Re: state match is obsolete 1.4.17

On Tue, 15 Jan 2013, Jan Engelhardt wrote:

> On Tuesday 2013-01-15 14:22, Jozsef Kadlecsik wrote:
> >> 
> >> state is currently aliased and translated to conntrack in iptables
> >> if the kernel has it. No scripts are broken.
> >> 
> >> If the aliasing is done in userspace, the kernel part can be removed -
> >> someday maybe.
> >
> >The aliasing is already done in userspace. One types in "state" and it's 
> >converted into "conntrack" and that is then sent to the kernel. (So as far 
> >as I see if the ipt_state, etc module aliases were added to the conntrack 
> >module, even the state kernel module could be removed.)
> 
> The module aliases were added because the module in fact (still) supports
> the "state" extension by that name.

No, please don't "still". It implies "for a while, then it won't".
 
> >However I suggest to delete the obsolete warnings completely from iptables 
> >and let these cases silently be handled as aliases.
> 
> Then users will complain about spooky action at a distance.
> (silent changing of rules) - not a great perspective either.
> The obsolescence warning is an important part of documenting
> changed behavior, and you really really do not want to take
> that away from users.

With passing one more internal flag, indicating that the "state" alias is 
used, the "conntrack" module can remain completely hidden and the user can 
list/save exactly the same command as the issued one.

I do not want to take away the "state" match at all from the users, and 
don't want it to be tainted by a warning either. This is a basic match 
used everywhere and there's no point in forcing everyone to use a new 
syntax.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
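
The thread turns on the equivalence between `-m state --state ...` and `-m conntrack --ctstate ...`. As an added example (not part of the original message and not iptables code), this Python script rewrites `iptables-save` output to the conntrack spelling and reports which lines changed. The function names and the sample ruleset are constructed for illustration.

```python
import re

# Names accepted by the legacy "state" match; each is also a valid --ctstate value.
STATE_NAMES = {"INVALID", "NEW", "ESTABLISHED", "RELATED", "UNTRACKED"}

# "-m state [!] --state LIST" in the form iptables-save writes it.
STATE_RE = re.compile(r"-m\s+state\s+(?P<neg>!\s+)?--state\s+(?P<states>\S+)")

def to_conntrack(rule):
    """Rewrite every state match in one rule line; return (new_rule, changed)."""
    def repl(match):
        states = match.group("states")
        unknown = [s for s in states.split(",") if s not in STATE_NAMES]
        if unknown:
            # Refuse to guess: an unexpected token means the line needs review.
            raise ValueError("unknown state(s) %s in: %s" % (unknown, rule))
        neg = "! " if match.group("neg") else ""
        return "-m conntrack %s--ctstate %s" % (neg, states)

    new_rule, count = STATE_RE.subn(repl, rule)
    return new_rule, count > 0

def convert_ruleset(dump):
    """Convert an iptables-save dump; return (new_dump, changed_line_numbers)."""
    out, changed = [], []
    for lineno, line in enumerate(dump.splitlines(), 1):
        # Only rule lines are touched; table, chain, COMMIT and comment lines
        # pass through. Text inside a --comment string is not special-cased.
        if line.startswith("-A "):
            line, hit = to_conntrack(line)
            if hit:
                changed.append(lineno)
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state ! --state INVALID -j LOG
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    converted, lines = convert_ruleset(SAMPLE)
    print(converted, end="")
    print("# rewritten lines:", lines)
```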