Re: [RFC] Die to NOTRACK/TRACE, long live MARK!

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Philip Craig <philipc@snapgear.com>
Cc: Jozsef Kadlecsik <kadlec@netfilter.org>,
	netfilter-devel@lists.netfilter.org
Subject: Re: [RFC] Die to NOTRACK/TRACE, long live MARK!
Date: Fri, 21 May 2004 04:12:43 +0200	[thread overview]
Message-ID: <40AD659B.7090107@trash.net> (raw)
In-Reply-To: <40AD4B36.50202@snapgear.com>

Hi,

Philip Craig wrote:
> Jozsef Kadlecsik wrote:
> 
>> We could introduce a new silly target for that purpose like NOTRACK or
>> TRACE. However it's pure marking and we do have a interface to mark
>> packets: the MARK target. So if we could tell the system which mark value
>> has got the given special meaning, we wouldn't need a new target and we
>> could even eliminate the NOTRACK/TRACE targets.
> 
> 
> I assume this will mean allowing the MARK target to be used in the raw
> table, otherwise you can't mark the packets before conntrack.
> 
> Will this mean that only one of these features can be used at a time,
> since a packet cannot have multiple marks?  And use of any of these
> features would preclude current uses of MARK, such as policy routing?
> You could add support for masking bits of the mark, but you would have
> to add this to the policy routing also.

Instead of modifying the nf_mark value (which I don't think we should
do), we could just let the mark target perform the same operations that
NOTRACK/TRACE perform, namely attaching a dummy-conntrack (NOTRACK)
and setting a bit in nfcache (TRACE). For the tcp-window-tracking
spoofed-rst protection we could set a bit in the conntrack structure.
I suppose this feature need to be enabled on a per-connection base
anyway. Unfortunately adding NOTRACK functionality to MARK in this
way would create a dependency on ip_conntrack. Maybe we should add
it to CONNMARK ?

Regards
Patrick

PS: Joszef, I changed your address to @netfilter.org, your mailserver
doesn't like me.

PPS: I'll be away 'till Sunday so don't expect fast responses

next prev parent reply	other threads:[~2004-05-21  2:12 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-05-19 21:30 [RFC] Die to NOTRACK/TRACE, long live MARK! Jozsef Kadlecsik
2004-05-20 10:48 ` Pablo Neira
2004-05-21  0:20 ` Philip Craig
2004-05-21  2:12   ` Patrick McHardy [this message]
2004-05-22 12:38     ` Jozsef Kadlecsik
2004-05-22 14:57       ` Patrick McHardy
2004-05-23  8:55         ` Martin Josefsson
2004-05-23 17:00           ` Patrick McHardy
2004-05-25 12:38         ` Pablo Neira
2004-05-25 17:45           ` Patrick McHardy
2004-05-27 10:33           ` Henrik Nordstrom
2004-05-28 11:41             ` Pablo Neira
2004-05-21 12:35   ` Jozsef Kadlecsik

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=40AD659B.7090107@trash.net \
    --to=kaber@trash.net \
    --cc=kadlec@netfilter.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=philipc@snapgear.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.