From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Patrick McHardy <kaber@trash.net>
Cc: Jan Engelhardt <jengelh@medozas.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 4/4] netfilter: xtables: schedule xt_state for removal
Date: Thu, 25 Mar 2010 11:17:38 +0100 (CET)
Message-ID: <alpine.DEB.2.00.1003251109190.21938@blackhole.kfki.hu>
In-Reply-To: <4BAB359F.6030308@trash.net>

On Thu, 25 Mar 2010, Patrick McHardy wrote:

> Jan Engelhardt wrote:
> > On Wednesday 2010-03-24 16:02, Patrick McHardy wrote:
> >> Jan Engelhardt wrote:
> >>> xt_conntrack has been provided since v2.5.32.
> >>>   
> >> I'm fine with the removal of old revisions, but how are you planning on
> >> informing users about removal of this module? Most people don't read
> >> feature-removal-schedule, and distributions are unable to help with
> >> user written scripts.
> > 
> > I would suggest to do the same as we did with disallowing DROP in the 
> > nat table:
> > 
> >  - a message printed by iptables whenever -m state is used
> > 
> >  - a kernel message whenever a rule with xt_state is created
> > 
> > We did not actually do the kernel side with nat-prohibit-DROP, but I
> > regard it as very useful, as the community was very much able to help
> > itself if only they got the word - and it turned out that dmesg is
> > _the_ place people look in especially when they don't supervise
> > iptables output directly, as with, for example, boot splash where
> > messages are hidden, or server/router devices that one tends to
> > forget about.
> 
> Yes, a kernel message sounds fine and less annoying than an
> iptables message since we can limit it to print only once.
> 
> I'm not really convinced of removing state though, it has never
> caused any maintenance overhead, it requires a lot less memory
> than xt_conntrack and it seems more intuitive to write "-m state"
> than "-m conntrack --ctstate" to me.

I oppose the removal of xt_state, *unless* the userspace "-m state" is 
kept working and the conntrack module automatically supports it.

It's such a basic match that it's simply overkill to remove it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
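A migration helper for the user-written scripts the thread worries about, added here as an example and not part of the mail thread: it rewrites the deprecated xt_state match into the xt_conntrack form discussed above and counts any rules left untouched. The ruleset is constructed sample input in iptables-save format.

```shell
#!/bin/sh
# Added example (not from the thread): convert "-m state --state X" rules to
# "-m conntrack --ctstate X" so a saved ruleset keeps loading once xt_state
# is gone. The state list after --state is copied verbatim because --ctstate
# accepts the same NEW/ESTABLISHED/RELATED/INVALID names.

# Rewrite the deprecated match in-place; an optional "! " negation marker
# between the match name and --state is preserved.
migrate_state_rules() {
    sed -E 's/-m state (! )?--state /-m conntrack \1--ctstate /g'
}

# Count rules that still reference xt_state. Run it on the migrated output
# before handing it to iptables-restore; the expected result is 0.
count_state_rules() {
    grep -c -- '-m state ' || true
}

# Constructed sample ruleset mixing both match syntaxes.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Show the migrated ruleset and the remaining xt_state count.
printf '%s\n' "$SAMPLE_RULES" | migrate_state_rules
printf 'xt_state rules left: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | migrate_state_rules | count_state_rules)"
```

To migrate a live box, feed `iptables-save` into `migrate_state_rules`, inspect the result, and load it with `iptables-restore`; rules that already use `-m conntrack` pass through unchanged.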
