[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <3512771A-B2D4-48F5-90A6-AF0FAA1633D5@elte.hu>
Date: Thu, 30 Apr 2009 22:26:24 +0200
From: Tóth László Attila <panther@...e.hu>
To: David Miller <davem@...emloft.net>
Cc: panther@...abit.hu, kaber@...sh.net, mingo@...e.hu,
netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
hidden@....bme.hu, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] xt_socket: checks for the state of nf_conntrack
Hi Dave,
On 2009.04.30., at 18:39, David Miller wrote:
> From: Laszlo Attila Toth <panther@...abit.hu>
> Date: Thu, 30 Apr 2009 17:35:55 +0200
>
>> xt_socket can use connection tracking, and checks whether it is a
>> module.
>>
>> Signed-off-by: Laszlo Attila Toth <panther@...abit.hu>
>
> I don't understand why we want what this is doing....
>
Most of the time the source / destination addresses and ports of the
packet are enough to lookup the corresponding socket. With the SNAT
target this kind of lookup is broken. The socket match is in the
mangle table, before nat, thus it can see only the destination address
set by the SNAT target (this is the reply direction). If we want to
support SNAT, we need nf_conntrack. But this is optional, if
connection tracking is not in the kernel, the socket match will
compiled without it....
>> + depends on !NF_CONNTRACK || NF_CONNTRACK
>
> This means that if NF_CONNTRACK is modular, it won't allow
> the xt_socket code to be built.
>
I checked that if NF_.CONNTRACK is disabled, the socket match will be
allowed to be built either into a module, or into vmlinuz. If
NF_CONNTRACK is "y", it is exactly the same. If NF_CONNTRACK=m, the
socket match can only be a module.
> However, all of this stuff should be buildable modular.
--
Attila--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists