
Re: [Design] skb->security and friends

To: Martin Josefsson <gandalf@xxxxxxxxxxxxxx>
Subject: Re: [Design] skb->security and friends
From: Manon Goo <lists@xxxxxxxx>
Date: Fri, 26 Oct 2001 17:19:46 +0200
Cc: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>, design@xxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <Pine.LNX.4.21.0110261655200.22037-200000@xxxxxxxxxxxxxx>
References: <Pine.LNX.4.21.0110261655200.22037-200000@xxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx


--On Friday, 26 October 2001 17:02 +0200 Martin Josefsson <gandalf@xxxxxxxxxxxxxx> wrote:

On Fri, 26 Oct 2001, Manon F. Goo wrote:


>
>   Aha, RGB! a customer for the skb->{security,ipcb,fwmark} mechanism.
> Well maybe.
>    skb->security           (16-bit)
>    skb->nfmark     (much contention for this field)

is it planned to be able to set the nfmark value per connection for later
processing with iptables ?

would it not be more convenient to define the netfilter mark for the ipsec connection so when the connection is set up it is automatically marked and can be processed in the
fw rule set.



There is an iptables module called CONNMARK for this purpose :)
you mark the connection with a mark and all packets in that connection
inherit that mark. But I don't think CONNMARK is part of the patch-o-matic
:( So you'll have to search the netfilter-devel archives I think.

Ahh I actually had the patch here... it's a patch against the netfilter
CVS, it's probably not up to date so you might have to apply some hunks by
hand. And there's a bug in this patch...

++          case IPT_CONNMARK_SAVE:
++              ct->mark = (*pskb)->nfmark;
++              break;

that should read

++          case IPT_CONNMARK_SAVE:
++              (*pskb)->nfmark = ct->mark;
++              break;
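Review bot: the only difference between the two fragments is the direction of the assignment in the IPT_CONNMARK_SAVE case, and the case name itself reads as saving the packet's mark into the connection, which is exactly what the original line `ct->mark = (*pskb)->nfmark;` does, so confirm the intended direction against the module's other cases before applying this hunk by hand. A mark copied the wrong way is not caught at build or load time; it simply means packets in the connection never pick up the mark the rule set expects, which is hard to notice without a test rule that matches on the mark.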

I've never actually used it but people have said that it works :)

Good luck!

/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.


