On Sun, Aug 21, 2011 at 12:25 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > > [oh, the mailing list daemon seems unresponsive for I have not > received the 2nd copy, and neither did the web crawlers...] > > No, I goofed and sent html, which it kicked back. > On Saturday 2011-08-20 23:40, Dave Taht wrote: > > >I keep seeing inversion match fixes go by on this version of iptables. I ran > >across one also, on the port to cerowrt of this version of iptables, in the > >"dscp" tables matches. > > > >http://www.bufferbloat.net/issues/216#note-48 > > > >but have not poked into it further (am travelling). Fixed? > > This is unfortunate indeed, but somewhat owed to the fact that this was > not encoded reliably previously, in other words, negations were > sometimes erroneously allowed as each match checked for this themselves. > > With the move to the Guided Option Parser, negation became centrally > checked and thus needs to be explicit mentioned. With the initial > conversion to GOP, I may have missed adding XTOPT_INVERT in some cases > because of that repetitive action. > > Yeah, there are other extensions (xt_dccp) that I have come across in my > audit sweep of all extensions so far. I saw the fixes to dccp go by today, but where I'd hit the problem was with the 'dscp' matches. I have a test implementation of diffserv ( https://github.com/dtaht/Diffserv ) where a quick test against this release of iptables showed the inversion regression as per the above bug note... regrettably I'm away from a build machine, internet, etc for a few more days. -- Dave Täht SKYPE: davetaht US Tel: 1-239-829-5608 http://the-edge.blogspot.com -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
