Date: Thu, 29 Nov 2007 17:23:59 +0100
From: Laszlo Attila Toth <panther@...abit.hu>
To: Patrick McHardy <kaber@...sh.net>
CC: Lutz Jaenicke <ljaenicke@...ominate.com>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCHv6 iptables]Interface group match

Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> Lutz Jaenicke wrote:
>>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>>> Interface group values can be checked on both input and output
>>>> interfaces
>>>> with optional mask.
>>>
>>>> Index: extensions/libxt_ifgroup.c
>>>> ===================================================================
>>>> --- extensions/libxt_ifgroup.c (revision 0)
>>>> +++ extensions/libxt_ifgroup.c (revision 0)
>>>
>>>> + info->in_group = strtoul(optarg, &end, 0);
>>>
>>> This is somewhat inconsistent with the iproute patch which targets
>>> specific groups (with names).
>>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
>>
>> It would be good but cannot be used if a mask is set and only values
>> less than 256 can be used with names.
>
>
> Why 256? I can see no such limitation. For masks you could
> simply allow to define masks in rt_ifgroup too and use
> name/name or simply name/0xmask.

256 because it is the size of a static array (and I don't want to allocate
too much memory when other arrays such as the routing table names also
have this size). In the current version I posted some minutes ago
0..2^32-1 can be used.

The syntax "name/0xmask" is simply too strange for me.

>
>>> There is no standard API like getservbyname()...
>>
>> The code of iproute2 should be copied. If Patrick says it is ok, I'll
>> write this part.
>
>
> Of course. Please put the tab part somewhere common, I always
> wanted to have named firewall marks shared with ip and tc
> and I believe Balazs wanted that too :)

Ok.
Yes, he wants :)

--
Attila
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
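Review bot: The quoted line `info->in_group = strtoul(optarg, &end, 0);` stores the conversion result directly, and strtoul() returns an unsigned long, which is 64 bits wide on LP64 systems, while the reply gives the intended range as 0..2^32-1. The lines that would validate the conversion are not quoted, so it is worth confirming that the parser sets errno to 0 before the call and rejects the argument when errno is set afterwards, when end == optarg, when the value exceeds 2^32-1, or when *end is neither the end of the string nor the start of the optional mask, so that an out-of-range or malformed group never ends up silently truncated in a rule.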
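The group[/mask] argument discussed in this thread, with a name or a number allowed on either side of the slash, could be parsed as below. This is an added example, not code from the patch or from iproute2; `ifgroup_token`, `ifgroup_parse` and the sample table are hypothetical, and the all-ones default mask is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample table standing in for names loaded from rt_ifgroup. */
struct ifgroup_name { uint32_t id; const char *name; };
static const struct ifgroup_name sample_tab[] = {
    { 1, "lan" }, { 2, "dmz" }, { 0x100, "vpn" },
};

/* Resolve one token: a name from the table, or a number in 0..2^32-1. */
static int ifgroup_token(const char *s, size_t len, uint32_t *out)
{
    char buf[32], *end;
    unsigned long v;
    size_t i;

    if (len == 0 || len >= sizeof(buf))
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    for (i = 0; i < sizeof(sample_tab) / sizeof(sample_tab[0]); i++)
        if (strcmp(buf, sample_tab[i].name) == 0) {
            *out = sample_tab[i].id;
            return 0;
        }
    if (buf[0] < '0' || buf[0] > '9')   /* no sign, no leading whitespace */
        return -1;
    errno = 0;
    v = strtoul(buf, &end, 0);
    if (errno || *end != '\0' || v > UINT32_MAX)
        return -1;                      /* overflow or trailing garbage */
    *out = (uint32_t)v;
    return 0;
}

/* Parse "group[/mask]"; the mask defaults to all ones (assumption). */
int ifgroup_parse(const char *arg, uint32_t *group, uint32_t *mask)
{
    const char *slash = strchr(arg, '/');

    *mask = UINT32_MAX;
    if (!slash)
        return ifgroup_token(arg, strlen(arg), group);
    if (ifgroup_token(arg, (size_t)(slash - arg), group) < 0)
        return -1;
    return ifgroup_token(slash + 1, strlen(slash + 1), mask);
}
```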