo = (struct ipt_icmp *)m->data;
 
@@ -182,7 +182,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_icmp *icmpinfo = (struct ipt_icmp *)(*match)->data;
Index: extensions/libip6t_mh.c
===================================================================
--- extensions/libip6t_mh.c	(revision 7013)
+++ extensions/libip6t_mh.c	(working copy)
@@ -67,7 +67,7 @@
 	print_types_all();
 }
 
-static void init(struct xt_entry_match *m, unsigned int *nfcache)
+static void init(struct xt_entry_match *m)
 {
 	struct ip6t_mh *mhinfo = (struct ip6t_mh *)m->data;
 
@@ -127,7 +127,6 @@
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
 		 const void *entry,
-		 unsigned int *nfcache,
 		 struct xt_entry_match **match)
 {
 	struct ip6t_mh *mhinfo = (struct ip6t_mh *)(*match)->data;
Index: extensions/libip6t_frag.c
===================================================================
--- extensions/libip6t_frag.c	(revision 7013)
+++ extensions/libip6t_frag.c	(working copy)
@@ -78,7 +78,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
 
@@ -94,7 +94,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
Index: extensions/libipt_ULOG.c
===================================================================
--- extensions/libipt_ULOG.c	(revision 7013)
+++ extensions/libipt_ULOG.c	(working copy)
@@ -53,7 +53,7 @@
 };
 
 /* Initialize the target. */
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 	struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) t->data;
 
Index: extensions/libip6t_ipv6header.c
===================================================================
--- extensions/libip6t_ipv6header.c	(revision 7013)
+++ extensions/libip6t_ipv6header.c	(working copy)
@@ -155,7 +155,7 @@
 };
 
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
 
@@ -186,7 +186,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)(*match)->data;
Index: extensions/libxt_tcp.c
===================================================================
--- extensions/libxt_tcp.c	(revision 7013)
+++ extensions/libxt_tcp.c	(working copy)
@@ -131,7 +131,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct xt_tcp *tcpinfo = (struct xt_tcp *)m->data;
 
@@ -148,7 +148,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_tcp *tcpinfo = (struct xt_tcp *)(*match)->data;
Index: extensions/libip6t_hl.c
===================================================================
--- extensions/libip6t_hl.c	(revision 7013)
+++ extensions/libip6t_hl.c	(working copy)
@@ -26,7 +26,7 @@
 }
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
-		const void *entry, unsigned int *nfcache,
+		const void *entry,
 		struct xt_entry_match **match)
 {
 	struct ip6t_hl_info *info = (struct ip6t_hl_info *) (*match)->data;
Index: extensions/libip6t_icmp6.c
===================================================================
--- extensions/libip6t_icmp6.c	(revision 7013)
+++ extensions/libip6t_icmp6.c	(working copy)
@@ -145,7 +145,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
 
@@ -157,7 +157,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)(*match)->data;
Index: extensions/libxt_tcpmss.c
===================================================================
--- extensions/libxt_tcpmss.c	(revision 7013)
+++ extensions/libxt_tcpmss.c	(working copy)
@@ -61,7 +61,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_tcpmss_match_info *mssinfo =
Index: extensions/libipt_REJECT.c
===================================================================
--- extensions/libipt_REJECT.c	(revision 7013)
+++ extensions/libipt_REJECT.c	(working copy)
@@ -87,7 +87,7 @@
 
 /* Allocate and initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ipt_reject_info *reject = (struct ipt_reject_info *)t->data;
 
Index: extensions/libipt_LOG.c
===================================================================
--- extensions/libipt_LOG.c	(revision 7013)
+++ extensions/libipt_LOG.c	(working copy)
@@ -44,7 +44,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ipt_log_info *loginfo = (struct ipt_log_info *)t->data;
 
Index: extensions/libipt_NETMAP.c
===================================================================
--- extensions/libipt_NETMAP.c	(revision 7013)
+++ extensions/libipt_NETMAP.c	(working copy)
@@ -56,7 +56,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 	struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
 
