Message-ID: <alpine.LNX.2.01.1210252352420.13437@nerf07.vanv.qr>
Date: Fri, 26 Oct 2012 00:02:56 +0200 (CEST)
From: Jan Engelhardt <jengelh@...i.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
cc: Netfilter Development Mailing list <netfilter-devel@...r.kernel.org>, Linux Networking Developer Mailing List <netdev@...r.kernel.org>
Subject: Re: [RFC] back on nf_tables (plus compatibility layer)

On Thursday 2012-10-25 19:06, Pablo Neira Ayuso wrote:
>Hi,
>
>I've been working for a while to recover nf_tables kernel patches and
>to implement a compatibility layer so it can be used with existing
>x_tables target/match extensions.
[...]
>2) Provide a fast path to merge this into mainstream. We'll have both
> iptables and nftables interfaces during some time in the Linux kernel,
> then remove iptables infrastructure at some point. iptables scripts
> would not break as we'll have the iptables emulation over nftables.
>[...]
>One final thing: nftables does not support atomic table commit. The
>point here is if we really need this for the emulation utility or we
>can live without that. Implementing atomic table replacement in
>nftables is not trivial. I have a hard time finding this commit table
>feature useful.

Meanwhile, I am on xtables2, which actually reproduces the set of _really important_ features that are currently in the setsockopt iptables, like atomic table replace and atomic dump.
I have updated to the newest tree, and the first set is available in the git repository at:

  git://git.inai.de/linux xt2-20121025

----------------------------------------------------------------
netfilter: xtables2: initial table skeletal functions
netfilter: xtables2: initial Netlink interface
netfilter: xtables2: chain creation and deletion
netfilter: xtables2: chain renaming support
netfilter: xtables2: transaction commit operation
netfilter: xtables2: table replace support
netfilter: xtables2: transaction abort support
netfilter: xtables2: redirect writes into transaction buffer
netfilter: xtables2: supply a revision number

 include/net/netfilter/xt_core.h                  |  48 ++
 include/uapi/linux/netfilter/Kbuild              |   1 +
 include/uapi/linux/netfilter/nfnetlink.h         |   3 +-
 include/uapi/linux/netfilter/nfnetlink_xtables.h |  52 ++
 net/netfilter/Kconfig                            |   8 +-
 net/netfilter/Makefile                           |   2 +
 net/netfilter/xt_core.c                          | 204 ++++++++
 net/netfilter/xt_nfnetlink.c                     | 602 ++++++++++++++++++++++
 net/netfilter/xt_nfnetlink.h                     |   7 +
 9 files changed, 925 insertions(+), 2 deletions(-)
 create mode 100644 include/net/netfilter/xt_core.h
 create mode 100644 include/uapi/linux/netfilter/nfnetlink_xtables.h
 create mode 100644 net/netfilter/xt_core.c
 create mode 100644 net/netfilter/xt_nfnetlink.c
 create mode 100644 net/netfilter/xt_nfnetlink.h
---snip---

with userspace available in the git repository at:

  git://git.inai.de/libnetfilter_xtables master

which contains a test utility xtnl-test to try the code paths that have been added so far on the kernel side.

Getting the locking right is sort of a time killer; I hope Eric Dumazet might get interested to have a look at that part, since he has done so much w.r.t. locking in ip_tables already :)
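To illustrate why the atomic table replace and the transaction commit/abort that Jan's series adds matter for a firewall, here is a small Python model (an added example, not code from the xtables2 tree or from this thread) of a table whose writes are redirected into a transaction buffer until commit, beside the rule-by-rule update path. The class and function names, and the rule strings in OLD and NEW, are constructed for the demonstration.

```python
# Constructed model of a ruleset table with a transaction buffer; not kernel code.
OLD = ("ACCEPT tcp dpt:22", "ACCEPT tcp dpt:443", "DROP all")  # policy in force
NEW = ("ACCEPT tcp dpt:22", "ACCEPT tcp dpt:80", "DROP all")   # intended replacement

class RuleTable:
    def __init__(self, rules):
        self._live = list(rules)  # the rules the packet path evaluates right now
        self._txn = None          # transaction buffer; None while no transaction is open
    def _target(self):
        # Writes are redirected into the transaction buffer when one is open.
        return self._txn if self._txn is not None else self._live
    def begin(self):
        self._txn = list(self._live)  # private copy; the live table stays untouched
    def flush(self):
        self._target().clear()
    def append(self, rule):
        self._target().append(rule)
    def commit(self):
        # One reference swap: a reader sees the old table or the new one, never a mix.
        self._live, self._txn = self._txn, None
    def abort(self):
        self._txn = None  # discard staged writes; the live table was never modified
    def dump(self):
        return tuple(self._live)  # atomic dump: one consistent snapshot

def replace(table, new_rules, atomic):
    """Flush and re-add rules; returns every state a concurrent reader could observe."""
    if atomic:
        table.begin()
    seen = [table.dump()]
    table.flush()
    seen.append(table.dump())
    for rule in new_rules:
        table.append(rule)
        seen.append(table.dump())
    if atomic:
        table.commit()
        seen.append(table.dump())
    return seen

def replace_then_abort(table, new_rules):
    """Stage the new table in a transaction, then abort: the old policy stays live."""
    table.begin()
    table.flush()
    for rule in new_rules:
        table.append(rule)
    table.abort()
    return table.dump()
```

Without the transaction, a reader can observe an empty table and a table missing its final DROP rule; with it, only the old and the new table are ever visible.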