From: Amin Azez <azez@ufomechanic.net>
To: netfilter-devel@lists.netfilter.org
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: dangerous? Setting mark in nat table
Date: Tue, 13 Mar 2007 16:12:44 +0000 [thread overview]
Message-ID: <45F6CD7C.40708@ufomechanic.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0703131632190.18488@yvahk01.tjqt.qr>
* Jan Engelhardt wrote, On 13/03/07 15:36:
> On Mar 13 2007 15:25, Amin Azez wrote:
>> I want need to set a mark (-j MARK) in the nat table based on dnat'ing done.
>>
>> This means changing the ipt_mark kernel module, at least for my own
>> consumption.
>>
>> Are there any overpowering reasons why I should not do this, or even why
>> it should not be done at all?
>
> It is valid from a programming point of view (the @skb is always writable
> a.k.a. it is not in a rodata section protected by hardware, which is why
> it can also be modified from within matches which have const struct
> sk_buff *skb), but it is perhaps some sort of layering violation (MARK is
> for mangle only). I recognize that it would be cheapest to MARK packets
> _after_ the whole lot of bad packets has been dropped in filter, rather
> than having to mark them first in mangle and then just filter it out
> again.
Heh, I spoke to soon.
1. x_tables.c already supports a null table name meaning no-restriction
(although this may be historic rather than planned) so I could just
remove the table name from xt_MARK
2. CONNMARK (as I used it) doesn't set a table restriction anyway,
so..... I'll just use CONNMARK for now.
Sam
next prev parent reply other threads:[~2007-03-13 16:12 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-13 15:25 dangerous? Setting mark in nat table Amin Azez
2007-03-13 15:36 ` Jan Engelhardt
2007-03-13 16:12 ` Amin Azez [this message]
2007-03-13 16:18 ` Jan Engelhardt
2007-03-14 10:35 ` Henrik Nordstrom
2007-03-14 11:02 ` Patrick McHardy
2007-03-14 12:43 ` Henrik Nordstrom
2007-03-14 12:52 ` [PATCH 1/1] " Amin Azez
2007-03-14 13:08 ` Patrick McHardy
2007-03-14 13:21 ` Jozsef Kadlecsik
2007-03-14 14:09 ` Jozsef Kadlecsik
2007-03-14 20:35 ` Patrick McHardy
2007-03-14 20:45 ` Henrik Nordstrom
2007-03-14 20:48 ` Jan Engelhardt
2007-03-14 22:21 ` Henrik Nordstrom
2007-03-14 22:58 ` Carl-Daniel Hailfinger
2007-03-14 23:02 ` Patrick McHardy
2007-03-14 23:12 ` Jan Engelhardt
2007-03-14 23:15 ` Patrick McHardy
2007-03-15 13:12 ` Roberto Nibali
2007-03-16 12:31 ` Patrick McHardy
2007-03-15 0:41 ` Henrik Nordstrom
2007-03-14 14:11 ` Amin Azez
2007-03-14 14:32 ` One unified table of nat/mangle/filter Henrik Nordstrom
2007-03-14 14:47 ` [PATCH 1/1] Re: dangerous? Setting mark in nat table Jozsef Kadlecsik
2007-03-14 16:47 ` Jan Engelhardt
2007-03-14 13:14 ` Henrik Nordstrom
2007-03-14 12:43 ` Amin Azez
2007-03-14 10:27 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45F6CD7C.40708@ufomechanic.net \
--to=azez@ufomechanic.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.