x_tables vs. nf-hipac

Harald Welte laforge at netfilter.org
Tue Oct 11 19:52:05 CEST 2005


On Tue, Oct 11, 2005 at 04:55:46PM +0000, Bart De Schuymer wrote:
> > One really sad thing is that arp_tables was deprived of matches, so we
> > only have targets.  This means we cannot use any of the x_tables matches 
> > (such as limit, mark, ...).
> 
> Yeah, I know. But I don't see why it can't be added, this shouldn't
> break backwards compatibility. The struct arpt_entry has the members
> target_offset and next_offset...

ah, ok. That sounds good.  Maybe someone is willing to add match
support after x_tables is merged.

> > If you would be willing to harmonize here (I think this only affects
> > kernel space data structures that are not shared with userspace, so no
> > compatibility issues), then eb_tables could directly use x_tables
> > matches - if that is desired.
> 
> It's probably not worth it...

Yes, that's what I figured.
 
> > However, ebtables matches quite nicely with pkt_tables (some people have
> > suggested renaming it into nf_tables).  This is mainly because of the
> > "watchers".  A pkt_tables rule has 
> > - any number of matches
> > - any number of targets (that have a "void" function and don't return
> >   anything)
> > - one user-specified verdict.
> > 
> > so all watchers can be implemented as targets.  So it all boils down on
> > how much time I can find to complete pkt_tables. Maybe at some point
> > early 2006, after we've survived the nf_conntrack merge, and added
> > proper support for userspace conntrack helpers.
> 
> I'll wait for that then. Hopefully it will allow the RETURN verdict for
> target modules. I'll concentrate on finalising the current ebtables
> version in cvs for now.

As I said, target modules are "void" so they don't return anything.
It's userspace who tells the kernel what verdict to use.  Userspace
target plugins will probably try to choose a reasonable default (e.g.
DROP in the case of REJECT), but the sysadmin can override it.

If a target really has to drop a packet (because of whatever problem), we
have the "hotdrop" mechanism.  But that should be the exception, not the
standard case.

Cheers,

btw: did you yet have a chance to test my ebt_log/ebt_ulog changes?
-- 
- Harald Welte <laforge at netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie