From: Vinod Chandran <vinod_chandran@multitech.co.in>
Cc: netfilter-devel <netfilter-devel@lists.netfilter.org>,
	netfilter@lists.netfilter.org
Subject: Re: Usage of CONNMARK
Date: Sat, 05 Feb 2005 13:06:23 +0530
Message-ID: <42047777.3030102@multitech.co.in>
In-Reply-To: Pine.LNX.4.61.0502041515360.10050@filer.marasystems.com

Hi,
 
Currently, from the FTP helper if DROP is given, the packets are not 
getting dropped since the conntrack entry exists and also since, from 
where the helper routine is called, there is no check for the return value 
of NF_DROP. Hence when NF_DROP is returned, inside ip_conntrack_in, I 
set the conntrack value
       ct->mark = 1
However this CONNMARK value only becomes applicable from the next 
packet onwards.

If on the other hand, say I try to change the mark value, 
(*pskb)->nfmark (I assume it contains the MARK indicator), and put a 
rule in the KEEP_STATE_FORWARD chain to drop packets with the specific 
mark value, the kernel is panicking, with a BUG in sched.c. I also get a 
panic if I call nf_conntrack_put.

The problem in my case is that the error is detected after the conntrack 
state is changed. I am wondering whether this is the reason why it's 
causing all the problems.

Thanks,
Vinod C

Henrik Nordstrom wrote:

> On Fri, 4 Feb 2005, Vinod Chandran wrote:
>
>> I am using the CONNMARK patch.
>> Inside conntrack_core, in case of special conditions, I have modified 
>> the mark value in the conntrack.
>
>
> When in conntrack is this modification done?
>
>> However this CONNMARK value is getting effective only for the next 
>> packet and not for the same packet.
>
>
> The connmark match looks at the connection mark value at the time the 
> connmark match is evaluated.
>
>> Is there some way by which, I can make the settings applicable to the 
>> same packet itself?
>
>
> It is, assuming it's done before you need to evaluate the match.
>
> Regards
> Henrik
>

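To illustrate Henrik's point about evaluation order, here is an added example in iptables-restore format. It is not from the thread and it is not the kernel-side change Vinod describes; it does the same thing from userspace: the CONNMARK target writes the connection mark on the conntrack entry, the connmark match reads it, and a match placed after the target in the same traversal sees the new value on the very same packet, while a match placed before it sees the old value. Port 21, mark value 1 and the log prefixes are arbitrary choices; the option names are those of current iptables.

```iptables
# Added example (not part of the thread): rule order decides whether a
# connection mark set by CONNMARK is visible to a connmark match on the
# same packet. Port 21 and mark 1 are arbitrary; the log prefixes are
# only there to make the two outcomes visible in the kernel log.
*mangle
:PREROUTING ACCEPT [0:0]
# 1. Evaluated before the mark is set. On the first packet of a new FTP
#    control connection ct->mark is still 0, so this never matches there.
-A PREROUTING -p tcp --dport 21 -m connmark --mark 1 -j LOG --log-prefix "early-match: "
# 2. Set the mark on the conntrack entry of a NEW FTP control connection.
#    The target updates ct->mark immediately, not on the next packet.
-A PREROUTING -p tcp --dport 21 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
# 3. Evaluated after the target: the match reads the updated ct->mark and
#    therefore matches the same first packet as well as all later ones.
-A PREROUTING -p tcp --dport 21 -m connmark --mark 1 -j LOG --log-prefix "late-match: "
COMMIT
*filter
:FORWARD ACCEPT [0:0]
# The mark lives on the conntrack entry, so a later chain (here the
# filter FORWARD chain, the userspace counterpart of the forward rule
# Vinod mentions) can drop the marked packet and every later packet of
# the same connection.
-A FORWARD -m connmark --mark 1 -j DROP
COMMIT
```

Load it with iptables-restore and open an FTP control connection through the box: the kernel log shows "late-match:" but not "early-match:" for the first SYN, which is exactly the ordering dependency Henrik describes. The same holds inside the kernel: whatever sets ct->mark has to run before the code that evaluates it for that packet, and conntrack itself runs ahead of the mangle table in PREROUTING.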

Thread overview: 7+ messages
2005-02-04  8:13 Usage of CONNMARK Vinod Chandran
2005-02-04 14:17 ` Henrik Nordstrom
2005-02-05  7:36   ` Vinod Chandran [this message]
2005-02-06  0:51     ` Henrik Nordstrom
2005-02-06  0:51       ` Henrik Nordstrom
2005-02-07  4:16       ` Vinod Chandran
2005-02-04 21:35 ` dwhite
