On Wednesday 2009-01-14 06:39, Jan Engelhardt wrote:

>parent cc46eb3e855b7c1f628e934e01b97f4f2642973e (v2.6.29-rc1-22-gcc46eb3)
>commit 11d60b1b555097e613ad6548b9b695a19735dda1
>Author: Jan Engelhardt <jengelh@xxxxxxxxxx>
>Date:   Wed Jan 14 06:36:10 2009 +0100
>
>netfilter: proc file for extension overview
>
>Add a procfs file that dumps out the full Xtables target, match and
>table info for all known nfprotos, superseding the IPv4/v6-only
>/proc/net/ip{,6}_tables* which only provide names.

With this patch of mine I was able to identify a small discrepancy
(/proc/net/ip* would not have told me, as it just prints names):

># -- Targets --
># type    Name  rev  table   nfproto  l4proto  hooks  tgsize
>target    MARK  2    *       *        *        *      8
>target    MARK  1    mangle  *        *        *      8
>target    MARK  0    mangle  *        *        *      4

Namely that MARK.2 is available for all tables. It looks like an error,
given that the previous ones were all limited to the mangle table.

But, I would have to ask - what do we gain from limiting it to mangle?
All other *MARK targets are available for all tables too, so what was
the original reason for the table limit? I could imagine it having to do
with routing (nfmark can be used as a routing key, as can TOS/DSCP):

>target    TOS   1    mangle  IPv4     *        *      2
>target    TOS   0    mangle  IPv4     *        *      1
>target    DSCP  0    mangle  IPv4     *        *      1

Then again, MARK has more uses than just for routing; it can, for
example, serve as a way to reduce the number of rules by remembering
some previous result.

What do others think?
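As an added example (not part of the original post and not code from the netfilter tree), a small parser for the overview format quoted above that flags the kind of discrepancy described: an extension whose table restriction differs between revisions. The column layout and the sample rows are taken from the dump quoted in the post; the overview file itself is assumed and not read here.

```python
from collections import defaultdict

# Constructed sample: the column layout and every row are copied from
# the dump quoted in the post, so the script runs without the proc file.
SAMPLE_DUMP = """\
# -- Targets --
# type Name rev table nfproto l4proto hooks tgsize
target MARK 2 * * * * 8
target MARK 1 mangle * * * 8
target MARK 0 mangle * * * 4
target TOS 1 mangle IPv4 * * 2
target TOS 0 mangle IPv4 * * 1
target DSCP 0 mangle IPv4 * * 1
"""

# Column names as given in the dump's header line.
FIELDS = ("type", "name", "rev", "table", "nfproto", "l4proto", "hooks", "size")


def parse_dump(text):
    """Return one dict per data line; '*' in a column means 'unrestricted'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # section header or column header, not a record
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected column count in line: %r" % line)
        row = dict(zip(FIELDS, parts))
        row["rev"] = int(row["rev"])
        row["size"] = int(row["size"])
        rows.append(row)
    return rows


def table_discrepancies(rows):
    """Find extensions where one revision is table-unrestricted ('*') while
    another revision of the same extension is pinned to a specific table.
    Returns {(type, name): {rev: table}} for each such extension."""
    by_ext = defaultdict(dict)
    for r in rows:
        by_ext[(r["type"], r["name"])][r["rev"]] = r["table"]
    return {key: dict(revs) for key, revs in by_ext.items()
            if "*" in revs.values() and len(set(revs.values())) > 1}


if __name__ == "__main__":
    for (kind, name), revs in table_discrepancies(parse_dump(SAMPLE_DUMP)).items():
        print("%s %s: table restriction differs across revisions: %r" % (kind, name, revs))
```

Run against the sample it reports only MARK, whose revision 2 is unrestricted while revisions 0 and 1 are pinned to mangle; TOS and DSCP are consistent across revisions and are not reported.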