Re: [PATCH] netfilter: xtables: remove table restrictions from some modules


 



I'm not sure about the current state.
But there used to be code that would cause a TOS change made in the mangle table
to trigger a reroute.
I'm guessing this wouldn't work if tos was changed from another table.

On Tue, Dec 18, 2012 at 3:07 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
> I cannot think of a reason to limit the use of these modules to the
> "mangle" table or their hooks. TOS/DSCP is not only used to influence
> a routing decision, for example.
>
> Signed-off-by: Jan Engelhardt <jengelh@xxxxxxx>
> ---
>
> Are there any pitfalls I am not aware of?
> Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
> at different places?
>
>
>  net/ipv4/netfilter/ipt_ECN.c   |    1 -
>  net/netfilter/xt_CHECKSUM.c    |    1 -
>  net/netfilter/xt_CLASSIFY.c    |    3 ---
>  net/netfilter/xt_DSCP.c        |    4 ----
>  net/netfilter/xt_HL.c          |    2 --
>  net/netfilter/xt_TCPOPTSTRIP.c |    2 --
>  6 files changed, 13 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
> index 4bf3dc4..5508113 100644
> --- a/net/ipv4/netfilter/ipt_ECN.c
> +++ b/net/ipv4/netfilter/ipt_ECN.c
> @@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
>         .family         = NFPROTO_IPV4,
>         .target         = ecn_tg,
>         .targetsize     = sizeof(struct ipt_ECN_info),
> -       .table          = "mangle",
>         .checkentry     = ecn_tg_check,
>         .me             = THIS_MODULE,
>  };
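Review bot: Dropping `.table = "mangle"` here (and in the CHECKSUM, DSCP/TOS, HL and TCPOPTSTRIP hunks) lets header-rewriting targets be loaded into tables whose rule traversal differs from mangle, and the commit message does not say which of those placements are intended. As far as I recall, the nat table only traverses its rules for the first packet of a connection, so a TOS/DSCP/TTL/ECN rewrite placed there would apply to that one packet and silently not to the rest of the flow, which today is rejected at rule load time instead. A sentence in the commit message such as `Note: the nat table is only traversed for the first packet of a connection, so these targets act on that packet alone when used there.` would document the new behaviour, or the restriction could be narrowed to exclude nat rather than dropped entirely. The ecn_tg_reg initializer starts before this hunk.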
> diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
> index 0f642ef..153d5c3 100644
> --- a/net/netfilter/xt_CHECKSUM.c
> +++ b/net/netfilter/xt_CHECKSUM.c
> @@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
>         .family         = NFPROTO_UNSPEC,
>         .target         = checksum_tg,
>         .targetsize     = sizeof(struct xt_CHECKSUM_info),
> -       .table          = "mangle",
>         .checkentry     = checksum_tg_check,
>         .me             = THIS_MODULE,
>  };
> diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
> index af9c4da..c988093 100644
> --- a/net/netfilter/xt_CLASSIFY.c
> +++ b/net/netfilter/xt_CLASSIFY.c
> @@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
>                 .name       = "CLASSIFY",
>                 .revision   = 0,
>                 .family     = NFPROTO_UNSPEC,
> -               .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
> -                             (1 << NF_INET_POST_ROUTING),
>                 .target     = classify_tg,
>                 .targetsize = sizeof(struct xt_classify_target_info),
>                 .me         = THIS_MODULE,
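Review bot: Removing the `.hooks` mask on the NFPROTO_UNSPEC entry (and on the NFPROTO_ARP entry in the next hunk) allows CLASSIFY in NF_INET_PRE_ROUTING and NF_INET_LOCAL_IN, and the commit message gives no use case for that. skb->priority is, as far as I know, consumed on egress, so a rule on a locally delivered packet would presumably be silently inert rather than rejected at load time as it is today. Either state the intended case (e.g. classifying forwarded traffic in PREROUTING) in the commit message, or keep a mask that only adds the prerouting hook: `.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING),`. The classify_tg_reg array begins and ends outside this hunk.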
> @@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
>                 .name       = "CLASSIFY",
>                 .revision   = 0,
>                 .family     = NFPROTO_ARP,
> -               .hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
>                 .target     = classify_tg,
>                 .targetsize = sizeof(struct xt_classify_target_info),
>                 .me         = THIS_MODULE,
> diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
> index ae82716..0a9ff64 100644
> --- a/net/netfilter/xt_DSCP.c
> +++ b/net/netfilter/xt_DSCP.c
> @@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .checkentry     = dscp_tg_check,
>                 .target         = dscp_tg,
>                 .targetsize     = sizeof(struct xt_DSCP_info),
> -               .table          = "mangle",
>                 .me             = THIS_MODULE,
>         },
>         {
> @@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .checkentry     = dscp_tg_check,
>                 .target         = dscp_tg6,
>                 .targetsize     = sizeof(struct xt_DSCP_info),
> -               .table          = "mangle",
>                 .me             = THIS_MODULE,
>         },
>         {
>                 .name           = "TOS",
>                 .revision       = 1,
>                 .family         = NFPROTO_IPV4,
> -               .table          = "mangle",
>                 .target         = tos_tg,
>                 .targetsize     = sizeof(struct xt_tos_target_info),
>                 .me             = THIS_MODULE,
> @@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .name           = "TOS",
>                 .revision       = 1,
>                 .family         = NFPROTO_IPV6,
> -               .table          = "mangle",
>                 .target         = tos_tg6,
>                 .targetsize     = sizeof(struct xt_tos_target_info),
>                 .me             = THIS_MODULE,
> diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
> index 1535e87..4da5db3 100644
> --- a/net/netfilter/xt_HL.c
> +++ b/net/netfilter/xt_HL.c
> @@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
>                 .family     = NFPROTO_IPV4,
>                 .target     = ttl_tg,
>                 .targetsize = sizeof(struct ipt_TTL_info),
> -               .table      = "mangle",
>                 .checkentry = ttl_tg_check,
>                 .me         = THIS_MODULE,
>         },
> @@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
>                 .family     = NFPROTO_IPV6,
>                 .target     = hl_tg6,
>                 .targetsize = sizeof(struct ip6t_HL_info),
> -               .table      = "mangle",
>                 .checkentry = hl_tg6_check,
>                 .me         = THIS_MODULE,
>         },
> diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
> index 25fd1c4..b42c02e 100644
> --- a/net/netfilter/xt_TCPOPTSTRIP.c
> +++ b/net/netfilter/xt_TCPOPTSTRIP.c
> @@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
>         {
>                 .name       = "TCPOPTSTRIP",
>                 .family     = NFPROTO_IPV4,
> -               .table      = "mangle",
>                 .proto      = IPPROTO_TCP,
>                 .target     = tcpoptstrip_tg4,
>                 .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> @@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
>         {
>                 .name       = "TCPOPTSTRIP",
>                 .family     = NFPROTO_IPV6,
> -               .table      = "mangle",
>                 .proto      = IPPROTO_TCP,
>                 .target     = tcpoptstrip_tg6,
>                 .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> --
> 1.7.10.4
>

