From: Hans Schillstrom <hans@schillstrom.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>,
	kaber@trash.net, jengelh@medozas.de,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [v8 PATCH 2/3] NETFILTER module xt_hmark, new target for HASH based fwmark
Date: Thu, 9 Feb 2012 19:32:03 +0100	[thread overview]
Message-ID: <201202091932.03785.hans@schillstrom.com> (raw)
In-Reply-To: <20120208002743.GA29189@1984>


On Wednesday, February 08, 2012 01:27:43 Pablo Neira Ayuso wrote:
> On Fri, Jan 27, 2012 at 03:41:42PM +0100, Hans Schillstrom wrote:
[snip]

> > +#if defined(CONFIG_NF_NAT)
> > +	if (ct && test_bit(IP_CT_IS_REPLY, &ct->status)) {
> > +		struct nf_conntrack_tuple *otuple;
> > +
> > +		otuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
> > +		/*
> > +		 * On the "return flow", to get the original address
> > +		 */
> > +		if ((ct->status & IPS_DST_NAT) &&
> > +			(info->flags & XT_HMARK_USE_DNAT)) {
> > +			addr1 = (__force u32) otuple->dst.u3.in.s_addr;
> > +			dnatport = otuple->dst.u.udp.port;
> > +		}
> > +		if ((ct->status & IPS_SRC_NAT) &&
> > +			(info->flags & XT_HMARK_USE_SNAT)) {
> > +			addr2 = (__force u32) otuple->src.u3.in.s_addr;
> > +			snatport = otuple->src.u.udp.port;
> > +		}
> 
> You can make this much more simple.
> 
> Allow the user to tell your HMARK target to use the conntrack
> information instead.
> 
> My opinion is that the user must have total control on the target
> behaviour through the configuration options. The number of internal
> by-default decisions has to be kept up to the minimum, otherwise
> the behaviour of the target may seem obscure.
> 
> > +	}
> > +#endif
> > +	/* user space tool ensures that prmask is zero when method is L3*/
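
Review bot: the direction check at the top of this block, test_bit(IP_CT_IS_REPLY, &ct->status), does not test what the comment says it does. IP_CT_IS_REPLY is an enumerator of enum ip_conntrack_info (the ctinfo value), not one of the IPS_*_BIT bit numbers, so test_bit() reads an unrelated bit of ct->status and the "return flow" branch is taken or skipped for the wrong reason. Take the direction from the ctinfo that nf_ct_get() returns together with ct, i.e. CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY. A smaller point in the same block: otuple->dst.u.udp.port and otuple->src.u.udp.port are read without looking at the L4 protocol; for TCP this only works because the members share a union, and for ICMP it picks up the id/type fields instead, so either read the protocol-neutral u.all member and say so in the comment, or gate the port lookup on otuple->dst.protonum.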

While dealing with fragmentation in ipvs, an idea ran into my head...
why not take care of fragments from nfct_reasm in L3_4 mode?

OK it might be an obscure behaviour but on the other hand
people expect that fragments are handled by netfilter...


/Hans

