Re: [PATCH nf-next v2 3/3] netfilter: nf_conntrack: add efficient mark to zone mapping


 



On 07/20/2015 07:03 PM, Pablo Neira Ayuso wrote:
> On Mon, Jul 20, 2015 at 06:18:55PM +0200, Daniel Borkmann wrote:
> [...]
>> The current approach implemented here that I found so far most appealing
>> and having the least complexity, was to just have a /single/ template and to
>> overwrite the zone->id with skb->mark on the ptr we have sitting on the stack.
>> It avoids all the issues mentioned. But perhaps you mean something entirely
>> different and I just seem to misinterpret your answer, hmm.
>
> You mean something that from command line would look like:
>
>          iptables -A PREROUTING -t raw -j CT --zone mark
>
> So we set the zone ID in the CT target based on the existing mark,
> right?

Not in the target callback, in the example script and patches I've provided,
I'm indeed configuring ...

  iptables -t raw -A PREROUTING -j CT --zone mark --zone-dir ORIGINAL

... which in nf_ct_zone_tmpl() call-sites will return the skb->mark mapped
zone ID, that is then used f.e. directly for the lookup in the hash table
resp. following ct entry allocation in case a lookup didn't return a ct entry.

Thanks,
Daniel
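The scheme discussed above (one CT template whose zone id is replaced by skb->mark on a stack copy at the nf_ct_zone_tmpl() call-sites, with --zone-dir deciding which tuple direction the mark-derived zone keys) as an added user-space model in C. This is not code from the patch series or from the kernel: the struct and function names mirror the netfilter ones but are simplified re-implementations, lookup_zone_id() is a helper invented for this illustration, and truncating the u32 mark into the u16 zone id is an assumption of the model.

```c
/* Added illustration (not kernel code): a user-space model of the "single
 * template, overwrite the zone id with skb->mark on a stack copy" scheme.
 * Names mirror netfilter's but are simplified re-implementations; the u16
 * zone id truncating a u32 mark is an assumption of this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NF_CT_DEFAULT_ZONE_ID  0
#define NF_CT_ZONE_DIR_ORIG    (1 << 0)
#define NF_CT_ZONE_DIR_REPL    (1 << 1)
#define NF_CT_DEFAULT_ZONE_DIR (NF_CT_ZONE_DIR_ORIG | NF_CT_ZONE_DIR_REPL)
#define NF_CT_FLAG_MARK        (1 << 0)   /* zone id comes from skb->mark */

enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };

struct nf_conntrack_zone {
	uint16_t id;
	uint8_t  flags;
	uint8_t  dir;     /* bitmask of NF_CT_ZONE_DIR_* the zone applies to */
};

struct sk_buff { uint32_t mark; };

/* The template conntrack created by the CT target; only its zone matters here. */
struct nf_conn { struct nf_conntrack_zone zone; };

static const struct nf_conntrack_zone nf_ct_zone_dflt = {
	NF_CT_DEFAULT_ZONE_ID, 0, NF_CT_DEFAULT_ZONE_DIR
};

static struct nf_conntrack_zone *
nf_ct_zone_init(struct nf_conntrack_zone *zone, uint16_t id, uint8_t dir,
		uint8_t flags)
{
	zone->id = id;
	zone->dir = dir;
	zone->flags = flags;
	return zone;
}

/* Resolve the zone for skb: the template itself is never written to. When it
 * carries NF_CT_FLAG_MARK, the caller-provided stack copy `tmp` is filled with
 * skb->mark as the id, so no per-mark template has to be allocated. */
static const struct nf_conntrack_zone *
nf_ct_zone_tmpl(const struct nf_conn *tmpl, const struct sk_buff *skb,
		struct nf_conntrack_zone *tmp)
{
	const struct nf_conntrack_zone *zone;

	if (!tmpl)
		return &nf_ct_zone_dflt;
	zone = &tmpl->zone;
	if (zone->flags & NF_CT_FLAG_MARK)
		zone = nf_ct_zone_init(tmp, (uint16_t)skb->mark, zone->dir, 0);
	return zone;
}

static bool nf_ct_zone_matches_dir(const struct nf_conntrack_zone *zone,
				   enum ip_conntrack_dir dir)
{
	return zone->dir & (1 << dir);
}

/* Zone id that keys the tuple hash for one direction; a direction the zone
 * does not cover falls back to the default zone. */
static uint16_t nf_ct_zone_id(const struct nf_conntrack_zone *zone,
			      enum ip_conntrack_dir dir)
{
	return nf_ct_zone_matches_dir(zone, dir) ? zone->id : NF_CT_DEFAULT_ZONE_ID;
}

/* Hypothetical helper: build the template the CT target would create, run a
 * marked packet through nf_ct_zone_tmpl() and return the zone id used to look
 * up or allocate the ct entry in direction `dir`. `use_mark` models
 * `--zone mark`, `zone_dir` models `--zone-dir`. */
uint16_t lookup_zone_id(bool use_mark, uint16_t fixed_id, uint8_t zone_dir,
			uint32_t mark, enum ip_conntrack_dir dir)
{
	struct nf_conn tmpl;
	struct nf_conntrack_zone tmp;
	struct sk_buff skb = { .mark = mark };

	nf_ct_zone_init(&tmpl.zone, use_mark ? 0 : fixed_id, zone_dir,
			use_mark ? NF_CT_FLAG_MARK : 0);
	return nf_ct_zone_id(nf_ct_zone_tmpl(&tmpl, &skb, &tmp), dir);
}

int main(void)
{
	/* iptables -t raw -A PREROUTING -j CT --zone mark --zone-dir ORIGINAL */
	printf("mark 7, ORIGINAL dir -> zone %u\n",
	       lookup_zone_id(true, 0, NF_CT_ZONE_DIR_ORIG, 7, IP_CT_DIR_ORIGINAL));
	printf("mark 7, REPLY dir    -> zone %u\n",
	       lookup_zone_id(true, 0, NF_CT_ZONE_DIR_ORIG, 7, IP_CT_DIR_REPLY));
	/* iptables -t raw -A PREROUTING -j CT --zone 5 (both directions) */
	printf("fixed zone 5, REPLY  -> zone %u\n",
	       lookup_zone_id(false, 5, NF_CT_DEFAULT_ZONE_DIR, 7, IP_CT_DIR_REPLY));
	return 0;
}
```

With `--zone-dir ORIGINAL` only the original-direction tuple is hashed under the mark-derived zone; the reply direction stays in the default zone, which is the behaviour a rule set relying on this mapping has to account for when it expects both directions of a flow to land in the same zone.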
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