Index: extensions/libxt_DSCP.c
===================================================================
--- extensions/libxt_DSCP.c	(revision 7013)
+++ extensions/libxt_DSCP.c	(working copy)
@@ -22,7 +22,7 @@
 #include "libipt_dscp_helper.c"
 
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_MARK.c
===================================================================
--- extensions/libxt_MARK.c	(revision 7013)
+++ extensions/libxt_MARK.c	(working copy)
@@ -30,7 +30,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_SET.c
===================================================================
--- extensions/libipt_SET.c	(revision 7013)
+++ extensions/libipt_SET.c	(working copy)
@@ -41,7 +41,7 @@
 };
 
 /* Initialize the target. */
-static void init(struct xt_entry_target *target, unsigned int *nfcache)
+static void init(struct xt_entry_target *target)
 {
 	struct ipt_set_info_target *info =
 	    (struct ipt_set_info_target *) target->data;
Index: extensions/libipt_policy.c
===================================================================
--- extensions/libipt_policy.c	(revision 7013)
+++ extensions/libipt_policy.c	(working copy)
@@ -93,9 +93,8 @@
 	{ }
 };
 
-static void init(struct xt_entry_match *m, unsigned int *nfcache)
+static void init(struct xt_entry_match *m)
 {
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static int parse_direction(char *s)
@@ -127,7 +126,6 @@
 
 static int parse(int c, char **argv, int invert, unsigned int *flags,
                  const void *entry,
-                 unsigned int *nfcache,
                  struct xt_entry_match **match)
 {
 	struct ipt_policy_info *info = (void *)(*match)->data;
Index: extensions/libxt_NFLOG.c
===================================================================
--- extensions/libxt_NFLOG.c	(revision 7013)
+++ extensions/libxt_NFLOG.c	(working copy)
@@ -32,7 +32,7 @@
 	       IPTABLES_VERSION);
 }
 
-static void init(struct xt_entry_target *t, unsigned int *nfcache)
+static void init(struct xt_entry_target *t)
 {
 	struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
 
Index: extensions/libipt_ecn.c
===================================================================
--- extensions/libipt_ecn.c	(revision 7013)
+++ extensions/libipt_ecn.c	(working copy)
@@ -36,7 +36,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	unsigned int result;
Index: extensions/libipt_TOS.c
===================================================================
--- extensions/libipt_TOS.c	(revision 7013)
+++ extensions/libipt_TOS.c	(working copy)
@@ -54,7 +54,7 @@
 
 /* Initialize the target. */
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libipt_CLUSTERIP.c
===================================================================
--- extensions/libipt_CLUSTERIP.c	(revision 7013)
+++ extensions/libipt_CLUSTERIP.c	(working copy)
@@ -55,7 +55,7 @@
 };
 
 static void
-init(struct xt_entry_target *t, unsigned int *nfcache)
+init(struct xt_entry_target *t)
 {
 }
 
Index: extensions/libxt_state.c
===================================================================
--- extensions/libxt_state.c	(revision 7013)
+++ extensions/libxt_state.c	(working copy)
@@ -66,7 +66,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct xt_state_info *sinfo = (struct xt_state_info *)(*match)->data;
Index: extensions/libipt_iprange.c
===================================================================
--- extensions/libipt_iprange.c	(revision 7013)
+++ extensions/libipt_iprange.c	(working copy)
@@ -57,7 +57,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
Index: extensions/libip6t_hbh.c
===================================================================
--- extensions/libip6t_hbh.c	(revision 7013)
+++ extensions/libip6t_hbh.c	(working copy)
@@ -117,7 +117,7 @@
 
 /* Initialize the match. */
 static void
-init(struct xt_entry_match *m, unsigned int *nfcache)
+init(struct xt_entry_match *m)
 {
 	struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
 
