x_tables vs. nf-hipac
laforge at netfilter.org
Tue Oct 11 19:52:05 CEST 2005
On Tue, Oct 11, 2005 at 04:55:46PM +0000, Bart De Schuymer wrote:
> > One rally sad thing is that arp_tables was deprived of matches, so we
> > only have targets. This means we cannot use any of the x_tables matches
> > (such as limit, mark, ...).
> Yeah, I know. But I don't see why it can't be added, this shouldn't
> break backwards compatibility. The struct arpt_entry has the members
> target_offset and next_offset...
ah, ok. That sounds good. Maybe someone is willing to add match
support after x_tables is merged.
> > If you would be willing to harmonize here (I think this only affects
> > kernel space data structures that are not shared with userspace, so no
> > compatibility issues), then eb_tables could directly use x_tables
> > matches - if that is desired.
> It's probably not worth it...
Yes, that's what I figured.
> > However, ebtables matches quite nicely with pkt_tables (some people have
> > suggested renaming it into nf_tables). This is mainly because of the
> > "watchers". A pkt_tables rule has
> > - any number of matches
> > - any number of targets (that have a "void" function and don't return
> > anything)
> > - one user-specified verdict.
> > so all watchers can be implemented as targets. So it all boils down on
> > how much time I can find to complete pkt_tables. Maybe at some point
> > early 2006, after we've survived the nf_conntrack merge, and added
> > proper support for userspace conntrack helpers.
> I'll wait for that then. Hopefully it will allow the RETURN verdict for
> target modules. I'll concentrate on finalising the current ebtables
> version in cvs for now.
As I said, target modules are "void" so they don't return anything.
It's userspace who tells the kernel what verdict to use. userspace
Target plugins will probably try to choose a reasonable default (e.g.
DROP in the case of REJECT), but the sysadmin can override it.
If a target really has to drop a packet (because of whatever problem, we
have the "hotdrop" mechanism. But that should be the exception, not the
btw: did you yet hav a chance to test my ebt_log/ebt_ulog changes?
- Harald Welte <laforge at netfilter.org> http://netfilter.org/
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20051011/1c1d90b4/attachment-0001.pgp
More information about the netfilter-devel