Thank you. I forgot to add the check for mark != value. I will submit a new version.

-Kristian

On Tue, Jan 7, 2014 at 4:32 PM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Kristian Evensen <kristian.evensen@xxxxxxxxx> wrote:
>> +static void nft_ct_set_eval(const struct nft_expr *expr, >> + struct nft_data data[NFT_REG_MAX + 1], >> + const struct nft_pktinfo *pkt) >> +{ >> + const struct nft_ct *priv = nft_expr_priv(expr); >> + struct sk_buff *skb = pkt->skb; >> + u32 value = data[priv->sreg].data[0]; >> + enum ip_conntrack_info ctinfo; >> + struct nf_conn *ct; >> + >> + ct = nf_ct_get(skb, &ctinfo); >> + >> + if (ct == NULL) >> + return; >> + >> + switch (priv->key) { >> +#ifdef CONFIG_NF_CONNTRACK_MARK >> + case NFT_CT_MARK: >> + ct->mark = value; >> + nf_conntrack_event_cache(IPCT_MARK, ct);
>
> I think the event should only be raised when the mark value
> is altered, else one might get nfct event storm.
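Review bot: In the NFT_CT_MARK case of nft_ct_set_eval(), `ct->mark = value;` and `nf_conntrack_event_cache(IPCT_MARK, ct);` run unconditionally, so each packet that evaluates this expression caches an IPCT_MARK event even when the connection already carries that mark. Wrap both statements in a comparison such as `if (ct->mark != value)` so that the store and the event happen only on an actual change; this keeps conntrack event listeners from being flooded by rules that re-apply the same mark to every packet of a flow. The quoted lines stop inside the `#ifdef CONFIG_NF_CONNTRACK_MARK` block, before any `break` or `#endif`, so the end of the case cannot be checked from what is shown here.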