From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: CLASSIFY target
Date: Sat, 24 Feb 2007 16:57:42 +0100
Message-ID: <45E06076.1000208@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: netfilter-devel@lists.netfilter.org
To: Chip Schweiss
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Chip Schweiss wrote:
> Is there a technical reason why the CLASSIFY target can only be called
> from the POSTROUTING chain of the mangle table?
>
> It seems rather wasteful to repeat all the logic necessary to classify a
> packet in the POSTROUTING chain that in most cases will already be done
> in the filter table.

It can also be called in the FORWARD and OUTPUT chains, but that's not
the point of course. Technically there is no reason for this, it's more
of a convention to do packet mangling in the mangle table. The only case
where it is really necessary is marking packets for routing by fwmark in
the output chain, since these packets need to be rerouted. I guess we
could remove this restriction.

> Besides, in my testing the overhead of classifying
> packets in the mangle table seems to be many magnitudes greater than in
> the filter table.

How did you test this? Please post numbers if you have any.

> Would it be possible to simply remove the checks if the rule is being
> added in the POSTROUTING chain of mangle table from the kernel &
> iptables sources and have the CLASSIFY target work from the filter
> table?

Feel free to send a patch, but please also do this for all other targets
restricted to the mangle table and update the manpage.
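The placement rule Patrick describes, and the one case he says genuinely needs the mangle OUTPUT chain, written out as an added example. This is not code from the thread or from the netfilter project; it encodes CLASSIFY's accepted placement as stated above (mangle table; POSTROUTING, FORWARD or OUTPUT chain, as of this 2007 exchange), converts a tc classid into the 32-bit handle the target writes into skb->priority, and prints the rules for the classify case and the MARK-then-reroute case rather than applying them. Interface names, the mark value, the routing table number and the gateway address are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from the netfilter project.
# Rules are printed by default; set APPLY=1 (as root) to run them instead.

# Return 0 when the CLASSIFY target is accepted in TABLE/CHAIN, 1 otherwise.
# Per the thread: mangle table only, in POSTROUTING, FORWARD or OUTPUT.
classify_allowed() {
    local table="$1" chain="$2"
    [ "$table" = "mangle" ] || return 1
    case "$chain" in
        POSTROUTING|FORWARD|OUTPUT) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn a tc classid "major:minor" (both hex, the way iptables' --set-class
# parses it) into the 32-bit handle CLASSIFY stores in skb->priority:
# major in the upper 16 bits, minor in the lower 16.
classid_to_handle() {
    local maj="${1%%:*}" min="${1##*:}"
    printf '0x%08x' $(( (0x$maj << 16) | 0x$min ))
}

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Build (and optionally apply) a CLASSIFY rule, refusing the placements that
# the thread says the kernel and iptables currently check for at insert time.
# Extra match arguments after the classid are passed through to iptables.
classify_rule() {
    local table="$1" chain="$2" classid="$3"; shift 3
    classify_allowed "$table" "$chain" || {
        echo "CLASSIFY not accepted in table $table chain $chain" >&2
        return 1
    }
    run iptables -t "$table" -A "$chain" "$@" -j CLASSIFY --set-class "$classid"
}

# Case 1: classify HTTP egress into tc class 1:10 from mangle POSTROUTING
# (interface name assumed).
classify_rule mangle POSTROUTING 1:10 -o eth0 -p tcp --dport 80

# Case 2: the placement the thread says cannot leave the mangle table: mark
# locally generated packets in OUTPUT so they are rerouted by fwmark.
# Mark value, table number, gateway and interface are assumed.
run iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 1
run ip rule add fwmark 1 table 100
run ip route add default via 192.0.2.1 dev eth1 table 100

# Case 3: what the original question asked for; refused by this script,
# mirroring the check the thread discusses removing.
classify_rule filter FORWARD 1:10 -p tcp --dport 80 || true
```

`classid_to_handle 1:10` yields `0x00010010`, which is the value the tc class `1:10` is keyed on; `classify_rule filter FORWARD ...` fails with a message on stderr instead of emitting a rule, matching the restriction as Patrick states it.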