The second patch is more speculative and aims to be a more general workaround, as well as a performance optimization: support (preferably JIT compiled) BPF programs as iptables match rules. Potentially, the skb->priority match can be implemented by applying only the second patch and adding a new BPF_S_ANC ancillary field to Linux Socket Filters. I also wrote corresponding userspace patches to iptables. The process for submitting both kernel and user patches is not 100% clear to me. Sending the kernel bits to both netdev and netfilter-devel for initial feedback. Please correct me if you want it another way. The patches apply to net-next.