
[PATCH] make netfilter able to change/see skb->priority

To: netdev@xxxxxxxxxxx
Subject: [PATCH] make netfilter able to change/see skb->priority
From: bert hubert <ahu@xxxxxxx>
Date: Sat, 15 Dec 2001 16:59:56 +0100
Mail-followup-to: bert hubert <ahu@xxxxxxx>, netdev@xxxxxxxxxxx
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mutt/1.2.5i
Rusty & others:

Right now, netfilter can't see or touch the skb->priority of packets
generated locally because it is only set in ip_queue_xmit2, after netfilter
has been consulted. This patch moves the skb->priority=sk->priority line to
just before calling netfilter.

I think this patch is philosophically right because it allows netfilter to
override userspace instructions, which is what we do for lots of other
targets too. We feel that it is ok to drop or mangle locally generated
packets in netfilter. I think we should do the same for skb->priority.

The real reason I need this is because I've patched iptables to be
skb->priority aware, allowing coolness like this:

# iptables -t mangle -A OUTPUT --dport 22 -j PRIO --classid 1:1

Which allows you to classify packets *directly* from iptables to QoS
classes.

Right now, this has to be done like this:

# iptables -t mangle -A OUTPUT --dport 22 -j MARK --set-mark 6
# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw classid 1:1

Which requires not only more typing, but is also slower.

Or, if using only tc filter, like this:

# F="tc filter add dev eth0 parent 1:0 protocol ip prio 5"
# $F handle 1: u32 divisor 1
# $F u32 ht 1: match tcp dst 22 0xFFFF match ip protocol 6 0xFF match ip firstfrag flowid 1:1
# $F u32 ht 800:: match u8 0 0 offset at 0 mask 0x0f00 shift 6 link 1:

The patch:

--- net/ipv4/ip_output.c.orig   Sat Dec 15 16:45:47 2001
+++ net/ipv4/ip_output.c        Sat Dec 15 16:06:28 2001
@@ -315,7 +315,6 @@
        /* Add an IP checksum. */
        ip_send_check(iph);
 
-       skb->priority = sk->priority;
        return skb->dst->output(skb);
 
 fragment:
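Review bot: with the copy removed here, ip_queue_xmit2 now depends on its caller having already filled skb->priority; that holds for the NF_HOOK okfn path, but the `fragment:` label immediately below is reached from this same function, so it is worth confirming that ip_fragment carries skb->priority over to every fragment it emits, since those are the skbs that reach the qdisc, not the original. Also, in the patch header the `.orig` file is dated 16:45:47 while the modified file is dated 16:06:28; the hunks read forward (removal in the old file, addition in the new), but the inverted timestamps suggest the diff was taken after the files were touched out of order and are worth a glance before applying.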
@@ -395,7 +394,7 @@
                iph->ihl += opt->optlen >> 2;
                ip_options_build(skb, opt, sk->daddr, rt, 0);
        }
-
+       skb->priority = skb->sk->priority;
        return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                       ip_queue_xmit2);
 
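Review bot: the added line reads `skb->priority = skb->sk->priority;` while the line removed from ip_queue_xmit2 used `sk->priority`; in ip_queue_xmit `sk` is already the socket pointer in scope (see `sk->daddr` two lines above in the options block), so `skb->priority = sk->priority;` would be consistent with both the removed line and its surroundings. Minor: the assignment replaces the blank line that separated the options block from the NF_HOOK call rather than sitting after it, so the spacing of the function changes for no reason.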




-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
Trilab                                 The Technology People
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
