On 12-12-22 08:43 AM, Jan Engelhardt wrote:
> Looking up CT before ingress would mean the entire "raw" table needs to be moved before ingress. But with classic ip_tables, calling a table requires a lot of setup (basically ip_rcv).
Scanning the code: Would it not work if I only passed it IP packets (the tc classifier can check) and then for v4 I do something like ipv4_conntrack_in() with pre-routing as the hook to update the skb?
> All new skbs (i.e. those that did not loop due to IPsec, for example) received through __netif_receive_skb should start out with skb->mark=0, which is why CONNMARK --restore-mark is needed to copy skb->mark=ct->mark.
I may be overthinking this: are you saying connmark should do the copying to skb->mark instead of some action? Earlier you said connmark depends on presence of skb->nfct.

cheers,
jamal
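As an added example, not code from this thread or from netfilter, the two ordering facts the exchange turns on (conntrack has not run yet when the raw table executes, so nothing there can depend on skb->nfct; and a freshly received skb carries skb->mark == 0 until something such as CONNMARK --restore-mark copies ct->mark into it) can be checked mechanically on the iptables side. The POSIX sh lint below reads an iptables-save style ruleset from stdin and reports rules that break either ordering. The function name check_connmark_order and the two sample rulesets are assumptions constructed for this example; the iptables syntax used in them (-m connmark, -m conntrack, -j CONNMARK --restore-mark / --save-mark, -j CT --notrack) is the real one. It only inspects the text, it never talks to the kernel, and it says nothing about the tc ingress case, since ingress runs before any netfilter hook and no iptables ordering can help there.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints an iptables-save style
# ruleset for the two ordering mistakes discussed above:
#  1. conntrack-dependent rules (-j CONNMARK, -m connmark, -m conntrack) in
#     the raw table, which runs before the conntrack hook, so skb->nfct is
#     not set there yet (-j CT / NOTRACK belongs in raw; that is its purpose);
#  2. a "-m mark" match in mangle PREROUTING placed before
#     "-j CONNMARK --restore-mark": a freshly received skb has skb->mark == 0,
#     so the match never sees the connection's mark.
# Reads the ruleset on stdin, prints one line per finding, exits 1 if any.
check_connmark_order() {
    awk '
    /^\*/     { table = substr($0, 2); restored = 0; next }
    /^COMMIT/ { table = ""; next }
    /^-A / {
        chain = $2
        if (table == "raw" &&
            ($0 ~ /-j CONNMARK/ || $0 ~ /-m (connmark|conntrack) /)) {
            printf "raw %s: rule needs skb->nfct, conntrack has not run yet: %s\n", chain, $0
            bad = 1
        }
        if (table == "mangle" && chain == "PREROUTING") {
            if ($0 ~ /-j CONNMARK --restore-mark/)
                restored = 1
            else if ($0 ~ /-m mark / && !restored) {
                printf "mangle PREROUTING: -m mark before --restore-mark sees skb->mark 0: %s\n", $0
                bad = 1
            }
        }
    }
    END { if (bad) exit 1 }
    '
}

# Constructed sample (not a real ruleset): a connmark match in raw, and a
# mark test in mangle that precedes the restore. Both are reported.
BAD_RULESET='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m connmark --mark 0x1 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m mark --mark 0x1 -j ACCEPT
-A PREROUTING -j CONNMARK --restore-mark
COMMIT
'

# Constructed sample in the working order: raw only switches tracking off for
# some traffic; mangle restores ct->mark into skb->mark first, then matches
# or sets the packet mark, then saves it back to ct->mark for the flow.
GOOD_RULESET='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1
-A PREROUTING -j CONNMARK --save-mark
COMMIT
'

# Demo run over the two constructed rulesets; the bad one yields two findings.
printf '%s' "$BAD_RULESET"  | check_connmark_order || echo "bad ruleset: fix the ordering"
printf '%s' "$GOOD_RULESET" | check_connmark_order && echo "good ruleset: clean"
```

To lint a live box, feed it `iptables-save | check_connmark_order`. The check deliberately does not flag `-j CT` or `NOTRACK` in raw: those are the rules that must run before conntrack, which is exactly why the raw table would have to move with it if the lookup were pulled in front of ingress.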