Re: [PATCH netfilter: nft] Add the connmark meta_key


 



On Mon, Jan 06, 2014 at 06:05:23PM +0100, Florian Westphal wrote:
> Kristian Evensen <kristian.evensen@xxxxxxxxx> wrote:
> > From: Kristian Evensen <kristian.evensen@xxxxxxxxx>
> > 
> > This patch enables connmark to be set/retrieved using meta
> > expressions/statements.
> > 
> > Signed-off-by: Kristian Evensen <kristian.evensen@xxxxxxxxx>
> > ---
> >  include/uapi/linux/netfilter/nf_tables.h |  2 ++
> >  net/netfilter/nft_meta.c                 | 34 ++++++++++++++++++++++++++++++++
> >  2 files changed, 36 insertions(+)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> > index aa86a152..05eaeb9 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -531,6 +531,7 @@ enum nft_exthdr_attributes {
> >   * @NFT_META_NFTRACE: packet nftrace bit
> >   * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
> >   * @NFT_META_SECMARK: packet secmark (skb->secmark)
> > + * @NFT_META_CONNMARK: used to get/set the connection mark
> >   */
> >  enum nft_meta_keys {
> >  	NFT_META_LEN,
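
Review bot: the kernel-doc line added for NFT_META_CONNMARK ("used to get/set the connection mark") does not follow the pattern of the entries above it, which name the property and the field it comes from, e.g. "packet secmark (skb->secmark)". The connection mark belongs to the conntrack entry rather than to the skb, so the comment should say that and name the field, for example "connection mark of the packet's conntrack entry (ct->mark)", matching the ct->mark access in the NFT_CT_MARK case quoted further down in this message.
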
> > @@ -548,6 +549,7 @@ enum nft_meta_keys {
> >  	NFT_META_NFTRACE,
> >  	NFT_META_RTCLASSID,
> >  	NFT_META_SECMARK,
> > +	NFT_META_CONNMARK,
> >  };
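
Review bot: NFT_META_CONNMARK is added to the uapi enum nft_meta_keys unconditionally, whereas the NFT_CT_MARK case quoted below in this message is compiled only under CONFIG_NF_CONNTRACK_MARK. Once exported, the enum value is userspace ABI and duplicates a key that nft_ct_keys already provides, so either drop it in favour of NFT_CT_MARK or, if it stays, make sure the nft_meta.c side (not quoted here) rejects the key when CONFIG_NF_CONNTRACK_MARK is disabled instead of silently accepting it.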
> 
> This looks wrong, meta is for packet properties.
> You should probably use NFT_CT_MARK from nft_ct_keys enum.

Well, actually the ct expression already supports connmark, as does userspace.

#ifdef CONFIG_NF_CONNTRACK_MARK
        case NFT_CT_MARK:
                dest->data[0] = ct->mark;
                return;
#endif