PATCH: make MARK target terminate

[Patrick McHardy <kaber@trash.net>]

[-- Attachment #1: Type: text/plain, Size: 527 bytes --]

Hi.

The attached patch adds a new option --terminate to the MARK target 
which lets the user choose
if MARK should return IPT_CONTINUE (normal behaviour) or NF_ACCEPT (to 
terminate further rule processing).
This can be useful if you have complex marking rules, f.e. for QoS.
The current patch is against a clean MARK target, if anyone wishes i can 
also make a patch which will apply after MARK-operations.
A CONNMARK patch will follow but currently CONNMARK doesn't apply clean 
against 2.4.18/2.4.19-pre10 ..

Bye,
Patrick

[-- Attachment #2: iptables-terminate.diff --]
[-- Type: text/plain, Size: 3166 bytes --]

diff -urN userspace-clean/patch-o-matic/extra/MARK-terminate.patch userspace/patch-o-matic/extra/MARK-terminate.patch
--- userspace-clean/patch-o-matic/extra/MARK-terminate.patch	Thu Jan  1 01:00:00 1970
+++ userspace/patch-o-matic/extra/MARK-terminate.patch	Mon Jun 17 05:36:21 2002
@@ -0,0 +1,23 @@
+diff -urN linux/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.4.18-terminate/include/linux/netfilter_ipv4/ipt_MARK.h
+--- linux/include/linux/netfilter_ipv4/ipt_MARK.h	Fri Mar 17 19:56:20 2000
++++ linux-2.4.18-terminate/include/linux/netfilter_ipv4/ipt_MARK.h	Mon Jun 17 05:07:29 2002
+@@ -3,6 +3,7 @@
+ 
+ struct ipt_mark_target_info {
+ 	unsigned long mark;
++	u_int8_t terminate;
+ };
+ 
+ #endif /*_IPT_MARK_H_target*/
+diff -urN linux/net/ipv4/netfilter/ipt_MARK.c linux-2.4.18-terminate/net/ipv4/netfilter/ipt_MARK.c
+--- linux/net/ipv4/netfilter/ipt_MARK.c	Sun Sep 30 21:26:08 2001
++++ linux-2.4.18-terminate/net/ipv4/netfilter/ipt_MARK.c	Mon Jun 17 05:07:58 2002
+@@ -21,7 +21,7 @@
+ 		(*pskb)->nfmark = markinfo->mark;
+ 		(*pskb)->nfcache |= NFC_ALTERED;
+ 	}
+-	return IPT_CONTINUE;
++	return markinfo->terminate ? NF_ACCEPT : IPT_CONTINUE;
+ }
+ 
+ static int
diff -urN userspace-clean/patch-o-matic/extra/MARK-terminate.patch.help userspace/patch-o-matic/extra/MARK-terminate.patch.help
--- userspace-clean/patch-o-matic/extra/MARK-terminate.patch.help	Thu Jan  1 01:00:00 1970
+++ userspace/patch-o-matic/extra/MARK-terminate.patch.help	Mon Jun 17 05:36:21 2002
@@ -0,0 +1,9 @@
+Author: Patrick McHardy <kaber@trash.net>
+Status: Working
+
+This patch adds a new option --terminate to MARK to terminate chain traversal.
+
+# iptables -t mangle -A PREROUTING -m tos --tos 0x08 -j MARK --set-mark 0x15 --terminate
+
+***** WARNING ***** This patch also patch the userspace directory which means that you
+                    you have to recompile and reinstall the iptables package after that.
diff -urN userspace-clean/patch-o-matic/extra/MARK-terminate.patch.userspace userspace/patch-o-matic/extra/MARK-terminate.patch.userspace
--- userspace-clean/patch-o-matic/extra/MARK-terminate.patch.userspace	Thu Jan  1 01:00:00 1970
+++ userspace/patch-o-matic/extra/MARK-terminate.patch.userspace	Mon Jun 17 05:36:21 2002
@@ -0,0 +1,42 @@
+diff -urN extensions/libipt_MARK.c extensions/libipt_MARK.c
+--- extensions/libipt_MARK.c	Wed May 29 15:08:16 2002
++++ extensions/libipt_MARK.c	Mon Jun 17 05:21:16 2002
+@@ -26,6 +26,7 @@
+ 
+ static struct option opts[] = {
+ 	{ "set-mark", 1, 0, '1' },
++	{ "terminate", 0, 0, '2' },
+ 	{ 0 }
+ };
+ 
+@@ -57,6 +58,10 @@
+ 		*flags = 1;
+ 		break;
+ 
++	case '2':
++		markinfo->terminate = 1;
++		break;
++		
+ 	default:
+ 		return 0;
+ 	}
+@@ -88,6 +93,9 @@
+ 		(const struct ipt_mark_target_info *)target->data;
+ 	printf("MARK set ");
+ 	print_mark(markinfo->mark, numeric);
++	
++	if (markinfo->terminate)
++		printf("terminate ");
+ }
+ 
+ /* Saves the union ipt_targinfo in parsable form to stdout. */
+@@ -98,6 +106,9 @@
+ 		(const struct ipt_mark_target_info *)target->data;
+ 
+ 	printf("--set-mark 0x%lx ", markinfo->mark);
++
++	if (markinfo->terminate)
++		printf("--terminate ");
+ }
+ 
+ static