Hi,

On Fri, Jul 27, 2018 at 11:48:18AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 27, 2018 at 12:22:40AM +0200, Phil Sutter wrote:
> > Reverse IP address lookups may take a long time, something that's not
> > expected from {ip,ip6,eb,arp}tables-save. Moreover, due to lack of an
> > appropriate commandline option, it is not even avoidable for users.
> >
> > Setting FMT_NUMERIC by default comes with a drawback, though: Things
> > which may be represented by human-readable name without introducing any
> > significant delay (such as e.g. opcode in arptables output) will be
> > printed by numeric value as well. Sadly, trying to fix this by
> > introducing a FMT_NORESOLVE bit turns things into a mess since e.g.
> > 'print' callback of struct xtables_match receives only the numeric flag
> > via parameter, not a full format variable.
>
> -save doesn't print names / it doesn't do reverse IP address lookups.
>
> What am I missing here?

Oh, I see! I noticed the problem when testing arptables-save and assumed
it would happen for the others as well. Apparently I was wrong:
ip{,6}tables-save use dedicated routines for printing the rule, for
extensions a callback named 'save' is used instead of the 'print' one for
regular output. In ebtables-save, the problem doesn't exist at all since
IP addresses occur only in extensions and none of them do reverse lookups
(actually, none of them seems to respect the 'numeric' parameter in the
first place).

So this is a bug in my arptables-save implementation: Code is shared
between 'print_rule' and 'save_rule' family op callbacks and I missed
that both callbacks should divert in this aspect. That's easy to fix,
I'll just arrange for FMT_NUMERIC to be set in 'save_rule' case.

For arptables extensions (there are only two), I have two options:

A) Write a 'save' callback which doesn't do the reverse lookup.
B) Align code with ebtables and simply never attempt to resolve addresses.

While A) requires slightly more effort, B) will disable reverse lookups
in mangle extension for regular 'arptables -L' output.

What do you prefer?

Thanks, Phil
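The fix Phil describes for the shared 'print_rule'/'save_rule' code, as an added, self-contained model (not iptables code): both family ops call one formatter, but the save path ORs in a numeric flag so the slow reverse lookup can never run. FMT_NUMERIC, the call counter and the fake resolver are local constructs of this example, not libxtables definitions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define FMT_NUMERIC 0x01   /* local stand-in for the flag discussed above */

static int resolve_calls;  /* how often the (potentially slow) lookup ran */

/* Stand-in for a reverse DNS lookup: constructed name, no network I/O. */
static const char *reverse_lookup(uint32_t addr, char *buf, size_t len)
{
    resolve_calls++;
    snprintf(buf, len, "host-%u", ntohl(addr) & 0xff);
    return buf;
}

/* Address formatter: numeric when asked, otherwise resolve a name. */
static const char *format_addr(uint32_t addr, unsigned int format,
                               char *buf, size_t len)
{
    struct in_addr in = { .s_addr = addr };
    if (format & FMT_NUMERIC)
        return inet_ntop(AF_INET, &in, buf, (socklen_t)len);
    return reverse_lookup(addr, buf, len);
}

/* Code shared between both family ops, as in the arptables-save case. */
static void rule_to_text(uint32_t src, unsigned int format,
                         char *out, size_t len)
{
    char a[INET_ADDRSTRLEN + 16];
    snprintf(out, len, "-s %s", format_addr(src, format, a, sizeof a));
}

/* 'print_rule' op (regular -L output): honours the caller's format. */
void print_rule(uint32_t src, unsigned int format, char *out, size_t len)
{
    rule_to_text(src, format, out, len);
}

/* 'save_rule' op (-save output): force FMT_NUMERIC regardless of caller. */
void save_rule(uint32_t src, unsigned int format, char *out, size_t len)
{
    rule_to_text(src, format | FMT_NUMERIC, out, len);
}

int resolver_calls(void) { return resolve_calls; }

int main(void)
{
    char line[64];
    uint32_t src = htonl(0xc0a80001);  /* 192.168.0.1, constructed */
    save_rule(src, 0, line, sizeof line);  puts(line);  /* -s 192.168.0.1 */
    print_rule(src, 0, line, sizeof line); puts(line);  /* -s host-1 */
    return 0;
}
```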