On Wednesday 2009-02-25 11:29, Patrick McHardy wrote:
>>>> +static bool
>>>> +tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
>>>> +{
>>>> + int err;
>>>> + struct rtable *rt;
>>>> + struct flowi fl;
>>>> +
>>>> + memset(&fl, 0, sizeof(fl));
>>>> + fl.nl_u.ip4_u.daddr = info->gw.ip;
>>>> + fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
>>>>
>>> An index is probably useful when you want to mirror packets
>>> somewhere outside of regular routing.
>>
>> ifindex?
>
>Yes.

Hm. I previously had removed

    fl.nl_u.ip4_u.tos = RT_TOS(iph->tos)

since I reasoned:

The cloned packet would theoretically go through the OUTPUT chain
(if we did not skip Xtables to guard against reentrancy), even if
the original packet went through FORWARD instead. As such, it is
not a true clone, and does not need to be treated as such.

Adding ifindex to the routing key also makes me wonder whether
the mark should be used too, noting however, that it may lead
to a trap (order of MARK vs TEE in a ruleset) - or some kinky
feature:

    -t mangle -A PREROUTING -j TEE --gw 192.168.1.15
    -t mangle -A PREROUTING -j MARK --set-mark 1
    -t mangle -A PREROUTING -j TEE --gw 192.168.1.15

I pretty much have no opinion on this.
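
Review bot: the flow key in tee_tg_route4 is filled with only daddr and scope after the memset, so the lookup can only follow the main routing decision for info->gw.ip and cannot be pinned to an interface. If an output interface is added to xt_tee_tginfo, set fl.oif from it and treat 0 as "not set". Whichever way tos and mark are decided, a short comment above the memset saying that they are deliberately left at zero would help, because the clone's route then does not depend on where MARK sits relative to TEE in the ruleset.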