#19506: iptables: l7-protocols files (layer7) get still pulled into firmware
-------------------------------------------------+-------------------------
Reporter: hnyman | Owner: developers
Type: defect | Status: new
Priority: normal | Milestone:
Component: base system | Version: Trunk
Keywords: l7-protocols layer7 qos-scripts sqm-scripts |
-------------------------------------------------+-------------------------
I noticed the removal of the layer7 support from iptables and from
qos-scripts a few days ago by r45423, r45424 and r45425.

So, I was pretty surprised when there still was a directory
/etc/l7-protocols/ with ~25 kB of files in my newly compiled system.

After some investigation it looks to me that both qos-scripts and
sqm-scripts still pull in the l7-protocols files. The reason is the dependency
on "iptables-mod-filter" that both qos and sqm define. And iptables still
installs the l7-protocols files for that kmod.

To my understanding, after 45423-45425 that module actually only provides
"string" matching in iptables. And I haven't found a trace of that
functionality in qos or sqm.

So, to my understanding, there are actually three bugs :-(

1) iptables still pulls in l7-protocols for iptables-mod-filter, although
the support for layer7 has been removed.
https://dev.openwrt.org/browser/trunk/package/network/utils/iptables/Makefile#L519
Lines 519-527 define the L7-INSTALL and connect it to iptables-mod-filter,
although r45423 and r45424 removed the actual functionality:
{{{
L7_INSTALL:=\
$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
...
$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
}}}
2) qos-scripts Makefile defines dependency on iptables-mod-filter, most
likely due to the l7 matching, as I haven't found any usage of that
module's "string" matching in qos-scripts. (The dependency originates from
the initial import by r4935 to buildroot-ng in 2006, so it is ancient and
has most likely been included just for the l7 filtering support.)
As far as I understand, there is no need for iptables-mod-filter
dependency in
https://dev.openwrt.org/browser/trunk/package/network/config/qos-scripts/Makefile#L23
iptables-mod-filter also pulls in kmod-ipt-filter and kmod-lib-textsearch
(plus the l7-protocols already discussed above), so it generates quite
a lot of payload.
https://dev.openwrt.org/browser/trunk/package/network/utils/iptables/Makefile#L117
https://dev.openwrt.org/browser/trunk/package/kernel/linux/modules/netfilter.mk#L163
3) The same goes for sqm-scripts. The dependency originates from qos-scripts,
which has been used as the starting point for sqm:
https://github.com/dtaht/ceropackages-3.10/commit/bc8363c4d9795aa90b9acc635ce75f15300c2782
To my understanding, there is no actual usage of string matching (and
there was no l7 matching), so it looks unnecessary.
I will report that directly to sqm developers at github, but wanted to
document it also here.
--
Ticket URL: <https://dev.openwrt.org/ticket/19506>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
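
One way to run the check described in points 2) and 3), as an added example that is not part of the ticket or of OpenWrt: scan a script tree for iptables rules that use the "string" match (or the removed "layer7" match) and so would need iptables-mod-filter. The function names, sample files and rule lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). Paths and rule lines are constructed.

# Rule text that needs iptables-mod-filter: the "string" match, plus the
# removed "layer7" match in case stale rules are still around.
FILTER_RE='(-m|--match)[[:space:]]+(string|layer7)([[:space:]]|$)'

# find_filter_matches DIR
# Prints file:line:text for every non-comment line using those matches.
# Exit status 0 if any were found, 1 if none.
# Limitation: match names assembled from shell variables are not seen.
find_filter_matches() {
    grep -rnE -e "$FILTER_RE" "$1" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# dependency_verdict DIR -> prints "needed" or "not-needed"
dependency_verdict() {
    if find_filter_matches "$1" >/dev/null; then
        echo needed
    else
        echo not-needed
    fi
}

# make_sample_tree -> prints the path of a temp dir with constructed scripts
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/uses-string" "$d/mark-only"
    cat >"$d/uses-string/fw.sh" <<'EOF'
iptables -A FORWARD -m string --string "example" --algo bm -j DROP
EOF
    cat >"$d/mark-only/qos.sh" <<'EOF'
# iptables -t mangle -A PREROUTING -m layer7 --l7proto ssh -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m comment --comment "string of text" -j ACCEPT
EOF
    echo "$d"
}
```

Run `dependency_verdict` against the unpacked files of a package; "not-needed" means no static rule text in that tree references the matches this module provides.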