Re: Problem with cls_flow nfct-* keys

Linux Advanced Routing and Traffic Control


 



Гаврилов Игорь wrote:
> So this problem is not related to my setup. It seems that it has been
> occurring for a long time. Is there any possibility to fix this, and
> what is the reason for such behavior?

As Florian says, on ingress tc gets the packet before conntrack.

I was slightly hopeful that I was wrong (in thinking this never worked)
when I saw "nf_ct_get" in the code, but it just looks at the skb which
on ingress won't have the fields filled in.

/* Return conntrack_info and tuple hash for given skb. */
static inline struct nf_conn *
nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
{
        *ctinfo = skb->nfctinfo;
        return (struct nf_conn *)skb->nfct;
}

Historically at least people used imq to get at traffic after netfilter.
It seems it's still alive -

www.linuximq.net

but you need to patch kernel/iptables.

When ifb first appeared it was mentioned that an action could be made to
get netfilter state and Florian mentions act_connmark.c so I guess some
progress was made.

Not really much use for your example I suppose.
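Added example, not part of the original message and not kernel code: a user-space C model of the ordering described in the reply, showing that a helper shaped like nf_ct_get() only reads what is already attached to the skb, so a classifier running before conntrack sees no entry. The struct layouts, conntrack_hook(), key_nfct_src(), classify_at(), the addresses and the fallback to the IP header address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space stand-ins for the kernel types; only the fields
 * this example needs are modelled. */
struct nf_conn { uint32_t tuple_src; };
struct sk_buff { uint32_t ip_saddr; struct nf_conn *nfct; int nfctinfo; };

/* Same shape as the helper quoted in the message: reads the skb, no lookup. */
static struct nf_conn *nf_ct_get(const struct sk_buff *skb, int *ctinfo)
{
    *ctinfo = skb->nfctinfo;
    return skb->nfct;
}

/* Model of the conntrack hook attaching its entry to the packet. */
static void conntrack_hook(struct sk_buff *skb, struct nf_conn *ct)
{
    skb->nfct = ct;
    skb->nfctinfo = 0;
}

/* Hypothetical nfct-src style key: conntrack source when an entry is
 * attached, otherwise the IP header address (fallback is an assumption). */
static uint32_t key_nfct_src(const struct sk_buff *skb, int *from_ct)
{
    int ctinfo;
    const struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
    *from_ct = (ct != NULL);
    return ct ? ct->tuple_src : skb->ip_saddr;
}

enum tc_point { TC_INGRESS, TC_EGRESS };

/* Classify a fresh packet at the given point: conntrack runs after the
 * ingress classifier and before the egress one. */
static uint32_t classify_at(enum tc_point p, int *from_ct)
{
    struct nf_conn ct = { .tuple_src = 0xc0a80105 };  /* 192.168.1.5, constructed */
    struct sk_buff skb = { .ip_saddr = 0xcb007107 };  /* 203.0.113.7, constructed */
    if (p == TC_EGRESS)
        conntrack_hook(&skb, &ct);
    return key_nfct_src(&skb, from_ct);
}

int main(void)
{
    int in_ct, out_ct;
    unsigned in_key = classify_at(TC_INGRESS, &in_ct);
    unsigned out_key = classify_at(TC_EGRESS, &out_ct);
    printf("ingress: key=%08x from_ct=%d\n", in_key, in_ct);
    printf("egress:  key=%08x from_ct=%d\n", out_key, out_ct);
    return 0;
}
```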


