Subject: Re: iptables breakage WAS(Re: dummy as IMQ replacement
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 25 Mar 2005 21:18:20 +0100
Cc: Andy Furniss <andy.furniss@xxxxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Remus <rmocius@xxxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>, Nguyen Dinh Nam <nguyendinhnam@xxxxxxxxx>, Andre Tomt <andre@xxxxxxxx>, syrius.ml@xxxxxxxxxx, Damion de Soto <damion@xxxxxxxxxxxx>
References: <1107123123.8021.80.camel@xxxxxxxxxxxxxxxx> <1110453757.1108.87.camel@xxxxxxxxxxxxxxxx> <423B7BCB.10400@xxxxxxxxxxxxx> <1111410890.1092.195.camel@xxxxxxxxxxxxxxxx> <423F41AD.3010902@xxxxxxxxxxxxx> <1111444869.1072.51.camel@xxxxxxxxxxxxxxxx> <423F71C2.8040802@xxxxxxxxxxxxx> <1111462263.1109.6.camel@xxxxxxxxxxxxxxxx> <42408998.5000202@xxxxxxxxxxxxx> <1111550254.1089.21.camel@xxxxxxxxxxxxxxxx> <4241C478.5030309@xxxxxxxxxxxxx> <1111607112.1072.48.camel@xxxxxxxxxxxxxxxx> <4241D764.2030306@xxxxxxxxxxxxx> <1111612042.1072.53.camel@xxxxxxxxxxxxxxxx> <4241F1D2.9050202@xxxxxxxxxxxxx> <4241F7F0.2010403@xxxxxxxxxxxxx> <1111625608.1037.16.camel@xxxxxxxxxxxxxxxx> <424212F7.10106@xxxxxxxxxxxxx> <1111663947.1037.24.camel@xxxxxxxxxxxxxxxx> <1111665450.1037.27.camel@xxxxxxxxxxxxxxxx> <4242DFB5.9040802@xxxxxxxxxxxxx> <1111749220.1092.457.camel@xxxxxxxxxxxxxxxx> <42446DB2.9070809@xxxxxxxxxxxxx> <1111781443.1092.631.camel@xxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1
> I don't think connmark will work - yet. Patrick? I think you need something
> attached on the skb that is derived off the netfilter conntrack code for it
> to be usable.
>
> Things will work once the "action track" is in place; i.e. you would then
> say: "match xxx .. \ action track \ action connmark". If I was to prioritize
> my time for new actions - how important is this? I also wish someone else
> would start writing some of these actions ;-> Wanna write the tracking one?
> I could help - wink.
Before this the ipt action needs to make sure the packets are in a valid state
from the view of conntrack/ip_tables. Right now it doesn't even check if it's
IP. Both assume the length checks in ip_rcv() have been performed; it actually
creates security problems in a few places if they haven't - length calculations
can underflow and bad things will happen.

Regards
Patrick
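Added example, not code from this thread or from the kernel: the sanity checks ip_rcv() performs before a packet reaches conntrack or ip_tables, written as a standalone C function over a raw IPv4 header, beside a second function showing how the header/payload length arithmetic wraps when those checks are skipped. The struct, function names and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Only the IPv4 header fields ip_rcv() validates (constructed view, not the
 * kernel's struct iphdr). */
struct ipv4_view {
    uint8_t  version;
    uint8_t  ihl;      /* header length in 32-bit words */
    uint16_t tot_len;  /* total length, host order */
};

/* Pull the three fields out of a raw buffer; -1 if even that is impossible. */
static int parse_ipv4_view(const uint8_t *buf, size_t len, struct ipv4_view *v)
{
    if (len < 20) return -1;
    v->version = buf[0] >> 4;
    v->ihl     = buf[0] & 0x0f;
    v->tot_len = (uint16_t)((buf[2] << 8) | buf[3]);
    return 0;
}

/* The checks ip_rcv() applies before any netfilter hook sees the packet:
 * it is IPv4, ihl >= 5, tot_len >= ihl*4 and tot_len <= bytes present.
 * Returns 1 only if a conntrack/ip_tables path may safely assume them. */
int ipv4_sane_for_ipt(const uint8_t *buf, size_t len)
{
    struct ipv4_view v;
    if (parse_ipv4_view(buf, len, &v) != 0) return 0;
    if (v.version != 4 || v.ihl < 5) return 0;
    if (v.tot_len < (unsigned int)v.ihl * 4) return 0;
    if (v.tot_len > len) return 0;
    return 1;
}

/* Payload length the way code downstream of ip_rcv() computes it. If the
 * checks above were skipped and tot_len < ihl*4, this unsigned subtraction
 * wraps to a huge value: the underflow the message refers to. */
unsigned int ipv4_payload_len_unchecked(const uint8_t *buf, size_t len)
{
    struct ipv4_view v;
    if (parse_ipv4_view(buf, len, &v) != 0) return 0;
    return (unsigned int)v.tot_len - (unsigned int)v.ihl * 4;
}

/* Constructed 20-byte sample headers; only the first four bytes matter here. */
const uint8_t good_hdr[20]  = { 0x45, 0x00, 0x00, 0x14 }; /* v4, ihl 5, len 20 */
const uint8_t short_hdr[20] = { 0x45, 0x00, 0x00, 0x0a }; /* tot_len 10 < 20  */
const uint8_t not_ip[20]    = { 0x60, 0x00, 0x00, 0x14 }; /* version nibble 6 */
```

An ingress action that hands skbs to an iptables target gets the same guarantees only if it runs these checks itself, since nothing before the qdisc has.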