On Mon, 20 Dec 1999, Rusty Russell wrote:
> In message <Pine.LNX.4.10.9912182240560.16239-100000@xxxxxxxxxxxxxx> you
> write:
> > Greetings,
> >
> > I have a kernel application (firewall driver) which wants to be able to
> > tell if, for example, the packet I am looking at in the output chain is
> > the same one that came in on the input chain.
>
> This is hard ATM: consider fragmentation. Other than this, you can
> use the nf_mark/fwmark field.
The code in question still hasn't made it to 2.2 yet, although that's RSN.
:-) What if, instead of keeping track of the iterations (which is rather
indirectly trying to solve the problem), we track the skb itself? With,
for example, a unique skb id which starts at 0 and is incrementally
assigned to each new skb that is allocated, until it wraps?
The goal is to be able to look at a packet in the forward or output chain
and very quickly say "yeah, I just saw this guy in the input chain and
there's no need to re-run some expensive computations on him". It is
otherwise expensive (based on the number of interfaces present) to
determine if a packet originated on the firewall itself.
thanks,
-bp
--
# bryan at terran dot org
# http://www.terran.org/~bryan
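As an added illustration (not code from this mail or from the netfilter tree), a userspace C model of the id-tagging scheme proposed above: the input hook caches its expensive answer under the skb's counter id, the output hook reuses it, and because the counter wraps and ids are recycled, the cached entry has to be dropped when the skb is freed. `struct pkt`, `pkt_alloc`, `pkt_free`, `input_hook`, `output_hook`, `expensive_classify` and `model_reset` are all constructed names, and the fragmentation case Rusty raises is outside this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sk_buff with only the fields this model needs; not kernel code. */
struct pkt {
    uint32_t id;      /* the per-allocation counter proposed in the mail */
    int from_local;   /* ground truth: did the packet originate on this host? */
};

static uint32_t next_id;       /* wraps to 0 after UINT32_MAX, as the mail describes */
static int expensive_calls;    /* how often the costly check actually ran */

#define SLOTS 16
struct memo { uint32_t id; int valid; int from_local; };
static struct memo memo_tab[SLOTS];   /* answers remembered in the input chain, keyed by id */

/* Stand-in for the costly "did this originate on the firewall" computation. */
static int expensive_classify(const struct pkt *p) { expensive_calls++; return p->from_local; }

struct pkt pkt_alloc(int from_local) {
    struct pkt p = { next_id++, from_local };
    return p;
}
/* Ids are reused after a wrap, so a cached answer must die with its skb. */
void pkt_free(const struct pkt *p) {
    struct memo *m = &memo_tab[p->id % SLOTS];
    if (m->valid && m->id == p->id) m->valid = 0;
}
/* Input chain: classify once and remember the answer under this skb's id. */
void input_hook(const struct pkt *p) {
    struct memo *m = &memo_tab[p->id % SLOTS];
    m->id = p->id; m->valid = 1; m->from_local = expensive_classify(p);
}
/* Output/forward chain: reuse the input-chain answer on an id match, else recompute. */
int output_hook(const struct pkt *p) {
    const struct memo *m = &memo_tab[p->id % SLOTS];
    if (m->valid && m->id == p->id) return m->from_local;
    return expensive_classify(p);
}
void model_reset(void) { next_id = 0; expensive_calls = 0; memset(memo_tab, 0, sizeof memo_tab); }

int main(void) {
    struct pkt a = pkt_alloc(0);
    input_hook(&a);
    int answer = output_hook(&a);   /* served from the input-chain cache */
    printf("output chain: from_local=%d, expensive runs=%d\n", answer, expensive_calls);
    return 0;
}
```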