Patchwork netfilter: xtables: remove table restrictions from some modules

Submitter Jan Engelhardt
Date Dec. 18, 2012, 2:07 p.m.
Message ID <1355839621-14206-1-git-send-email-jengelh@inai.de>
Permalink /patch/207126/
State Not Applicable

Comments

Jan Engelhardt - Dec. 18, 2012, 2:07 p.m.
I cannot think of a reason to limit the use of these modules to the
"mangle" table or their hooks. TOS/DSCP is not only used to influence
a routing decision, for example.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---

Are there any pitfalls I am not aware of?
Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
at different places?


 net/ipv4/netfilter/ipt_ECN.c   |    1 -
 net/netfilter/xt_CHECKSUM.c    |    1 -
 net/netfilter/xt_CLASSIFY.c    |    3 ---
 net/netfilter/xt_DSCP.c        |    4 ----
 net/netfilter/xt_HL.c          |    2 --
 net/netfilter/xt_TCPOPTSTRIP.c |    2 --
 6 files changed, 13 deletions(-)
Maciej Żenczykowski - Dec. 21, 2012, 10:19 a.m.
I'm not sure about the current state.
But there used to be code that would cause a mangle tables tos change
to trigger a reroute.
I'm guessing this wouldn't work if tos was changed from another table.

On Tue, Dec 18, 2012 at 3:07 PM, Jan Engelhardt <jengelh@inai.de> wrote:
> I cannot think of a reason to limit the use of these modules to the
> "mangle" table or their hooks. TOS/DSCP is not only used to influence
> a routing decision, for example.
>
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>
> Are there any pitfalls I am not aware of?
> Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
> at different places?
>
>
>  net/ipv4/netfilter/ipt_ECN.c   |    1 -
>  net/netfilter/xt_CHECKSUM.c    |    1 -
>  net/netfilter/xt_CLASSIFY.c    |    3 ---
>  net/netfilter/xt_DSCP.c        |    4 ----
>  net/netfilter/xt_HL.c          |    2 --
>  net/netfilter/xt_TCPOPTSTRIP.c |    2 --
>  6 files changed, 13 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
> index 4bf3dc4..5508113 100644
> --- a/net/ipv4/netfilter/ipt_ECN.c
> +++ b/net/ipv4/netfilter/ipt_ECN.c
> @@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
>         .family         = NFPROTO_IPV4,
>         .target         = ecn_tg,
>         .targetsize     = sizeof(struct ipt_ECN_info),
> -       .table          = "mangle",
>         .checkentry     = ecn_tg_check,
>         .me             = THIS_MODULE,
>  };
> diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
> index 0f642ef..153d5c3 100644
> --- a/net/netfilter/xt_CHECKSUM.c
> +++ b/net/netfilter/xt_CHECKSUM.c
> @@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
>         .family         = NFPROTO_UNSPEC,
>         .target         = checksum_tg,
>         .targetsize     = sizeof(struct xt_CHECKSUM_info),
> -       .table          = "mangle",
>         .checkentry     = checksum_tg_check,
>         .me             = THIS_MODULE,
>  };
> diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
> index af9c4da..c988093 100644
> --- a/net/netfilter/xt_CLASSIFY.c
> +++ b/net/netfilter/xt_CLASSIFY.c
> @@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
>                 .name       = "CLASSIFY",
>                 .revision   = 0,
>                 .family     = NFPROTO_UNSPEC,
> -               .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
> -                             (1 << NF_INET_POST_ROUTING),
>                 .target     = classify_tg,
>                 .targetsize = sizeof(struct xt_classify_target_info),
>                 .me         = THIS_MODULE,
> @@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
>                 .name       = "CLASSIFY",
>                 .revision   = 0,
>                 .family     = NFPROTO_ARP,
> -               .hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
>                 .target     = classify_tg,
>                 .targetsize = sizeof(struct xt_classify_target_info),
>                 .me         = THIS_MODULE,
> diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
> index ae82716..0a9ff64 100644
> --- a/net/netfilter/xt_DSCP.c
> +++ b/net/netfilter/xt_DSCP.c
> @@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .checkentry     = dscp_tg_check,
>                 .target         = dscp_tg,
>                 .targetsize     = sizeof(struct xt_DSCP_info),
> -               .table          = "mangle",
>                 .me             = THIS_MODULE,
>         },
>         {
> @@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .checkentry     = dscp_tg_check,
>                 .target         = dscp_tg6,
>                 .targetsize     = sizeof(struct xt_DSCP_info),
> -               .table          = "mangle",
>                 .me             = THIS_MODULE,
>         },
>         {
>                 .name           = "TOS",
>                 .revision       = 1,
>                 .family         = NFPROTO_IPV4,
> -               .table          = "mangle",
>                 .target         = tos_tg,
>                 .targetsize     = sizeof(struct xt_tos_target_info),
>                 .me             = THIS_MODULE,
> @@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
>                 .name           = "TOS",
>                 .revision       = 1,
>                 .family         = NFPROTO_IPV6,
> -               .table          = "mangle",
>                 .target         = tos_tg6,
>                 .targetsize     = sizeof(struct xt_tos_target_info),
>                 .me             = THIS_MODULE,
> diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
> index 1535e87..4da5db3 100644
> --- a/net/netfilter/xt_HL.c
> +++ b/net/netfilter/xt_HL.c
> @@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
>                 .family     = NFPROTO_IPV4,
>                 .target     = ttl_tg,
>                 .targetsize = sizeof(struct ipt_TTL_info),
> -               .table      = "mangle",
>                 .checkentry = ttl_tg_check,
>                 .me         = THIS_MODULE,
>         },
> @@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
>                 .family     = NFPROTO_IPV6,
>                 .target     = hl_tg6,
>                 .targetsize = sizeof(struct ip6t_HL_info),
> -               .table      = "mangle",
>                 .checkentry = hl_tg6_check,
>                 .me         = THIS_MODULE,
>         },
> diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
> index 25fd1c4..b42c02e 100644
> --- a/net/netfilter/xt_TCPOPTSTRIP.c
> +++ b/net/netfilter/xt_TCPOPTSTRIP.c
> @@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
>         {
>                 .name       = "TCPOPTSTRIP",
>                 .family     = NFPROTO_IPV4,
> -               .table      = "mangle",
>                 .proto      = IPPROTO_TCP,
>                 .target     = tcpoptstrip_tg4,
>                 .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> @@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
>         {
>                 .name       = "TCPOPTSTRIP",
>                 .family     = NFPROTO_IPV6,
> -               .table      = "mangle",
>                 .proto      = IPPROTO_TCP,
>                 .target     = tcpoptstrip_tg6,
>                 .targetsize = sizeof(struct xt_tcpoptstrip_target_info),
> --
> 1.7.10.4
>
Jan Engelhardt - Dec. 21, 2012, 11:02 a.m.
On Friday 2012-12-21 11:19, Maciej Żenczykowski wrote:

>I'm not sure about the current state.
>But there used to be code that would cause a mangle tables tos change
>to trigger a reroute.
>I'm guessing this wouldn't work if tos was changed from another table.

Indeed, changing TOS from "filter" will not influence the route,
but you can still do so by way of using TOS in "mangle".

Patch

diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 4bf3dc4..5508113 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -119,7 +119,6 @@  static struct xt_target ecn_tg_reg __read_mostly = {
 	.family		= NFPROTO_IPV4,
 	.target		= ecn_tg,
 	.targetsize	= sizeof(struct ipt_ECN_info),
-	.table		= "mangle",
 	.checkentry	= ecn_tg_check,
 	.me		= THIS_MODULE,
 };
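Review bot: Dropping `.table = "mangle"` lets this header-rewriting target register from any table, but the hunk shows no matching change to `ecn_tg_check`, so nothing replaces the placement check the core did on the `.table` field; the same holds for the `.table` removals in xt_CHECKSUM.c, xt_DSCP.c, xt_HL.c and xt_TCPOPTSTRIP.c. Two of the newly allowed placements deserve a sentence in the description: in the `raw` table the target runs before connection tracking has seen the packet, and in the `nat` table a rule is, as far as I know, only evaluated for the first packet of a connection, so a TTL/DSCP/ECN rewrite or an option strip placed there would apply to one packet and silently skip the rest. If that is acceptable, recording it at the registration with a comment such as `/* no .table: usable from any table; nat rules fire once per connection */` would keep the next reader from re-adding the restriction without context. The `ecn_tg_reg` initializer starts before the hunk.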
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef..153d5c3 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -51,7 +51,6 @@  static struct xt_target checksum_tg_reg __read_mostly = {
 	.family		= NFPROTO_UNSPEC,
 	.target		= checksum_tg,
 	.targetsize	= sizeof(struct xt_CHECKSUM_info),
-	.table		= "mangle",
 	.checkentry	= checksum_tg_check,
 	.me		= THIS_MODULE,
 };
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index af9c4da..c988093 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -42,8 +42,6 @@  static struct xt_target classify_tg_reg[] __read_mostly = {
 		.name       = "CLASSIFY",
 		.revision   = 0,
 		.family     = NFPROTO_UNSPEC,
-		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-		              (1 << NF_INET_POST_ROUTING),
 		.target     = classify_tg,
 		.targetsize = sizeof(struct xt_classify_target_info),
 		.me         = THIS_MODULE,
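Review bot: Removing the `.hooks` mask lets CLASSIFY be placed at NF_INET_PRE_ROUTING and NF_INET_LOCAL_IN (and, in the second hunk of this file, at NF_ARP_IN), where `skb->priority` is written on a packet that is being received rather than queued to an egress qdisc; for locally delivered packets that value has, as far as I can tell, no consumer, so such a rule matches and counts but has no effect. That is not a correctness bug, but the description only argues for lifting the table restriction and gives no rationale for the hook widening, so either a checkentry rejecting the input-side hooks or a sentence in the description stating that the no-op placement is accepted would make the intent explicit. The `classify_tg_reg` array starts and ends outside the hunk.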
@@ -52,7 +50,6 @@  static struct xt_target classify_tg_reg[] __read_mostly = {
 		.name       = "CLASSIFY",
 		.revision   = 0,
 		.family     = NFPROTO_ARP,
-		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
 		.target     = classify_tg,
 		.targetsize = sizeof(struct xt_classify_target_info),
 		.me         = THIS_MODULE,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index ae82716..0a9ff64 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -118,7 +118,6 @@  static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.checkentry	= dscp_tg_check,
 		.target		= dscp_tg,
 		.targetsize	= sizeof(struct xt_DSCP_info),
-		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
@@ -127,14 +126,12 @@  static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.checkentry	= dscp_tg_check,
 		.target		= dscp_tg6,
 		.targetsize	= sizeof(struct xt_DSCP_info),
-		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
 		.name		= "TOS",
 		.revision	= 1,
 		.family		= NFPROTO_IPV4,
-		.table		= "mangle",
 		.target		= tos_tg,
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
@@ -143,7 +140,6 @@  static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.name		= "TOS",
 		.revision	= 1,
 		.family		= NFPROTO_IPV6,
-		.table		= "mangle",
 		.target		= tos_tg6,
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87..4da5db3 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -137,7 +137,6 @@  static struct xt_target hl_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.target     = ttl_tg,
 		.targetsize = sizeof(struct ipt_TTL_info),
-		.table      = "mangle",
 		.checkentry = ttl_tg_check,
 		.me         = THIS_MODULE,
 	},
@@ -147,7 +146,6 @@  static struct xt_target hl_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.target     = hl_tg6,
 		.targetsize = sizeof(struct ip6t_HL_info),
-		.table      = "mangle",
 		.checkentry = hl_tg6_check,
 		.me         = THIS_MODULE,
 	},
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4..b42c02e 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -103,7 +103,6 @@  static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
 	{
 		.name       = "TCPOPTSTRIP",
 		.family     = NFPROTO_IPV4,
-		.table      = "mangle",
 		.proto      = IPPROTO_TCP,
 		.target     = tcpoptstrip_tg4,
 		.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
@@ -113,7 +112,6 @@  static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
 	{
 		.name       = "TCPOPTSTRIP",
 		.family     = NFPROTO_IPV6,
-		.table      = "mangle",
 		.proto      = IPPROTO_TCP,
 		.target     = tcpoptstrip_tg6,
 		.targetsize = sizeof(struct xt_tcpoptstrip_target_info),