Re: [PATCH 2/2] Addrtype match extension: limit addrtype check on the packet's interface

Patrick McHardy wrote:
Laszlo Attila Toth wrote:
+static bool match_v1(const struct sk_buff *skb,
           const struct net_device *in, const struct net_device *out,
           const struct xt_match *match, const void *matchinfo,
           int offset, unsigned int protoff, bool *hotdrop)
 {
     const struct ipt_addrtype_info *info = matchinfo;
     const struct iphdr *iph = ip_hdr(skb);
+ const struct net_device *limit_dev = (info->flags & IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;
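Review bot: `limit_dev` is derived from `in` alone, but `in` is NULL on the LOCAL_OUT and POST_ROUTING hooks, so a rule carrying IPT_ADDRTYPE_LIMIT_IFACE loaded there silently degrades to an unrestricted lookup instead of being rejected; either refuse the flag for those hooks in the checkentry callback using its hook mask, or pick `in` for source-address and `out` for destination-address checks. The added line also runs well past 80 columns; wrap the conditional onto a second line.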


> The match can be used on any hook; using the incoming interface
> is a bit inflexible. How about using the incoming interface for
> src-address and outgoing interface for destination address matches?

But what happens when I use only dst-type in the rule in the INPUT chain?

I think in the INPUT chain the incoming interface with the dst-type and in the OUTPUT chain the outgoing interface with the src-type parameter could be used. And what should I check in the other 3 chains? In FORWARD it seems pointless to allow the limit-iface option.

> Alternatively add two flags to specify which device to use. You'll
> need to add proper checks of course to make sure the interface is
> valid for the hook the match is used in.

Hm, I need a hooknum parameter in the match function which exists only in the target functions.


--
Attila
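The two-flag design Patrick sketches above (one flag per direction, plus a load-time check that the chosen device actually exists on the hooks the rule is installed in) can be demonstrated outside the kernel. The following is an added example written for this thread, not code from the patch or from the netfilter tree: the flag names ADDRTYPE_LIMIT_IFACE_IN/OUT, their bit values, the `struct dev` stand-in for `struct net_device`, and the function names are assumptions; the hook numbers and the rule "`in` is NULL in LOCAL_OUT/POST_ROUTING, `out` is NULL in PRE_ROUTING/LOCAL_IN" follow the kernel's netfilter behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 netfilter hook numbers (same values the kernel uses). */
enum {
    HOOK_PRE_ROUTING  = 0,
    HOOK_LOCAL_IN     = 1,
    HOOK_FORWARD      = 2,
    HOOK_LOCAL_OUT    = 3,
    HOOK_POST_ROUTING = 4
};

/* Hypothetical per-direction flags (the page only shows the single
 * IPT_ADDRTYPE_LIMIT_IFACE); names and bit values are assumptions. */
#define ADDRTYPE_LIMIT_IFACE_IN  0x04
#define ADDRTYPE_LIMIT_IFACE_OUT 0x08

/* Hooks on which the kernel passes a non-NULL `in` / `out` device. */
#define HOOKS_WITH_IN  ((1u << HOOK_PRE_ROUTING) | (1u << HOOK_LOCAL_IN)  | (1u << HOOK_FORWARD))
#define HOOKS_WITH_OUT ((1u << HOOK_FORWARD)     | (1u << HOOK_LOCAL_OUT) | (1u << HOOK_POST_ROUTING))

/* Minimal stand-in for struct net_device. */
struct dev { const char *name; };

/* Load-time (checkentry-style) validation: reject a rule whose limit flag
 * names a device that is NULL on at least one hook in hook_mask. This is
 * the "proper check" Patrick asks for; without it the match would silently
 * run with limit_dev == NULL and match far more than the admin intended. */
bool limit_flags_valid(unsigned int flags, unsigned int hook_mask)
{
    if ((flags & ADDRTYPE_LIMIT_IFACE_IN) && (hook_mask & ~HOOKS_WITH_IN))
        return false;
    if ((flags & ADDRTYPE_LIMIT_IFACE_OUT) && (hook_mask & ~HOOKS_WITH_OUT))
        return false;
    return true;
}

/* Match-time selection of the device that scopes the address-type lookup.
 * Only reached for rules that passed limit_flags_valid(), so the chosen
 * pointer is guaranteed non-NULL on every hook the rule lives in. */
const struct dev *pick_limit_dev(unsigned int flags,
                                 const struct dev *in, const struct dev *out)
{
    if (flags & ADDRTYPE_LIMIT_IFACE_IN)
        return in;
    if (flags & ADDRTYPE_LIMIT_IFACE_OUT)
        return out;
    return NULL;            /* no limiting requested: global lookup */
}

/* Behaviour of the posted patch for comparison: `in` or nothing. */
const struct dev *pick_limit_dev_v1(bool limit_iface, const struct dev *in)
{
    return limit_iface ? in : NULL;
}

int main(void)
{
    const struct dev eth0 = { "eth0" }, eth1 = { "eth1" };

    /* OUTPUT chain: the kernel hands the match in = NULL, out = eth1. */
    const struct dev *v1 = pick_limit_dev_v1(true, NULL);
    printf("v1 patch in OUTPUT: limit_dev = %s\n", v1 ? v1->name : "NULL (limit lost)");

    /* Two-flag variant: the same rule is refused at load time instead. */
    printf("LIMIT_IFACE_IN on OUTPUT accepted? %s\n",
           limit_flags_valid(ADDRTYPE_LIMIT_IFACE_IN, 1u << HOOK_LOCAL_OUT) ? "yes" : "no");
    printf("LIMIT_IFACE_OUT on OUTPUT accepted? %s\n",
           limit_flags_valid(ADDRTYPE_LIMIT_IFACE_OUT, 1u << HOOK_LOCAL_OUT) ? "yes" : "no");

    /* FORWARD has both devices, so either flag is usable there. */
    const struct dev *d = pick_limit_dev(ADDRTYPE_LIMIT_IFACE_OUT, &eth0, &eth1);
    printf("FORWARD, LIMIT_IFACE_OUT: limit_dev = %s\n", d ? d->name : "NULL");
    return 0;
}
```

The hook mask check is the important half: the match function itself has no hook number (as Attila notes), so the only place to guarantee that `in` or `out` is non-NULL is the rule-load path, where the hook mask is available.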