@@ -132,7 +132,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const void *entry,
-      unsigned int *nfcache,
       struct xt_entry_match **match)
 {
 	struct ip6t_opts *optinfo = (struct ip6t_opts *)(*match)->data;
Index: ip6tables.c
===================================================================
--- ip6tables.c	(revision 7013)
+++ ip6tables.c	(working copy)
@@ -1627,7 +1627,7 @@
 				target->t->u.target_size = size;
 				strcpy(target->t->u.user.name, jumpto);
 				if (target->init != NULL)
-					target->init(target->t, &fw.nfcache);
+					target->init(target->t);
 				opts = merge_options(opts, target->extra_opts, &target->option_offset);
 			}
 			break;
@@ -1673,7 +1673,7 @@
 			strcpy(m->m->u.user.name, m->name);
 			set_revision(m->m->u.user.name, m->revision);
 			if (m->init != NULL)
-				m->init(m->m, &fw.nfcache);
+				m->init(m->m);
 			if (m != m->next)
 				/* Merge options for non-cloned matches */
 				opts = merge_options(opts, m->extra_opts, &m->option_offset);
@@ -1766,7 +1766,6 @@
 						     argv, invert,
 						     &matchp->match->mflags,
 						     &fw,
-						     &fw.nfcache,
 						     &matchp->match->m))
 						break;
 				}
@@ -1819,7 +1818,7 @@
 					set_revision(m->m->u.user.name,
 						     m->revision);
 					if (m->init != NULL)
-						m->init(m->m, &fw.nfcache);
+						m->init(m->m);
 
 					opts = merge_options(opts,
 					    m->extra_opts, &m->option_offset);
@@ -1948,7 +1947,7 @@
 			target->t->u.target_size = size;
 			strcpy(target->t->u.user.name, jumpto);
 			if (target->init != NULL)
-				target->init(target->t, &fw.nfcache);
+				target->init(target->t);
 		}
 
 		if (!target) {

Re: [PATCH] Last vestiges of NFC

[Peter Riley]

[-- Attachment #1: Type: text/plain, Size: 527 bytes --]

Peter Riley wrote:
> 
> p-o-m-ng probably needs patching now too.  I'll take a look...

A quick check found four occurrences.
These two are in old kernel code.

patchlets/TARPIT/linux/net/ipv4/netfilter/ipt_TARPIT.c
-	nskb->nfcache = 0;

patchlets/IPV4OPTSSTRIP/linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
-	skb->nfcache |= NFC_ALTERED;


But these two are in match extensions.  See patch.

patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c
patchlets/u32/iptables/extensions/libipt_u32.c


Best Regards,
Peter




[-- Attachment #2: pom-ng-nfcache-enema2.patch --]
[-- Type: text/plain, Size: 1107 bytes --]

Index: patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c
===================================================================
--- patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c	(revision 7013)
+++ patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c	(working copy)
@@ -40,7 +40,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ipt_entry *entry,
-      unsigned int *nfcache,
       struct ipt_entry_match **match)
 {
 	struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
Index: patchlets/u32/iptables/extensions/libipt_u32.c
===================================================================
--- patchlets/u32/iptables/extensions/libipt_u32.c	(revision 7013)
+++ patchlets/u32/iptables/extensions/libipt_u32.c	(working copy)
@@ -93,7 +93,6 @@
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ipt_entry *entry,
-      unsigned int *nfcache,
       struct ipt_entry_match **match)
 {
 	struct ipt_u32 *data = (struct ipt_u32 *)(*match)->data;

Re: [PATCH] Last vestiges of NFC

[Patrick McHardy]

Peter Riley wrote:
> Peter Riley wrote:
>> p-o-m-ng probably needs patching now too.  I'll take a look...
> 
> A quick check found four occurrences.
> These two are in old kernel code.
> 
> patchlets/TARPIT/linux/net/ipv4/netfilter/ipt_TARPIT.c
> -	nskb->nfcache = 0;
> 
> patchlets/IPV4OPTSSTRIP/linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
> -	skb->nfcache |= NFC_ALTERED;


That seems to be 2.4 code.

