* Re: [PATCH 0/2] revamped HMARK extension
@ 2012-07-12  7:23 Hans Schillstrom
  0 siblings, 0 replies; 2+ messages in thread
From: Hans Schillstrom @ 2012-07-12  7:23 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

Hi Pablo,
I'm on vacation right now but I will give this a test round today.

>Hi Hans,
>
>I'm taking over your initial HMARK extension for iptables and took the freedom
>to revamp it.
>
>It now provides a shortcut for easy configuration:
>
>iptables -I PREROUTING -t mangle -j HMARK \
>	--hmark-tuple src,dst,proto \
>	--hmark-mod 2 \
>	--hmark-rnd 0xfeedcafe
        --hmark-offs 0x100

I think offset is more important, i.e. when doing policy routing you can't normally
start at table 0.

The --hmark-tuple looks real good, much easier to use!

>
>Where --hmark-tuple can be src,dst,proto,sport,dport,spi,ct
>
>Of course, you cannot set spi and sport/dport at the same time and ct must be
>used all alone.
>
>You can still use the advanced options for fine tweaking --hmark-*-prefix
>and --hmark-*-mask.
>
>I also needed to add some new functions to libxtables to obtain the network
>prefix a.k.a CIDR notation. Also reworked xtables_ip[6]mask_to_numeric.
>Frankly, I think they now look better from the string handling perspective.
>
>Note that the --hmark-rnd and --hmark-mod are mandatory. Specifically, I don't
>want any assumption on --hmark-rnd, users are lazy, they don't set what is not
>mandatory (and I believe this parameter is important).

As I wrote, offset is important and should be mandatory.
Random has a default value, I don't think it should be mandatory.

>
>Please, test and report any issue with this asap. I'd like to integrate this
>into iptables' master branch by when 3.5 is out so people upgrading to that
>kernel can enjoy it.

I'll be back with a test result later today.

>I'm respecting your authorship in the HMARK extension, as you started this
>code.
>
>You can also find these two patches in the hmark branch of the iptables git tree.
>
>Hans Schillstrom (1):
>  extensions: add HMARK target
>
>Pablo Neira Ayuso (1):
>  libxtables: add xtables_ip[6]mask_to_cidr
>
> extensions/libxt_HMARK.c           |  441 ++++++++++++++++++++++++++++++++++++
> extensions/libxt_HMARK.man         |   60 +++++
> include/linux/netfilter/xt_HMARK.h |   50 ++++
> include/xtables.h.in               |    2 +
> libxtables/xtables.c               |   33 ++-
> 5 files changed, 577 insertions(+), 9 deletions(-)
> create mode 100644 extensions/libxt_HMARK.c
> create mode 100644 extensions/libxt_HMARK.man
> create mode 100644 include/linux/netfilter/xt_HMARK.h
>
>-- 
>1.7.10



* [PATCH 0/2] revamped HMARK extension
@ 2012-07-10 23:17 pablo
  0 siblings, 0 replies; 2+ messages in thread
From: pablo @ 2012-07-10 23:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Hans Schillstrom

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi Hans,

I'm taking over your initial HMARK extension for iptables and took the freedom
to revamp it.

It now provides a shortcut for easy configuration:

iptables -I PREROUTING -t mangle -j HMARK \
	--hmark-tuple src,dst,proto \
	--hmark-mod 2 \
	--hmark-rnd 0xfeedcafe

Where --hmark-tuple can be src,dst,proto,sport,dport,spi,ct

Of course, you cannot set spi and sport/dport at the same time and ct must be
used all alone.

You can still use the advanced options for fine tweaking --hmark-*-prefix
and --hmark-*-mask.

I also needed to add some new functions to libxtables to obtain the network
prefix a.k.a CIDR notation. Also reworked xtables_ip[6]mask_to_numeric.
Frankly, I think they now look better from the string handling perspective.

Note that the --hmark-rnd and --hmark-mod are mandatory. Specifically, I don't
want any assumption on --hmark-rnd, users are lazy, they don't set what is not
mandatory (and I believe this parameter is important).

Please, test and report any issue with this asap. I'd like to integrate this
into iptables' master branch by when 3.5 is out so people upgrading to that
kernel can enjoy it.

I'm respecting your authorship in the HMARK extension, as you started this
code.

You can also find these two patches in the hmark branch of the iptables git tree.

Hans Schillstrom (1):
  extensions: add HMARK target

Pablo Neira Ayuso (1):
  libxtables: add xtables_ip[6]mask_to_cidr

 extensions/libxt_HMARK.c           |  441 ++++++++++++++++++++++++++++++++++++
 extensions/libxt_HMARK.man         |   60 +++++
 include/linux/netfilter/xt_HMARK.h |   50 ++++
 include/xtables.h.in               |    2 +
 libxtables/xtables.c               |   33 ++-
 5 files changed, 577 insertions(+), 9 deletions(-)
 create mode 100644 extensions/libxt_HMARK.c
 create mode 100644 extensions/libxt_HMARK.man
 create mode 100644 include/linux/netfilter/xt_HMARK.h

-- 
1.7.10
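
The option semantics discussed in this thread (the --hmark-tuple field list and its two exclusivity rules, a mandatory --hmark-rnd seed, --hmark-mod, and the --hmark-offs base Hans asks for) as a small runnable model. This is an added example, not code from iptables, the kernel module, or either author; the function names are hypothetical, the packet is a constructed sample, and the hash is a keyed BLAKE2b stand-in rather than the kernel's own hash, so only the option rules and the `(hash % mod) + offs` mark arithmetic are being illustrated.

```python
# Added example (not iptables' or the kernel's own code): a model of the
# HMARK option semantics described in the cover letter.  The hash is a
# stand-in (keyed BLAKE2b), NOT the kernel's hash function; the tuple
# rules, mod and offset arithmetic are what the thread describes.
import hashlib
import ipaddress
import struct

# Field names taken from the cover letter's list of --hmark-tuple values.
VALID_FIELDS = ("src", "dst", "proto", "sport", "dport", "spi", "ct")


def tuple_error(spec):
    """Return None if a --hmark-tuple value is acceptable, else the reason."""
    fields = [f.strip() for f in spec.split(",") if f.strip()]
    if not fields:
        return "empty tuple"
    for f in fields:
        if f not in VALID_FIELDS:
            return "unknown field: " + f
    if len(set(fields)) != len(fields):
        return "duplicate field"
    # "ct must be used all alone"
    if "ct" in fields and len(fields) != 1:
        return "ct must be used alone"
    # "you cannot set spi and sport/dport at the same time"
    if "spi" in fields and ("sport" in fields or "dport" in fields):
        return "spi cannot be combined with sport/dport"
    return None


def parse_tuple(spec):
    """Parse and validate a --hmark-tuple value, raising on any rule violation."""
    err = tuple_error(spec)
    if err:
        raise ValueError(err)
    return [f.strip() for f in spec.split(",") if f.strip()]


def mark_range(mod, offs=0):
    """Inclusive range of marks that (hash % mod) + offs can produce."""
    if mod < 1:
        raise ValueError("--hmark-mod must be >= 1")
    return offs, offs + mod - 1


def _encode(field, value):
    """Canonical byte encoding of one tuple field (a constructed convention)."""
    if field in ("src", "dst"):
        return ipaddress.ip_address(value).packed
    return struct.pack(">I", value & 0xFFFFFFFF)


def hmark(packet, fields, rnd, mod, offs=0):
    """Mark for `packet` (dict of field -> value) under the given options."""
    data = b"".join(_encode(f, packet[f]) for f in fields)
    key = struct.pack(">I", rnd & 0xFFFFFFFF)  # --hmark-rnd seeds the hash
    digest = hashlib.blake2b(data, key=key, digest_size=4).digest()
    h = int.from_bytes(digest, "big")
    return (h % mod) + offs


if __name__ == "__main__":
    # Constructed sample flow; options mirror the cover letter plus the offset.
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": 6,
           "sport": 40000, "dport": 443}
    fields = parse_tuple("src,dst,proto")
    lo, hi = mark_range(2, 0x100)
    m = hmark(pkt, fields, 0xFEEDCAFE, 2, 0x100)
    print(f"marks land in {lo:#x}..{hi:#x}; this flow -> {m:#x}")
```

With `--hmark-mod 2` and `--hmark-offs 0x100` every packet gets mark 0x100 or 0x101, which is what makes the offset useful for policy routing: the two marks can be pointed at two routing tables of your choosing instead of the range starting at table 0.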


