From: Laszlo Attila Toth <panther@balabit.hu>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: kaber@trash.net, netfilter-devel@vger.kernel.org
Subject: Re: [PATCHv3 2/2][RESEND] Addrtype match extension: limit addrtype check on the packet's interface
Date: Fri, 16 Nov 2007 16:30:03 +0100
Message-ID: <473DB77B.4090206@balabit.hu>
In-Reply-To: <Pine.LNX.4.64.0711161604060.3340@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Nov 16 2007 15:22, Laszlo Attila Toth wrote:
>> Addrtype match has a new revision (1), which lets address type checking
>> be limited to the interface the current packet belongs to. Either incoming
>> or outgoing interface can be used depending on the current hook. In the
>> FORWARD hook two matches should be used if both interfaces have to be checked.
>
> Hey would not it be cool if this was bumped to xt_addrtype,
> using .revision=0 with ipt_addrtype_info (with the old functionality),
> and let .revision=1 use xt_addrtype_info (with the new functionality).
> Much like the recently posted xt_tos/xt_owner.

xt_addrtype is ok, but the module loading in the userspace part
(iptables) tries to load libxt_addrtype.so first, and only if that
does not succeed does it try to load libipt_addrtype.so; also the latter
shared object will never be loaded.

Also it may be better if only the xt_addrtype remains and
ipt_addrtype_info is used for the old one and xt_addrtype_info for the
new one. But it may be confusing: ipt_* in the xt_* files...
>
>> -struct ipt_addrtype_info {
>> +enum
>> +{
>> + IPT_ADDRTYPE_INVERT_SOURCE = 0x0001,
>> + IPT_ADDRTYPE_INVERT_DEST = 0x0002,
>> + IPT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
>> + IPT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
>> +};
>> +
>> +struct ipt_addrtype_info_v1 {
>> + u_int16_t source; /* source-type mask */
>> + u_int16_t dest; /* dest-type mask */
>> + u_int32_t flags;
>> +};
>> +
>> +struct ipt_addrtype_info_v0 {
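Review bot: the flags member of struct ipt_addrtype_info_v1 is a full u_int32_t with only four bits defined in the enum above it, and unlike source and dest it carries no comment saying which values it takes. Add a comment pointing at the IPT_ADDRTYPE_* values and have the revision 1 rule check reject any other bit, so the spare bits stay usable for later extensions; the quoted lines do not show the check code, so this may already be handled there. Because the description says only one of the incoming or outgoing interface applies at a given hook, a rule that sets both IPT_ADDRTYPE_LIMIT_IFACE_IN and IPT_ADDRTYPE_LIMIT_IFACE_OUT needs an explicit decision: reject it, or document what it means. The anonymous enum would also benefit from a one-line comment stating that these are bit flags for revision 1.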
>
> Is it actually ok to change ipt_addrtype_info into ipt_addrtype_info_v0?
> It does not break binary compat, but source-level compat.
>
>
Hm, you are right. I checked this in xt_MARK, it doesn't use the _v0
suffix for the old _info structure. I'll change this in addrtype.
--
Attila