From: Atis Elsts <atis@mikrotik.com>
To: steve@chygwyn.com
Cc: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"David Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, panther@balabit.hu,
eric.dumazet@gmail.com, brian.haley@hp.com
Subject: Re: [PATCH] Add sk_mark route lookup support for IPv4 listening sockets, and for IPv4 multicast forwarding
Date: Mon, 19 Oct 2009 14:38:26 +0300 [thread overview]
Message-ID: <200910191438.27328.atis@mikrotik.com> (raw)
In-Reply-To: <20091019082033.GB27230@fogou.chygwyn.com>
On Monday 19 October 2009 11:20:33 steve@chygwyn.com wrote:
>
> Another potential use case would be to segregate traffic into different
> routing domains (and thus being able to change the mark when moving from
> one routing domain to another might be useful).
I agree. Actually, one of our users recenlty requested adding matcher in
firewall that would match outgoing the packets by the routing table that was
used to route them. (For now we found a workaround using tclassid, but that
requires manual configuration.) So yes, it's an useful feature even excluding
the tunnel cases.
I don't like the idea of using skb->mark for storing that information though,
because I think these multiple uses of the same field would be too confusing
for users, even if the default behavior remained the same as now. Also,
consider the case when someone watch to match packets in post routing chain
*both* by the mark that was set in prerouting chain, and routing table used
to route the packet?
There already is free space (padding fieds) in struct dst_entry, so why not
use this space to store the routing table? Speed is also not an issue,
because the field only needs to be filled in slowpath routing lookup, and
will be used only
1) if iptables are explicitly configured to match by it;
2) (?) in tunnel routing lookups. (no idea which is the best option here)
I see that struct rt6_info already has field
struct fib6_table *rt6i_table
so this matcher already can be made for IPv6 firewall. But IPv4 still is more
imporant at the moment :)
Atis
next prev parent reply other threads:[~2009-10-19 11:37 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-05 13:46 [PATCH] Add sk_mark route lookup support for IPv4 listening sockets, and for IPv4 multicast forwarding Atis Elsts
2009-10-07 10:19 ` David Miller
2009-10-07 12:59 ` Atis Elsts
2009-10-07 20:56 ` David Miller
2009-10-08 0:03 ` Maciej Żenczykowski
2009-10-08 5:39 ` David Miller
2009-10-14 7:51 ` Maciej Żenczykowski
2009-10-14 7:23 ` steve
2009-10-14 9:15 ` David Miller
2009-10-14 9:50 ` Maciej Żenczykowski
2009-10-14 9:27 ` steve
2009-10-14 11:04 ` Atis Elsts
2009-10-14 10:16 ` steve
2009-10-14 18:33 ` Maciej Żenczykowski
2009-10-19 8:20 ` steve
2009-10-19 11:38 ` Atis Elsts [this message]
2009-10-08 13:19 ` [PATCH] net: Use routing mark from skb in multicast forwarding routing lookups Atis Elsts
2009-10-13 10:33 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200910191438.27328.atis@mikrotik.com \
--to=atis@mikrotik.com \
--cc=brian.haley@hp.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=panther@balabit.hu \
--cc=steve@chygwyn.com \
--cc=zenczykowski@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).