Гаврилов Игорь wrote:
So this problem is not related to my setup. It seems that it has occurred for a long time. Is there any possibility to fix this, and what is the reason for such behaviour?
As Florian says, on ingress tc gets the packet before conntrack. I was slightly hopeful that I was wrong (in thinking this never worked) when I saw "nf_ct_get" in the code, but it just looks at the skb, which on ingress won't have the fields filled in:

    /* Return conntrack_info and tuple hash for given skb. */
    static inline struct nf_conn *
    nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
    {
        *ctinfo = skb->nfctinfo;
        return (struct nf_conn *)skb->nfct;
    }

Historically at least, people used imq to get at traffic after netfilter. It seems it's still alive - www.linuximq.net - but you need to patch the kernel/iptables.

When ifb first appeared it was mentioned that an action could be made to get netfilter state, and Florian mentions act_connmark.c, so I guess some progress was made. Not really much use for your example, I suppose.

--
To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
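The reply above points at act_connmark as the way around the ordering problem: conntrack state is not there yet when the ingress qdisc runs, but a mark that was saved into the conntrack entry on an earlier packet of the same flow can be copied back into skb->mark by the connmark action before later ingress filters run. The script below is an added example and is not part of this thread or of the kernel/iproute2 sources; it assumes a kernel with act_connmark (CONFIG_NET_ACT_CONNMARK), iproute2 and iptables, and the interface name `eth0`, the mark value `0x1`, the port 22 selector and the police rate are constructed placeholders. With `DRY_RUN=1` (the default) it only prints the commands it would run, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes act_connmark,
# iproute2 and iptables are available. DEV and MARK are placeholders.
DEV="${DEV:-eth0}"
MARK="${MARK:-0x1}"

# run: print the command under DRY_RUN=1 (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: classify where conntrack is already populated (here: mangle
# POSTROUTING on the way out) and save the decision into the ct mark.
# The port-22 selector is a constructed placeholder for "some flow".
save_connmark_rules() {
    run iptables -t mangle -A POSTROUTING -p tcp --dport 22 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A POSTROUTING -m mark --mark "$MARK" \
        -j CONNMARK --save-mark
}

# Step 2: on ingress the packet has not been through conntrack, so
# skb->mark is still 0. The connmark action copies the stored ct mark
# into skb->mark; "continue" lets classification proceed to the next
# filter, where an fw classifier can match on that mark.
ingress_connmark_filters() {
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 1 \
        u32 match u32 0 0 action connmark continue
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 2 \
        handle "$MARK" fw action police rate 1mbit burst 100k drop
}

# Count how many generated commands reference the connmark mechanism;
# useful as a self-check of the dry-run output.
count_connmark_commands() {
    { save_connmark_rules; ingress_connmark_filters; } \
        | grep -c -i connmark
}

# Only apply everything when explicitly asked (APPLY_ALL=1).
if [ "${APPLY_ALL:-0}" = "1" ]; then
    save_connmark_rules
    ingress_connmark_filters
fi
```

Run it as `DRY_RUN=1 sh connmark-ingress.sh` to review the generated rules, then `DRY_RUN=0 APPLY_ALL=1 sudo sh connmark-ingress.sh` to install them. Note that the first packet of a new flow still arrives on ingress without a usable mark; only subsequent packets, after the egress rule has saved the mark into the conntrack entry, are restored by act_connmark.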