> But these two are in match extensions.  See patch.
> 
> patchlets/ipv4options/iptables/extensions/libipt_ipv4options.c
> patchlets/u32/iptables/extensions/libipt_u32.c


Also applied, thanks.

Re: [PATCH] Last vestiges of NFC

[Patrick McHardy]

Peter Riley wrote:
> Patrick McHardy wrote:
>>
>> The kernel doesn't use it, its *always* zero.
> 
> heh, well the whole point of this thread was about dealing with the
> fact that it isn't!  :-P  But no matter, it's all cool now..
> 
> In the end I kept that one line in dump_entry() in libip[46]tc.c,
> only for the sake of completeness. The dump_entry() function exists
> to dump out the members of an ipt_entry. As you said, nfcache must
> remain in the struct.  Please delete the line if you still really
> want it gone.


I kept it.

>> I prefer to get rid of all of them where possible, but if you want
> 
> Gotcha, patch attached.


Applied, thanks a lot Peter.

> I think there should at least be some kind of prominent changelog or
> warning notice somewhere that "prototypes in the iptables extension
> API have changed incompatibly after so many years so your custom match
> extension may now segmentation fault upon parsing if not updated".


We had lots of changes in this area very recently anyway
because of the new userspace xtables support, probably
things won't even compile anymore. But I agree, we'll add
a warning to next release announcement.

Re: [PATCH] Last vestiges of NFC

[Patrick McHardy]

On Thu, 30 Aug 2007, Peter Riley wrote:

> Patrick McHardy wrote:
>>
>> I count 132 occurences of nfcache (a few are in headers that must stay
>> though). I'll happily apply a patch that kills them all.
>>
>
> Patrick, yes I get 134 occurrences on 132 lines in current svn.
> The breakdown appears to me to be:
>
> 51   init() function declarations in match and target extensions
>
> 52   parse() function declarations in match extensions only
>     (not counting connlimit and multiport which are more complicated than
>     one declaration per file)
>
> 2    parse related function declarations in connlimit
> 4    parse related function declarations in multiport
>
> 5+5  calls in iptables.c & ip6tables.c to ->init() or ->parse() members above
>
> 3    occurrences in xtables.h that prototype the above:
>
>     struct xtables_match
>     {...
>         void (*init)(struct xt_entry_match *m, unsigned int *nfcache);
>
>         int (*parse)(int c, char **argv, int invert, unsigned int *flags,
>             const void *entry, unsigned int *nfcache, struct xt_entry_match **match);
>
>     struct xtables_target
>     {...
>         void (*init)(struct xt_entry_target *t, unsigned int *nfcache);
>
> 3+3  occurrences in dump_entry() in libip4tc.c and libip4tc.c for debugging:
>
> 	printf("Cache: %08X ", e->nfcache);
> 	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
> 	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
>
>     It seems that there is good reason for printing out nfcache contents as long as
>     those bits are still present in structs ipt_entry/ip6t_entry defined in headers
>     on the kernel side.  After all, this is how I tracked down the problem I am
>     reporting to begin with!
>
>
> What all this leaves remaining are the occurrences I mentioned in previous message
> whose removal doesn't break anything:
>
>
> 1+1  in libipt_policy.c and libip6t_policy.c init() functions where NFC bits are
>     still being set:
>
>          *nfcache |= NFC_UNKNOWN;
>
>     These (among similar others that have already been removed) crept in
>     subsequent to Pablo Neira's NFC-killer patches that I mentioned in original
>     post.
>
> 2+2  occurrences in the libip4tc.c and libip4tc.c  is_same()  comparisons:
>
>          if (a->nfcache != b->nfcache
>              ...) return NULL;
>
>     These are the occurrences causing problems. As mentioned, this prevents
>     iptables from being able to delete-by-match any rules created by old
>     userspace tools that still set nfcache bits in entries -- the entries are
>     not considered "same" because (only) the nfcache bits differ (modulo the
>     match mask of course).
>
> -----
> =134 Total
>
>
> Please let me know if I can do anything more regarding this.


Basically all of them can go except those in include/linux/*.h files.