netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@inai.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] extensions: restore matching any SPI id by default
Date: Mon, 10 Aug 2015 14:04:07 +0200
Message-ID: <20150810120407.GA3291@salvia>
In-Reply-To: <alpine.LSU.2.20.1508071321280.18255@nerf40.vanv.qr>

On Fri, Aug 07, 2015 at 01:38:01PM +0200, Jan Engelhardt wrote:
[...]
> When specifying e.g. "-m policy --dir in", the xt_policy kernel
> module will indeed test for much more than just the direction, but
> the additional tests it does on other fields are idempotent after
> all.
> 
> I oppose that idempotent expressions in rules, implicit or explicit,
> shall lead to output when the ruleset is read back. A rule like
> 
> 	-A INPUT -m policy --dir in
> 
> should not, by default, cause `iptables -S` to output a
> rule with terms essentially irrelevant to the human reader.
> 
> 	-A INPUT -m policy --dir in --reqid 0:4294967295 --spi
> 	0:4294967295 proto 0 --mode 0 --tunnel-src 0.0.0.0/0
> 	--tunnel-dst 0.0.0.0/0

We're not discussing a policy.

The point is that this has been broken for two years; chances that
users have fixed this in the ruleset without reporting are high, so
restoring the old behaviour may break things again for them.

That's why I'm insisting on the fact that switching to a less obscure
behaviour is a good idea in the very specific case of 'ah', since they
can easily detect that things have changed by diffing the new and old
iptables-save output.

If you don't want to send me that follow-up patch, that's very bad,
but if I have no other chance I'll make it myself.
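The check Pablo points users at (diff the old and new iptables-save output to see whether the 'ah'/policy change touched their ruleset) is easy to get wrong if the raw dumps are compared, because the timestamp comments and the [pkts:bytes] counters differ on every run. The script below is an added example, not code from this thread or from the iptables project: it normalizes two dumps before diffing them. The three sample dumps are constructed for the example; the verbose "-m policy" line mirrors the expansion Jan quoted above, and the function names (normalize_save, ruleset_diff, changed_rule_count) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the iptables project:
# detect rule-text changes between two iptables-save dumps by diffing
# them after normalizing what legitimately differs on every run
# (the "# Generated by"/"# Completed on" comment lines and the
# [pkts:bytes] counters). The sample dumps are constructed so the
# script runs offline; the verbose "-m policy" expansion mirrors the
# output quoted in the thread.

OLD_SAVE='# Generated by iptables-save v1.4.21 on Fri Aug  7 13:38:01 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --reqid 0:4294967295 --spi 0:4294967295 --proto 0 --mode 0 --tunnel-src 0.0.0.0/0 --tunnel-dst 0.0.0.0/0
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri Aug  7 13:38:01 2015'

# Same ruleset dumped again later: only timestamps and counters differ.
OLD_SAVE_RERUN='# Generated by iptables-save v1.4.21 on Mon Aug 10 14:04:07 2015
*filter
:INPUT ACCEPT [1532:204811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [977:119340]
-A INPUT -m policy --dir in --reqid 0:4294967295 --spi 0:4294967295 --proto 0 --mode 0 --tunnel-src 0.0.0.0/0 --tunnel-dst 0.0.0.0/0
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Aug 10 14:04:07 2015'

# The ruleset as it would read once the policy match is printed tersely.
NEW_SAVE='# Generated by iptables-save v1.4.21 on Mon Aug 10 14:10:00 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Aug 10 14:10:00 2015'

# Strip the run-specific noise: comment lines and "[pkts:bytes]" counters
# (chain policy lines always carry one; rules do too when dumped with -c).
normalize_save() {
    grep -v '^#' | sed 's/ *\[[0-9]*:[0-9]*\]//'
}

# Unified diff of two normalized dumps. Exit status 0 means the rule
# text is identical, 1 means something other than counters changed.
ruleset_diff() {
    rd_old=$(mktemp) || return 2
    rd_new=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_save > "$rd_old"
    printf '%s\n' "$2" | normalize_save > "$rd_new"
    diff -u "$rd_old" "$rd_new" && rd_rc=0 || rd_rc=$?
    rm -f "$rd_old" "$rd_new"
    return $rd_rc
}

# Number of rule lines ("-A ...") that were added or removed.
changed_rule_count() {
    ruleset_diff "$1" "$2" | grep -c '^[+-]-A ' || true
}

# Typical use on a live box: save a dump before upgrading iptables, dump
# again afterwards, then run:  ruleset_diff "$(cat before)" "$(cat after)"
ruleset_diff "$OLD_SAVE" "$NEW_SAVE"
```

Running it prints the unified diff with exactly one removed and one added "-A INPUT -m policy" line, while the rerun of the same ruleset (different timestamps and counters) produces no diff at all; that is the distinction a user needs to tell a real rule change from counter noise.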


Thread overview: 14+ messages
2015-07-15 12:53 iptables: AH/ESP init fix, and a build fix Jan Engelhardt
2015-07-15 12:53 ` [PATCH 1/2] build: resolve build error involving libnftnl Jan Engelhardt
2015-07-15 16:28   ` Pablo Neira Ayuso
2015-07-15 12:53 ` [PATCH 2/2] extensions: restore matching any SPI id by default Jan Engelhardt
2015-07-15 16:24   ` Pablo Neira Ayuso
2015-07-15 16:41     ` Jan Engelhardt
2015-07-15 16:55       ` Pablo Neira Ayuso
2015-07-15 17:10         ` Jan Engelhardt
2015-07-15 17:30           ` Pablo Neira Ayuso
2015-07-15 17:46             ` Jan Engelhardt
2015-08-07 11:07               ` Pablo Neira Ayuso
2015-08-07 11:38                 ` Jan Engelhardt
2015-08-10 12:04                   ` Pablo Neira Ayuso [this message]
2015-08-10 12:15                     ` Jan Engelhardt
