On Saturday 2012-12-22 14:19, Jamal Hadi Salim wrote:

> Having said that, what you are doing sounds so useful
> that we need to make it work ;-> But it appears like
> we need a brand new action for it, something like
> GetMarkFromConntrack. Jan, I am assuming (on ingress only)
> we need to call "something" to give us the nfct then
> grab the skb->mark from nfct.

Looking up CT before ingress would mean the entire "raw" table needs to
be moved before ingress. But with classic ip_tables, calling a table
requires a lot of setup (basically ip_rcv).

> On egress,
> I am assuming the skb->mark is already set if connmark
> is to be used... Am I correct?

All new skbs (i.e. those that did not loop due to IPsec, for example)
received through __netif_receive_skb should start out with skb->mark=0,
which is why CONNMARK --restore-mark is needed to copy
skb->mark=ct->mark.
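The ruleset below is an added illustration of the point made in the reply above, not code from this thread or from the netfilter project. It emits the conventional iptables/tc arrangement in which the mark lives in ct->mark and is copied back onto each packet with CONNMARK --restore-mark, because every freshly received skb (and every locally generated one) enters with skb->mark=0. The interface name eth0, the mark value 0x1, the tcp/22 flow chosen for classification and the tc classid 1:10 are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a minimal iptables + tc ruleset
# that carries a mark across a connection via conntrack. The key line is the
# CONNMARK --restore-mark rule: skb->mark is 0 on every incoming packet, so
# ct->mark has to be copied back before anything keyed on skb->mark (here the
# egress tc fw classifier) can see it.
# Assumptions (invented for illustration): WAN interface, mark value,
# the flow to classify (tcp/PORT) and the tc classid.
WAN="${WAN:-eth0}"
MARK="${MARK:-0x1}"
PORT="${PORT:-22}"

# Print the rules, one per line, in the order they must be installed.
connmark_rules() {
    # Ingress, mangle PREROUTING: this hook runs after conntrack (unlike the
    # tc ingress qdisc discussed in the thread), so ct->mark is available.
    # (1) skb->mark is 0 here; pull the connection's mark back first.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    # (2) Classify only flows that carry no mark yet, i.e. on their first packet.
    echo "iptables -t mangle -A PREROUTING -m connmark --mark 0 -p tcp --dport $PORT -j MARK --set-mark $MARK"
    # (3) Persist skb->mark into ct->mark so (1) restores it for later packets,
    #     in both directions of the connection.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"
    # (4) Locally generated packets enter at OUTPUT with skb->mark=0 as well.
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
    # (5) Egress tc: the fw classifier matches skb->mark, which now mirrors ct->mark.
    echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle $MARK fw flowid 1:10"
}

# Number of emitted rules that read or write the conntrack mark.
connmark_rule_count() {
    connmark_rules | grep -c -- '-j CONNMARK'
}

# To install for real (root, iptables and tc required):  connmark_rules | sh
```

Running `connmark_rules` only prints the commands, so the script is safe to inspect offline; pipe it to `sh` on a host that has an HTB (or similar) root qdisc with handle 1: on the assumed interface. Because restore-mark sits in mangle PREROUTING, the mark is only visible from that hook onwards, which is exactly the gap the thread is about for actions that run at the tc ingress qdisc.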