Hello!
> I think this patch is philosophically right because it allows netfilter to
> override userspace instructions,
What's about NF_IP_POST_ROUTING?
Well, _phylosophically_ it is wrong yet. skb->priority is exactly a hint
from user or another available source and overriding this is simply loss
of information. Real policy is made in queueing level: it decides to use
this hint or to ignore it. But in practice this can be convenient
despite of phylosophical flaws. :-)
Anyway, I never understood well the principle of placement of netfilter
hooks. F.e. NF_IP_FORWARD is apparently too late: all the modifications
are made, redirects are sent, DF packets are dropped... As result this hook
cannot be used for anything but silent dropping packets.
The same happens with all the intermediate hooks, in fact only
NF_IP_POST_ROUTING and NF_IP_PRE_ROUTING may be used for something
smart unambiguosuly. Very strange, to be honest.
Alexey
|