[PATCH] firewall3: remove unnecessary fw3_has_table

Wenli Looi wlooi at ucalgary.ca
Fri Feb 11 11:10:51 PST 2022


Sorry, forgot to reply all

On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi <wlooi at ucalgary.ca> wrote:
>
> Hi Rui,
>
> Yes, I believe it still works. Every place where fw3_has_table is
> called, we check immediately after if fw3_ipt_open succeeds, which
> makes fw3_has_table superfluous?
>
> I added a few print statements to fw3_ipt_open to check the case you mentioned:
>
> root@OpenWrt:~# fw3 restart 2>/dev/null
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open FAILED for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open FAILED for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> root@OpenWrt:~# opkg install kmod-ipt-raw
> Installing kmod-ipt-raw (5.10.96-1) to root...
> Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> Configuring kmod-ipt-raw.
> root@OpenWrt:~# fw3 restart 2>/dev/null
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open SUCCESS for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open SUCCESS for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
>
> Thanks!
> Wenli
>
> On Fri, Feb 11, 2022 at 1:04 AM Rui Salvaterra <rsalvaterra at gmail.com> wrote:
> >
> > Hi, Wenli,
> >
> > On Thu, 10 Feb 2022 at 19:19, Wenli Looi <wlooi at ucalgary.ca> wrote:
> > >
> > > Hi Rui and Ansuel,
> > >
> > > Can you take a look at this patch I sent a while ago for firewall3? I
> > > think it is a better solution for the problem in kernel 5.15+ that is
> > > identified here.
> > >
> > > http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037534.html
> > >
> > > Note that Ansuel's commit also seems to fix the problem with
> > > LXC/LXD/Docker, because poking the table with fw3_ipt_open makes it
> > > show up in ip_tables_names under Linux containers. However, as stated
> > > in the commit, I don't think we need to check ip_tables_names at all?
> >
> > [patch snipped]
> >
> > Does this still work when a table is missing from the system? In other
> > words, when a table is compiled as a module, available in an
> > installable kernel package, but not installed in the system by default
> > (as is the case for the raw table in the kmod-ipt-raw package)? That's
> > the point of fw3_has_table, to check if a table exists in the system
> > before using it.
> >
> > Thanks,
> > Rui
