From: Andy Furniss
Date: Thu, 03 Dec 2015 10:51:30 +0000
Subject: Re: Problem with cls_flow nfct-* keys
Message-Id: <56601EB2.2070407@gmail.com>
References: <3419281448878074@web15j.yandex.ru>
In-Reply-To: <3419281448878074@web15j.yandex.ru>
To: lartc@vger.kernel.org

Гаврилов Игорь wrote:

> So this problem is not related to my setup. It seems that it has been
> occurring for a long time. Is there any possibility to fix this, and
> what is the reason for such behavior?

As Florian says, on ingress tc gets the packet before conntrack.

I was slightly hopeful that I was wrong (in thinking this never worked)
when I saw "nf_ct_get" in the code, but it just looks at the skb, which
on ingress won't have the fields filled in.

    /* Return conntrack_info and tuple hash for given skb. */
    static inline struct nf_conn *
    nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
    {
            *ctinfo = skb->nfctinfo;
            return (struct nf_conn *)skb->nfct;
    }

Historically, at least, people used imq to get at traffic after
netfilter. It seems it's still alive (www.linuximq.net), but you need to
patch kernel/iptables.

When ifb first appeared it was mentioned that an action could be made to
get netfilter state, and Florian mentions act_connmark.c, so I guess some
progress was made. Not really much use for your example, I suppose.