2009-04-30 15:36:50

by Laszlo Attila Toth

Subject: [PATCH] xt_socket: checks for the state of nf_conntrack

xt_socket can use connection tracking, and checks whether it is a module.

Signed-off-by: Laszlo Attila Toth <[email protected]>
---
net/netfilter/Kconfig | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 881203c..cb3ad74 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -837,6 +837,7 @@ config NETFILTER_XT_MATCH_SOCKET
depends on NETFILTER_TPROXY
depends on NETFILTER_XTABLES
depends on NETFILTER_ADVANCED
+ depends on !NF_CONNTRACK || NF_CONNTRACK
select NF_DEFRAG_IPV4
help
This option adds a `socket' match, which can be used to match
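Review bot: the new `depends on !NF_CONNTRACK || NF_CONNTRACK` line has no comment and the commit message does not say what it is for, and the idiom is not self-describing: under Kconfig's tristate arithmetic it evaluates to m when NF_CONNTRACK=m and to y otherwise, so its only effect is to forbid a built-in xt_socket while conntrack is a module (a built-in object cannot reference symbols that live in a module). A short Kconfig comment above the line, e.g. `# built-in xt_socket cannot use a modular nf_conntrack`, or a sentence in the commit message stating that SNAT support needs conntrack, would make the intent reviewable. The diffstat shows only net/netfilter/Kconfig changing, so the xt_socket.c code that conditionally uses conntrack is not in this patch and a reader of this hunk cannot see what the dependency protects; either include that change or reference the series it belongs to.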
--
1.6.2.2.404.ge96f3


2009-04-30 16:39:30

by David Miller

Subject: Re: [PATCH] xt_socket: checks for the state of nf_conntrack

From: Laszlo Attila Toth <[email protected]>
Date: Thu, 30 Apr 2009 17:35:55 +0200

> xt_socket can use connection tracking, and checks whether it is a module.
>
> Signed-off-by: Laszlo Attila Toth <[email protected]>

I don't understand why we want what this is doing....

> + depends on !NF_CONNTRACK || NF_CONNTRACK

This means that if NF_CONNTRACK is modular, it won't allow
the xt_socket code to be built.

However, all of this stuff should be buildable modular.

2009-04-30 20:26:41

by Tóth László Attila

Subject: Re: [PATCH] xt_socket: checks for the state of nf_conntrack

Hi Dave,

On 2009.04.30., at 18:39, David Miller wrote:

> From: Laszlo Attila Toth <[email protected]>
> Date: Thu, 30 Apr 2009 17:35:55 +0200
>
>> xt_socket can use connection tracking, and checks whether it is a
>> module.
>>
>> Signed-off-by: Laszlo Attila Toth <[email protected]>
>
> I don't understand why we want what this is doing....
>

Most of the time the source / destination addresses and ports of the
packet are enough to look up the corresponding socket. With the SNAT
target this kind of lookup is broken. The socket match is in the
mangle table, before nat, thus it can see only the destination address
set by the SNAT target (this is the reply direction). If we want to
support SNAT, we need nf_conntrack. But this is optional: if
connection tracking is not in the kernel, the socket match will be
compiled without it....

>> + depends on !NF_CONNTRACK || NF_CONNTRACK
>
> This means that if NF_CONNTRACK is modular, it won't allow
> the xt_socket code to be built.
>

I checked that if NF_CONNTRACK is disabled, the socket match will be
allowed to be built either into a module, or into vmlinuz. If
NF_CONNTRACK is "y", it is exactly the same. If NF_CONNTRACK=m, the
socket match can only be a module.

> However, all of this stuff should be buildable modular.

--
Attila-
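The build combinations Attila lists above follow from how Kconfig evaluates the `!NF_CONNTRACK || NF_CONNTRACK` expression over its three-valued logic. The model below is an added illustration, not code from the thread or from the kernel; it ignores the option's other `depends on` lines and treats the expression's value as the upper bound Kconfig imposes on NETFILTER_XT_MATCH_SOCKET.

```python
# Added model of Kconfig tristate arithmetic (not kernel code), written to
# show why `depends on !NF_CONNTRACK || NF_CONNTRACK` only bites when
# conntrack is modular. Kconfig orders the values n < m < y and defines
# !x = y - x (so n <-> y, m stays m), a || b = max(a, b), a && b = min(a, b).
# A tristate option can never be set higher than its dependency expression.
# Assumption: the option's other dependencies are all satisfied (y).

N, M, Y = 0, 1, 2
NAME = {N: "n", M: "m", Y: "y"}


def kc_not(x: int) -> int:
    """Kconfig '!' on a tristate value."""
    return Y - x


def kc_or(a: int, b: int) -> int:
    """Kconfig '||' on tristate values."""
    return max(a, b)


def socket_match_upper_bound(nf_conntrack: int) -> int:
    """Value of `!NF_CONNTRACK || NF_CONNTRACK` for one NF_CONNTRACK setting."""
    return kc_or(kc_not(nf_conntrack), nf_conntrack)


def allowed_values(nf_conntrack: int) -> list[str]:
    """Values NETFILTER_XT_MATCH_SOCKET may take under the new dependency line."""
    bound = socket_match_upper_bound(nf_conntrack)
    return [NAME[v] for v in (N, M, Y) if v <= bound]


def table() -> dict[str, list[str]]:
    """Allowed xt_socket values for every NF_CONNTRACK setting."""
    return {NAME[c]: allowed_values(c) for c in (N, M, Y)}


if __name__ == "__main__":
    for conntrack, allowed in table().items():
        # NF_CONNTRACK=m is the only case that rules out a built-in (y) xt_socket
        print(f"NF_CONNTRACK={conntrack}: NETFILTER_XT_MATCH_SOCKET in {allowed}")
```

The output matches the three cases in the reply: with NF_CONNTRACK at n or y the match may be n, m or y, while with NF_CONNTRACK=m the bound drops to m, so a built-in match that might call into a modular conntrack is rejected at configuration time.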