lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 29 Nov 2007 17:23:59 +0100
From:	Laszlo Attila Toth <panther@...abit.hu>
To:	Patrick McHardy <kaber@...sh.net>
CC:	Lutz Jaenicke <ljaenicke@...ominate.com>,
	David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org
Subject: Re: [PATCHv6 iptables]Interface group match

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> Lutz Jaenicke írta:
>>> On Tue, Nov 20, 2007 at 02:14:28PM +0100, Laszlo Attila Toth wrote:
>>>> Interface group values can be checked on both input and output 
>>>> interfaces
>>>> with optional mask.
>>>
>>>> Index: extensions/libxt_ifgroup.c
>>>> ===================================================================
>>>> --- extensions/libxt_ifgroup.c    (revision 0)
>>>> +++ extensions/libxt_ifgroup.c    (revision 0)
>>>
>>>> +        info->in_group = strtoul(optarg, &end, 0);
>>>
>>> This is somewhat inconsistent with the iproute patch which targets
>>> specific groups (with names).
>>> Should iptables be allowed to read "/etc/iproute2/rt_ifgroup"?
>>
>> It would be good but cannot be used if a mask is set and only values 
>> less than 256 can be used with names.
> 
> 
> Why 256? I can see no such limitation. For masks you could
> simply allow to define masks in rt_ifgroup too and use
> name/name or simply name/0xmask.


256 because it is the size of a static array (and I don't want allocate 
too much memory when other arrays such as the routing table names also 
have this size). In the current version I posted some minutes ago 
0..2^32-1  can be used.

The syntax "name/0xmask" is simply too strange for me.

> 
>>> There is no standard API like getservbyname()...
>>
>> The code of iproute2 should be copied. If Patrick says it is ok,  I'll 
>> write this part.
> 
> 
> Of course. Please put the tab part somewhere common, I always
> wanted to have named firewall marks shared with ip and tc
> and I believe Balazs wanted that too :)

Ok. Yes, he wants :)


-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists