From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Dave <finalglide@gmail.com>, netfilter@vger.kernel.org
Subject: Re: POM Xtables???
Date: Thu, 24 Jul 2008 01:21:04 +0200 [thread overview]
Message-ID: <4887BCE0.2050902@trash.net> (raw)
In-Reply-To: <alpine.LNX.1.10.0807010907040.26892@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> Still had this in the Draft folder..
>
> On Monday 2008-06-30 22:52, Patrick McHardy wrote:
>> Which rest? Is the list at the end of your mail complete?
>
> Just contains those you have not yet rejected ;-)
Rejections are not necessarily permanent .. but they may require
some convincing. Sometimes the mind just changes over time and
sometimes a convincing argument that it won't make things worse
is needed.
Which is just a general comment, I can only partially remember
which ones I've rejected :)
>>> Hence I have taken up some and fixed them to be straight.
>>> Patrick, what's your judgment on the existing
>>> xt_{LOGMARK,TARPIT,TEE,condition,geoip,ipp2p} modules in xtables-addons?
>>>
>> - LOGMARK - haven't seen it or can't remember
>
> Prints everything that LOG is missing, like nfmark, ctmark, secmark,
> connection state, status. Quite useful when toying around with
> fwmark-based policy routing.
I believe we've discussed this already, just add it to the end
of the MARK output. That would also be most useful since thats
what people already use. ctmark would also be useful for nfnetlink.
>> - TARPIT - fine if remaining issues are fixed
I actually would be quite happy to merge this or help fix the
remaining issues since I know a lot of people use this for
spam trapping.
>> - TEE - same as TARPIT
This one as well (well, the packet duplication feature,
I'm not sure whether it also included some routing hacks).
>> - condition - undecided
>> - geoip - seems like a toy. Whats the use case?
>
> Matching on countries and (possibly) blocking them. People have
> philosophized in the past whether (or not) it could use ipset;
> right now it uses a binary search over ipranges, which is at least
> a known good denominator.
Evgeniy submitted an updated version, I think we already discussed
everything there (IIRC you followed that discussion). A u32 based
replacement would be the preferred choice, and also a nice precedent
that not every userspace match necessarily needs a corresponding
kernel module.
>> - ipp2p - last version I've seen was a *horrible* mess, unless I'm
>> confusing it with the other l7 classifier module out there.
>
> It was ugly from a codingstyle pov, which was fixed. It inspects
> packets
>
> xt_ipp2p I gave it some care and a cleanup. it also "works", that is, it
> matches on bittorrent (something I could test), not all
> (data) connections though, but I guess the control connections are in.
Just send it to netfilter-devel. If its the thing with lots
of hard-coded binary matches full of magic values I'm not
interested :) I'd be more interested in a discussion what
would be necessary to represent all those matches through
the FSM textsearch match or something similar.
next prev parent reply other threads:[~2008-07-23 23:21 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-27 17:54 POM Xtables??? Dave
2008-06-27 18:58 ` Jan Engelhardt
2008-06-27 20:08 ` Dave
2008-06-27 21:16 ` Jan Engelhardt
2008-06-29 2:20 ` Grant Taylor
2008-06-30 16:04 ` Dave
2008-06-30 16:20 ` Patrick McHardy
2008-06-30 20:46 ` Jan Engelhardt
2008-06-30 20:52 ` Patrick McHardy
2008-07-01 9:43 ` Jozsef Kadlecsik
2008-07-01 9:46 ` Patrick McHardy
2008-07-01 11:38 ` Jan Engelhardt
2008-07-01 11:43 ` Patrick McHardy
2008-07-01 11:50 ` Jan Engelhardt
2008-07-01 11:57 ` Patrick McHardy
2008-07-01 14:05 ` Grant Taylor
2008-07-01 14:10 ` Patrick McHardy
2008-07-01 14:27 ` Grant Taylor
2008-07-01 14:34 ` Patrick McHardy
2008-07-01 14:30 ` Jan Engelhardt
2008-07-23 20:19 ` Jan Engelhardt
2008-07-23 23:21 ` Patrick McHardy [this message]
2008-07-24 8:31 ` James King
2008-07-24 9:21 ` Pablo Neira Ayuso
2008-07-24 9:43 ` Patrick McHardy
2008-08-15 8:17 ` James King
2008-08-19 11:35 ` Brent Clark
2008-08-15 8:48 ` James King
2008-06-30 21:11 ` Jozsef Kadlecsik
2008-06-30 21:47 ` Jan Engelhardt
2008-07-01 10:00 ` Jozsef Kadlecsik
2008-07-01 11:19 ` Jan Engelhardt
2008-06-30 20:18 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4887BCE0.2050902@trash.net \
--to=kaber@trash.net \
--cc=finalglide@gmail.com \
--cc=jengelh@medozas.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox