Re: Support NAT-ed expect entries from user space

BORBELY Zoltan wrote:
On Tue, Jun 17, 2008 at 12:43:37AM +0200, Patrick McHardy wrote:
I understand that, the expectation part looks like a subset of what
a helper module does though, with the only differences that a helper
might want to queue the packet. And since expectfn setup also doesn't
belong in nf_conntrack_netlink.c (especially not NAT related expectfns),
this is how I think it should be done.

I attached a new version of the expect setup patch. I think it's general
enough to include in the kernel. What's your opinion? The saved_ip
field is only used by the nf_nat_sip and nf_nat_h323 helpers, we only
need it if we want to set expectfn of our choice.

+++ linux/net/netfilter/nf_conntrack_netlink.c 2008-06-23 17:00:26.000000000 +0200
+#ifdef CONFIG_NF_NAT_NEEDED
+	if (cda[CTA_EXPECT_NAT]) {
+		exp->expectfn = nf_nat_follow_master;
+		err = nla_parse_nested(tb, CTA_EXPNAT_MAX,
+				       cda[CTA_EXPECT_NAT], NULL);
+		if (err < 0)
+			goto out;
+
+		if (tb[CTA_EXPNAT_SAVED_PROTO])
+			exp->saved_proto.all = nla_get_be16(tb[CTA_EXPNAT_SAVED_PROTO]);
+		if (tb[CTA_EXPNAT_DIRECTION]) {
+			exp->dir = nla_get_u8(tb[CTA_EXPNAT_DIRECTION]);
+			if (exp->dir != IP_CT_DIR_ORIGINAL &&
+			    exp->dir != IP_CT_DIR_REPLY) {
+				err = -EINVAL;
+				goto out;
+			}
+		} else
+			exp->dir = IP_CT_DIR_ORIGINAL;
+	}
+#endif
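Review bot: the nla_parse_nested() call in this hunk passes NULL as the policy, so the nested CTA_EXPNAT_SAVED_PROTO and CTA_EXPNAT_DIRECTION attributes are split out but their payload lengths are never validated before nla_get_be16() and nla_get_u8() read them; a short or empty attribute sent from user space is accepted and the getters read bytes beyond the attribute's own payload. Suggest defining a nla_policy for the nested set, e.g. `[CTA_EXPNAT_SAVED_PROTO] = { .type = NLA_U16 }` and `[CTA_EXPNAT_DIRECTION] = { .type = NLA_U8 }`, and passing it in place of NULL so that malformed requests are rejected with -EINVAL inside the parser, matching the explicit range check already done on exp->dir a few lines further down.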

As I said previously, NAT related things don't belong in
nf_conntrack_netlink.c. The existing ones should be moved
out since they add module dependencies that are simply wrong
(conntrack should *never* depend on NAT).

This patch also adds an interface that is too specialized
for your use case instead of doing it in a way that is
generically useful, which would mean at least providing
helper private expectfn selection. The expectfn selection
should probably use the expectation classes, although I'm
open to being convinced otherwise.


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
