netdev

Re: iptables breakage WAS(Re: dummy as IMQ replacement

To: hadi@xxxxxxxxxx
Subject: Re: iptables breakage WAS(Re: dummy as IMQ replacement
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 25 Mar 2005 21:18:20 +0100
Cc: Andy Furniss <andy.furniss@xxxxxxxxxxxxx>, Harald Welte <laforge@xxxxxxxxxxxx>, Remus <rmocius@xxxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>, Nguyen Dinh Nam <nguyendinhnam@xxxxxxxxx>, Andre Tomt <andre@xxxxxxxx>, syrius.ml@xxxxxxxxxx, Damion de Soto <damion@xxxxxxxxxxxx>
In-reply-to: <1111781443.1092.631.camel@jzny.localdomain>
References: <1107123123.8021.80.camel@jzny.localdomain> <1110453757.1108.87.camel@jzny.localdomain> <423B7BCB.10400@dsl.pipex.com> <1111410890.1092.195.camel@jzny.localdomain> <423F41AD.3010902@dsl.pipex.com> <1111444869.1072.51.camel@jzny.localdomain> <423F71C2.8040802@dsl.pipex.com> <1111462263.1109.6.camel@jzny.localdomain> <42408998.5000202@dsl.pipex.com> <1111550254.1089.21.camel@jzny.localdomain> <4241C478.5030309@dsl.pipex.com> <1111607112.1072.48.camel@jzny.localdomain> <4241D764.2030306@dsl.pipex.com> <1111612042.1072.53.camel@jzny.localdomain> <4241F1D2.9050202@dsl.pipex.com> <4241F7F0.2010403@dsl.pipex.com> <1111625608.1037.16.camel@jzny.localdomain> <424212F7.10106@dsl.pipex.com> <1111663947.1037.24.camel@jzny.localdomain> <1111665450.1037.27.camel@jzny.localdomain> <4242DFB5.9040802@dsl.pipex.com> <1111749220.1092.457.camel@jzny.localdomain> <42446DB2.9070809@dsl.pipex.com> <1111781443.1092.631.camel@jzny.localdomain>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050324 Debian/1.7.6-1
jamal wrote:
> I don't think connmark will work - yet. Patrick? I think you need
> something attached on the skb that is derived off the netfilter
> conntracking code for it to be usable.

Correct.

> Things will work once the "action track" is in place; i.e. you would
> then say:
> "match xxx .. \
>  action track \
>  action connmark"
>
> If I was to prioritize my time for new actions - how important is this?
> I also wish someone else would start writing some of these actions ;->
> Wanna write the tracking one? I could help - wink.

Before this, the ipt action needs to make sure the packets are in a valid state from the view of conntrack/ip_tables. Right now it doesn't even check if it's IP. Both assume the length checks in ip_rcv() have been performed; it actually creates security problems in a few places if they haven't - length calculations can underflow and bad things will happen.

Regards
Patrick
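
As an added illustration (not code from this thread or from the kernel), here is a user-space C sketch of the ip_rcv()-style header checks Patrick refers to, next to the unchecked length arithmetic that wraps when they are skipped; the 10.0.0.x addresses and packet sizes are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 one's-complement checksum over len bytes; a correct IPv4
 * header checksums to 0 when the check field is included. */
static uint16_t ip_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a constructed 20-byte IPv4 header (no options) with the given
 * total-length field and a valid checksum. */
void build_ipv4_hdr(uint8_t *out, uint16_t tot_len) {
    memset(out, 0, 20);
    out[0] = 0x45;                                  /* version 4, ihl 5 */
    out[2] = tot_len >> 8; out[3] = tot_len & 0xff;
    out[8] = 64; out[9] = 17;                       /* ttl, UDP */
    out[12] = 10; out[15] = 1;                      /* 10.0.0.1 (sample) */
    out[16] = 10; out[19] = 2;                      /* 10.0.0.2 (sample) */
    uint16_t c = ip_csum(out, 20);
    out[10] = c >> 8; out[11] = c & 0xff;
}

/* The checks ip_rcv() performs before netfilter/conntrack ever see the
 * packet: IPv4, ihl >= 20, header inside the buffer, checksum OK,
 * tot_len >= ihl and tot_len <= buffer. Returns the L4 payload length,
 * or -1 if the packet must be dropped. */
int ip_sanity_check(const uint8_t *pkt, size_t len) {
    if (len < 20) return -1;
    unsigned ver = pkt[0] >> 4, ihl = (pkt[0] & 0x0f) * 4u;
    if (ver != 4 || ihl < 20 || ihl > len) return -1;
    if (ip_csum(pkt, ihl) != 0) return -1;
    unsigned tot_len = (unsigned)pkt[2] << 8 | pkt[3];
    if (tot_len < ihl || tot_len > len) return -1;
    return (int)(tot_len - ihl);
}

/* The same arithmetic with the checks skipped: with tot_len < ihl the
 * unsigned subtraction wraps to a huge value, which is the underflow
 * the mail warns about. */
unsigned unchecked_payload_len(const uint8_t *pkt) {
    unsigned ihl = (pkt[0] & 0x0f) * 4u;
    unsigned tot_len = (unsigned)pkt[2] << 8 | pkt[3];
    return tot_len - ihl;
}
```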
