Am 16.01.2011 14:19, schrieb Florian Westphal: > ret != NF_QUEUE only works in the "--queue-num 0" case; for > queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'. > > However, NF_QUEUE no longer DROPs the skb unconditionally if queueing > fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the > re-route test should also be performed if this flag is set in the > verdict. > > The full test would then look something like > > && ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS)) > > This is rather ugly, so just remove the NF_QUEUE test altogether. > > The only effect is that we might perform an unnecessary route lookup > in the NF_QUEUE case. > > ip6table_mangle did not have such a check. Applied, thanks Florian. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
