Re: [PATCH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

On Tue, Jun 21, 2016 at 09:35:55AM +0800, Liping Zhang wrote:
> Hi Marcelo,
> 
> 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>:
> >
> > A different check/log is made for ip6:
> > nf_reject_ip6_tcphdr_get():
> >         /* IP header checks: fragment, too short. */
> >         if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) {
> >                 pr_debug("proto(%d) != IPPROTO_TCP or too short (len = %d)\n",
> >                          proto, *otcplen);
> >                 return NULL;
> >         }
> >
> > Would be nice to have some consistency on this log message as it
> > increases debug-ability.
> >
> 
> Thanks for your opinion.
> 
> But you can see, there are many inconsistent things between
> nf_reject_ip6_tcphdr_get and nf_reject_ip_tcphdr_get.

That's true, yet sooner or later we can catch up on the differences.

> 
> For example, when tcp->rst is set, reject_ip6 will call
> pr_debug("RST is set\n"), while there's nothing in reject_ip4.
> 
> IMO, this debug information is almost useless, so there's
> no need to add this debug info only for consistency with nf_reject_ip6.

Fair enough. Although I made the comment, I don't have a strong opinion
on this.

Thanks,
Marcelo
