Jan Engelhardt wrote:
> On Thursday 2010-04-01 12:37, Patrick McHardy wrote:
>
>> Jan Engelhardt wrote:
>>> Since Xtables is now reentrant/nestable, the cloned packet can also go
>>> through Xtables and be subject to rules itself.
>>
>> That sounds dangerous if conntrack isn't used to prevent loops.
>
> Conntrack loops are prevented by using a dummy conntrack, just as
> NOTRACK does.

My question was about the case without conntrack.

>> Is that really useful? For filtering, you can simply apply the
>> rules before deciding to TEE the packet.
>
> I can think of a handful of applications:
> - CLASSIFY

Good point, you should probably reset a couple of skb members after the
skb_copy().

> - When the cloned packet gets XFRMed or tunneled, its status switches
>   from "special" to "plain". Doing policy routing on them does not seem
>   so far-fetched.

Fair enough, provided we can also handle loops when conntrack isn't used.