Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
> > fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
> > re-route test should also be performed if this flag is set in the
> > verdict.
> >
> > The full test would then look something like
> >
> > && ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))
> >
> > This is rather ugly, so just remove the NF_QUEUE test altogether.
> >
> > The only effect is that we might perform an unnecessary route lookup
> > in the NF_QUEUE case.
>
> Alternatively we could have nf_queue.c perform the rerouting when
> a packet is marked for queue bypass, just as it already does when
> reinjecting a packet. mangle just needs to check for NF_ACCEPT,
> since that is the only verdict we can return from the table that
> doesn't cause the packet to be dropped or queued.

Good point, thanks!
I'll look into it.
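
Added example, not part of the original thread or of the kernel source: a user-space C sketch of the split proposed above, where mangle re-routes only on NF_ACCEPT and nf_queue.c owns every queued packet. The constants mirror linux/netfilter.h; queue_verdict(), is_queue_bypass(), who_reroutes() and the enum are hypothetical names.

```c
#include <stdio.h>

/* Verdict encoding, values as in linux/netfilter.h,
 * copied here so the example builds in user space. */
#define NF_DROP   0u
#define NF_ACCEPT 1u
#define NF_STOLEN 2u
#define NF_QUEUE  3u
#define NF_VERDICT_MASK              0x000000ffu
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000u
#define NF_VERDICT_QBITS             16

/* Hypothetical labels for which code path does the re-route check. */
enum reroute_owner { REROUTE_NONE, REROUTE_MANGLE, REROUTE_NF_QUEUE };

/* Hypothetical helper: verdict for queue `nr`, optionally with bypass. */
static unsigned int queue_verdict(unsigned int nr, int bypass)
{
    unsigned int v = (nr << NF_VERDICT_QBITS) | NF_QUEUE;
    return bypass ? (v | NF_VERDICT_FLAG_QUEUE_BYPASS) : v;
}

/* The sub-expression quoted in the thread: queue verdict with bypass set. */
static int is_queue_bypass(unsigned int ret)
{
    return (ret & NF_VERDICT_MASK) == NF_QUEUE &&
           (ret & NF_VERDICT_FLAG_QUEUE_BYPASS) != 0;
}

/* The alternative: mangle handles only NF_ACCEPT; nf_queue.c handles
 * queued packets (on reinject, and on bypass when queueing fails). */
static enum reroute_owner who_reroutes(unsigned int ret)
{
    if (ret == NF_ACCEPT)
        return REROUTE_MANGLE;
    if ((ret & NF_VERDICT_MASK) == NF_QUEUE)
        return REROUTE_NF_QUEUE;
    return REROUTE_NONE; /* dropped or stolen: nothing left to route */
}

int main(void)
{
    /* Constructed sample verdicts. */
    unsigned int v[] = { NF_DROP, NF_ACCEPT, NF_STOLEN,
                         queue_verdict(0, 0), queue_verdict(5, 1) };
    for (unsigned int i = 0; i < sizeof(v) / sizeof(v[0]); i++)
        printf("0x%08x bypass=%d owner=%d plain_eq_queue=%d\n", v[i],
               is_queue_bypass(v[i]), who_reroutes(v[i]), v[i] == NF_QUEUE);
    return 0;
}
```

The last column shows why the quoted test masks the verdict first: once a queue number or the bypass flag is encoded in the upper bits, a plain comparison against NF_QUEUE no longer matches.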