Patrick McHardy írta:
Laszlo Attila Toth wrote:
+static bool match_v1(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
+ const struct net_device *limit_dev = (info->flags &
IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;
The match can be used on any hook, using the incoming interface
is a bit unflexible. How about using the incoming interface for
src-address and outgoing interface for destination address matches?
But what happens when I use only dst-type in the rule in the INPUT chain?
I think in the INPUT chain the incoming interface with the dst-type and
in the OUTPUT chain the outgoing interface with the src-type parameter
could be used. And what should I check in the other 3 chains? In FORWARD
it seems pointless to let the limit-iface option.
Alternatively add two flags to specify which device to use. You'll
need to add proper checks of course to make sure the interface is
valid for the hook the match is used in.
Hm, I need a hooknum parameter in the match function which exists only
in the target functions.
--
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
