Hi Pablo,

On Wed, Jan 7, 2015 at 7:56 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> 1) strict type checking in the dump case (for the ctnetlink_filter
> object), instead of relying on the generic void * to keep the
> ct_iterate happy. It adds a bit more code but I prefer it like this.
>
> 2) Explicitly reject mark filters when marks are not supported. This
> changes the previous behaviour, but I think this is good to have so
> userspace knows that what it is requesting is not supported (instead of
> silently ignoring it).
>
> 3) add helper function to allocate the filter object, so this always
> needs explicit release.
>
> Please, have a look at it and let me know if you're fine with it. I'll
> pass it to net-next (upcoming 3.20).

Thank you for making the improvements, the patch looks a lot better now!

I only have one question/comment. What is the reason behind adding the ctnl_flush_filter()? Isn't it enough to have ctnetlink_filter() return 1 in case of match and 0 otherwise? At least, the way I think, it makes more sense when I read the code that if this function returns false, we should ignore the conntrack entry due to no match. So the check in ctnetlink_dump_table() should read !ctnetlink_filter().

In addition, there is a small typo in the commit log. In the last paragraph it says ctnetlink_apply_filter(). After your changes, it is just called ctnetlink_filter().

Thanks again for your help.

-Kristian