Hi Pablo,

2016-06-23 19:11 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
>> -static int cpu_mt_check(const struct xt_mtchk_param *par)
>> -{
>> - const struct xt_cpu_info *info = par->matchinfo;
>> -
>> - if (info->invert & ~1)
>> - return -EINVAL;
>> - return 0;
>> -}
>
> This trick is there so we can convert info->invert to info->flags in
> the future without a new revision (given the binary interface did not
> change). I'm not convinced there is much of benefit from getting rid
> of this little extra _check() code that runs from the control plane
> path.
>

Thanks for pointing this out. At my first glance, I thought this _check was tricky and a little ugly, so I tried to remove it and sent this patch.

As you said, if we add new flags in the future, for example, if we support a new flag like "iptables -A INPUT -m cpu --cpu 0 --flagXXX": when the user uses the new iptables utility but the kernel is old, currently the kernel will reject this request, because we don't recognize "flagXXX". But with my patch applied, the kernel will just ignore this unknown flag, and this will confuse the user. And adding a new revision seems not worth it.

So I'd rather not apply this patch.

Thanks.
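Review bot: removing cpu_mt_check() drops the only validation of info->invert, so any value other than 0 or 1 handed in by userspace is now accepted silently instead of being rejected with -EINVAL; that check is cheap, runs only on the control-plane path, and is what keeps the unused bits reserved so they can later become flags without a new match revision, so the deletion should not go in (at minimum keep `if (info->invert & ~1) return -EINVAL;`).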