On Mon, Feb 09, 2004 at 02:49:43PM -0800, Mike Mestnik wrote:
> Are there any plans to add this to the patch-o-matic? If nothing else
> could you put a link on your links page.

Since the original authors of l7-filter never contacted us, we didn't know about their project at all. In fact, you are the first one mentioning it to me, and I'm now reading through their source.

Although I'm not a fan of doing stuff like this inside the kernel, I think it is still a valid candidate for patch-o-matic (ng). However, this is up to the original software authors.

A couple of comments:

- put all the new struct ip_conntrack members into a separate sub-structure (like the 'nat' and 'helper' substructures do)
- think about type usage. Use unsigned int for stuff like numpackets, since it is not likely to become negative ;)
- Adhere to CodingStyle (tab-width indent, ...)
- use arch-independent types in ipt_childlevel_info, or it will break on sparc64 and other archs
- don't put regexp.c/ressub.c into linux/include/linux/regexp. This belongs together with the iptables module
- Add sufficient GPL notices to every
- Please decouple the 'childlevel' match and submit it separately. We could even submit it to the kernel soon.
- I can't see any locking in your code, and I don't think it's SMP safe

One additional question:

- Did you consider basing your work on top of libqsearch? (http://www.cartel-securite.fr/pbiondi/libqsearch.html) libqsearch is IMHO the preferred (and already existing and widely deployed, even in commercial products) way of doing pattern matching inside the kernel.

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie