On Sat, Dec 15, 2001 at 04:59:56PM +0100, bert hubert wrote:
> Rusty & others:
>
> Right now, netfilter can't see or touch the skb->priority of packets
> generated locally because it is only set in ip_queue_xmit2, after netfilter
> has been consulted. This patch moves the skb->priority=sk->priority line to
> just before calling netfilter.
>
> I think this patch is philosophically right because it allows netfilter to
> override userspace instructions, which is what we do for lots of other
> targets too. We feel that it is ok to drop or mangle locally generated
> packets in netfilter. I think we should do the same for skb->priority.

I don't see any bad implications of your patch. What is the position
of our core networking people (Dave, Andi, Alexey) to this proposal?
I'd like to see this minimal change because it would extend the features
of iptables - without hurting anybody else.
--
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)