Re: [PATCH RFC 2/3] netfilter: add ipv4 reverse path filter match

On 30.08.2011 14:41, Florian Westphal wrote:
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
>>> main drawback:
>>> - additional fib lookup to get oif (used as flow key in reverse lookup)
>>
>> As discussed during the workshop, we could just perform input routing
>> in the module to get the oif for free. That would require to take care
>> of statistics as currently done in ip_rcv_finish() though.
> 
> Right.
> Any idea on how to solve the 'struct sk_buff *' (ip_route_input) vs.
> 'const struct sk_buff *' (matches) problem?
> 
> We'd have to modify all the match signatures...

Some modules already remove the const by casting it away, not
pretty, but works. Since the kernel doesn't assume strict aliasing
this also shouldn't cause any problems in the future. Alternatively
we can change the function signatures of course, although that would
be a bit unfortunate just for this special case.

>>> Other issues:
>>> - can't use FORWARD chain because by the time FORWARD is invoked
>>>   ipv4 forward path may have already sent icmp messages in response
>>>   to to-be-discarded-via-rpfilter packets
>>> - using it in PREROUTING may do the wrong thing (e.g. when using
>>>   policy routing via mangle PREROUTING)
>>
>> Not if you're setting up policy routing keys (marks) before doing
>> rp_filter, right? Would require using it in the mangle table of
>> course.
> 
> Yes that should work as well.
> It might be unexpected for some people, though (but this is just a
> documentation issue).

I agree.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
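The rule ordering Patrick suggests above (set the policy-routing mark in mangle PREROUTING, then run the reverse-path match so its lookup sees that mark), as an added example that is not part of the thread or of the RFC patch. It assumes the rpfilter match as it was later merged into the kernel (xt_rpfilter with --validmark and --invert); the interface names, the 198.51.100.0/24 prefix and the mark/table numbers are made up for the illustration, and DRY_RUN=1 (the default) only echoes the commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from the netfilter tree.
# Policy routing via fwmark plus a reverse-path check in mangle PREROUTING.
# Assumed: eth0 carries the default route of the main table, eth1 is a second
# uplink reached only through table 100, next hop 198.51.100.1 (all made up).
# Assumed match semantics: xt_rpfilter as later merged (--validmark uses
# skb->mark in the reverse lookup, --invert matches packets that FAIL it).

DRY_RUN=${DRY_RUN:-1}
DMZ_IF=eth1
DMZ_GW=198.51.100.1
MARK=0x64
TABLE=100

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Packets carrying MARK are routed through table 100 (default via eth1).
setup_policy_routing() {
    run ip route add default via "$DMZ_GW" dev "$DMZ_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# 1. mark everything arriving on eth1 so the reverse lookup for its source
#    address also lands in table 100 and resolves to eth1;
# 2. only then check the reverse path, handing the mark over with --validmark.
# Swapping the two rules makes the match use the main table, whose default
# route points at eth0, so every packet from eth1 would be dropped.
setup_rpfilter() {
    run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m rpfilter --validmark --invert -j DROP
}

# Self-check on the dry-run output: the MARK rule must precede the rpfilter
# rule. Returns 0 when the order is right, 1 otherwise.
check_rule_order() {
    (DRY_RUN=1; setup_rpfilter) | awk '
        /MARK --set-mark/ { m = NR }
        /-m rpfilter/     { r = NR }
        END { exit !(m && r && m < r) }'
}

setup_policy_routing
setup_rpfilter
```

Run with DRY_RUN=0 as root to apply the rules; the mark rule is keyed on the ingress interface here, but any classifier that selects the routing table (source prefix, DSCP, ...) works as long as it sits before the rpfilter rule in the same chain.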