Somehow, the first part of this email went missing. Not critical, but for completeness:

These two patches each add an xtables match. The xt_priority match is a straightforward addition in the style of xt_mark, adding the option to filter on one more sk_buff field. I have an immediate application for this. The amount of code (in kernel + userspace) to add a single check proved quite large.

On Wed, Dec 5, 2012 at 2:22 PM, Willem de Bruijn <willemb@xxxxxxxxxx> wrote:
> The second patch is more speculative and aims to be a more general
> workaround, as well as a performance optimization: support
> (preferably JIT compiled) BPF programs as iptables match rules.
>
> Potentially, the skb->priority match can be implemented by applying
> only the second patch and adding a new BPF_S_ANC ancillary field to
> Linux Socket Filters.
>
> I also wrote corresponding userspace patches to iptables. The process
> for submitting both kernel and user patches is not 100% clear to me.
> Sending the kernel bits to both netdev and netfilter-devel for
> initial feedback. Please correct me if you want it another way.
>
> The patches apply to net-next.
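The message above argues that a generic BPF match can subsume field-specific matches like xt_priority once the filter can read sk_buff metadata through ancillary loads. The following userspace model is an added example written for this page, not code from the patches or from the kernel: a small classic-BPF interpreter (load/jump/return opcodes with the same encodings as linux/filter.h) that treats the filter's return value as the match verdict, exactly as an iptables BPF match would. The ancillary offset ANC_PRIORITY is hypothetical, standing in for the BPF_S_ANC field the message proposes; ANC_MARK (20) is the real SKF_AD_MARK offset. Packet bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Instruction layout identical to struct sock_filter (classic BPF). */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values as in linux/filter.h: BPF_LD|BPF_W|BPF_ABS etc. */
#define OP_LD_W_ABS   0x20  /* A = be32(pkt[k])                       */
#define OP_LD_H_ABS   0x28  /* A = be16(pkt[k])                       */
#define OP_LD_B_ABS   0x30  /* A = pkt[k]                             */
#define OP_LD_H_IND   0x48  /* A = be16(pkt[X + k])                   */
#define OP_LDX_MSH_B  0xb1  /* X = (pkt[k] & 0xf) << 2  (IPv4 IHL)    */
#define OP_AND_K      0x54  /* A &= k                                 */
#define OP_JEQ_K      0x15  /* pc += (A == k) ? jt : jf               */
#define OP_RET_K      0x06  /* return k                               */

/* Ancillary loads use offsets at or above SKF_AD_OFF (0xfffff000 unsigned). */
#define SKF_AD_OFF    0xfffff000u
#define ANC_MARK      20   /* real SKF_AD_MARK */
#define ANC_PRIORITY  48   /* hypothetical: the proposed skb->priority field */

/* Userspace stand-in for the parts of an sk_buff the filter may read. */
struct pkt { const uint8_t *data; size_t len; uint32_t mark; uint32_t priority; };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }

/* Out-of-bounds loads and unknown opcodes yield 0 (no match), as the kernel does. */
static uint32_t run_filter(const struct bpf_insn *prog, size_t n, const struct pkt *p) {
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        uint32_t off;
        switch (in->code) {
        case OP_LD_W_ABS:
            if (in->k >= SKF_AD_OFF) {            /* ancillary: read skb metadata */
                switch (in->k - SKF_AD_OFF) {
                case ANC_MARK:     A = p->mark;     break;
                case ANC_PRIORITY: A = p->priority; break;
                default: return 0;
                }
                break;
            }
            if ((size_t)in->k + 4 > p->len) return 0;
            A = be32(p->data + in->k); break;
        case OP_LD_H_ABS:
            if ((size_t)in->k + 2 > p->len) return 0;
            A = be16(p->data + in->k); break;
        case OP_LD_B_ABS:
            if ((size_t)in->k >= p->len) return 0;
            A = p->data[in->k]; break;
        case OP_LDX_MSH_B:
            if ((size_t)in->k >= p->len) return 0;
            X = (p->data[in->k] & 0x0f) << 2; break;
        case OP_LD_H_IND:
            off = X + in->k;
            if ((size_t)off + 2 > p->len) return 0;
            A = be16(p->data + off); break;
        case OP_AND_K: A &= in->k; break;
        case OP_JEQ_K: pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_RET_K: return in->k;
        default: return 0;
        }
    }
    return 0;
}

/* Program 1: xt_mark-style check on the hypothetical priority field,
 * i.e. "(skb->priority & 0xff) == 0x10" expressed as a filter. */
static const struct bpf_insn prio_prog[] = {
    { OP_LD_W_ABS, 0, 0, SKF_AD_OFF + ANC_PRIORITY },
    { OP_AND_K,    0, 0, 0xff },
    { OP_JEQ_K,    0, 1, 0x10 },
    { OP_RET_K,    0, 0, 1 },
    { OP_RET_K,    0, 0, 0 },
};

/* Program 2: packet-content match "udp dst port 53", IPv4 header at offset 0
 * (what a netfilter match sees), honouring variable-length IP options via MSH. */
static const struct bpf_insn dns_prog[] = {
    { OP_LD_B_ABS,  0, 0, 9 },    /* A = ip->protocol           */
    { OP_JEQ_K,     0, 3, 17 },   /* not UDP -> RET 0           */
    { OP_LDX_MSH_B, 0, 0, 0 },    /* X = IHL * 4                */
    { OP_LD_H_IND,  0, 0, 2 },    /* A = udp->dest              */
    { OP_JEQ_K,     1, 0, 53 },   /* port 53 -> RET 1           */
    { OP_RET_K,     0, 0, 0 },
    { OP_RET_K,     0, 0, 1 },
};

int match_priority(uint32_t prio) {
    struct pkt p = { NULL, 0, 0, prio };
    return run_filter(prio_prog, sizeof prio_prog / sizeof prio_prog[0], &p) != 0;
}
int match_udp_dns(const uint8_t *data, size_t len) {
    struct pkt p = { data, len, 0, 0 };
    return run_filter(dns_prog, sizeof dns_prog / sizeof dns_prog[0], &p) != 0;
}

/* Constructed sample packets: 20-byte IPv4 header + 8-byte transport header. */
const uint8_t pkt_dns[] = { 0x45,0,0,0x1c, 0,0,0x40,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2,
                            0xc0,0x00, 0x00,0x35, 0x00,0x08, 0x00,0x00 };   /* UDP dport 53 */
const uint8_t pkt_tcp[] = { 0x45,0,0,0x28, 0,0,0x40,0, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2,
                            0xc0,0x00, 0x00,0x35, 0,0,0,0 };                /* TCP, not UDP */

int main(void) {
    printf("priority 0x0310 matches: %d\n", match_priority(0x0310));
    printf("dns packet matches: %d, tcp packet matches: %d, truncated: %d\n",
           match_udp_dns(pkt_dns, sizeof pkt_dns), match_udp_dns(pkt_tcp, sizeof pkt_tcp),
           match_udp_dns(pkt_dns, 22));
    return 0;
}
```

The point of the two programs sitting side by side: the same match module runs both, so once an ancillary field for skb->priority exists, no dedicated xt_priority kernel module or iptables extension is needed for it. The truncated-packet case shows why every load must be bounds-checked against skb->len before it is read; in the kernel this check (plus sk_chk_filter rejecting unknown opcodes and out-of-range jumps at load time) is what keeps a user-supplied filter from reading beyond the packet.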