Re: [PATCH 6/6] netfilter: do not omit re-route check on NF_QUEUE verdict

On 16.01.2011 14:19, Florian Westphal wrote:
> ret != NF_QUEUE only works in the "--queue-num 0" case; for
> queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'.
> 
> However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
> fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
> re-route test should also be performed if this flag is set in the
> verdict.
> 
> The full test would then look something like
> 
> && ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))
> 
> This is rather ugly, so just remove the NF_QUEUE test altogether.
> 
> The only effect is that we might perform an unnecessary route lookup
> in the NF_QUEUE case.

Alternatively we could have nf_queue.c perform the rerouting when
a packet is marked for queue bypass, just as it already does when
reinjecting a packet. mangle just needs to check for NF_ACCEPT,
since that is the only verdict we can return from the table that
doesn't cause the packet to be dropped or queued.
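Added example, not part of the original message or of the kernel source: a small user-space C program that evaluates the tests discussed in this thread against constructed verdict values. The constants are copied from the Linux UAPI header <linux/netfilter.h>; the helper function names are hypothetical and chosen for this illustration only.

```c
#include <stdio.h>

/* Verdict encoding as defined in the Linux UAPI header <linux/netfilter.h>. */
#define NF_DROP   0u
#define NF_ACCEPT 1u
#define NF_STOLEN 2u
#define NF_QUEUE  3u
#define NF_VERDICT_MASK              0x000000ffu /* low byte: the verdict   */
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000u /* extra verdict flag      */
#define NF_VERDICT_QMASK             0xffff0000u /* high 16 bits: queue nr. */
#define NF_VERDICT_QBITS             16
#define NF_QUEUE_NR(x) \
	((((unsigned)(x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)

/* Hypothetical helpers, named for this example only. */

/* Plain comparison: matches only queue 0 with no flags set. */
static int is_queue_plain(unsigned ret) { return ret == NF_QUEUE; }

/* Masked comparison: matches NF_QUEUE for any queue number and any flags. */
static int is_queue_masked(unsigned ret)
{
	return (ret & NF_VERDICT_MASK) == NF_QUEUE;
}

/* Queue verdict carrying the bypass flag (the "full test" quoted above). */
static int is_queue_bypass(unsigned ret)
{
	return is_queue_masked(ret) &&
	       (ret & NF_VERDICT_FLAG_QUEUE_BYPASS) != 0;
}

/* The alternative from the reply: the table re-routes only on NF_ACCEPT. */
static int reroute_on_accept_only(unsigned ret) { return ret == NF_ACCEPT; }

static unsigned queue_num(unsigned ret) { return ret >> NF_VERDICT_QBITS; }

int main(void)
{
	/* Constructed sample verdicts, not taken from a real trace. */
	unsigned v[] = { NF_ACCEPT, NF_DROP, NF_QUEUE_NR(0), NF_QUEUE_NR(5),
			 NF_QUEUE_NR(5) | NF_VERDICT_FLAG_QUEUE_BYPASS };

	puts("verdict     qnum plain masked bypass accept-only");
	for (size_t i = 0; i < sizeof(v) / sizeof(v[0]); i++)
		printf("0x%08x %4u %5d %6d %6d %11d\n", v[i], queue_num(v[i]),
		       is_queue_plain(v[i]), is_queue_masked(v[i]),
		       is_queue_bypass(v[i]), reroute_on_accept_only(v[i]));
	return 0;
}
```

The "plain" column is 1 only for queue 0, which is the "--queue-num 0" limitation described in the quoted commit message.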

