On 02.03, Pablo Neira Ayuso wrote: > Currently, we have four xtables extensions that cannot be used from the > xt over nft compat layer. The problem is that they need real access to > the full blown xt_entry to validate that the rule comes with the right > dependencies. This check was introduced to overcome the lack of > sufficient userspace dependency validation in iptables. > > To resolve this problem, this patch introduces a new field to the > xt_tgchk_param structure that tell us if the target is executed from > nft_compat context. > > The four affected extensions are: > > 1) CLUSTERIP, this target has been superseded by xt_cluster. So just > bail out by returning -EINVAL. > > 2) TCPMSS. Relax the checking when used from nft_compat and make sure > that we skip !syn packets in case userspace provides a wrong > configuration. > > 3) SYMPROXY6. Don't check for e->ipv6.flags, we can instead check > for e->ipv6.proto as other extensions do, if zero then it doesn't > fulfill the dependency. But we don't perform a protocol match in ip6_tables if the IP6T_F_PROTO flag is not given. ip6_tables differs from ip_tables in this regard. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html