From: "Asbjørn Sloth Tønnesen" <ast@fiberby.dk>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH conntrack 4/5 v2] conntrack: add support for netmask filtering
Date: Tue, 02 Feb 2016 15:55:53 +0000
Message-ID: <1454419553.4393.4@x201s.roaming.asbjorn.biz>
In-Reply-To: <20160201175625.GA2421@salvia>

Hi Pablo,

On Mon, 1 Feb 2016 18:56:25 +0100, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Feb 01, 2016 at 12:17:02PM +0000, Asbjørn Sloth Tønnesen wrote:
> > On Mon, 1 Feb 2016 12:04:23 +0100, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > On Mon, Jan 25, 2016 at 11:15:47AM +0000, Asbjørn Sloth Tønnesen wrote:
> > > > This patch extends --mask-src and --mask-dst to also work
> > > > with the conntrack table, with commands -L, -D, -E and -U.
> > > > 
> > > > Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
> > > > ---
> > > > 
> > > > Notes:
> > > >     This is almost completely backward compatible,
> > > >     since the --mask-* arguments previously gave
> > > >     an error if used with these commands and the
> > > >     conntrack table.
> > > >     
> > > >     I have changed the global_family to filter_family,
> > > >     and it is only used to pass the family to the callback,
> > > >     the alternative would be to change the data argument of
> > > >     the callbacks to a struct.
> > > 
> > > I see changes with regards to previous patchset, now we don't use
> > > cidr. I think this is better since it allows a more compact way.
> > > 
> > > I prefer the cidr-based approach, any reason to drop it?
> > 
> > I decided to split them up in several patchsets, each having its
> > own merits. The netmask and CIDR patches are related, but one is about
> > filtering, and the other about adding some sugar to the option parsing.
> 
> But we don't get anything with this extra option since it's basically
> equivalent to the cidr based filtering, right?

Except backwards compatibility for the expectation table, on the other hand
--mask-* has been broken since August, but that's only v1.4.3 so probably not
long enough to just drop it.

Since the filtering internally uses a bitmask in ct.mask, then keeping the --mask-*
option for all cases is simpler, since it uses the same option flags.

Keeping them also makes it possible to inject funky bitmasks.


-- 
Best regards
Asbjørn Sloth Tønnesen
Network Engineer
Fiberby ApS - AS42541
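
The difference between a CIDR prefix and a free-form --mask-* bitmask discussed in this message, as an added example that is not part of the original mail or of conntrack-tools. It assumes IPv4 and a plain (addr & mask) == (filter & mask) comparison; the helper names and sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not conntrack-tools functions. */
/* Parse dotted-quad text into a host-order 32-bit value; 0 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
	struct in_addr a;
	if (inet_pton(AF_INET, s, &a) != 1)
		return -1;
	*out = ntohl(a.s_addr);
	return 0;
}

/* A CIDR prefix length can only express a contiguous run of leading 1 bits. */
uint32_t cidr_to_mask(unsigned int prefix)
{
	if (prefix == 0)
		return 0; /* avoid the undefined 32-bit shift by 32 */
	return prefix >= 32 ? 0xffffffffu : 0xffffffffu << (32 - prefix);
}

/* Returns the prefix length if mask is contiguous, or -1 if it has holes. */
int mask_to_cidr(uint32_t mask)
{
	uint32_t inv = ~mask; /* contiguous mask => inverse is 2^k - 1 */
	int prefix = 32;
	if (inv & (inv + 1))
		return -1;
	for (; inv; inv >>= 1)
		prefix--;
	return prefix;
}

/* Masked comparison: only bits set in mask take part in the match.
 * Returns 1 on match, 0 on mismatch, -1 if any argument fails to parse. */
int masked_match(const char *addr, const char *filter, const char *mask)
{
	uint32_t a, f, m;
	if (parse_ipv4(addr, &a) || parse_ipv4(filter, &f) || parse_ipv4(mask, &m))
		return -1;
	return (a & m) == (f & m);
}

int main(void)
{
	/* Constructed sample: every ".1" host under 10.0.0.0/16. */
	printf("%d\n", masked_match("10.0.7.1", "10.0.0.1", "255.255.0.255"));
}
```

A mask such as 255.255.0.255 has no prefix-length equivalent, so a filter built from it matches a set of addresses that no single CIDR expression can describe.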
