[PATCH 0/3] cleanups for matches

Harald Welte laforge at netfilter.org
Fri Jan 20 09:11:51 CET 2006


On Fri, Jan 20, 2006 at 11:25:09AM +0900, Yasuyuki KOZAKAI wrote:
> 
> From: Yasuyuki KOZAKAI <yasuyuki.kozakai at toshiba.co.jp>
> Date: Mon, 16 Jan 2006 18:36:33 +0900 (JST)
> 
> > These patches are just for cleanup. I didn't clean up ip6t_esp.c because
> > I have a patch for xt_esp.c. It looks unnecessary to skip IPv6 extension
> > headers before ESP in match() if ip6_packet_match() does it.
> > After some tests, I'll send it.
> 
> Hmm.. we cannot do that without breaking compatibility of ip6t_esp.
> Because this forces us to add '-p esp' to ip6tables command. The current
> ip6t_esp doesn't require it.

We shouldn't require ourselves to be compatible with bugs.  There is no
point in matching ESP SPI when the protocol != esp.  So any ruleset that
would no longer work with the new xt_esp was most likely invalid anyway.

> JFYI, I attached a patch for xt_esp I wrote at first. It's sad to drop it,
> but let's keep the current code...

I would want to push this forward (for post-2.6.16).  Patrick has some
infrastructural changes for the checkfn, which we want to push into
net-2.6.17 once it opens.  I would like to ask you to re-submit your
xt_esp after that time.

BTW: your patch doesn't seem to modify the existing ip[6]t_esp.h header
files.

-- 
- Harald Welte <laforge at netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie