[Nufw-devel] Re: [PATCH] Add mark to packet from libipq
From: Eric Leblond
Subject: [Nufw-devel] Re: [PATCH] Add mark to packet from libipq
Date: Thu, 16 Oct 2003 09:23:40 +0200
On Thu 16/10/2003 at 09:08, Henrik Nordstrom wrote:
> On Thu, 16 Oct 2003, Eric Leblond wrote:
>
> I have one question regarding the mark mask value in the kernel message..
> what is the purpose of this? Today's implementation looks rather wasteful
> as the userspace may just as well apply the mask before the value is sent
> to the kernel.
> If you are to have a mask I propose this mask indicates which bits to save
> of the original mark, not a mask to the new mark value. I.e. something
> like this:
>
> /* set mark of associated skb */
> entry->skb->nfmark = vmsg->nfmark | (entry->skb->nfmark & vmsg->mask);
>
> (alternately mask may be inverted)
That's what I wanted! I was too tired yesterday to see the huge
error I made. I found it at the end of my sleep ;-) Your mail
gives the answer.
One other question I have is whether or not it is necessary to add
a verdict value in the message if using the mark sys call?
If we mark the packet, we want to let it pass through the gateway...
It will require some work (modification of some functions in ip_queue)
to do so, but it's maybe a cleaner way to do it.
> but in reality this is not needed either as the userspace knows the
> original mask and can apply whatever transformations it likes
> when giving the new verdict mask.
How could userspace know it?
BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)
signature.asc
Description: This is a digitally signed message part.
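
The mask semantics discussed in this message, compared side by side in an added C example that is not code from the thread or from the patch. The struct, the function names and the sample values are hypothetical; the first function assumes that "a mask to the new mark value" means `value & mask`, and the third is a stricter variant that goes beyond what the thread proposes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two fields of the verdict message. */
struct mark_msg {
    uint32_t nfmark; /* new mark value sent by userspace */
    uint32_t mask;   /* meaning depends on the function below */
};

/* Assumed reading of "a mask to the new mark value": the previous mark is
 * discarded, and userspace could have applied the mask itself before sending. */
static uint32_t mark_mask_new(uint32_t old, const struct mark_msg *m)
{
    (void)old;
    return m->nfmark & m->mask;
}

/* Form proposed in the quoted reply: the mask selects which bits of the
 * original mark are saved; the new value is OR-ed on top. */
static uint32_t mark_keep_old(uint32_t old, const struct mark_msg *m)
{
    return m->nfmark | (old & m->mask);
}

/* Stricter variant (added here, not from the thread): the new value is
 * confined to the bits outside the mask, so saved bits cannot be altered. */
static uint32_t mark_keep_old_strict(uint32_t old, const struct mark_msg *m)
{
    return (old & m->mask) | (m->nfmark & ~m->mask);
}

int main(void)
{
    /* Constructed sample: upper 16 bits were set by an earlier rule and
     * should survive; userspace wants to write the lower 16 bits. */
    uint32_t old = 0x00A50001u;
    struct mark_msg m = { 0x00100042u, 0xFFFF0000u };

    printf("mask on new value : 0x%08X\n", (unsigned)mark_mask_new(old, &m));
    printf("keep old bits     : 0x%08X\n", (unsigned)mark_keep_old(old, &m));
    printf("keep old, strict  : 0x%08X\n", (unsigned)mark_keep_old_strict(old, &m));
    return 0;
}
```

With the OR form, a new value that has bits set inside the mask still changes the saved field (0xA5 becomes 0xB5 in the sample), which matters when other rules match on those bits.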