On Fri, Jul 27, 2018 at 01:28:21PM +0200, Phil Sutter wrote:
> Hi,
>
> On Fri, Jul 27, 2018 at 11:48:18AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Jul 27, 2018 at 12:22:40AM +0200, Phil Sutter wrote:
> > > Reverse IP address lookups may take a long time, something that's not
> > > expected from {ip,ip6,eb,arp}tables-save. Moreover, due to lack of an
> > > appropriate commandline option, it is not even avoidable for users.
> > >
> > > Setting FMT_NUMERIC by default comes with a drawback, though: Things
> > > which may be represented by human-readable name without introducing any
> > > significant delay (such as e.g. opcode in arptables output) will be
> > > printed by numeric value as well. Sadly, trying to fix this by
> > > introducing a FMT_NORESOLVE bit turns things into a mess since e.g.
> > > 'print' callback of struct xtables_match receives only the numeric flag
> > > via parameter, not a full format variable.
> >
> > -save doesn't print names / it doesn't do reverse IP address lookups.
> >
> > What am I missing here?
>
> Oh, I see! I noticed the problem when testing arptables-save and assumed
> it would happen for the others as well. Apparently I was wrong:
>
> ip{,6}tables-save use dedicated routines for printing the rule, for
> extensions a callback named 'save' is used instead of the 'print' one
> for regular output.
>
> In ebtables-save, the problem doesn't exist at all since IP addresses
> occur only in extensions and none of them do reverse lookups (actually,
> none of them seems to respect the 'numeric' parameter in the first
> place).
>
> So this is a bug in my arptables-save implementation: Code is shared
> between 'print_rule' and 'save_rule' family op callbacks and I missed
> that both callbacks should divert in this aspect. That's easy to fix,
> I'll just arrange for FMT_NUMERIC to be set in 'save_rule' case.
>
> For arptables extensions (there are only two), I have two options:
>
> A) Write a 'save' callback which doesn't do the reverse lookup.
> B) Align code with ebtables and simply never attempt to resolve
>    addresses.
>
> While A) requires slightly more effort, B) will disable reverse lookups
> in mangle extension for regular 'arptables -L' output. What do you
> prefer?

Simpler to align code with ebtables, I mean B). We can have a look at A)
in the midrun it helps us consolidate code.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html