Hi Mr. Dumazet

2010/5/27 Eric Dumazet <eric.dumazet@xxxxxxxxx>:
> It's right only if you have a single NIC, and a single queue one.

I have the machine in bridge mode with two NICs: one pointing at the users, and the other pointing at the routers. So I guess this is the "single NIC" case, right?

> Or else two SYN packets could flight in // in extrachain (using two
> cpus), and the logic would be wrong.

Oh I see. So your suggestion is to mark everything with 0x0 to make sure that if something goes wrong the first port will get the packet, right? If everything goes right, it'll get marked using the other rules, right?

Cheers,

Felipe Damasio

> I suggest using a first 'catch all' rule in extrachain, to make sure one
> CONNMARK is done.
>
> Or else, some connections would not go through any TPROXY rule.
>
> Chain extrachain (1 references)
> target     prot opt source               destination
>
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            CONNMARK xset 0x0/0xffffffff
>
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 1 CONNMARK xset 0x1/0xffffffff
>
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 2 CONNMARK xset 0x2/0xffffffff
>
>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
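As an added illustration (not code from this thread), here is a small Python model of the extrachain listed above: the two nth rules with their independent counters, run with and without the leading catch-all rule, for six constructed SYNs evaluated in arrival order and then with two of them reaching one rule in swapped order, as two CPUs could. The nth match semantics are a simplified assumption, stated in the comments.

```python
# Added example, not code from the thread: a toy model of the extrachain
# above, showing what the leading catch-all CONNMARK rule buys. Assumed,
# simplified "-m statistic --mode nth" semantics: a per-rule counter,
# advanced once per packet reaching the rule, starts at --packet and
# matches whenever it wraps after --every packets. CONNMARK does not
# terminate the chain, so a later matching rule overwrites the mark.

class CatchAll:
    """CONNMARK --set-xmark 0x0 with no match: marks every packet."""
    def __init__(self, mark=0x0):
        self.mark = mark
    def evaluate(self):
        return self.mark

class NthRule:
    """-m statistic --mode nth --every N --packet P -j CONNMARK --set-xmark M"""
    def __init__(self, every, packet, mark):
        self.every, self.count, self.mark = every, packet, mark
    def evaluate(self):
        self.count = (self.count + 1) % self.every
        return self.mark if self.count == 0 else None

def run_chain(chain, packets, schedule=None):
    """Return {packet: mark or None} after the packets traverse the chain.
    Counters are per rule, so only the order in which packets reach each
    rule matters; schedule[i], if given, is that order for rule i (used to
    model SYNs evaluated in parallel on two CPUs)."""
    marks = {p: None for p in packets}
    for i, rule in enumerate(chain):
        for p in (schedule[i] if schedule else packets):
            m = rule.evaluate()
            if m is not None:
                marks[p] = m
    return marks

def extrachain(with_catch_all):
    rules = [NthRule(3, 1, 0x1), NthRule(3, 2, 0x2)]   # the two nth rules above
    return ([CatchAll()] if with_catch_all else []) + rules

SYNS = [1, 2, 3, 4, 5, 6]   # constructed: six new connections in arrival order

def simulate(with_catch_all, parallel=False):
    """Marks left on SYNS. With parallel=True, SYNs 1 and 2 reach the last
    (0x2) rule in swapped order, as two CPUs evaluating the chain could do."""
    chain = extrachain(with_catch_all)
    schedule = None
    if parallel:
        schedule = [SYNS] * (len(chain) - 1) + [[2, 1, 3, 4, 5, 6]]
    return run_chain(chain, SYNS, schedule)
```

In the sequential run every third connection matches neither nth rule, and in the reordered run SYN 1 matches none while SYN 2 matches both; only with the catch-all does every connection end up carrying some mark.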