Hello!
It appears that the tweaking of NFC_* bits of nfcache was almost completely
done away with around the times of these threads:
http://lists.netfilter.org/pipermail/netfilter-devel/2005-February/018448.html
http://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019574.html
But I found some vestiges remaining in iptables-1.3.8 that look like this:
static void init(struct ipt_entry_match *m, unsigned int *nfcache)
{
- *nfcache |= NFC_UNKNOWN;
}
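Review bot: removing the only statement leaves init() as an empty function whose parameters m and nfcache are now unused, and the same empty stub would remain in each of the four extensions named below (libipt_policy.c, libip6t_policy.c, libipt_connmark.c, libip6t_connmark.c). Either drop the empty init() together with its registration in the extension's match struct, if the caller tolerates a missing init hook, or keep the stub with a one-line comment stating that nfcache is intentionally no longer touched, so a later reader does not reintroduce the NFC_UNKNOWN line. The excerpt also carries no file header, so it is not visible from the hunk alone which of the four files it was taken from.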
remaining in the init() functions of these extensions:
libipt_policy.c libip6t_policy.c
libipt_connmark.c libip6t_connmark.c
The first patch attached below removes these.
But anyway, the question I *really* want to raise is whether the is_same()
comparison functions in libip4tc.c and libip6tc.c might be changed to *not*
compare nfcache bits:
- if (a->nfcache != b->nfcache
- || a->target_offset != b->target_offset
+ if (a->target_offset != b->target_offset
|| a->next_offset != b->next_offset)
return NULL;
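Review bot: dropping the nfcache comparison changes what is_same() treats as an equal rule, but nothing in the hunk records why, so add a short comment above the condition noting that nfcache bits are no longer set by iptables and are deliberately ignored here so that rules created by older userspace tools can still be match-deleted. The hunk also shows only one copy of the change; since the message says the function exists in both libip4tc.c and libip6tc.c, the patch should carry the identical hunk for both files so IPv4 and IPv6 do not diverge in deletion behaviour.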
The problem I find is that old userspace tools that still set the nfcache
bits create rules that cannot be match-deleted by newer versions of iptables,
because these bits are no longer set up in iptables but are still compared.
It seems there is no harm in removing this. The second patch attached below
makes this change.
Thank you for considering these minor changes.
Best Regards!