Jan Engelhardt wrote:
> On Saturday 2008-10-04 03:22, James King wrote:
> > I've re-written xt_layer7 (l7-filter) so that it no longer requires
> > patching of the nf_conn structure for data storage, using ct_extend
> > instead, with the goal that it can eventually be used against a
> > vanilla kernel with an unpatched iptables.
> I had the same idea too a while back but put off on it - busy with
> other iptables things :)
> Right now, you still cannot use it with a vanilla kernel because
> patches like #3 you attached enlarge the allocated region (remember,
> NF_CT_EXT_NUM just increased by one!), which is going to be a big
> impact {for users not using all the extensions} {if every imaginable
> extension adds itself a NF_CT_EXT_ number}.
> Can someone think of a way to nicely fix this up? Like, a linked
> list instead of the ct_extend[] array perhaps? Yes yes, that's not O(1),
> but how many extensions at a time are you using anyway!
That would have a pretty big storage and runtime impact, I
don't think it's a good idea.
I think I could agree to add something like a NF_CT_EXT_LIST
extensions that wouldn't be used by mainline, but you could
use it for xtables-addons. There's some padding in nf_ct_ext
so it would (currently) not have any negative impact on mainline.
I haven't spent much thought on this so it might not work though.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html